add7c0120951d2c7b0ccde90ac3590bd1e6749c9fb2f8b1662d4049bbef14880

Resubmissions

29-06-2024 18:23

240629-w1fqmssgpb 10

29-06-2024 18:20

29-06-2024 18:17

29-06-2024 18:06

29-06-2024 17:59

Analysis

max time kernel
93s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

main.exe
Size

19.5MB
MD5

d9d8f69e5c86b8d05aa4bdd5b0d3f468
SHA1

5553a5dce8d4d6fa8f54c018e57ef97bd75a4043
SHA256

add7c0120951d2c7b0ccde90ac3590bd1e6749c9fb2f8b1662d4049bbef14880
SHA512

738ffa0ee138433ea3a201f5095167a15b5ef6a592b80b13d9a7c48f12260d3366a8406deaa39af392c1267152f68fa734333870d8aaaacd2b7636b22b61667d
SSDEEP

393216:7u7L/1a/vUIYlDfDg8Qic65FMagxbyJ6ZjfyU3aEJ:7CLdaelb08Q9wMaMNfL3

Score

7^/10

persistence privilege_escalation pyinstaller spyware stealer

Malware Config

Signatures

Loads dropped DLL 64 IoCs

Processes:

main.exemain.exe

pid	process
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
5040	main.exe
2820	main.exe
2820	main.exe
2820	main.exe
2820	main.exe
2820	main.exe
2820	main.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\empyrean = "C:\\Users\\Admin\\AppData\\Roaming\\empyrean\\run.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\empyrean = "C:\\Users\\Admin\\AppData\\Roaming\\empyrean\\run.bat"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

5 discord.com
8 raw.githubusercontent.com
30 discord.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ipapi.co
27 ipapi.co

flow	ioc
5	discord.com
8	raw.githubusercontent.com
30	discord.com

flow	ioc
2	ipapi.co
27	ipapi.co

Drops file in System32 directory 7 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	svchost.exe
File created	C:\Windows\system32\NDF\{D9CC4505-41C9-41DD-A353-09BE05256290}-temp-06292024-1822.etl	svchost.exe
File opened for modification	C:\Windows\system32\NDF\{D9CC4505-41C9-41DD-A353-09BE05256290}-temp-06292024-1822.etl	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.chk	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.log	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.dat	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.jfm	svchost.exe

Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk svchost.exe
Detects Pyinstaller 1 IoCs
pyinstaller

Processes:

resource yara_rule

C:\Users\Admin\AppData\Roaming\empyrean\dat.txt pyinstaller

description	ioc	process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk	svchost.exe

resource	yara_rule
C:\Users\Admin\AppData\Roaming\empyrean\dat.txt	pyinstaller

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

4736 ipconfig.exe

pid	process
4736	ipconfig.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

svchost.exesvchost.exechrome.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133641589252402110"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\RAS AutoDial	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\RAS AutoDial\Default	svchost.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exe

pid process

2956 reg.exe
3428 reg.exe
3932 reg.exe
4104 reg.exe
Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

main.exechrome.exesdiagnhost.exesvchost.exemain.exe

pid process

5040 main.exe
5040 main.exe
5040 main.exe
5040 main.exe
2108 chrome.exe
2108 chrome.exe
4980 sdiagnhost.exe
1384 svchost.exe
1384 svchost.exe
2820 main.exe
2820 main.exe
2820 main.exe
2820 main.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

chrome.exe

pid process

2108 chrome.exe
2108 chrome.exe
2108 chrome.exe
2108 chrome.exe
2108 chrome.exe
2108 chrome.exe

pid	process
2956	reg.exe
3428	reg.exe
3932	reg.exe
4104	reg.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

main.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	5040	main.exe
Token: SeIncreaseQuotaPrivilege	728	WMIC.exe
Token: SeSecurityPrivilege	728	WMIC.exe
Token: SeTakeOwnershipPrivilege	728	WMIC.exe
Token: SeLoadDriverPrivilege	728	WMIC.exe
Token: SeSystemProfilePrivilege	728	WMIC.exe
Token: SeSystemtimePrivilege	728	WMIC.exe
Token: SeProfSingleProcessPrivilege	728	WMIC.exe
Token: SeIncBasePriorityPrivilege	728	WMIC.exe
Token: SeCreatePagefilePrivilege	728	WMIC.exe
Token: SeBackupPrivilege	728	WMIC.exe
Token: SeRestorePrivilege	728	WMIC.exe
Token: SeShutdownPrivilege	728	WMIC.exe
Token: SeDebugPrivilege	728	WMIC.exe
Token: SeSystemEnvironmentPrivilege	728	WMIC.exe
Token: SeRemoteShutdownPrivilege	728	WMIC.exe
Token: SeUndockPrivilege	728	WMIC.exe
Token: SeManageVolumePrivilege	728	WMIC.exe
Token: 33	728	WMIC.exe
Token: 34	728	WMIC.exe
Token: 35	728	WMIC.exe
Token: 36	728	WMIC.exe
Token: SeIncreaseQuotaPrivilege	728	WMIC.exe
Token: SeSecurityPrivilege	728	WMIC.exe
Token: SeTakeOwnershipPrivilege	728	WMIC.exe
Token: SeLoadDriverPrivilege	728	WMIC.exe
Token: SeSystemProfilePrivilege	728	WMIC.exe
Token: SeSystemtimePrivilege	728	WMIC.exe
Token: SeProfSingleProcessPrivilege	728	WMIC.exe
Token: SeIncBasePriorityPrivilege	728	WMIC.exe
Token: SeCreatePagefilePrivilege	728	WMIC.exe
Token: SeBackupPrivilege	728	WMIC.exe
Token: SeRestorePrivilege	728	WMIC.exe
Token: SeShutdownPrivilege	728	WMIC.exe
Token: SeDebugPrivilege	728	WMIC.exe
Token: SeSystemEnvironmentPrivilege	728	WMIC.exe
Token: SeRemoteShutdownPrivilege	728	WMIC.exe
Token: SeUndockPrivilege	728	WMIC.exe
Token: SeManageVolumePrivilege	728	WMIC.exe
Token: 33	728	WMIC.exe
Token: 34	728	WMIC.exe
Token: 35	728	WMIC.exe
Token: 36	728	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5028	WMIC.exe
Token: SeSecurityPrivilege	5028	WMIC.exe
Token: SeTakeOwnershipPrivilege	5028	WMIC.exe
Token: SeLoadDriverPrivilege	5028	WMIC.exe
Token: SeSystemProfilePrivilege	5028	WMIC.exe
Token: SeSystemtimePrivilege	5028	WMIC.exe
Token: SeProfSingleProcessPrivilege	5028	WMIC.exe
Token: SeIncBasePriorityPrivilege	5028	WMIC.exe
Token: SeCreatePagefilePrivilege	5028	WMIC.exe
Token: SeBackupPrivilege	5028	WMIC.exe
Token: SeRestorePrivilege	5028	WMIC.exe
Token: SeShutdownPrivilege	5028	WMIC.exe
Token: SeDebugPrivilege	5028	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5028	WMIC.exe
Token: SeRemoteShutdownPrivilege	5028	WMIC.exe
Token: SeUndockPrivilege	5028	WMIC.exe
Token: SeManageVolumePrivilege	5028	WMIC.exe
Token: 33	5028	WMIC.exe
Token: 34	5028	WMIC.exe
Token: 35	5028	WMIC.exe
Token: 36	5028	WMIC.exe

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

chrome.exemsdt.exe

pid	process
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
772	msdt.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

main.exemain.execmd.execmd.execmd.execmd.execmd.exechrome.exe

description	pid	process	target process
PID 992 wrote to memory of 5040	992	main.exe	main.exe
PID 992 wrote to memory of 5040	992	main.exe	main.exe
PID 5040 wrote to memory of 2756	5040	main.exe	cmd.exe
PID 5040 wrote to memory of 2756	5040	main.exe	cmd.exe
PID 5040 wrote to memory of 2152	5040	main.exe	cmd.exe
PID 5040 wrote to memory of 2152	5040	main.exe	cmd.exe
PID 2152 wrote to memory of 3932	2152	cmd.exe	reg.exe
PID 2152 wrote to memory of 3932	2152	cmd.exe	reg.exe
PID 5040 wrote to memory of 3912	5040	main.exe	cmd.exe
PID 5040 wrote to memory of 3912	5040	main.exe	cmd.exe
PID 3912 wrote to memory of 4104	3912	cmd.exe	reg.exe
PID 3912 wrote to memory of 4104	3912	cmd.exe	reg.exe
PID 5040 wrote to memory of 1984	5040	main.exe	cmd.exe
PID 5040 wrote to memory of 1984	5040	main.exe	cmd.exe
PID 1984 wrote to memory of 728	1984	cmd.exe	WMIC.exe
PID 1984 wrote to memory of 728	1984	cmd.exe	WMIC.exe
PID 5040 wrote to memory of 5076	5040	main.exe	cmd.exe
PID 5040 wrote to memory of 5076	5040	main.exe	cmd.exe
PID 5076 wrote to memory of 5028	5076	cmd.exe	WMIC.exe
PID 5076 wrote to memory of 5028	5076	cmd.exe	WMIC.exe
PID 5040 wrote to memory of 4596	5040	main.exe	cmd.exe
PID 5040 wrote to memory of 4596	5040	main.exe	cmd.exe
PID 4596 wrote to memory of 5036	4596	cmd.exe	WMIC.exe
PID 4596 wrote to memory of 5036	4596	cmd.exe	WMIC.exe
PID 2108 wrote to memory of 4564	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 4564	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 4920	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 4920	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 4920	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 4920	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 4920	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 4920	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 4920	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 4920	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 4920	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 4920	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 4920	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 4920	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 4920	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 4920	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 4920	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 4920	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 4920	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 4920	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 4920	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 4920	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 4920	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 4920	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 4920	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 4920	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 4920	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 4920	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 4920	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 4920	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 4920	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 4920	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 4920	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 3644	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 3644	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 3900	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 3900	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 3900	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 3900	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 3900	2108	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:992

C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
3⤵
PID:2756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f"
3⤵
- Suspicious use of WriteProcessMemory
PID:2152

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f
4⤵
- Modifies registry key
PID:3932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f"
3⤵
- Suspicious use of WriteProcessMemory
PID:3912

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f
4⤵
- Adds Run key to start application
- Modifies registry key
PID:4104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
3⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
3⤵
- Suspicious use of WriteProcessMemory
PID:5076

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
3⤵
- Suspicious use of WriteProcessMemory
PID:4596

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
4⤵
PID:5036

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff841f5ab58,0x7ff841f5ab68,0x7ff841f5ab78
2⤵
PID:4564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=2060,i,5034570575236085821,14204606830498613155,131072 /prefetch:2
2⤵
PID:4920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1812 --field-trial-handle=2060,i,5034570575236085821,14204606830498613155,131072 /prefetch:8
2⤵
PID:3644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2188 --field-trial-handle=2060,i,5034570575236085821,14204606830498613155,131072 /prefetch:8
2⤵
PID:3900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=2060,i,5034570575236085821,14204606830498613155,131072 /prefetch:1
2⤵
PID:4204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=2060,i,5034570575236085821,14204606830498613155,131072 /prefetch:1
2⤵
PID:4016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4256 --field-trial-handle=2060,i,5034570575236085821,14204606830498613155,131072 /prefetch:1
2⤵
PID:2308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4544 --field-trial-handle=2060,i,5034570575236085821,14204606830498613155,131072 /prefetch:1
2⤵
PID:3956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 --field-trial-handle=2060,i,5034570575236085821,14204606830498613155,131072 /prefetch:8
2⤵
PID:5048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 --field-trial-handle=2060,i,5034570575236085821,14204606830498613155,131072 /prefetch:8
2⤵
PID:2276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4712 --field-trial-handle=2060,i,5034570575236085821,14204606830498613155,131072 /prefetch:1
2⤵
PID:1124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3168 --field-trial-handle=2060,i,5034570575236085821,14204606830498613155,131072 /prefetch:1
2⤵
PID:2760

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1580

C:\Windows\System32\msdt.exe
"C:\Windows\System32\msdt.exe" -skip TRUE -id NetworkDiagnosticsNetworkAdapter -ep NetworkDiagnosticsPNI
1⤵
- Suspicious use of FindShellTrayWindow
PID:772

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4980

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter AdapterGuid={EA9541AF-7146-4529-80BA-F1A9AD00DFE1}
2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:4436

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter AdapterGuid={EA9541AF-7146-4529-80BA-F1A9AD00DFE1}
2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:4724

C:\Windows\system32\ipconfig.exe
"C:\Windows\system32\ipconfig.exe" /all
2⤵
- Gathers network information
PID:4736

C:\Windows\system32\ROUTE.EXE
"C:\Windows\system32\ROUTE.EXE" print
2⤵
PID:1584

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddf
2⤵
PID:1824

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1384

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4168

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
1⤵
PID:3592

C:\Users\Admin\Desktop\main.exe
"C:\Users\Admin\Desktop\main.exe"
1⤵
PID:5048

C:\Users\Admin\Desktop\main.exe
"C:\Users\Admin\Desktop\main.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
3⤵
PID:372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f"
3⤵
PID:4764

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f
4⤵
- Modifies registry key
PID:2956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f"
3⤵
PID:2368

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f
4⤵
- Adds Run key to start application
- Modifies registry key
PID:3428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
3⤵
PID:4052

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
4⤵
PID:4064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
3⤵
PID:444

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
4⤵
PID:824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
3⤵
PID:4924

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
4⤵
PID:4856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:4912

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\1612347604\2024062918.000\NetworkDiagnostics.debugreport.xml
Filesize
205KB

MD5
c928ae7957a6c23ecbc083723fefefa1

SHA1
1808827d5ec6accce52ba00f20e30372d7260409

SHA256
8acbe9bb8a21d437a4f21cf6081b8ac3dc4dfed479064cefd81389e40ff96575

SHA512
71f7821d591bb42ccbb16f09b726ee3d63aefd835d5553dc8edb41e41fd9d7433272f71ad26824f4b162f1a71894f8d45c6b75a4c0365f06884683e72a4c6d54

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\1612347604\2024062918.000\results.xsl
Filesize
47KB

MD5
310e1da2344ba6ca96666fb639840ea9

SHA1
e8694edf9ee68782aa1de05470b884cc1a0e1ded

SHA256
67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

SHA512
62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
811B

MD5
0b020589898816ed2e4067c8dc27b42e

SHA1
8223e3f8914aaa0a80d88a60994d11c5357a63c0

SHA256
8e9efa95a04385049964096bf2427fa74844d7a1496206aa696f996e8b949db1

SHA512
b765ab207ea6f15b75666539988ad4d4aebd82f340e89412122ea3c23544b131a56affb9fcc82706f49a59653f87615105452af377057ac418d40e11e50548c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
55d4dde1be90759ca7bf8b1da03a456b

SHA1
01e7d5a6e396758397426e71e741cdce922003c1

SHA256
73c044dc29a7d74a06d3841a55d4d802a3655994c743239bb00388fb708f7f39

SHA512
ecf4081e8a0d2598186c52a5c7b12e3105a6b1904d98c435335051b0d9184bcbb12fc05d7abd3ef78ee80822ee3d67876b39284d1ca0afe22922044d5ff66326

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
ba3aa2f5f6a1276a6472a50fb954cfa1

SHA1
45c8810ae62a9354b14cb42e8c5e62341b2c0f2d

SHA256
41970375b9d7be95bda3bc90e17f164c0da21c9029c7ecee8f572f4ee2a06c21

SHA512
b29138f1944fc41bfc78d19e615554e04b904e77a615019faa8ed97fce6870b8503cc9aa41327694e1f5d2fa556de1035bcd49636799b437eb47a46d6ba07f43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
d37fc204216524699d694dbf4fa983c7

SHA1
c1cda01f44adf2a6d5c2e03f251cc45e1a8ba113

SHA256
774a62344cf5fb286c59116987de734e9f4b5fa669b658177d1db634387cceeb

SHA512
c770ce29b0a363bdf022c2e0c7711f595880908be5c4c887d5c14009a41f87c8d4143f751177b5ea858e8670940a438b62a7483475ee4e7906f988c229710fd1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
530d89bdda1c3c5d73ac37164085a33c

SHA1
2a83d4b1162fbfae5508eea8d58a6161cc2a89a2

SHA256
5cc1fc1879536b15ae988c2c55a9f5c4a85172561a1404cf4c2fb705bc688c4b

SHA512
c1dc39b85bb95bc60e3a4a1db7406e103be68aac04f516177e74868c1c71e81e2e0f9ce694d55f09b4bd92789e26c3b13ec828eef5f38d94d911f3bfe29a4dc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\attrs-23.1.0.dist-info\INSTALLER
Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9922\Crypto\Cipher\_raw_cbc.pyd
Filesize
12KB

MD5
a1b78a3ce3165e90957880b8724d944f

SHA1
a69f63cc211e671a08daad7a66ed0b05f8736cc7

SHA256
84e071321e378054b6d3b56bbd66699e36554f637a44728b38b96a31199dfa69

SHA512
15847386652cbee378d0ff6aad0a3fe0d0c6c7f1939f764f86c665f3493b4bccaf98d7a29259e94ed197285d9365b9d6e697b010aff3370cf857b8cb4106d7d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9922\Crypto\Cipher\_raw_cfb.pyd
Filesize
13KB

MD5
0dca79c062f2f800132cf1748a8e147f

SHA1
91f525b8ca0c0db245c4d3fa4073541826e8fb89

SHA256
2a63e504c8aa4d291bbd8108f26eecde3dcd9bfba579ae80b777ff6dfec5e922

SHA512
a820299fba1d0952a00db78b92fb7d68d77c427418388cc67e3a37dc87b1895d9ae416cac32b859d11d21a07a8f4cef3bd26ebb06cc39f04ad5e60f8692c659b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9922\Crypto\Cipher\_raw_ecb.pyd
Filesize
10KB

MD5
aec314222600ade3d96b6dc33af380a6

SHA1
c6af3edadb09ea3a56048b57237c0a2dca33bee1

SHA256
ea96505b38d27c085544fb129f2b0e00df5020d323d7853e6a6a8645ac785304

SHA512
bbc00aa7fdf178bb6b2d86419c31967f2bc32d157aa7ee3ac308c28d8bf4823c1fafcde6c91651edc05c146e44d7e59e02a76283890652b27c52f509c3b9ef9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9922\Crypto\Cipher\_raw_ofb.pyd
Filesize
12KB

MD5
4ed6d4b1b100384d13f25dfa3737fb78

SHA1
852a2f76c853db02e65512af35f5b4b4a2346abd

SHA256
084e4b2da2180ad2a2e96e8804a6f2fc37bce6349eb8a5f6b182116b4d04bd82

SHA512
276201a9bcb9f88f4bbac0cd9e3ea2da83e0fb4854b1a0dd63cff2af08af3883be34af6f06ece32fad2fd4271a0a09a3b576f1ed78b8a227d13c04a07eaf0827

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9922\VCRUNTIME140.dll
Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9922\VCRUNTIME140_1.dll
Filesize
36KB

MD5
135359d350f72ad4bf716b764d39e749

SHA1
2e59d9bbcce356f0fece56c9c4917a5cacec63d7

SHA256
34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32

SHA512
cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9922\_bz2.pyd
Filesize
81KB

MD5
86d1b2a9070cd7d52124126a357ff067

SHA1
18e30446fe51ced706f62c3544a8c8fdc08de503

SHA256
62173a8fadd4bf4dd71ab89ea718754aa31620244372f0c5bbbae102e641a60e

SHA512
7db4b7e0c518a02ae901f4b24e3860122acc67e38e73f98f993fe99eb20bb3aa539db1ed40e63d6021861b54f34a5f5a364907ffd7da182adea68bbdd5c2b535

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9922\_ctypes.pyd
Filesize
120KB

MD5
1635a0c5a72df5ae64072cbb0065aebe

SHA1
c975865208b3369e71e3464bbcc87b65718b2b1f

SHA256
1ea3dd3df393fa9b27bf6595be4ac859064cd8ef9908a12378a6021bba1cb177

SHA512
6e34346ea8a0aacc29ccd480035da66e280830a7f3d220fd2f12d4cfa3e1c03955d58c0b95c2674aea698a36a1b674325d3588483505874c2ce018135320ff99

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9922\_decimal.pyd
Filesize
248KB

MD5
20c77203ddf9ff2ff96d6d11dea2edcf

SHA1
0d660b8d1161e72c993c6e2ab0292a409f6379a5

SHA256
9aac010a424c757c434c460c3c0a6515d7720966ab64bad667539282a17b4133

SHA512
2b24346ece2cbd1e9472a0e70768a8b4a5d2c12b3d83934f22ebdc9392d9023dcb44d2322ada9edbe2eb0e2c01b5742d2a83fa57ca23054080909ec6eb7cf3ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9922\_hashlib.pyd
Filesize
63KB

MD5
d4674750c732f0db4c4dd6a83a9124fe

SHA1
fd8d76817abc847bb8359a7c268acada9d26bfd5

SHA256
caa4d2f8795e9a55e128409cc016e2cc5c694cb026d7058fc561e4dd131ed1c9

SHA512
97d57cfb80dd9dd822f2f30f836e13a52f771ee8485bc0fd29236882970f6bfbdfaac3f2e333bba5c25c20255e8c0f5ad82d8bc8a6b6e2f7a07ea94a9149c81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9922\_lzma.pyd
Filesize
154KB

MD5
7447efd8d71e8a1929be0fac722b42dc

SHA1
6080c1b84c2dcbf03dcc2d95306615ff5fce49a6

SHA256
60793c8592193cfbd00fd3e5263be4315d650ba4f9e4fda9c45a10642fd998be

SHA512
c6295d45ed6c4f7534c1a38d47ddc55fea8b9f62bbdc0743e4d22e8ad0484984f8ab077b73e683d0a92d11bf6588a1ae395456cfa57da94bb2a6c4a1b07984de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9922\_queue.pyd
Filesize
30KB

MD5
d8c1b81bbc125b6ad1f48a172181336e

SHA1
3ff1d8dcec04ce16e97e12263b9233fbf982340c

SHA256
925f05255f4aae0997dc4ec94d900fd15950fd840685d5b8aa755427c7422b14

SHA512
ccc9f0d3aca66729832f26be12f8e7021834bbee1f4a45da9451b1aa5c2e63126c0031d223af57cf71fad2c85860782a56d78d8339b35720194df139076e0772

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9922\_socket.pyd
Filesize
77KB

MD5
819166054fec07efcd1062f13c2147ee

SHA1
93868ebcd6e013fda9cd96d8065a1d70a66a2a26

SHA256
e6deb751039cd5424a139708475ce83f9c042d43e650765a716cb4a924b07e4f

SHA512
da3a440c94cb99b8af7d2bc8f8f0631ae9c112bd04badf200edbf7ea0c48d012843b4a9fb9f1e6d3a9674fd3d4eb6f0fa78fd1121fad1f01f3b981028538b666

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9922\_sqlite3.pyd
Filesize
96KB

MD5
5279d497eee4cf269d7b4059c72b14c2

SHA1
aff2f5de807ae03e599979a1a5c605fc4bad986e

SHA256
b298a44af162be7107fd187f04b63fb3827f1374594e22910ec38829da7a12dc

SHA512
20726fc5b46a6d07a3e58cdf1bed821db57ce2d9f5bee8cfd59fce779c8d5c4b517d3eb70cd2a0505e48e465d628a674d18030a909f5b73188d07cc80dcda925

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9922\_ssl.pyd
Filesize
156KB

MD5
7910fb2af40e81bee211182cffec0a06

SHA1
251482ed44840b3c75426dd8e3280059d2ca06c6

SHA256
d2a7999e234e33828888ad455baa6ab101d90323579abc1095b8c42f0f723b6f

SHA512
bfe6506feb27a592fe9cf1db7d567d0d07f148ef1a2c969f1e4f7f29740c6bb8ccf946131e65fe5aa8ede371686c272b0860bd4c0c223195aaa1a44f59301b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9922\_uuid.pyd
Filesize
24KB

MD5
b68c98113c8e7e83af56ba98ff3ac84a

SHA1
448938564559570b269e05e745d9c52ecda37154

SHA256
990586f2a2ba00d48b59bdd03d3c223b8e9fb7d7fab6d414bac2833eb1241ca2

SHA512
33c69199cba8e58e235b96684346e748a17cc7f03fc068cfa8a7ec7b5f9f6fa90d90b5cdb43285abf8b4108e71098d4e87fb0d06b28e2132357964b3eea3a4f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9922\base_library.zip
Filesize
812KB

MD5
678d03034d0a29770e881bcb5ce31720

SHA1
a55befcf5cd76ceb98719bafc0e3dfb20c0640e3

SHA256
9c0e49af57460f5a550044ff40436615d848616b87cff155fcad0a7d609fd3cb

SHA512
19a6e2dc2df81ffc4f9af19df0a75cf2531ba1002dca00cd1e60bdc58ede08747dafa3778ab78781a88c93a3ece4e5a46c5676250ed624f70d8a38af2c75395f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9922\charset_normalizer\md.cp310-win_amd64.pyd
Filesize
10KB

MD5
f33ca57d413e6b5313272fa54dbc8baa

SHA1
4e0cabe7d38fe8d649a0a497ed18d4d1ca5f4c44

SHA256
9b3d70922dcfaeb02812afa9030a40433b9d2b58bcf088781f9ab68a74d20664

SHA512
f17c06f4202b6edbb66660d68ff938d4f75b411f9fab48636c3575e42abaab6464d66cb57bce7f84e8e2b5755b6ef757a820a50c13dd5f85faa63cd553d3ff32

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9922\charset_normalizer\md__mypyc.cp310-win_amd64.pyd
Filesize
117KB

MD5
494f5b9adc1cfb7fdb919c9b1af346e1

SHA1
4a5fddd47812d19948585390f76d5435c4220e6b

SHA256
ad9bcc0de6815516dfde91bb2e477f8fb5f099d7f5511d0f54b50fa77b721051

SHA512
2c0d68da196075ea30d97b5fd853c673e28949df2b6bf005ae72fd8b60a0c036f18103c5de662cac63baaef740b65b4ed2394fcd2e6da4dfcfbeef5b64dab794

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9922\libcrypto-1_1.dll
Filesize
3.3MB

MD5
9d7a0c99256c50afd5b0560ba2548930

SHA1
76bd9f13597a46f5283aa35c30b53c21976d0824

SHA256
9b7b4a0ad212095a8c2e35c71694d8a1764cd72a829e8e17c8afe3a55f147939

SHA512
cb39aa99b9d98c735fdacf1c5ed68a4d09d11f30262b91f6aa48c3f8520eff95e499400d0ce7e280ca7a90ff6d7141d2d893ef0b33a8803a1cadb28ba9a9e3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9922\libffi-7.dll
Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9922\libssl-1_1.dll
Filesize
688KB

MD5
bec0f86f9da765e2a02c9237259a7898

SHA1
3caa604c3fff88e71f489977e4293a488fb5671c

SHA256
d74ce01319ae6f54483a19375524aa39d9f5fd91f06cf7df238ca25e043130fd

SHA512
ffbc4e5ffdb49704e7aa6d74533e5af76bbe5db297713d8e59bd296143fe5f145fbb616b343eed3c48eceaccccc2431630470d8975a4a17c37eafcc12edd19f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9922\psutil\_psutil_windows.pyd
Filesize
76KB

MD5
ebefbc98d468560b222f2d2d30ebb95c

SHA1
ee267e3a6e5bed1a15055451efcccac327d2bc43

SHA256
67c17558b635d6027ddbb781ea4e79fc0618bbec7485bd6d84b0ebcd9ef6a478

SHA512
ab9f949adfe9475b0ba8c37fa14b0705923f79c8a10b81446abc448ad38d5d55516f729b570d641926610c99df834223567c1efde166e6a0f805c9e2a35556e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9922\pyexpat.pyd
Filesize
194KB

MD5
1118c1329f82ce9072d908cbd87e197c

SHA1
c59382178fe695c2c5576dca47c96b6de4bbcffd

SHA256
4a2d59993bce76790c6d923af81bf404f8e2cb73552e320113663b14cf78748c

SHA512
29f1b74e96a95b0b777ef00448da8bd0844e2f1d8248788a284ec868ae098c774a694d234a00bd991b2d22c2372c34f762cdbd9ec523234861e39c0ca752dcaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9922\python3.dll
Filesize
64KB

MD5
fd4a39e7c1f7f07cf635145a2af0dc3a

SHA1
05292ba14acc978bb195818499a294028ab644bd

SHA256
dc909eb798a23ba8ee9f8e3f307d97755bc0d2dc0cb342cedae81fbbad32a8a9

SHA512
37d3218bc767c44e8197555d3fa18d5aad43a536cfe24ac17bf8a3084fb70bd4763ccfd16d2df405538b657f720871e0cd312dfeb7f592f3aac34d9d00d5a643

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9922\python310.dll
Filesize
4.3MB

MD5
63a1fa9259a35eaeac04174cecb90048

SHA1
0dc0c91bcd6f69b80dcdd7e4020365dd7853885a

SHA256
14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed

SHA512
896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9922\pythoncom310.dll
Filesize
653KB

MD5
65dd753f51cd492211986e7b700983ef

SHA1
f5b469ec29a4be76bc479b2219202f7d25a261e2

SHA256
c3b33ba6c4f646151aed4172562309d9f44a83858ddfd84b2d894a8b7da72b1e

SHA512
8bd505e504110e40fa4973feff2fae17edc310a1ce1dc78b6af7972efdd93348087e6f16296bfd57abfdbbe49af769178f063bb0aa1dee661c08659f47a6216d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9922\pywintypes310.dll
Filesize
131KB

MD5
ceb06a956b276cea73098d145fa64712

SHA1
6f0ba21f0325acc7cf6bf9f099d9a86470a786bf

SHA256
c8ec6429d243aef1f78969863be23d59273fa6303760a173ab36ab71d5676005

SHA512
05bab4a293e4c7efa85fa2491c32f299afd46fdb079dcb7ee2cc4c31024e01286daaf4aead5082fc1fd0d4169b2d1be589d1670fcf875b06c6f15f634e0c6f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9922\select.pyd
Filesize
29KB

MD5
a653f35d05d2f6debc5d34daddd3dfa1

SHA1
1a2ceec28ea44388f412420425665c3781af2435

SHA256
db85f2f94d4994283e1055057372594538ae11020389d966e45607413851d9e9

SHA512
5aede99c3be25b1a962261b183ae7a7fb92cb0cb866065dc9cd7bb5ff6f41cc8813d2cc9de54670a27b3ad07a33b833eaa95a5b46dad7763ca97dfa0c1ce54c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9922\sqlite3.dll
Filesize
1.4MB

MD5
914925249a488bd62d16455d156bd30d

SHA1
7e66ba53f3512f81c9014d322fcb7dd895f62c55

SHA256
fbd8832b5bc7e5c9adcf7320c051a67ee1c33fd198105283058533d132785ab4

SHA512
21a468929b15b76b313b32be65cfc50cad8f03c3b2e9bf11ca3b02c88a0482b7bc15646ce40df7fb42fbc96bd12362a54cffe0563c4ddc3fc78622622c699186

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9922\unicodedata.pyd
Filesize
1.1MB

MD5
81d62ad36cbddb4e57a91018f3c0816e

SHA1
fe4a4fc35df240b50db22b35824e4826059a807b

SHA256
1fb2d66c056f69e8bbdd8c6c910e72697874dae680264f8fb4b4df19af98aa2e

SHA512
7d15d741378e671591356dfaad4e1e03d3f5456cbdf87579b61d02a4a52ab9b6ecbffad3274cede8c876ea19eaeb8ba4372ad5986744d430a29f50b9caffb75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9922\win32api.pyd
Filesize
130KB

MD5
00e5da545c6a4979a6577f8f091e85e1

SHA1
a31a2c85e272234584dacf36f405d102d9c43c05

SHA256
ac483d60a565cc9cbf91a6f37ea516b2162a45d255888d50fbbb7e5ff12086ee

SHA512
9e4f834f56007f84e8b4ec1c16fb916e68c3baadab1a3f6b82faf5360c57697dc69be86f3c2ea6e30f95e7c32413babbe5d29422d559c99e6cf4242357a85f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mxpx32d2.jhd.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloads_db
Filesize
152KB

MD5
73bd1e15afb04648c24593e8ba13e983

SHA1
4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91

SHA256
aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b

SHA512
6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloads_db
Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Roaming\empyrean\dat.txt
Filesize
19.5MB

MD5
d9d8f69e5c86b8d05aa4bdd5b0d3f468

SHA1
5553a5dce8d4d6fa8f54c018e57ef97bd75a4043

SHA256
add7c0120951d2c7b0ccde90ac3590bd1e6749c9fb2f8b1662d4049bbef14880

SHA512
738ffa0ee138433ea3a201f5095167a15b5ef6a592b80b13d9a7c48f12260d3366a8406deaa39af392c1267152f68fa734333870d8aaaacd2b7636b22b61667d

Download Submit
C:\Users\Admin\Desktop\cards_db
Filesize
100KB

MD5
bfbf67a3ad4b5c0f7804f85d1f449a80

SHA1
110780a35d61de23b5fcb7b9e75a3ed07deb7838

SHA256
2a38ab429847061aa3c614982e801e2e7139977a227466ce5ee61fa382a2bc2e

SHA512
77bd3011b5d0074af16b93a5ab1967379a0a032bbf43c1e7b6ef205aeb27454e079c94e419bea6f7d730dc84b632e44250203a508fcdcd864ada9888381f4fdd

Download Submit
C:\Users\Admin\Desktop\cards_db
Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\Desktop\cookie_db
Filesize
20KB

MD5
42c395b8db48b6ce3d34c301d1eba9d5

SHA1
b7cfa3de344814bec105391663c0df4a74310996

SHA256
5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d

SHA512
7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

Download Submit
C:\Users\Admin\Desktop\login_db
Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\Desktop\login_db
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Windows\Temp\SDIAG_1b8f3c5d-7323-4cfd-8ea7-f9dd8199772f\DiagPackage.dll
Filesize
478KB

MD5
580dc3658fa3fe42c41c99c52a9ce6b0

SHA1
3c4be12c6e3679a6c2267f88363bbd0e6e00cac5

SHA256
5b7aa413e4a64679c550c77e6599a1c940ee947cbdf77d310e142a07a237aad2

SHA512
68c52cd7b762b8f5d2f546092ed9c4316924fa04bd3ab748ab99541a8b4e7d9aec70acf5c9594d1457ad3a2f207d0c189ec58421d4352ddbc7eae453324d13f2

Download Submit
C:\Windows\Temp\SDIAG_1b8f3c5d-7323-4cfd-8ea7-f9dd8199772f\en-US\DiagPackage.dll.mui
Filesize
17KB

MD5
44c4385447d4fa46b407fc47c8a467d0

SHA1
41e4e0e83b74943f5c41648f263b832419c05256

SHA256
8be175e8fbdae0dade54830fece6c6980d1345dbeb4a06c07f7efdb1152743f4

SHA512
191cd534e85323a4cd9649a1fc372312ed4a600f6252dffc4435793650f9dd40d0c0e615ba5eb9aa437a58af334146aac7c0ba08e0a1bf24ec4837a40f966005

Download Submit
C:\Windows\Temp\SDIAG_1b8f3c5d-7323-4cfd-8ea7-f9dd8199772f\result\D9CC4505-41C9-41DD-A353-09BE05256290.Diagnose.Admin.0.etl
Filesize
192KB

MD5
9e239a28f5eb6dc6ce22168a59c00469

SHA1
b8467ba57567ca1a032fbc8b48508f6f3edd394a

SHA256
5f51583c0103c3fdbbbea9ce011c4397108fb997f3cec6812e5b59b2fb085be8

SHA512
6aa77f9027ecf43dea692eef99858a94a15c6151bb1d73270a9c7fce2346b711ddd47609b8b4ed1f87e31bfee3b3f5ce2539978be47ddddf7189f6b1349b56ff

Download Submit
C:\Windows\Temp\SDIAG_1b8f3c5d-7323-4cfd-8ea7-f9dd8199772f\result\NetworkConfiguration.cab
Filesize
1KB

MD5
37e55d8aa08a8648f8a0a3f8654300a0

SHA1
35c6dd76dfd7b4108f87f79e3b6e5f8397c15f67

SHA256
56df1d167e0c20982819a81d32fea39fe492e77729f6fffb2de31f979d03d212

SHA512
05f0d8d89b90fe6435f3863419811aaf63714d8b1f863213b06431065fa30662c8f127624ba483a0f26b5921763231c04f20574c70695a940e9a273c0c2eca1c

Download Submit
memory/1384-788-0x000002501DC60000-0x000002501DC61000-memory.dmp

Filesize
4KB

Download
memory/1384-781-0x000002501D170000-0x000002501D180000-memory.dmp

Filesize
64KB

Download
memory/1384-784-0x000002501D1A0000-0x000002501D1B0000-memory.dmp

Filesize
64KB

Download
memory/4980-779-0x00000120A79A0000-0x00000120A79C2000-memory.dmp

Filesize
136KB

Download