add7c0120951d2c7b0ccde90ac3590bd1e6749c9fb2f8b1662d4049bbef14880

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

main.exe
Size

19.5MB
MD5

d9d8f69e5c86b8d05aa4bdd5b0d3f468
SHA1

5553a5dce8d4d6fa8f54c018e57ef97bd75a4043
SHA256

add7c0120951d2c7b0ccde90ac3590bd1e6749c9fb2f8b1662d4049bbef14880
SHA512

738ffa0ee138433ea3a201f5095167a15b5ef6a592b80b13d9a7c48f12260d3366a8406deaa39af392c1267152f68fa734333870d8aaaacd2b7636b22b61667d
SSDEEP

393216:7u7L/1a/vUIYlDfDg8Qic65FMagxbyJ6ZjfyU3aEJ:7CLdaelb08Q9wMaMNfL3

Score

7^/10

persistence pyinstaller spyware stealer

Malware Config

Signatures

Loads dropped DLL 64 IoCs

Processes:

main.exemain.exe

pid	process
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
2112	main.exe
5652	main.exe
5652	main.exe
5652	main.exe
5652	main.exe
5652	main.exe
5652	main.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\empyrean = "C:\\Users\\Admin\\AppData\\Roaming\\empyrean\\run.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\empyrean = "C:\\Users\\Admin\\AppData\\Roaming\\empyrean\\run.bat"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

5 discord.com
8 raw.githubusercontent.com
25 discord.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ipapi.co
22 ipapi.co

flow	ioc
5	discord.com
8	raw.githubusercontent.com
25	discord.com

flow	ioc
2	ipapi.co
22	ipapi.co

Drops file in System32 directory 16 IoCs

Processes:

main.exe

description	ioc	process
File created	C:\Windows\System32\login_db	main.exe
File opened for modification	C:\Windows\system32\login_db	main.exe
File opened for modification	C:\Windows\system32\cookie_db	main.exe
File opened for modification	C:\Windows\system32\downloads_db	main.exe
File opened for modification	C:\Windows\System32\login_db	main.exe
File created	C:\Windows\System32\cookie_db	main.exe
File opened for modification	C:\Windows\System32\cookie_db	main.exe
File opened for modification	C:\Windows\System32\downloads_db	main.exe
File opened for modification	C:\Windows\System32\cards_db	main.exe
File opened for modification	C:\Windows\System32\web_history_db	main.exe
File created	C:\Windows\System32\downloads_db	main.exe
File created	C:\Windows\System32\cards_db	main.exe
File created	C:\Windows\System32\vault.zip	main.exe
File created	C:\Windows\System32\web_history_db	main.exe
File opened for modification	C:\Windows\system32\web_history_db	main.exe
File opened for modification	C:\Windows\system32\cards_db	main.exe

Detects Pyinstaller 1 IoCs
pyinstaller

Processes:

resource yara_rule

C:\Users\Admin\AppData\Roaming\empyrean\dat.txt pyinstaller

resource	yara_rule
C:\Users\Admin\AppData\Roaming\empyrean\dat.txt	pyinstaller

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings firefox.exe
Modifies registry key 1 TTPs 4 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exe

pid process

5304 reg.exe
5372 reg.exe
1808 reg.exe
4736 reg.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

main.exemain.exe

pid process

2112 main.exe
2112 main.exe
2112 main.exe
2112 main.exe
5652 main.exe
5652 main.exe
5652 main.exe
5652 main.exe
Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid

4
4
4
4
4
656

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	firefox.exe

pid	process
5304	reg.exe
5372	reg.exe
1808	reg.exe
4736	reg.exe

pid
4
4
4
4
4
656

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

main.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2112	main.exe
Token: SeIncreaseQuotaPrivilege	4848	WMIC.exe
Token: SeSecurityPrivilege	4848	WMIC.exe
Token: SeTakeOwnershipPrivilege	4848	WMIC.exe
Token: SeLoadDriverPrivilege	4848	WMIC.exe
Token: SeSystemProfilePrivilege	4848	WMIC.exe
Token: SeSystemtimePrivilege	4848	WMIC.exe
Token: SeProfSingleProcessPrivilege	4848	WMIC.exe
Token: SeIncBasePriorityPrivilege	4848	WMIC.exe
Token: SeCreatePagefilePrivilege	4848	WMIC.exe
Token: SeBackupPrivilege	4848	WMIC.exe
Token: SeRestorePrivilege	4848	WMIC.exe
Token: SeShutdownPrivilege	4848	WMIC.exe
Token: SeDebugPrivilege	4848	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4848	WMIC.exe
Token: SeRemoteShutdownPrivilege	4848	WMIC.exe
Token: SeUndockPrivilege	4848	WMIC.exe
Token: SeManageVolumePrivilege	4848	WMIC.exe
Token: 33	4848	WMIC.exe
Token: 34	4848	WMIC.exe
Token: 35	4848	WMIC.exe
Token: 36	4848	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4848	WMIC.exe
Token: SeSecurityPrivilege	4848	WMIC.exe
Token: SeTakeOwnershipPrivilege	4848	WMIC.exe
Token: SeLoadDriverPrivilege	4848	WMIC.exe
Token: SeSystemProfilePrivilege	4848	WMIC.exe
Token: SeSystemtimePrivilege	4848	WMIC.exe
Token: SeProfSingleProcessPrivilege	4848	WMIC.exe
Token: SeIncBasePriorityPrivilege	4848	WMIC.exe
Token: SeCreatePagefilePrivilege	4848	WMIC.exe
Token: SeBackupPrivilege	4848	WMIC.exe
Token: SeRestorePrivilege	4848	WMIC.exe
Token: SeShutdownPrivilege	4848	WMIC.exe
Token: SeDebugPrivilege	4848	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4848	WMIC.exe
Token: SeRemoteShutdownPrivilege	4848	WMIC.exe
Token: SeUndockPrivilege	4848	WMIC.exe
Token: SeManageVolumePrivilege	4848	WMIC.exe
Token: 33	4848	WMIC.exe
Token: 34	4848	WMIC.exe
Token: 35	4848	WMIC.exe
Token: 36	4848	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3776	WMIC.exe
Token: SeSecurityPrivilege	3776	WMIC.exe
Token: SeTakeOwnershipPrivilege	3776	WMIC.exe
Token: SeLoadDriverPrivilege	3776	WMIC.exe
Token: SeSystemProfilePrivilege	3776	WMIC.exe
Token: SeSystemtimePrivilege	3776	WMIC.exe
Token: SeProfSingleProcessPrivilege	3776	WMIC.exe
Token: SeIncBasePriorityPrivilege	3776	WMIC.exe
Token: SeCreatePagefilePrivilege	3776	WMIC.exe
Token: SeBackupPrivilege	3776	WMIC.exe
Token: SeRestorePrivilege	3776	WMIC.exe
Token: SeShutdownPrivilege	3776	WMIC.exe
Token: SeDebugPrivilege	3776	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3776	WMIC.exe
Token: SeRemoteShutdownPrivilege	3776	WMIC.exe
Token: SeUndockPrivilege	3776	WMIC.exe
Token: SeManageVolumePrivilege	3776	WMIC.exe
Token: 33	3776	WMIC.exe
Token: 34	3776	WMIC.exe
Token: 35	3776	WMIC.exe
Token: 36	3776	WMIC.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

firefox.exe7zFM.exe7zG.exe

pid process

3536 firefox.exe
3536 firefox.exe
3536 firefox.exe
3536 firefox.exe
1684 7zFM.exe
5608 7zG.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

3536 firefox.exe
3536 firefox.exe
3536 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

3536 firefox.exe

pid	process
3536	firefox.exe
3536	firefox.exe
3536	firefox.exe
3536	firefox.exe
1684	7zFM.exe
5608	7zG.exe

pid	process
3536	firefox.exe
3536	firefox.exe
3536	firefox.exe

pid	process
3536	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

main.exemain.execmd.execmd.execmd.execmd.execmd.exefirefox.exefirefox.exe

description	pid	process	target process
PID 1408 wrote to memory of 2112	1408	main.exe	main.exe
PID 1408 wrote to memory of 2112	1408	main.exe	main.exe
PID 2112 wrote to memory of 4920	2112	main.exe	cmd.exe
PID 2112 wrote to memory of 4920	2112	main.exe	cmd.exe
PID 2112 wrote to memory of 4296	2112	main.exe	cmd.exe
PID 2112 wrote to memory of 4296	2112	main.exe	cmd.exe
PID 4296 wrote to memory of 1808	4296	cmd.exe	reg.exe
PID 4296 wrote to memory of 1808	4296	cmd.exe	reg.exe
PID 2112 wrote to memory of 4532	2112	main.exe	cmd.exe
PID 2112 wrote to memory of 4532	2112	main.exe	cmd.exe
PID 4532 wrote to memory of 4736	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 4736	4532	cmd.exe	reg.exe
PID 2112 wrote to memory of 2440	2112	main.exe	cmd.exe
PID 2112 wrote to memory of 2440	2112	main.exe	cmd.exe
PID 2440 wrote to memory of 4848	2440	cmd.exe	WMIC.exe
PID 2440 wrote to memory of 4848	2440	cmd.exe	WMIC.exe
PID 2112 wrote to memory of 4616	2112	main.exe	cmd.exe
PID 2112 wrote to memory of 4616	2112	main.exe	cmd.exe
PID 4616 wrote to memory of 3776	4616	cmd.exe	WMIC.exe
PID 4616 wrote to memory of 3776	4616	cmd.exe	WMIC.exe
PID 2112 wrote to memory of 4588	2112	main.exe	cmd.exe
PID 2112 wrote to memory of 4588	2112	main.exe	cmd.exe
PID 4588 wrote to memory of 3880	4588	cmd.exe	WMIC.exe
PID 4588 wrote to memory of 3880	4588	cmd.exe	WMIC.exe
PID 3908 wrote to memory of 3536	3908	firefox.exe	firefox.exe
PID 3908 wrote to memory of 3536	3908	firefox.exe	firefox.exe
PID 3908 wrote to memory of 3536	3908	firefox.exe	firefox.exe
PID 3908 wrote to memory of 3536	3908	firefox.exe	firefox.exe
PID 3908 wrote to memory of 3536	3908	firefox.exe	firefox.exe
PID 3908 wrote to memory of 3536	3908	firefox.exe	firefox.exe
PID 3908 wrote to memory of 3536	3908	firefox.exe	firefox.exe
PID 3908 wrote to memory of 3536	3908	firefox.exe	firefox.exe
PID 3908 wrote to memory of 3536	3908	firefox.exe	firefox.exe
PID 3908 wrote to memory of 3536	3908	firefox.exe	firefox.exe
PID 3908 wrote to memory of 3536	3908	firefox.exe	firefox.exe
PID 3536 wrote to memory of 2728	3536	firefox.exe	firefox.exe
PID 3536 wrote to memory of 2728	3536	firefox.exe	firefox.exe
PID 3536 wrote to memory of 2728	3536	firefox.exe	firefox.exe
PID 3536 wrote to memory of 2728	3536	firefox.exe	firefox.exe
PID 3536 wrote to memory of 2728	3536	firefox.exe	firefox.exe
PID 3536 wrote to memory of 2728	3536	firefox.exe	firefox.exe
PID 3536 wrote to memory of 2728	3536	firefox.exe	firefox.exe
PID 3536 wrote to memory of 2728	3536	firefox.exe	firefox.exe
PID 3536 wrote to memory of 2728	3536	firefox.exe	firefox.exe
PID 3536 wrote to memory of 2728	3536	firefox.exe	firefox.exe
PID 3536 wrote to memory of 2728	3536	firefox.exe	firefox.exe
PID 3536 wrote to memory of 2728	3536	firefox.exe	firefox.exe
PID 3536 wrote to memory of 2728	3536	firefox.exe	firefox.exe
PID 3536 wrote to memory of 2728	3536	firefox.exe	firefox.exe
PID 3536 wrote to memory of 2728	3536	firefox.exe	firefox.exe
PID 3536 wrote to memory of 2728	3536	firefox.exe	firefox.exe
PID 3536 wrote to memory of 2728	3536	firefox.exe	firefox.exe
PID 3536 wrote to memory of 2728	3536	firefox.exe	firefox.exe
PID 3536 wrote to memory of 2728	3536	firefox.exe	firefox.exe
PID 3536 wrote to memory of 2728	3536	firefox.exe	firefox.exe
PID 3536 wrote to memory of 2728	3536	firefox.exe	firefox.exe
PID 3536 wrote to memory of 2728	3536	firefox.exe	firefox.exe
PID 3536 wrote to memory of 2728	3536	firefox.exe	firefox.exe
PID 3536 wrote to memory of 2728	3536	firefox.exe	firefox.exe
PID 3536 wrote to memory of 2728	3536	firefox.exe	firefox.exe
PID 3536 wrote to memory of 2728	3536	firefox.exe	firefox.exe
PID 3536 wrote to memory of 2728	3536	firefox.exe	firefox.exe
PID 3536 wrote to memory of 2728	3536	firefox.exe	firefox.exe
PID 3536 wrote to memory of 2728	3536	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1408

C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
3⤵
PID:4920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f"
3⤵
- Suspicious use of WriteProcessMemory
PID:4296

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f
4⤵
- Modifies registry key
PID:1808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f"
3⤵
- Suspicious use of WriteProcessMemory
PID:4532

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f
4⤵
- Adds Run key to start application
- Modifies registry key
PID:4736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
3⤵
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
3⤵
- Suspicious use of WriteProcessMemory
PID:4616

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
3⤵
- Suspicious use of WriteProcessMemory
PID:4588

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
4⤵
PID:3880

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1736

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3908

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3536

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3536.0.223763272\542345095" -parentBuildID 20230214051806 -prefsHandle 1788 -prefMapHandle 1780 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa2bad42-3999-40ad-8914-777ec5f1c2fb} 3536 "\\.\pipe\gecko-crash-server-pipe.3536" 1740 1c12cb15458 gpu
3⤵
PID:2728

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3536.1.1753493394\991608829" -parentBuildID 20230214051806 -prefsHandle 2424 -prefMapHandle 2412 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a44027f1-c67c-4957-b4b9-ac7a6b7d3827} 3536 "\\.\pipe\gecko-crash-server-pipe.3536" 2436 1c11fd89f58 socket
3⤵
- Checks processor information in registry
PID:4008

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3536.2.1721177631\305809142" -childID 1 -isForBrowser -prefsHandle 3292 -prefMapHandle 3288 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9c5759f-792d-4bc5-b094-55bfb55601eb} 3536 "\\.\pipe\gecko-crash-server-pipe.3536" 3304 1c12f932b58 tab
3⤵
PID:3108

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3536.3.1717775145\1539997891" -childID 2 -isForBrowser -prefsHandle 3976 -prefMapHandle 3972 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eaf7bc2f-a1e6-4335-99a5-351d220b5fce} 3536 "\\.\pipe\gecko-crash-server-pipe.3536" 3988 1c1316cd858 tab
3⤵
PID:2244

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3536.4.945276270\1835242394" -childID 3 -isForBrowser -prefsHandle 4896 -prefMapHandle 4892 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1bb4773-b22b-4aba-95b5-7e7ceb601c5a} 3536 "\\.\pipe\gecko-crash-server-pipe.3536" 4908 1c133b98158 tab
3⤵
PID:972

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3536.5.696009797\240031644" -childID 4 -isForBrowser -prefsHandle 5048 -prefMapHandle 5052 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d14dc66-41b4-4f72-ba57-a9166069ae35} 3536 "\\.\pipe\gecko-crash-server-pipe.3536" 5040 1c133b98458 tab
3⤵
PID:2972

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3536.6.1158315131\1153703221" -childID 5 -isForBrowser -prefsHandle 5236 -prefMapHandle 5240 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {306c9fd0-bd88-46af-bba4-7f1a0ee2eb77} 3536 "\\.\pipe\gecko-crash-server-pipe.3536" 5224 1c133b9a258 tab
3⤵
PID:1636

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3536.7.1872482332\235712762" -childID 6 -isForBrowser -prefsHandle 4728 -prefMapHandle 4724 -prefsLen 27957 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae602b54-aa64-4183-9eea-c9360fdd0320} 3536 "\\.\pipe\gecko-crash-server-pipe.3536" 5640 1c11fd7e258 tab
3⤵
PID:4332

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\main.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:1684

C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
1⤵
PID:5188

C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:5652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
3⤵
PID:5712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f"
3⤵
PID:5260

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f
4⤵
- Modifies registry key
PID:5304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f"
3⤵
PID:5320

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f
4⤵
- Adds Run key to start application
- Modifies registry key
PID:5372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
3⤵
PID:5416

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
4⤵
PID:5476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
3⤵
PID:5516

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
4⤵
PID:5572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
3⤵
PID:5632

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
4⤵
PID:5708

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\main\" -ad -an -ai#7zMap4805:88:7zEvent19138
1⤵
- Suspicious use of FindShellTrayWindow
PID:5608

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:5772

C:\Windows\system32\notepad.exe
notepad main.exe
2⤵
PID:3420

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\activity-stream.discovery_stream.json.tmp
Filesize
23KB

MD5
c45f9b87048b27f79081276c1aba5607

SHA1
9da122a5c3684397b4df2e463355cdf5871058de

SHA256
d2be91532e7e2e69cfd917121635501d47947409957f7ff0c1289cbdd386f82a

SHA512
74eb423e90dffc2ea0e3eda8761ddb134e6289741996b943a8d4b1dafe80c55962a1a9a3728ed9232bac860172bad0375e823bcce760e796c847b3697da08247

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14082\Crypto\Cipher\_raw_cbc.pyd
Filesize
12KB

MD5
a1b78a3ce3165e90957880b8724d944f

SHA1
a69f63cc211e671a08daad7a66ed0b05f8736cc7

SHA256
84e071321e378054b6d3b56bbd66699e36554f637a44728b38b96a31199dfa69

SHA512
15847386652cbee378d0ff6aad0a3fe0d0c6c7f1939f764f86c665f3493b4bccaf98d7a29259e94ed197285d9365b9d6e697b010aff3370cf857b8cb4106d7d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14082\Crypto\Cipher\_raw_cfb.pyd
Filesize
13KB

MD5
0dca79c062f2f800132cf1748a8e147f

SHA1
91f525b8ca0c0db245c4d3fa4073541826e8fb89

SHA256
2a63e504c8aa4d291bbd8108f26eecde3dcd9bfba579ae80b777ff6dfec5e922

SHA512
a820299fba1d0952a00db78b92fb7d68d77c427418388cc67e3a37dc87b1895d9ae416cac32b859d11d21a07a8f4cef3bd26ebb06cc39f04ad5e60f8692c659b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14082\Crypto\Cipher\_raw_ecb.pyd
Filesize
10KB

MD5
aec314222600ade3d96b6dc33af380a6

SHA1
c6af3edadb09ea3a56048b57237c0a2dca33bee1

SHA256
ea96505b38d27c085544fb129f2b0e00df5020d323d7853e6a6a8645ac785304

SHA512
bbc00aa7fdf178bb6b2d86419c31967f2bc32d157aa7ee3ac308c28d8bf4823c1fafcde6c91651edc05c146e44d7e59e02a76283890652b27c52f509c3b9ef9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14082\Crypto\Cipher\_raw_ofb.pyd
Filesize
12KB

MD5
4ed6d4b1b100384d13f25dfa3737fb78

SHA1
852a2f76c853db02e65512af35f5b4b4a2346abd

SHA256
084e4b2da2180ad2a2e96e8804a6f2fc37bce6349eb8a5f6b182116b4d04bd82

SHA512
276201a9bcb9f88f4bbac0cd9e3ea2da83e0fb4854b1a0dd63cff2af08af3883be34af6f06ece32fad2fd4271a0a09a3b576f1ed78b8a227d13c04a07eaf0827

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14082\VCRUNTIME140.dll
Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14082\VCRUNTIME140_1.dll
Filesize
36KB

MD5
135359d350f72ad4bf716b764d39e749

SHA1
2e59d9bbcce356f0fece56c9c4917a5cacec63d7

SHA256
34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32

SHA512
cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14082\_bz2.pyd
Filesize
81KB

MD5
86d1b2a9070cd7d52124126a357ff067

SHA1
18e30446fe51ced706f62c3544a8c8fdc08de503

SHA256
62173a8fadd4bf4dd71ab89ea718754aa31620244372f0c5bbbae102e641a60e

SHA512
7db4b7e0c518a02ae901f4b24e3860122acc67e38e73f98f993fe99eb20bb3aa539db1ed40e63d6021861b54f34a5f5a364907ffd7da182adea68bbdd5c2b535

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14082\_ctypes.pyd
Filesize
120KB

MD5
1635a0c5a72df5ae64072cbb0065aebe

SHA1
c975865208b3369e71e3464bbcc87b65718b2b1f

SHA256
1ea3dd3df393fa9b27bf6595be4ac859064cd8ef9908a12378a6021bba1cb177

SHA512
6e34346ea8a0aacc29ccd480035da66e280830a7f3d220fd2f12d4cfa3e1c03955d58c0b95c2674aea698a36a1b674325d3588483505874c2ce018135320ff99

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14082\_decimal.pyd
Filesize
248KB

MD5
20c77203ddf9ff2ff96d6d11dea2edcf

SHA1
0d660b8d1161e72c993c6e2ab0292a409f6379a5

SHA256
9aac010a424c757c434c460c3c0a6515d7720966ab64bad667539282a17b4133

SHA512
2b24346ece2cbd1e9472a0e70768a8b4a5d2c12b3d83934f22ebdc9392d9023dcb44d2322ada9edbe2eb0e2c01b5742d2a83fa57ca23054080909ec6eb7cf3ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14082\_hashlib.pyd
Filesize
63KB

MD5
d4674750c732f0db4c4dd6a83a9124fe

SHA1
fd8d76817abc847bb8359a7c268acada9d26bfd5

SHA256
caa4d2f8795e9a55e128409cc016e2cc5c694cb026d7058fc561e4dd131ed1c9

SHA512
97d57cfb80dd9dd822f2f30f836e13a52f771ee8485bc0fd29236882970f6bfbdfaac3f2e333bba5c25c20255e8c0f5ad82d8bc8a6b6e2f7a07ea94a9149c81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14082\_lzma.pyd
Filesize
154KB

MD5
7447efd8d71e8a1929be0fac722b42dc

SHA1
6080c1b84c2dcbf03dcc2d95306615ff5fce49a6

SHA256
60793c8592193cfbd00fd3e5263be4315d650ba4f9e4fda9c45a10642fd998be

SHA512
c6295d45ed6c4f7534c1a38d47ddc55fea8b9f62bbdc0743e4d22e8ad0484984f8ab077b73e683d0a92d11bf6588a1ae395456cfa57da94bb2a6c4a1b07984de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14082\_queue.pyd
Filesize
30KB

MD5
d8c1b81bbc125b6ad1f48a172181336e

SHA1
3ff1d8dcec04ce16e97e12263b9233fbf982340c

SHA256
925f05255f4aae0997dc4ec94d900fd15950fd840685d5b8aa755427c7422b14

SHA512
ccc9f0d3aca66729832f26be12f8e7021834bbee1f4a45da9451b1aa5c2e63126c0031d223af57cf71fad2c85860782a56d78d8339b35720194df139076e0772

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14082\_socket.pyd
Filesize
77KB

MD5
819166054fec07efcd1062f13c2147ee

SHA1
93868ebcd6e013fda9cd96d8065a1d70a66a2a26

SHA256
e6deb751039cd5424a139708475ce83f9c042d43e650765a716cb4a924b07e4f

SHA512
da3a440c94cb99b8af7d2bc8f8f0631ae9c112bd04badf200edbf7ea0c48d012843b4a9fb9f1e6d3a9674fd3d4eb6f0fa78fd1121fad1f01f3b981028538b666

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14082\_sqlite3.pyd
Filesize
96KB

MD5
5279d497eee4cf269d7b4059c72b14c2

SHA1
aff2f5de807ae03e599979a1a5c605fc4bad986e

SHA256
b298a44af162be7107fd187f04b63fb3827f1374594e22910ec38829da7a12dc

SHA512
20726fc5b46a6d07a3e58cdf1bed821db57ce2d9f5bee8cfd59fce779c8d5c4b517d3eb70cd2a0505e48e465d628a674d18030a909f5b73188d07cc80dcda925

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14082\_ssl.pyd
Filesize
156KB

MD5
7910fb2af40e81bee211182cffec0a06

SHA1
251482ed44840b3c75426dd8e3280059d2ca06c6

SHA256
d2a7999e234e33828888ad455baa6ab101d90323579abc1095b8c42f0f723b6f

SHA512
bfe6506feb27a592fe9cf1db7d567d0d07f148ef1a2c969f1e4f7f29740c6bb8ccf946131e65fe5aa8ede371686c272b0860bd4c0c223195aaa1a44f59301b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14082\_uuid.pyd
Filesize
24KB

MD5
b68c98113c8e7e83af56ba98ff3ac84a

SHA1
448938564559570b269e05e745d9c52ecda37154

SHA256
990586f2a2ba00d48b59bdd03d3c223b8e9fb7d7fab6d414bac2833eb1241ca2

SHA512
33c69199cba8e58e235b96684346e748a17cc7f03fc068cfa8a7ec7b5f9f6fa90d90b5cdb43285abf8b4108e71098d4e87fb0d06b28e2132357964b3eea3a4f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14082\base_library.zip
Filesize
812KB

MD5
678d03034d0a29770e881bcb5ce31720

SHA1
a55befcf5cd76ceb98719bafc0e3dfb20c0640e3

SHA256
9c0e49af57460f5a550044ff40436615d848616b87cff155fcad0a7d609fd3cb

SHA512
19a6e2dc2df81ffc4f9af19df0a75cf2531ba1002dca00cd1e60bdc58ede08747dafa3778ab78781a88c93a3ece4e5a46c5676250ed624f70d8a38af2c75395f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14082\charset_normalizer\md.cp310-win_amd64.pyd
Filesize
10KB

MD5
f33ca57d413e6b5313272fa54dbc8baa

SHA1
4e0cabe7d38fe8d649a0a497ed18d4d1ca5f4c44

SHA256
9b3d70922dcfaeb02812afa9030a40433b9d2b58bcf088781f9ab68a74d20664

SHA512
f17c06f4202b6edbb66660d68ff938d4f75b411f9fab48636c3575e42abaab6464d66cb57bce7f84e8e2b5755b6ef757a820a50c13dd5f85faa63cd553d3ff32

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14082\charset_normalizer\md__mypyc.cp310-win_amd64.pyd
Filesize
117KB

MD5
494f5b9adc1cfb7fdb919c9b1af346e1

SHA1
4a5fddd47812d19948585390f76d5435c4220e6b

SHA256
ad9bcc0de6815516dfde91bb2e477f8fb5f099d7f5511d0f54b50fa77b721051

SHA512
2c0d68da196075ea30d97b5fd853c673e28949df2b6bf005ae72fd8b60a0c036f18103c5de662cac63baaef740b65b4ed2394fcd2e6da4dfcfbeef5b64dab794

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14082\libcrypto-1_1.dll
Filesize
3.3MB

MD5
9d7a0c99256c50afd5b0560ba2548930

SHA1
76bd9f13597a46f5283aa35c30b53c21976d0824

SHA256
9b7b4a0ad212095a8c2e35c71694d8a1764cd72a829e8e17c8afe3a55f147939

SHA512
cb39aa99b9d98c735fdacf1c5ed68a4d09d11f30262b91f6aa48c3f8520eff95e499400d0ce7e280ca7a90ff6d7141d2d893ef0b33a8803a1cadb28ba9a9e3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14082\libffi-7.dll
Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14082\libssl-1_1.dll
Filesize
688KB

MD5
bec0f86f9da765e2a02c9237259a7898

SHA1
3caa604c3fff88e71f489977e4293a488fb5671c

SHA256
d74ce01319ae6f54483a19375524aa39d9f5fd91f06cf7df238ca25e043130fd

SHA512
ffbc4e5ffdb49704e7aa6d74533e5af76bbe5db297713d8e59bd296143fe5f145fbb616b343eed3c48eceaccccc2431630470d8975a4a17c37eafcc12edd19f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14082\psutil\_psutil_windows.pyd
Filesize
76KB

MD5
ebefbc98d468560b222f2d2d30ebb95c

SHA1
ee267e3a6e5bed1a15055451efcccac327d2bc43

SHA256
67c17558b635d6027ddbb781ea4e79fc0618bbec7485bd6d84b0ebcd9ef6a478

SHA512
ab9f949adfe9475b0ba8c37fa14b0705923f79c8a10b81446abc448ad38d5d55516f729b570d641926610c99df834223567c1efde166e6a0f805c9e2a35556e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14082\pyexpat.pyd
Filesize
194KB

MD5
1118c1329f82ce9072d908cbd87e197c

SHA1
c59382178fe695c2c5576dca47c96b6de4bbcffd

SHA256
4a2d59993bce76790c6d923af81bf404f8e2cb73552e320113663b14cf78748c

SHA512
29f1b74e96a95b0b777ef00448da8bd0844e2f1d8248788a284ec868ae098c774a694d234a00bd991b2d22c2372c34f762cdbd9ec523234861e39c0ca752dcaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14082\python3.DLL
Filesize
64KB

MD5
fd4a39e7c1f7f07cf635145a2af0dc3a

SHA1
05292ba14acc978bb195818499a294028ab644bd

SHA256
dc909eb798a23ba8ee9f8e3f307d97755bc0d2dc0cb342cedae81fbbad32a8a9

SHA512
37d3218bc767c44e8197555d3fa18d5aad43a536cfe24ac17bf8a3084fb70bd4763ccfd16d2df405538b657f720871e0cd312dfeb7f592f3aac34d9d00d5a643

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14082\python310.dll
Filesize
4.3MB

MD5
63a1fa9259a35eaeac04174cecb90048

SHA1
0dc0c91bcd6f69b80dcdd7e4020365dd7853885a

SHA256
14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed

SHA512
896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14082\pythoncom310.dll
Filesize
653KB

MD5
65dd753f51cd492211986e7b700983ef

SHA1
f5b469ec29a4be76bc479b2219202f7d25a261e2

SHA256
c3b33ba6c4f646151aed4172562309d9f44a83858ddfd84b2d894a8b7da72b1e

SHA512
8bd505e504110e40fa4973feff2fae17edc310a1ce1dc78b6af7972efdd93348087e6f16296bfd57abfdbbe49af769178f063bb0aa1dee661c08659f47a6216d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14082\pywintypes310.dll
Filesize
131KB

MD5
ceb06a956b276cea73098d145fa64712

SHA1
6f0ba21f0325acc7cf6bf9f099d9a86470a786bf

SHA256
c8ec6429d243aef1f78969863be23d59273fa6303760a173ab36ab71d5676005

SHA512
05bab4a293e4c7efa85fa2491c32f299afd46fdb079dcb7ee2cc4c31024e01286daaf4aead5082fc1fd0d4169b2d1be589d1670fcf875b06c6f15f634e0c6f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14082\select.pyd
Filesize
29KB

MD5
a653f35d05d2f6debc5d34daddd3dfa1

SHA1
1a2ceec28ea44388f412420425665c3781af2435

SHA256
db85f2f94d4994283e1055057372594538ae11020389d966e45607413851d9e9

SHA512
5aede99c3be25b1a962261b183ae7a7fb92cb0cb866065dc9cd7bb5ff6f41cc8813d2cc9de54670a27b3ad07a33b833eaa95a5b46dad7763ca97dfa0c1ce54c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14082\sqlite3.dll
Filesize
1.4MB

MD5
914925249a488bd62d16455d156bd30d

SHA1
7e66ba53f3512f81c9014d322fcb7dd895f62c55

SHA256
fbd8832b5bc7e5c9adcf7320c051a67ee1c33fd198105283058533d132785ab4

SHA512
21a468929b15b76b313b32be65cfc50cad8f03c3b2e9bf11ca3b02c88a0482b7bc15646ce40df7fb42fbc96bd12362a54cffe0563c4ddc3fc78622622c699186

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14082\unicodedata.pyd
Filesize
1.1MB

MD5
81d62ad36cbddb4e57a91018f3c0816e

SHA1
fe4a4fc35df240b50db22b35824e4826059a807b

SHA256
1fb2d66c056f69e8bbdd8c6c910e72697874dae680264f8fb4b4df19af98aa2e

SHA512
7d15d741378e671591356dfaad4e1e03d3f5456cbdf87579b61d02a4a52ab9b6ecbffad3274cede8c876ea19eaeb8ba4372ad5986744d430a29f50b9caffb75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14082\win32api.pyd
Filesize
130KB

MD5
00e5da545c6a4979a6577f8f091e85e1

SHA1
a31a2c85e272234584dacf36f405d102d9c43c05

SHA256
ac483d60a565cc9cbf91a6f37ea516b2162a45d255888d50fbbb7e5ff12086ee

SHA512
9e4f834f56007f84e8b4ec1c16fb916e68c3baadab1a3f6b82faf5360c57697dc69be86f3c2ea6e30f95e7c32413babbe5d29422d559c99e6cf4242357a85f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51882\attrs-23.1.0.dist-info\INSTALLER
Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloads_db
Filesize
152KB

MD5
73bd1e15afb04648c24593e8ba13e983

SHA1
4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91

SHA256
aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b

SHA512
6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloads_db
Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs-1.js
Filesize
7KB

MD5
2bed304af2e505fd13440627fecdafc1

SHA1
47776c8794320829ca4e5f3765fc1ddbaf4711dc

SHA256
f2ef98300475b88bb9888aeec1050c7cfb0510fb3f64314ca4c29d2f33c827b1

SHA512
775d1259803b043ece4b7bb62ca5e7d4ec415552e26997e60a87176e55f3f858b68648d44789824676a4f15f610595eb6a3c469a2b310ae5ac0bb01f040577c6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs-1.js
Filesize
7KB

MD5
7f82f8ac790fb4aac451019da7c4874c

SHA1
3b83ce15e9aca1f2b34c5aea2aec71db354dbbae

SHA256
3a2cdef68fd5862ab0c9dd894d37eb7a04050040547a648428507ef361eaf98f

SHA512
60ece5ed280bb07f639722572de9ab8edee4e8cffb439a67ba97416086e3e8089f89ca2bc5289006ccd64ef1ab61d50161e19d16bf822d0b8f8d6a1d4c84590f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs.js
Filesize
6KB

MD5
416336177a20ecc1d8c0c55d0ee77610

SHA1
6dcbceeb6f89c95f4c8d0b3e8e0e7f1c2a92485e

SHA256
6e4126c8fc3bc3d599bb104b091b42b8883db6e76d2c45335e4b66dfe1e58d11

SHA512
cd44c14df6bbe2c0ce21881ec38acfc2868479db2db27acb9eece8ba07034324265208db450053794ecfd4504e05320a88f20455a6b43674fcd5e54f513ea535

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
e48ccb81cd230971962e28494c0f44d8

SHA1
7c55436c038ad7f8df211c0bc78b1e631ae8f469

SHA256
36616cfcef6099997f1e3754c4c0b3742f6e9e04d57b0726e4c11e61b8b12b0b

SHA512
17c0f6a0852af988b109bddd8393e39c4368a4bb5a97e7558e876daeb4af862f24cf4919709f8396a86ac72e729cc92f64ce3216e72fc776f67a5c56175a34f8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
633571998d052f25d11a7bc11e9ac280

SHA1
e5423879442b4c479fe8345f0c3f06b8a2a3c6c6

SHA256
1a51bc689d1d1238cb226fea5a1f19651f06bcce282d3e839ccfc352e29c3d44

SHA512
88f706e4c1b06c10b9f11daccd09dc11a986fdb8d85d2926d8bffc87761eaa405bcab5c43d28b9dc3e0865434a927af0cf9d0a93c15cf7ac1dfb6d2dd38ed361

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore.jsonlz4
Filesize
1KB

MD5
4016ca35c74d16886b5743c17a2ca4c9

SHA1
4a41912ad59c369d74fb1b8e5060984729d9bd3c

SHA256
1557dcfa234580d0a4161a633a834a2e1221f705581d89add4eb38aa0ce3e515

SHA512
6fbaaf1dcc09c749398008a0d53faa9b0373c664299d10427af990ba575305eae75786eb3f8886ff2ae4998881500bfa8a4e4a9e6209f667b0df006c0c137e47

Download Submit
C:\Users\Admin\AppData\Roaming\empyrean\dat.txt
Filesize
19.5MB

MD5
d9d8f69e5c86b8d05aa4bdd5b0d3f468

SHA1
5553a5dce8d4d6fa8f54c018e57ef97bd75a4043

SHA256
add7c0120951d2c7b0ccde90ac3590bd1e6749c9fb2f8b1662d4049bbef14880

SHA512
738ffa0ee138433ea3a201f5095167a15b5ef6a592b80b13d9a7c48f12260d3366a8406deaa39af392c1267152f68fa734333870d8aaaacd2b7636b22b61667d

Download Submit
C:\Windows\System32\cards_db
Filesize
100KB

MD5
bfbf67a3ad4b5c0f7804f85d1f449a80

SHA1
110780a35d61de23b5fcb7b9e75a3ed07deb7838

SHA256
2a38ab429847061aa3c614982e801e2e7139977a227466ce5ee61fa382a2bc2e

SHA512
77bd3011b5d0074af16b93a5ab1967379a0a032bbf43c1e7b6ef205aeb27454e079c94e419bea6f7d730dc84b632e44250203a508fcdcd864ada9888381f4fdd

Download Submit
C:\Windows\System32\cards_db
Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Windows\System32\cookie_db
Filesize
20KB

MD5
42c395b8db48b6ce3d34c301d1eba9d5

SHA1
b7cfa3de344814bec105391663c0df4a74310996

SHA256
5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d

SHA512
7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

Download Submit
C:\Windows\System32\login_db
Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Windows\System32\login_db
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit