ebb5d35149b7de84c0483c9071d4412976796c0b76ede033d8b271b72b5eb64e

Analysis

max time kernel
168s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NovaClosetCheat.exe
Size

84.5MB
MD5

1c771b7beced636731f297820c9396b9
SHA1

b908ba323a605c723abb552218f4bb9d522ee75c
SHA256

ebb5d35149b7de84c0483c9071d4412976796c0b76ede033d8b271b72b5eb64e
SHA512

d0f223a711fd02b4df12d8baa32b4ba9e2cd153f2e5edde8524a9b049adf7ddf57240fde4bb6c30e1837910b5a261bafe793ca04935ab96c8393fab92c7f6594
SSDEEP

1572864:aiRiJDePU1e4iamkhLDyPl4QiZh3/tQE88nZGjSYukZg7jaE7pPZNl8W9hP50d:aiRj4e4iadhLDy943r/tQonZODzZgvli

Score

8^/10

evasion persistence upx

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	NovaClosetCheat.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
4108	netsh.exe

Loads dropped DLL 64 IoCs

pid	Process
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2564-0-0x00007FF701EC0000-0x00007FF701F29000-memory.dmp	upx
behavioral2/memory/2564-620-0x00007FF701EC0000-0x00007FF701F29000-memory.dmp	upx
behavioral2/memory/2564-795-0x00007FF701EC0000-0x00007FF701F29000-memory.dmp	upx
behavioral2/memory/2564-1249-0x00007FF701EC0000-0x00007FF701F29000-memory.dmp	upx
behavioral2/files/0x000600000002329d-1288.dat	upx
behavioral2/memory/464-1289-0x00007FF701EC0000-0x00007FF701F29000-memory.dmp	upx
behavioral2/memory/464-1293-0x00007FF911910000-0x00007FF911EF8000-memory.dmp	upx
behavioral2/files/0x00060000000231f3-1295.dat	upx
behavioral2/files/0x000600000002323d-1300.dat	upx
behavioral2/memory/464-1302-0x00007FF922F20000-0x00007FF922F44000-memory.dmp	upx
behavioral2/memory/464-1304-0x00007FF926380000-0x00007FF92638F000-memory.dmp	upx
behavioral2/files/0x00060000000231f1-1303.dat	upx
behavioral2/memory/464-1308-0x00007FF922F00000-0x00007FF922F19000-memory.dmp	upx
behavioral2/files/0x000600000002323f-1312.dat	upx
behavioral2/files/0x000600000002323c-1310.dat	upx
behavioral2/files/0x00060000000231f7-1307.dat	upx
behavioral2/files/0x0006000000023200-1346.dat	upx
behavioral2/memory/464-1347-0x00007FF922060000-0x00007FF92208D000-memory.dmp	upx
behavioral2/memory/464-1349-0x00007FF9219C0000-0x00007FF9219D9000-memory.dmp	upx
behavioral2/files/0x00060000000232a1-1350.dat	upx
behavioral2/files/0x00060000000231fb-1348.dat	upx
behavioral2/files/0x00060000000231ff-1345.dat	upx
behavioral2/files/0x00060000000231fe-1344.dat	upx
behavioral2/files/0x0006000000023272-1351.dat	upx
behavioral2/files/0x00060000000231fa-1352.dat	upx
behavioral2/memory/464-1354-0x00007FF921900000-0x00007FF92190D000-memory.dmp	upx
behavioral2/memory/464-1355-0x00007FF922140000-0x00007FF92214D000-memory.dmp	upx
behavioral2/memory/464-1353-0x00007FF921980000-0x00007FF9219B5000-memory.dmp	upx
behavioral2/files/0x00060000000231fd-1343.dat	upx
behavioral2/files/0x00060000000231fc-1342.dat	upx
behavioral2/files/0x00060000000231f9-1339.dat	upx
behavioral2/files/0x00060000000231f8-1338.dat	upx
behavioral2/files/0x00060000000231f6-1337.dat	upx
behavioral2/files/0x00060000000231f5-1336.dat	upx
behavioral2/files/0x00060000000231f4-1335.dat	upx
behavioral2/files/0x00060000000231f2-1334.dat	upx
behavioral2/files/0x00060000000231f0-1333.dat	upx
behavioral2/files/0x0006000000023685-1332.dat	upx
behavioral2/files/0x0006000000023677-1330.dat	upx
behavioral2/files/0x000600000002361a-1329.dat	upx
behavioral2/files/0x00060000000232a3-1328.dat	upx
behavioral2/files/0x00060000000232a2-1327.dat	upx
behavioral2/files/0x00060000000231ed-1325.dat	upx
behavioral2/files/0x00060000000231ec-1324.dat	upx
behavioral2/files/0x00060000000231eb-1323.dat	upx
behavioral2/files/0x00060000000231ea-1322.dat	upx
behavioral2/files/0x000600000002326f-1320.dat	upx
behavioral2/files/0x0006000000023246-1319.dat	upx
behavioral2/files/0x0006000000023245-1318.dat	upx
behavioral2/files/0x0006000000023244-1317.dat	upx
behavioral2/files/0x0006000000023243-1316.dat	upx
behavioral2/files/0x0006000000023242-1315.dat	upx
behavioral2/files/0x0006000000023241-1314.dat	upx
behavioral2/files/0x0006000000023240-1313.dat	upx
behavioral2/files/0x000600000002323e-1311.dat	upx
behavioral2/files/0x0006000000023239-1309.dat	upx
behavioral2/files/0x00060000000232a0-1356.dat	upx
behavioral2/files/0x000600000002329f-1360.dat	upx
behavioral2/memory/464-1361-0x00007FF912FF0000-0x00007FF91301E000-memory.dmp	upx
behavioral2/memory/464-1362-0x00007FF912240000-0x00007FF9122FC000-memory.dmp	upx
behavioral2/files/0x000600000002367a-1363.dat	upx
behavioral2/memory/464-1366-0x00007FF911910000-0x00007FF911EF8000-memory.dmp	upx
behavioral2/memory/464-1367-0x00007FF912F60000-0x00007FF912F8B000-memory.dmp	upx
behavioral2/memory/464-1369-0x00007FF912FC0000-0x00007FF912FEE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rose = "C:\\Users\\Admin\\AppData\\Roaming\\rose\\rose.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
55	api.ipify.org
58	api.ipify.org
75	api.ipify.org

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
464	NovaClosetCheat.exe
464	NovaClosetCheat.exe
3264	powershell.exe
3264	powershell.exe
4220	powershell.exe
4220	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	464	NovaClosetCheat.exe
Token: SeIncreaseQuotaPrivilege	2296	wmic.exe
Token: SeSecurityPrivilege	2296	wmic.exe
Token: SeTakeOwnershipPrivilege	2296	wmic.exe
Token: SeLoadDriverPrivilege	2296	wmic.exe
Token: SeSystemProfilePrivilege	2296	wmic.exe
Token: SeSystemtimePrivilege	2296	wmic.exe
Token: SeProfSingleProcessPrivilege	2296	wmic.exe
Token: SeIncBasePriorityPrivilege	2296	wmic.exe
Token: SeCreatePagefilePrivilege	2296	wmic.exe
Token: SeBackupPrivilege	2296	wmic.exe
Token: SeRestorePrivilege	2296	wmic.exe
Token: SeShutdownPrivilege	2296	wmic.exe
Token: SeDebugPrivilege	2296	wmic.exe
Token: SeSystemEnvironmentPrivilege	2296	wmic.exe
Token: SeRemoteShutdownPrivilege	2296	wmic.exe
Token: SeUndockPrivilege	2296	wmic.exe
Token: SeManageVolumePrivilege	2296	wmic.exe
Token: 33	2296	wmic.exe
Token: 34	2296	wmic.exe
Token: 35	2296	wmic.exe
Token: 36	2296	wmic.exe
Token: SeIncreaseQuotaPrivilege	2296	wmic.exe
Token: SeSecurityPrivilege	2296	wmic.exe
Token: SeTakeOwnershipPrivilege	2296	wmic.exe
Token: SeLoadDriverPrivilege	2296	wmic.exe
Token: SeSystemProfilePrivilege	2296	wmic.exe
Token: SeSystemtimePrivilege	2296	wmic.exe
Token: SeProfSingleProcessPrivilege	2296	wmic.exe
Token: SeIncBasePriorityPrivilege	2296	wmic.exe
Token: SeCreatePagefilePrivilege	2296	wmic.exe
Token: SeBackupPrivilege	2296	wmic.exe
Token: SeRestorePrivilege	2296	wmic.exe
Token: SeShutdownPrivilege	2296	wmic.exe
Token: SeDebugPrivilege	2296	wmic.exe
Token: SeSystemEnvironmentPrivilege	2296	wmic.exe
Token: SeRemoteShutdownPrivilege	2296	wmic.exe
Token: SeUndockPrivilege	2296	wmic.exe
Token: SeManageVolumePrivilege	2296	wmic.exe
Token: 33	2296	wmic.exe
Token: 34	2296	wmic.exe
Token: 35	2296	wmic.exe
Token: 36	2296	wmic.exe
Token: SeIncreaseQuotaPrivilege	1700	WMIC.exe
Token: SeSecurityPrivilege	1700	WMIC.exe
Token: SeTakeOwnershipPrivilege	1700	WMIC.exe
Token: SeLoadDriverPrivilege	1700	WMIC.exe
Token: SeSystemProfilePrivilege	1700	WMIC.exe
Token: SeSystemtimePrivilege	1700	WMIC.exe
Token: SeProfSingleProcessPrivilege	1700	WMIC.exe
Token: SeIncBasePriorityPrivilege	1700	WMIC.exe
Token: SeCreatePagefilePrivilege	1700	WMIC.exe
Token: SeBackupPrivilege	1700	WMIC.exe
Token: SeRestorePrivilege	1700	WMIC.exe
Token: SeShutdownPrivilege	1700	WMIC.exe
Token: SeDebugPrivilege	1700	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1700	WMIC.exe
Token: SeRemoteShutdownPrivilege	1700	WMIC.exe
Token: SeUndockPrivilege	1700	WMIC.exe
Token: SeManageVolumePrivilege	1700	WMIC.exe
Token: 33	1700	WMIC.exe
Token: 34	1700	WMIC.exe
Token: 35	1700	WMIC.exe
Token: 36	1700	WMIC.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 464	2564	NovaClosetCheat.exe	96
PID 2564 wrote to memory of 464	2564	NovaClosetCheat.exe	96
PID 464 wrote to memory of 3592	464	NovaClosetCheat.exe	98
PID 464 wrote to memory of 3592	464	NovaClosetCheat.exe	98
PID 464 wrote to memory of 2296	464	NovaClosetCheat.exe	101
PID 464 wrote to memory of 2296	464	NovaClosetCheat.exe	101
PID 464 wrote to memory of 4352	464	NovaClosetCheat.exe	103
PID 464 wrote to memory of 4352	464	NovaClosetCheat.exe	103
PID 4352 wrote to memory of 1700	4352	cmd.exe	105
PID 4352 wrote to memory of 1700	4352	cmd.exe	105
PID 464 wrote to memory of 4976	464	NovaClosetCheat.exe	106
PID 464 wrote to memory of 4976	464	NovaClosetCheat.exe	106
PID 464 wrote to memory of 2248	464	NovaClosetCheat.exe	108
PID 464 wrote to memory of 2248	464	NovaClosetCheat.exe	108
PID 2248 wrote to memory of 1560	2248	cmd.exe	110
PID 2248 wrote to memory of 1560	2248	cmd.exe	110
PID 464 wrote to memory of 1100	464	NovaClosetCheat.exe	111
PID 464 wrote to memory of 1100	464	NovaClosetCheat.exe	111
PID 1100 wrote to memory of 4424	1100	cmd.exe	113
PID 1100 wrote to memory of 4424	1100	cmd.exe	113
PID 464 wrote to memory of 2164	464	NovaClosetCheat.exe	116
PID 464 wrote to memory of 2164	464	NovaClosetCheat.exe	116
PID 464 wrote to memory of 700	464	NovaClosetCheat.exe	118
PID 464 wrote to memory of 700	464	NovaClosetCheat.exe	118
PID 700 wrote to memory of 4108	700	cmd.exe	122
PID 700 wrote to memory of 4108	700	cmd.exe	122
PID 464 wrote to memory of 3592	464	NovaClosetCheat.exe	123
PID 464 wrote to memory of 3592	464	NovaClosetCheat.exe	123
PID 464 wrote to memory of 2652	464	NovaClosetCheat.exe	125
PID 464 wrote to memory of 2652	464	NovaClosetCheat.exe	125
PID 2652 wrote to memory of 3264	2652	cmd.exe	127
PID 2652 wrote to memory of 3264	2652	cmd.exe	127
PID 464 wrote to memory of 4940	464	NovaClosetCheat.exe	128
PID 464 wrote to memory of 4940	464	NovaClosetCheat.exe	128
PID 4940 wrote to memory of 4220	4940	cmd.exe	130
PID 4940 wrote to memory of 4220	4940	cmd.exe	130
PID 464 wrote to memory of 752	464	NovaClosetCheat.exe	131
PID 464 wrote to memory of 752	464	NovaClosetCheat.exe	131
PID 752 wrote to memory of 3524	752	cmd.exe	133
PID 752 wrote to memory of 3524	752	cmd.exe	133
PID 464 wrote to memory of 4972	464	NovaClosetCheat.exe	134
PID 464 wrote to memory of 4972	464	NovaClosetCheat.exe	134
PID 4972 wrote to memory of 2912	4972	cmd.exe	136
PID 4972 wrote to memory of 2912	4972	cmd.exe	136
PID 464 wrote to memory of 1124	464	NovaClosetCheat.exe	137
PID 464 wrote to memory of 1124	464	NovaClosetCheat.exe	137
PID 1124 wrote to memory of 4500	1124	cmd.exe	139
PID 1124 wrote to memory of 4500	1124	cmd.exe	139
PID 464 wrote to memory of 1768	464	NovaClosetCheat.exe	140
PID 464 wrote to memory of 1768	464	NovaClosetCheat.exe	140
PID 1768 wrote to memory of 4560	1768	cmd.exe	142
PID 1768 wrote to memory of 4560	1768	cmd.exe	142
PID 464 wrote to memory of 1376	464	NovaClosetCheat.exe	143
PID 464 wrote to memory of 1376	464	NovaClosetCheat.exe	143
PID 1376 wrote to memory of 3236	1376	cmd.exe	145
PID 1376 wrote to memory of 3236	1376	cmd.exe	145

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2912	attrib.exe
4500	attrib.exe

C:\Users\Admin\AppData\Local\Temp\NovaClosetCheat.exe
"C:\Users\Admin\AppData\Local\Temp\NovaClosetCheat.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Users\Admin\AppData\Local\Temp\NovaClosetCheat.exe
  "C:\Users\Admin\AppData\Local\Temp\NovaClosetCheat.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:3592
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get MUILanguages /format:list"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4352
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get MUILanguages /format:list
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1700
- - C:\Windows\System32\Wbem\wmic.exe
    wmic os get MUILanguages /format:list
    3⤵
    PID:4976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption /format:list"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption /format:list
      4⤵
      PID:1560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path softwarelicensingservice get OA3xOriginalProductKey"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1100
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path softwarelicensingservice get OA3xOriginalProductKey
      4⤵
      PID:4424
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get name
    3⤵
    PID:2164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh advfirewall set domainprofile state off"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:700
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall set domainprofile state off
      4⤵
      Modifies Windows Firewall
      PID:4108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "DisableRealtimeMonitoring" -Value 1"
    3⤵
    PID:3592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\rose','C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\rose','C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:752
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:3524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4972
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1124
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v rose /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\Windows\system32\reg.exe
      reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v rose /f
      4⤵
      PID:4560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v rose /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\rose\rose.exe" /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1376
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v rose /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\rose\rose.exe" /f
      4⤵
      Adds Run key to start application
      PID:3236

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI25642\SDL2.dll

Filesize
635KB

MD5
aacc454789a522c8652717096b3b6cc4

SHA1
b08c9349abe6d8d15679cc5f77b51eeb25bcfcd8

SHA256
61f927f4ab813fccebc600ffb0870f6ebdff856914d8fc208eb86b01d6be4859

SHA512
9e04b0695c25c78e243bc1e93c0880c6d522179369b05b31843efa9b22468ecde392a898b7eaeac2ffc2c0525df07b3e2f4ca0cb0fe7d73af27a5def4f6b5f8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\SDL2_image.dll

Filesize
58KB

MD5
71780d5b9aedb54b990b975aff28bbf3

SHA1
dd59dfd88255e26e9f6fc2c96972f37f175189c1

SHA256
f670f630df5dbdf0a6e19f7bbb5cb280db519a72ddef8567a1e9315591604e96

SHA512
959edf08748a00e0c2f84c352119def05b4c4da884a178cae47b6e776eefbc87534f084b5a279c4a778a99f84ea7b98c71fb259a54ca9a12ffa506c5824f48e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\SDL2_mixer.dll

Filesize
124KB

MD5
4bf8a0231b35b804cdd002ca6ec234eb

SHA1
f6e2192e02ce714612c6aaa3fe85e3c9adb6447b

SHA256
867ea749aa6b8432c69c43b9606d8e6de19e88aef3aea2faf1b0643e0c6c516f

SHA512
420c45ff39491814e56fc6b4bf4eb99bb2b31eb4d8ead4d25fd84ef00b8b17973eb3a7bf7b31a0c100b813b717fcefe4245c403ec36038158c87bf24faf46623

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\SDL2_ttf.dll

Filesize
601KB

MD5
e3913036bdb469d933c658737dd05464

SHA1
30fd6b3571472d50d4a87b4908daef1c5516afd5

SHA256
e85aa1b2a8d7624973f9f0db7ff502e615b57edf38b0af7b030ee9cb01561416

SHA512
df6837512de2e3d03a4ce00ad20f72100139e15c80ae7062d12e4b266e4b6670b30889778621ecc869fcca691a03263158f2fa57a6bcaac9b3bda952bf88b749

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\VCRUNTIME140_1.dll

Filesize
37KB

MD5
75e78e4bf561031d39f86143753400ff

SHA1
324c2a99e39f8992459495182677e91656a05206

SHA256
1758085a61527b427c4380f0c976d29a8bee889f2ac480c356a3f166433bf70e

SHA512
ce4daf46bce44a89d21308c63e2de8b757a23be2630360209c4a25eb13f1f66a04fbb0a124761a33bbf34496f2f2a02b8df159b4b62f1b6241e1dbfb0e5d9756

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\_asyncio.pyd

Filesize
34KB

MD5
b42a92003d73446d40da16e0f4d9f5ee

SHA1
3742fb1b2302864181d1568e3526aa63bd7db2c5

SHA256
6b12b8a4a3cdc802e53918ad30296fb4c9da639595463eb6249406e9256ffaa3

SHA512
7fd42f1aa5c96fcc1f5ed7289d4f9a1845174e47112dfa95ebbb23e22ab7ef93ad537f1b5dc9415ba78d71a84bcbeac35d9f27f202c4cd81d855907e1d90f91c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\_bz2.pyd

Filesize
46KB

MD5
81578115dd99002ccdd4095b1152db1b

SHA1
e497a0761f2ac9eeba50e78e2d2f4c2349babcf2

SHA256
27b6bf8412d7b660939f31aeedd87585878470b7586a4361f0dccdadd7d64b45

SHA512
b468f71b15cf92164cee6b81bd840864d1d795b86ba3fb33317c4ec89959d5f10b62530a4edf8960e93741af54500a062c0713ab3a0d9ff929e6389633538796

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\_cffi_backend.cp311-win_amd64.pyd

Filesize
71KB

MD5
c1cd1d53ddfe5033a341f0c2051c4357

SHA1
b205344ada67dc82d208baf2d6b9cda4a497abea

SHA256
44381ffef40a5e344ca951de08f13fb4e25096c240d965acfaa47221b9f9ef52

SHA512
d4f509cfb8fa1f044ff4b0b55c5298ead40fd635cfb5a6c7d779a66eeb5f52d3e30a5b3e61507f2891e9ef1070e0c8eea1b698b680048fbb7cb5f15f4e26d309

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\_ctypes.pyd

Filesize
57KB

MD5
87e8cc70c59737ce8e248a35550086e6

SHA1
082b43a944ca3739602d0edf96e37784d32fc509

SHA256
e8a40dfc0d412329d8192d78bcd3d12199ef3551b61dcfa3eb852f86ac49a493

SHA512
d418f1cf437f4dd8797bedc7b909d2433ea03fecaadb34135db13d0eb34b9b16aedd1c340c4a5670fb05df420636a83ab704c0432a605cf5e95e9ebe87ef2a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\_decimal.pyd

Filesize
104KB

MD5
82ae89cf9d47eda296253e6a4b3bacd8

SHA1
5b593f3d8afe484b0afec866643b26b14cfef05b

SHA256
5dbd333752ed7a1767c8b67d3a6d36ff141b8752dfbdd70386341b4f55fae3dd

SHA512
245c6fd4a64c17e7936ad9a84299a7f5c4ef93ac2b1dcb86cccb10a7d51e443c3afd47822eb3962d37292015c34cef76f394c41b680b154ed18223b2e20c32f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\_elementtree.pyd

Filesize
56KB

MD5
db9a210f9b024d4f3710807d754e62fb

SHA1
9fb878cad9884a18fef8990c9caffc32c252e5ec

SHA256
b94500e7774c0b2c70b83796a3790b3b25f8e5c848965fa4f73623eb875c2fdd

SHA512
f3191af572601db7722f50c1f4602ebf44f58df3f6535057cb26ad2936339a380c8b8ac6b0d054407953b2b92a2982fde774c96d76adc0eb302c1cf54b55b69f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\_hashlib.pyd

Filesize
33KB

MD5
44288ccbdf7e9b62b2b8b7c03257a8e8

SHA1
fe70c375cc865a5abcee331c069d4899604cfe1a

SHA256
d7cd29693e5632ee2e91b1f323b8eb5c20b65116e32c918a42c0da6256d83f9d

SHA512
ab517968ac5662221cb0b52d17a05211c601af17704c625c2f6d4fbce33b20f26a041a86707450297f1f3a4384589223cd8be7a482a7c37a516a2957dade0aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\_lzma.pyd

Filesize
84KB

MD5
351034ddaaf1234458e65b90c4189eb3

SHA1
246dc4c5011f9cb2b0c85e453f9276190a1b6c6e

SHA256
3af3703e458370997679dca6c2241a1fa1c799248c4e092e614e2c103690d23b

SHA512
18f110d73cf876638b72e2a877059f52e4cef4e2c2ff877b1bdd21747364f9f5a339a6d349a941e0a0fefa98e3e34ce5689a66caa1378f3c3ebcdf607a87eb13

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\_multiprocessing.pyd

Filesize
25KB

MD5
d629edf1d6af8567aea57dab640b4174

SHA1
f920e358c0c429e87fe9ba4f34d8fd89996e82ea

SHA256
2487e57feac587a079879325fd447a48731ebd9c311e8553fd2a5dd60864068a

SHA512
29218a3adfe1d4a0a4bf6c22bf55d189e0836b45efad96b7a8eeede379e6918599c90a4c4c5185309e5991710b2162ec9e2c9fa50a62e31aaace380dfa7c03df

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\_overlapped.pyd

Filesize
30KB

MD5
490665d832ff3c369fe9fc5aa9381288

SHA1
d5575d0ae9bcba972ecd928762db79f39f843ecf

SHA256
a5a1152e8ea3e16fe5bd5649216e36680a2afc03a1cf4c53c95c61db853375aa

SHA512
57124e754b112059219d4771d055f113e9af3d8086ab3b330ff0828224a82924f08fa863f009c653a789194bd93bfd4139cf0aad0d39c3896b3c15cbba754e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\_queue.pyd

Filesize
24KB

MD5
7ae2d836bf4420edc6a1213912074fcb

SHA1
bb9c4d90cc380c53082f77378f9f0ad2521efd6c

SHA256
4cd5f1721cb141f2b1cf79ed22b3fa873ff626b709c51f1d8b5f724ebe6533bc

SHA512
ed3785ec37deffdba391563daffde38af7dc33c2f2ff00b6420a04c7f99c9536168c9cc83fffa443948aa2c764fbd6ccd1b24dde3f7e51680225729e54b4e4da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\_socket.pyd

Filesize
41KB

MD5
66ae8b5b160df4abffaf34c40adfe96b

SHA1
c86be1817815da8bc105a4b5dc49de61ef205577

SHA256
f87523cbfb071062d1988267373f8b66195a29e102d03c2e119f2f94e66b1f94

SHA512
5e1ca8e4214572422062d60f52746d57f2f55da2b39d73a4e108005859812f10c1bc40b8ac68019154c927427e43c76b7a6bff77a57c915b1122738c5a1264d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\_sqlite3.pyd

Filesize
54KB

MD5
2d78ce9e29b899cfca2684baacde5b25

SHA1
3c36b7ed168359a4c4375f0ae0141856cfa85203

SHA256
6d9f1d418adb30f53fb646848c16787b05ba6d9dffa22597d03bc2e49e80f3be

SHA512
15a62a0008f3749125dbc07ec3558bc7724e77e2ffa12989e6c4207e3f61ce01d7a0d715afc78057767593a8947449de087edb5a954a8ac5bdfb946d0fdee5bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\_ssl.pyd

Filesize
60KB

MD5
917d1f89ffc7034efd9e8b6735315f01

SHA1
873d7aea27390959988cd4ff9f5206339a6694ea

SHA256
98818be47ef29fb5a3e7a774ace378fdb0b5822d7e877f0071f6b0654557b2b8

SHA512
744f2a85c16a0bfe54299898728c8bf3d8984ceb693fee5b0e6de9dd4fc5ea66b58633c599b0dc67022c916b99ce17a4b86430215c8973336df94c8debf508eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\_tkinter.pyd

Filesize
36KB

MD5
fbddeda725a1e995b4efcb5b3ddf974f

SHA1
823784fc770f2a5c3d206f0c52aa114b9415f521

SHA256
d3a259c288d22bf5f533b56fad01d86b0f8f52da41e0cd07ef4ba7209aa5f2f4

SHA512
93688736a4d61cb9f73c52e03ca1d0ef407bd853cfe9701de733a1e32e66a9f8c8a77b2c4bb3ac9ff2491fb33922deafcc1f77b72613a1fb63248b72d8116fd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\_uuid.pyd

Filesize
21KB

MD5
81d18c8d2dbd64bf5518d9d389c18e37

SHA1
28f240ab3b5d23c5148aaff2752d1c93b9a82580

SHA256
3e59b1b0e920a492ceda8785d8e1a61cdcb392b9e68a79011024f0a2af36fb7a

SHA512
7dd9635189be0ff4991ea733a45ca166d98314f305da22da1589119cd7009ff25e12057303371b863a70fb1baaa7a8b05c9ac5178cea4c812532d281ebacaaa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\_zoneinfo.pyd

Filesize
30KB

MD5
ef47257899e918427d3539a5f6b7acbb

SHA1
16b2ba9b71cebe79fc7ecc42b652357445555f98

SHA256
0bd9441a3f8f41ae0bdfbd9dda81665dd588421b8cf04d0ae8f287f87baea5c3

SHA512
53ca0baeeddfdc694daeece40aa476a47effc9916cdef7002778dc37557729d4d4ab434d8bcfbc50a8bd5e3787453fb4de2ba80952bbed86ba21fc33fd56e93b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\base_library.zip

Filesize
1.4MB

MD5
83d235e1f5b0ee5b0282b5ab7244f6c4

SHA1
629a1ce71314d7abbce96674a1ddf9f38c4a5e9c

SHA256
db389a9e14bfac6ee5cce17d41f9637d3ff8b702cc74102db8643e78659670a0

SHA512
77364aff24cfc75ee32e50973b7d589b4a896d634305d965ecbc31a9e0097e270499dbec93126092eb11f3f1ad97692db6ca5927d3d02f3d053336d6267d7e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\freetype.dll

Filesize
292KB

MD5
82f05dbb0f1cce48f7c3983e8c214e34

SHA1
019d790608c0676ea7f02bc2eb89c949196a1249

SHA256
f9f58cb7bd727fde30c3c63638a5e701cf74e4d73fd8a0ed65da3e889fd4ebb4

SHA512
393f8cc9fb76b44cfb252a7a03ba7bcb9b01952b03f861a4b8cd3287d795ad5d1bbe1379d18b7a62547851d70c1eb8e1c5756c53a5de7da7a5c5f918ddd37a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\libcrypto-1_1.dll

Filesize
1.1MB

MD5
5ce966f78ba43eaccd0cc578ac78e6d8

SHA1
565743321bfd39126616296816b157cd520ba28f

SHA256
d47d421807495984d611c6f80d3be0d15568bce8a313df6a97cd862ba0524a0d

SHA512
204e54c2d45ef92d940c55f37dbc298e8861c3654ae978582637120d29ff141c184c7ec1b8658aeaa8341d8bf9157ad29b6f6187d5c8a019b56e3b7643037a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\libffi-8.dll

Filesize
24KB

MD5
cf6316144d6f3b5884f423b1ac6c3907

SHA1
6e05f6b2772230a8a7636fa5db81958fba5b28d4

SHA256
4022e7cf1dab9d68511b7235aa3a26aacf267ff23c30319f59b351b058691dc4

SHA512
f411aaacdbbd3b2aaf1c969c697b281c00922c43e7b4dee2c1f237f468bbf273f455bc11820c2ad0289efaa2f525920bcfa63d503e089322cc232717f8ad9d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\libjpeg-9.dll

Filesize
108KB

MD5
41633e0912bf97cacb5651e2fd2ad506

SHA1
d9382c55247244fc38c253490e71498fcd469182

SHA256
2919f523293c03c48debe55d338f3d17002e8e185bbf9d1978d8d8f765f9502a

SHA512
2cd6fc9f5da6f925c4ae2351882c853af46cbd1fe8d99788640afbfc89054f95ec05ddbbfb51965d7141647295b3993cc6d73c94d6f63ecd15fd88748d89a34d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\libmodplug-1.dll

Filesize
117KB

MD5
0c985da17c6c82e61ea96d20ac0eab4d

SHA1
ee703038cae84749ea0c69c95f33497cb3ab33eb

SHA256
68c95b609f4464b34f0beca377fffaa02316655ddb18e208cf92fef486d2a42a

SHA512
cb6d4d8f15540e2ea3c1588c8893e951efba125ce85af5efc2aed09d7f33873a2675e15b2746c45c6978b3d2a6b97d9bcfb437b31d54b7bad3fcbdcea408dd21

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\libogg-0.dll

Filesize
16KB

MD5
ab504a0ac020045ad44a8f6f5f9bc783

SHA1
19fead3f5bfd83915915516c13fc44133adcd12f

SHA256
6d0c00699e42ef9f79e2accd1fa6129dd032473cd81248e1a6c65ad3cb147a51

SHA512
9a2a3278ef8a0b53fec8549a528b22d1686206a30f5e9afc1b888a1a15de16e0a3aa497cc6873655feddf13a7b1623d13b2a4aa7e422ceed8f836974b1e7d535

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\libopus-0.dll

Filesize
181KB

MD5
94fd9860bede297d3c77eaa40511f549

SHA1
6d22c1e12a6cbaaaf4ec9938dec29827f2d6df33

SHA256
554707828c21a5cacfa2af347be15caeff205a9c772b7c72a0292be410f1d458

SHA512
268561cee431918cba7f0531068674c59ba7234179026ee0084e06a7d493f5f46b0d5c9029ea83ef7d97fa29772b54f2431513bba5bd9dbbe5d76bfc0ff3d91d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\libopusfile-0.dll

Filesize
26KB

MD5
d669449f8a7dfdc0c7c8dddd95ea6855

SHA1
11f9cf6210ce8b4311f047a800f37feb901b402a

SHA256
5f0b18d22b566a05ccba829649314e14a59ff59055f1a6d0f1c8eb7700c8bdba

SHA512
7750cbaecbe489eb0a1649951f4b01c54341cdfe43dc3736450b466f574c30d23ba37d1c313b065a8f76e717d571134ea5befb86920b7643a363ea265ccf6954

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\libpng16-16.dll

Filesize
98KB

MD5
3175d904587f59af989251a2c2fc63e2

SHA1
770688d85522c647588ba2fc004c3ef48997819b

SHA256
16a2f6da537545f45757b5fa261b90dd87ee6a0f46d0326b270514648f43a253

SHA512
2a9e426f87a75b7efacebafbfe153015dd47498ce9578b65a43ca8042299110dd89ef37c4eebfac552d9ac196e9ae9d99381aed7935d8d715c28210be84c43af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\libssl-1_1.dll

Filesize
203KB

MD5
5bdcdfe8f74e6b1022224daea45e00dc

SHA1
1519130c894561067c5e146129ad9026da6a8f4d

SHA256
bfe8550987814eb740d4dc8321a52fc97582166541395bb802307b96a151baac

SHA512
276f4dac162fedc95a6a3924d7939ac9754a6738c0a487dc17ae1c148a7960fa47fd356f8bbff1c903624b1d631f5bbc27e7e51da0a79c99342be935eb5b8c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\libtiff-5.dll

Filesize
127KB

MD5
dbc84c57a4a0eac0b72d890c34eaa9e9

SHA1
bbb475ccd76b12a820a02b12e9ac4ef2662eb04d

SHA256
ccc783f4877936cd92e0a5db05209be92984cf2140ae523f084179fc16f93000

SHA512
89014963ccf7071f0f40d296239c9cf0879375d94c89d191d0f8fcfd09ed50a634ca58b11184225a1c8a738b5b946b457cf2d6da66a890eefda9b9ac78b852db

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\libwebp-7.dll

Filesize
192KB

MD5
8a188af3c4037da968dc8b72e62c438f

SHA1
07de31918ca8a3f5d75431acc6ffee5570b3cdb7

SHA256
f744f63142e189ef8e1693bc89ff81008263f97cfe38a94e47b31119b761c7fa

SHA512
0500c5d7cdca551d91121812db24ae2cda604f9a84dfa0b43a32870905115a9e1ca741ffcf0081f77e782257fc415bbda8a0508c9244d077f040b883654a8f7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\portmidi.dll

Filesize
18KB

MD5
38f1fec9bf5e3ffdd22074ad246f3b7d

SHA1
ba6d0d842f5707c8678a9bcff4502cb0b3810eb8

SHA256
8cbfeb763ff321d7d1bc3d238bcd20f62fc7301611a4808d7daa11dfac408b4b

SHA512
566966ea6ada58dd6cf4c04f17e52db127d94b868cda160e6c953ccb0962d43f3946bcec199b37e1329ec5a502213791e6e8c8c099b512517a96ab5bef4fbf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\pyexpat.pyd

Filesize
86KB

MD5
562cfdd2aea820c6721e6e1c6de927eb

SHA1
bdbf3f8b92a2eb12b8134be08a2fcd795a32ef25

SHA256
250b2e7962e2533bdc112346bbc5c5f66a574af0b87e18f261f48ef8cee3f1a5

SHA512
24df40a620fba22c5c0e3230bfb0eff617a905e134fe810a60020bd8db42032d848ebf5034267f181918cab8f754f826d4e17cb461b45a32ea59ded924a4d0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\python3.DLL

Filesize
64KB

MD5
34e49bb1dfddf6037f0001d9aefe7d61

SHA1
a25a39dca11cdc195c9ecd49e95657a3e4fe3215

SHA256
4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281

SHA512
edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\python311.dll

Filesize
1.6MB

MD5
527923fc1de5a440980010ea5a4aaba1

SHA1
ab2b5659b82a014e0804ab1a69412a465ae37d49

SHA256
d94637faaa6d0dbd87c7ad6193831af4553648f4c3024a8a8d8adf549f516c91

SHA512
51a67b02e49a36d11828831f334f4242dfa1c0ac557ed50892b5a7f4d6ff153edab5458c312e57d80ed1b40434037c75c9e933ccbf4a187ec57685bdb42cdfb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\pywin32_system32\pythoncom311.dll

Filesize
193KB

MD5
6aeb23912e08d018d7f32a28127e5494

SHA1
27e6c869b7b24757f7cb18ee2925d5e74024e8e2

SHA256
e1e3b7040846de45406e96585fc2baaca1853efcdf4fd402909a0b7f78d1ed7a

SHA512
4c24dae64a49b11af61882570607ad7d14ac794799904951221bf5c82b503768d018d13e24d1c66f70a43d0d900c596d60870eb26244812191a1d1ed36ba469e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\pywin32_system32\pywintypes311.dll

Filesize
62KB

MD5
51771d430061cf437733c45dd877d20d

SHA1
56d61b080e7c943978a43af77fef30c21d7b7455

SHA256
79e3a80f9d6a44d7cb466b51e6e23a862d8c1908a0cb32f9996ea6ebbfc12aa8

SHA512
3b30cfff85157167af8c6eb3d83547f03c9cea93fe796243451484a2f74b510fd8246639832cbb286be0019295e1a575dd69543b956393cac5b953ee52882de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\select.pyd

Filesize
24KB

MD5
9897d23e1dd3ebb9706d922160986806

SHA1
0e319352d8e7d4c3e68392b78417867dfcbaa41f

SHA256
d0a86b39b06741b3628211a5740d9b5a4719cd75b8876967776d6e4d433cf41d

SHA512
25bfa6cec4897094165d99fa888796897510c0ecaa05fae2992b469a7e035832b0c68789b9ca16e84a86cc09278a814539fdc5ec0b89f5efd66e61628cc165e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\sqlite3.dll

Filesize
608KB

MD5
20eb3b9f1713fc51d7b5fc7847786963

SHA1
d74ac2a3eaa387bd6698289a74622f0e7c2eb65d

SHA256
6edb12716ffbbbb17a5414c9366d66ebfdb172981261f7ca5be57cc81de57ebc

SHA512
7b566c98b1de0037ca0e3fb92a4e7b7338ed474a7e07789c544fc652cd24cff0c5c5b0856d4c95bbe46b59cdd942df49fa8a9322cdfa2777c148a9db805ed0f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tcl86t.dll

Filesize
673KB

MD5
ee0ccbc5fcf0a48d31781e0b9bd31d78

SHA1
47089554b09ebe092ef1497aa2e4b55ac07664ff

SHA256
461585787e1171c4c2ab234e55a23d9e92d79786122b2a6359a429399250fecc

SHA512
bebb9ff3b1c7e9e5edf2baa85d6d8cef5f47453561bf1e7cc7ccfd991ca14178563c5725a54f3ba1be916a6eaccce0b3d110d35234e35a422b04181bebf04206

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk86t.dll

Filesize
620KB

MD5
3b6ebced3b05ae5edadc3bc084c133d7

SHA1
1614f4af5537f25b18912327fcc4fc18295a5fe9

SHA256
5bfa32d877dfa4567a7b668cb25d52c328ab33fa1fc9f51ad6d248ca77af8c9a

SHA512
07e06344acf293d8c7d325e5f240d1784d9d715f491645f47066229ed2ca6773f2173155d508cbb7ca1ae72477b0518152ca4700da244c077d1e1e46e3ab2e0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\unicodedata.pyd

Filesize
293KB

MD5
dbd7fc132fc99e953dffc746d996bc0d

SHA1
b8dfa120d81a6ec16bd152f84defbb3e2778f30b

SHA256
c2a740708514d5be94e69db82a82c82df7fc82cee4bd066249d6adce833a8656

SHA512
ce4fa63de7abbef0b28f6fe80fcff64211c650695a7f54eb1a3bb9fd8d8d11174e2ffc9c34b7e8176b4d6cac1eadff3e25e4be1d58e9646f546b3b2afa3f7721

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\win32\win32api.pyd

Filesize
48KB

MD5
d054b5a8a6f8cbcb6e3d339cc5b4fe97

SHA1
410c291809844c411324b5935b3dd11b1a718fe4

SHA256
03d2f3a3a0ed71a3a929c44aa6cd3cbd6543e9c1a490aa1ce079dacff7f7dfe5

SHA512
004b51f3c11a2571fa62f8d8601351f8529125c5e5b2ebcd816aa5295c2d0b133edad7778d7f22d722e6f8a5e09391ae4e37eb5dfb86887cb7ba322b75ed686b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\zlib1.dll

Filesize
52KB

MD5
7ec6cb7d2b2abe92446de11d6485ebbc

SHA1
972a44c57865a3247f0d7d17c932ea25de336cdd

SHA256
5ec6e34c0e0ee5e09a87802f305531e34e3d0c7166ed751d82766a7b9fcd4176

SHA512
c09ceea5eab2e368cc9d7872985556a513bc9a31d5f289d81aa81c13b3a8c6381b8efd5a731beb80d76df4b480518334bd8641b423b99ebce43ddf01d128cf20

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_igla2ydm.upl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/464-1361-0x00007FF912FF0000-0x00007FF91301E000-memory.dmp

Filesize
184KB

Download
memory/464-1390-0x00007FF912FC0000-0x00007FF912FEE000-memory.dmp

Filesize
184KB

Download
memory/464-1355-0x00007FF922140000-0x00007FF92214D000-memory.dmp

Filesize
52KB

Download
memory/464-1354-0x00007FF921900000-0x00007FF92190D000-memory.dmp

Filesize
52KB

Download
memory/464-1349-0x00007FF9219C0000-0x00007FF9219D9000-memory.dmp

Filesize
100KB

Download
memory/464-1347-0x00007FF922060000-0x00007FF92208D000-memory.dmp

Filesize
180KB

Download
memory/464-1308-0x00007FF922F00000-0x00007FF922F19000-memory.dmp

Filesize
100KB

Download
memory/464-1304-0x00007FF926380000-0x00007FF92638F000-memory.dmp

Filesize
60KB

Download
memory/464-1302-0x00007FF922F20000-0x00007FF922F44000-memory.dmp

Filesize
144KB

Download
memory/464-1293-0x00007FF911910000-0x00007FF911EF8000-memory.dmp

Filesize
5.9MB

Download
memory/464-1289-0x00007FF701EC0000-0x00007FF701F29000-memory.dmp

Filesize
420KB

Download
memory/464-1547-0x00007FF922F20000-0x00007FF922F44000-memory.dmp

Filesize
144KB

Download
memory/464-1546-0x00007FF911910000-0x00007FF911EF8000-memory.dmp

Filesize
5.9MB

Download
memory/464-1362-0x00007FF912240000-0x00007FF9122FC000-memory.dmp

Filesize
752KB

Download
memory/464-1471-0x00007FF910A10000-0x00007FF910A24000-memory.dmp

Filesize
80KB

Download
memory/464-1366-0x00007FF911910000-0x00007FF911EF8000-memory.dmp

Filesize
5.9MB

Download
memory/464-1367-0x00007FF912F60000-0x00007FF912F8B000-memory.dmp

Filesize
172KB

Download
memory/464-1369-0x00007FF912FC0000-0x00007FF912FEE000-memory.dmp

Filesize
184KB

Download
memory/464-1368-0x00007FF701EC0000-0x00007FF701F29000-memory.dmp

Filesize
420KB

Download
memory/464-1370-0x00007FF912180000-0x00007FF912238000-memory.dmp

Filesize
736KB

Download
memory/464-1371-0x00007FF911590000-0x00007FF911905000-memory.dmp

Filesize
3.5MB

Download
memory/464-1372-0x00007FF912FA0000-0x00007FF912FB2000-memory.dmp

Filesize
72KB

Download
memory/464-1373-0x00007FF912F40000-0x00007FF912F51000-memory.dmp

Filesize
68KB

Download
memory/464-1374-0x00007FF911310000-0x00007FF911588000-memory.dmp

Filesize
2.5MB

Download
memory/464-1469-0x00007FF910E10000-0x00007FF910E1F000-memory.dmp

Filesize
60KB

Download
memory/464-1376-0x00007FF91D770000-0x00007FF91D785000-memory.dmp

Filesize
84KB

Download
memory/464-1377-0x00007FF922F20000-0x00007FF922F44000-memory.dmp

Filesize
144KB

Download
memory/464-1378-0x00007FF912160000-0x00007FF912176000-memory.dmp

Filesize
88KB

Download
memory/464-1379-0x00007FF912140000-0x00007FF912155000-memory.dmp

Filesize
84KB

Download
memory/464-1380-0x00007FF921850000-0x00007FF92185F000-memory.dmp

Filesize
60KB

Download
memory/464-1381-0x00007FF9219C0000-0x00007FF9219D9000-memory.dmp

Filesize
100KB

Download
memory/464-1382-0x00007FF91AE50000-0x00007FF91AE5C000-memory.dmp

Filesize
48KB

Download
memory/464-1383-0x00007FF912120000-0x00007FF912131000-memory.dmp

Filesize
68KB

Download
memory/464-1384-0x00007FF918D00000-0x00007FF918D0E000-memory.dmp

Filesize
56KB

Download
memory/464-1385-0x00007FF912100000-0x00007FF91211B000-memory.dmp

Filesize
108KB

Download
memory/464-1386-0x00007FF912240000-0x00007FF9122FC000-memory.dmp

Filesize
752KB

Download
memory/464-1387-0x00007FF9112F0000-0x00007FF911305000-memory.dmp

Filesize
84KB

Download
memory/464-1389-0x00007FF911280000-0x00007FF911296000-memory.dmp

Filesize
88KB

Download
memory/464-1388-0x00007FF9112A0000-0x00007FF9112E4000-memory.dmp

Filesize
272KB

Download
memory/464-1353-0x00007FF921980000-0x00007FF9219B5000-memory.dmp

Filesize
212KB

Download
memory/464-1391-0x00007FF912180000-0x00007FF912238000-memory.dmp

Filesize
736KB

Download
memory/464-1392-0x00007FF911590000-0x00007FF911905000-memory.dmp

Filesize
3.5MB

Download
memory/464-1394-0x00007FF911160000-0x00007FF911174000-memory.dmp

Filesize
80KB

Download
memory/464-1393-0x00007FF911310000-0x00007FF911588000-memory.dmp

Filesize
2.5MB

Download
memory/464-1395-0x0000000068B40000-0x0000000068B81000-memory.dmp

Filesize
260KB

Download
memory/464-1396-0x000000006A880000-0x000000006A8AB000-memory.dmp

Filesize
172KB

Download
memory/464-1397-0x00007FF911140000-0x00007FF911151000-memory.dmp

Filesize
68KB

Download
memory/464-1398-0x00007FF912F40000-0x00007FF912F51000-memory.dmp

Filesize
68KB

Download
memory/464-1399-0x00007FF912F00000-0x00007FF912F0E000-memory.dmp

Filesize
56KB

Download
memory/464-1400-0x0000000062E80000-0x0000000062EA8000-memory.dmp

Filesize
160KB

Download
memory/464-1401-0x00007FF9120F0000-0x00007FF9120FE000-memory.dmp

Filesize
56KB

Download
memory/464-1402-0x00007FF911070000-0x00007FF91107F000-memory.dmp

Filesize
60KB

Download
memory/464-1403-0x00007FF911060000-0x00007FF91106E000-memory.dmp

Filesize
56KB

Download
memory/464-1404-0x00007FF911030000-0x00007FF911046000-memory.dmp

Filesize
88KB

Download
memory/464-1405-0x00007FF911050000-0x00007FF91105E000-memory.dmp

Filesize
56KB

Download
memory/464-1406-0x00007FF911020000-0x00007FF911030000-memory.dmp

Filesize
64KB

Download
memory/464-1407-0x00007FF911000000-0x00007FF911015000-memory.dmp

Filesize
84KB

Download
memory/464-1408-0x00007FF9112A0000-0x00007FF9112E4000-memory.dmp

Filesize
272KB

Download
memory/464-1409-0x00007FF910FE0000-0x00007FF910FF7000-memory.dmp

Filesize
92KB

Download
memory/464-1410-0x00007FF910FD0000-0x00007FF910FDF000-memory.dmp

Filesize
60KB

Download
memory/464-1411-0x0000000068B40000-0x0000000068B81000-memory.dmp

Filesize
260KB

Download
memory/464-1412-0x000000006A880000-0x000000006A8AB000-memory.dmp

Filesize
172KB

Download
memory/464-1413-0x00007FF910E40000-0x00007FF910FC6000-memory.dmp

Filesize
1.5MB

Download
memory/464-1416-0x00007FF910E10000-0x00007FF910E1F000-memory.dmp

Filesize
60KB

Download
memory/464-1415-0x00007FF912F00000-0x00007FF912F0E000-memory.dmp

Filesize
56KB

Download
memory/464-1414-0x00007FF911140000-0x00007FF911151000-memory.dmp

Filesize
68KB

Download
memory/464-1423-0x00007FF701EC0000-0x00007FF701F29000-memory.dmp

Filesize
420KB

Download
memory/464-1424-0x00007FF911910000-0x00007FF911EF8000-memory.dmp

Filesize
5.9MB

Download
memory/464-1442-0x00007FF911310000-0x00007FF911588000-memory.dmp

Filesize
2.5MB

Download
memory/464-1444-0x00007FF912140000-0x00007FF912155000-memory.dmp

Filesize
84KB

Download
memory/464-1467-0x00007FF910FD0000-0x00007FF910FDF000-memory.dmp

Filesize
60KB

Download
memory/464-1465-0x00007FF911000000-0x00007FF911015000-memory.dmp

Filesize
84KB

Download
memory/2564-1375-0x00007FF701EC0000-0x00007FF701F29000-memory.dmp

Filesize
420KB

Download
memory/2564-795-0x00007FF701EC0000-0x00007FF701F29000-memory.dmp

Filesize
420KB

Download
memory/2564-0-0x00007FF701EC0000-0x00007FF701F29000-memory.dmp

Filesize
420KB

Download
memory/2564-1249-0x00007FF701EC0000-0x00007FF701F29000-memory.dmp

Filesize
420KB

Download
memory/2564-620-0x00007FF701EC0000-0x00007FF701F29000-memory.dmp

Filesize
420KB

Download