Analysis
max time kernel: 149s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
submitted: 30-05-2024 12:34
Static task: static1
Behavioral task: behavioral1
Sample: rbxfpsunlocker.exe
Resource: win10v2004-20240426-en
General
Target: rbxfpsunlocker.exe
Size: 418KB
MD5: d8f62c2fb70fc556231ad0f19d74c701
SHA1: c8136fc9eaf99b0b8de0e03e7d7e227f8ed41cf2
SHA256: 77b09fdd0b43a407f40f5ea1d86bdfd1c0863cf13608f2750fc25d5665417530
SHA512: 59f817630d2f9518f545523beb15e29f36ec79b64cc4d98c86ce06fb4523cd0f2fc1c7198ddf2f43292afbf7a53e1940071fb54fa7c169adf9eca081c00fd3c5
SSDEEP: 6144:Zo+XBN20NKf1C5wPgH4bM1r6Zp8VE58TePlQZsOmug:lXNEngvMcTePlQZsJug
Malware Config
Extracted
xworm
3.1
blood-sticker.gl.at.ply.gg:65461
bWnUu8WsazcVG1Ed
Install_directory: %AppData%
install_file: USB.exe
Signatures
Detect Xworm Payload 2 IoCs
Processes:
resource yara_rule
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe family_xworm
behavioral1/memory/2756-19-0x00000000009E0000-0x00000000009F0000-memory.dmp family_xworm
Looks for VirtualBox Guest Additions in registry 2 TTPs 64 IoCs
Processes:
rbxfpsunlocker.exe
description ioc process
Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions rbxfpsunlocker.exe
Looks for VMWare Tools registry key 2 TTPs 64 IoCs
Processes:
rbxfpsunlocker.exe
description ioc process
Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools rbxfpsunlocker.exe
Checks BIOS information in registry 2 TTPs 64 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
rbxfpsunlocker.exe
description ioc process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rbxfpsunlocker.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rbxfpsunlocker.exe
Checks computer location settings 2 TTPs 64 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes:
rbxfpsunlocker.exe
FpsUnlocker.exe
description ioc process
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation rbxfpsunlocker.exe
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation FpsUnlocker.exe
Executes dropped EXE 64 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
FpsUnlocker.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FpsUnlocker = "C:\\Users\\Admin\\AppData\\Roaming\\FpsUnlocker.exe"
process: FpsUnlocker.exe
-
Maps connected drives based on registry 3 TTPs 64 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe "C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe" 1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:912 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe "C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe" 2⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe "C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe" 3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe "C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe" 4⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe "C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe" 5⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe "C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe" 6⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe "C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe" 7⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe "C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe" 8⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3356 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe "C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe" 9⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe "C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe" 10⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe "C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe" 11⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe "C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe" 12⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1336 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe "C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe" 13⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe "C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe" 14⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe "C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe" 15⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe "C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe" 16⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe "C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe" 17⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1208 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe "C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe" 18⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2312 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe "C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe" 19⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:748 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe "C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe" 20⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1144 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe "C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe" 21⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1488 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe "C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe" 22⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5096 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe "C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe" 23⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4440 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe "C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe" 24⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3408 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"25⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4064 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"26⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3964 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"27⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3680 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"28⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3152 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"29⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2824 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"30⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4524 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"31⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4968 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"32⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3452 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"33⤵
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:3764 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"34⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:4664 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"35⤵
- Looks for VMWare Tools registry key
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:4164 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"36⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:2348 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"37⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:1972 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"38⤵
- Looks for VirtualBox Guest Additions in registry
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:2260 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"39⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:4424 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"40⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:4800 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"41⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:380 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"42⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:2824 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"43⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:5028 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"44⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:4168 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"45⤵
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:1740 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"46⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:3148 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"47⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:820 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"48⤵
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:732 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"49⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:1324 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"50⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:4460 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"51⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:2212 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"52⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:1676 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"53⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:4988 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"54⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:624 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"55⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:2304 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"56⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:5008 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"57⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:5104 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"58⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:2364 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"59⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:5028 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"60⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:1308 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"61⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:2020 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"62⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:1132 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"63⤵
- Looks for VMWare Tools registry key
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:2404 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"64⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:4956 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"65⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
PID:4896 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"66⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
PID:3408 -
C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"67⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
PID:3512
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"67⤵PID:2476
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"66⤵PID:3468
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"65⤵PID:4692
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"64⤵PID:1336
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"63⤵
- Executes dropped EXE
PID:844
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"62⤵
- Executes dropped EXE
PID:4708
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"61⤵
- Executes dropped EXE
PID:1412
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"60⤵
- Executes dropped EXE
PID:1368
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"59⤵
- Executes dropped EXE
PID:4348
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"58⤵
- Executes dropped EXE
PID:2824
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"57⤵
- Executes dropped EXE
PID:1020
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"56⤵
- Executes dropped EXE
PID:2960
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"55⤵
- Executes dropped EXE
PID:4464
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"54⤵
- Executes dropped EXE
PID:1168
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"53⤵
- Executes dropped EXE
PID:3596
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"52⤵
- Executes dropped EXE
PID:2240
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"51⤵
- Executes dropped EXE
PID:4980
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"50⤵
- Executes dropped EXE
PID:4672
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"49⤵
- Executes dropped EXE
PID:4692
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"48⤵
- Executes dropped EXE
PID:4772
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"47⤵
- Executes dropped EXE
PID:844
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"46⤵
- Executes dropped EXE
PID:2668
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"45⤵
- Executes dropped EXE
PID:4196
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"44⤵
- Executes dropped EXE
PID:4316
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"43⤵
- Executes dropped EXE
PID:4188
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"42⤵
- Executes dropped EXE
PID:1732
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"41⤵
- Executes dropped EXE
PID:4268
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"40⤵
- Executes dropped EXE
PID:3228
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"39⤵
- Executes dropped EXE
PID:1440
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"38⤵
- Executes dropped EXE
PID:4988
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"37⤵
- Executes dropped EXE
PID:4604
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"36⤵
- Executes dropped EXE
PID:3236
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"35⤵
- Executes dropped EXE
PID:2200
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"34⤵
- Executes dropped EXE
PID:3192
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"33⤵
- Executes dropped EXE
PID:3108
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"32⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4284
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"31⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3720
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"30⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2120
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"29⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4860
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"28⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2696
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"27⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3960
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"26⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3440
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"25⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2624
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"24⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1972
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"23⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2348
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"22⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1864
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"21⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2448
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"20⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1772
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"19⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5056
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"18⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1796
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"17⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1844
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"16⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:524
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"15⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1468
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"14⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3656
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"13⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3404
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1852
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1324
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4384
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1144
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1832
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1644
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4084
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4684
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2240
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3384
-
-
-
C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"C:\Users\Admin\AppData\Local\Temp\FpsUnlocker.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "FpsUnlocker" /tr "C:\Users\Admin\AppData\Roaming\FpsUnlocker.exe"3⤵
- Creates scheduled task(s)
PID:4008
-
-
-
C:\Users\Admin\AppData\Roaming\FpsUnlocker.exeC:\Users\Admin\AppData\Roaming\FpsUnlocker.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2156
-
C:\Users\Admin\AppData\Roaming\FpsUnlocker.exeC:\Users\Admin\AppData\Roaming\FpsUnlocker.exe1⤵
- Executes dropped EXE
PID:2524
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Downloads