03cdb29b6e0b1da7038eb0a999f344f797a4d547548dbdb1b565771df30d2b8b

Resubmissions

29/06/2024, 17:44

240629-wbgxeavgnr 8

29/06/2024, 17:43

29/06/2024, 17:38

29/06/2024, 17:37

29/06/2024, 17:31

29/06/2024, 14:11

29/06/2024, 14:08

Analysis

max time kernel
206s
max time network
211s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2024, 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lemotu.rar
Size

19.2MB
MD5

46d888e464737207c89193ce92ee4014
SHA1

b8dbd0ad6d33f69570609e459bdc646d86fc177a
SHA256

03cdb29b6e0b1da7038eb0a999f344f797a4d547548dbdb1b565771df30d2b8b
SHA512

1de74a63b4cc8e3d978a28215ac8cfa651d2a0212ed92ece6840d3a05a5567f664ca631ee3c00ac4f9a6e828cdc4cea69ce5e6fee97facb17c15f36e01c6691b
SSDEEP

393216:vaZW3Tk17K0YCuMk4zuKluG99o49fAqsW8HE1xFCkpnzAWJAlG:yZ7huMk4qERA4xHsW8WrC6n0WClG

Score

7^/10

persistence privilege_escalation pyinstaller spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1792	main.exe
3228	main.exe

Loads dropped DLL 64 IoCs

pid	Process
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
828	da.exe
828	da.exe
828	da.exe
828	da.exe
828	da.exe
828	da.exe
828	da.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\empyrean = "C:\\Users\\Admin\\AppData\\Roaming\\empyrean\\run.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\empyrean = "C:\\Users\\Admin\\AppData\\Roaming\\empyrean\\run.bat"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
90	raw.githubusercontent.com
72	discord.com
73	discord.com
75	raw.githubusercontent.com
76	raw.githubusercontent.com
87	discord.com
89	discord.com

Looks up external IP address via web service 9 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
81	ipapi.co
83	ipapi.co
92	ipapi.co
96	ipapi.co
71	ipapi.co
86	ipapi.co
88	ipapi.co
94	ipapi.co
70	ipapi.co

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000e000000023378-2.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	taskmgr.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
324	reg.exe
4616	reg.exe
3752	reg.exe
2772	reg.exe

Opens file in notepad (likely ransom note) 4 IoCs

ransomware

pid	Process
864	NOTEPAD.EXE
2120	NOTEPAD.EXE
2092	NOTEPAD.EXE
4644	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
3228	main.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
828	da.exe
828	da.exe
828	da.exe
828	da.exe
828	da.exe
828	da.exe
828	da.exe
828	da.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1872	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1872	7zFM.exe
Token: 35	1872	7zFM.exe
Token: SeSecurityPrivilege	1872	7zFM.exe
Token: SeSecurityPrivilege	1872	7zFM.exe
Token: SeSecurityPrivilege	1872	7zFM.exe
Token: SeDebugPrivilege	3228	main.exe
Token: SeIncreaseQuotaPrivilege	3724	WMIC.exe
Token: SeSecurityPrivilege	3724	WMIC.exe
Token: SeTakeOwnershipPrivilege	3724	WMIC.exe
Token: SeLoadDriverPrivilege	3724	WMIC.exe
Token: SeSystemProfilePrivilege	3724	WMIC.exe
Token: SeSystemtimePrivilege	3724	WMIC.exe
Token: SeProfSingleProcessPrivilege	3724	WMIC.exe
Token: SeIncBasePriorityPrivilege	3724	WMIC.exe
Token: SeCreatePagefilePrivilege	3724	WMIC.exe
Token: SeBackupPrivilege	3724	WMIC.exe
Token: SeRestorePrivilege	3724	WMIC.exe
Token: SeShutdownPrivilege	3724	WMIC.exe
Token: SeDebugPrivilege	3724	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3724	WMIC.exe
Token: SeRemoteShutdownPrivilege	3724	WMIC.exe
Token: SeUndockPrivilege	3724	WMIC.exe
Token: SeManageVolumePrivilege	3724	WMIC.exe
Token: 33	3724	WMIC.exe
Token: 34	3724	WMIC.exe
Token: 35	3724	WMIC.exe
Token: 36	3724	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3724	WMIC.exe
Token: SeSecurityPrivilege	3724	WMIC.exe
Token: SeTakeOwnershipPrivilege	3724	WMIC.exe
Token: SeLoadDriverPrivilege	3724	WMIC.exe
Token: SeSystemProfilePrivilege	3724	WMIC.exe
Token: SeSystemtimePrivilege	3724	WMIC.exe
Token: SeProfSingleProcessPrivilege	3724	WMIC.exe
Token: SeIncBasePriorityPrivilege	3724	WMIC.exe
Token: SeCreatePagefilePrivilege	3724	WMIC.exe
Token: SeBackupPrivilege	3724	WMIC.exe
Token: SeRestorePrivilege	3724	WMIC.exe
Token: SeShutdownPrivilege	3724	WMIC.exe
Token: SeDebugPrivilege	3724	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3724	WMIC.exe
Token: SeRemoteShutdownPrivilege	3724	WMIC.exe
Token: SeUndockPrivilege	3724	WMIC.exe
Token: SeManageVolumePrivilege	3724	WMIC.exe
Token: 33	3724	WMIC.exe
Token: 34	3724	WMIC.exe
Token: 35	3724	WMIC.exe
Token: 36	3724	WMIC.exe
Token: SeRestorePrivilege	2496	7zFM.exe
Token: 35	2496	7zFM.exe
Token: SeIncreaseQuotaPrivilege	1780	WMIC.exe
Token: SeSecurityPrivilege	1780	WMIC.exe
Token: SeTakeOwnershipPrivilege	1780	WMIC.exe
Token: SeLoadDriverPrivilege	1780	WMIC.exe
Token: SeSystemProfilePrivilege	1780	WMIC.exe
Token: SeSystemtimePrivilege	1780	WMIC.exe
Token: SeProfSingleProcessPrivilege	1780	WMIC.exe
Token: SeIncBasePriorityPrivilege	1780	WMIC.exe
Token: SeCreatePagefilePrivilege	1780	WMIC.exe
Token: SeBackupPrivilege	1780	WMIC.exe
Token: SeRestorePrivilege	1780	WMIC.exe
Token: SeShutdownPrivilege	1780	WMIC.exe
Token: SeDebugPrivilege	1780	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1780	WMIC.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
1872	7zFM.exe
1872	7zFM.exe
1872	7zFM.exe
1872	7zFM.exe
2496	7zFM.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe

Suspicious use of SendNotifyMessage 39 IoCs

pid	Process
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
404	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 3228	1792	main.exe	116
PID 1792 wrote to memory of 3228	1792	main.exe	116
PID 3228 wrote to memory of 4448	3228	main.exe	117
PID 3228 wrote to memory of 4448	3228	main.exe	117
PID 3228 wrote to memory of 4068	3228	main.exe	119
PID 3228 wrote to memory of 4068	3228	main.exe	119
PID 4068 wrote to memory of 3724	4068	cmd.exe	121
PID 4068 wrote to memory of 3724	4068	cmd.exe	121
PID 3228 wrote to memory of 2076	3228	main.exe	124
PID 3228 wrote to memory of 2076	3228	main.exe	124
PID 2076 wrote to memory of 4616	2076	cmd.exe	126
PID 2076 wrote to memory of 4616	2076	cmd.exe	126
PID 3228 wrote to memory of 2188	3228	main.exe	127
PID 3228 wrote to memory of 2188	3228	main.exe	127
PID 2188 wrote to memory of 3752	2188	cmd.exe	129
PID 2188 wrote to memory of 3752	2188	cmd.exe	129
PID 3228 wrote to memory of 4892	3228	main.exe	131
PID 3228 wrote to memory of 4892	3228	main.exe	131
PID 4892 wrote to memory of 1780	4892	cmd.exe	133
PID 4892 wrote to memory of 1780	4892	cmd.exe	133
PID 3228 wrote to memory of 4844	3228	main.exe	134
PID 3228 wrote to memory of 4844	3228	main.exe	134
PID 4844 wrote to memory of 4376	4844	cmd.exe	136
PID 4844 wrote to memory of 4376	4844	cmd.exe	136
PID 3228 wrote to memory of 3408	3228	main.exe	138
PID 3228 wrote to memory of 3408	3228	main.exe	138
PID 3408 wrote to memory of 3532	3408	cmd.exe	140
PID 3408 wrote to memory of 3532	3408	cmd.exe	140
PID 3228 wrote to memory of 3864	3228	main.exe	141
PID 3228 wrote to memory of 3864	3228	main.exe	141
PID 3864 wrote to memory of 3020	3864	cmd.exe	143
PID 3864 wrote to memory of 3020	3864	cmd.exe	143
PID 3228 wrote to memory of 2100	3228	main.exe	144
PID 3228 wrote to memory of 2100	3228	main.exe	144
PID 2100 wrote to memory of 2036	2100	cmd.exe	146
PID 2100 wrote to memory of 2036	2100	cmd.exe	146
PID 3228 wrote to memory of 1868	3228	main.exe	150
PID 3228 wrote to memory of 1868	3228	main.exe	150
PID 1868 wrote to memory of 3504	1868	cmd.exe	152
PID 1868 wrote to memory of 3504	1868	cmd.exe	152
PID 1676 wrote to memory of 828	1676	da.exe	164
PID 1676 wrote to memory of 828	1676	da.exe	164
PID 828 wrote to memory of 1868	828	da.exe	165
PID 828 wrote to memory of 1868	828	da.exe	165
PID 828 wrote to memory of 4584	828	da.exe	167
PID 828 wrote to memory of 4584	828	da.exe	167
PID 4584 wrote to memory of 5056	4584	cmd.exe	169
PID 4584 wrote to memory of 5056	4584	cmd.exe	169
PID 828 wrote to memory of 4148	828	da.exe	170
PID 828 wrote to memory of 4148	828	da.exe	170
PID 4148 wrote to memory of 2772	4148	cmd.exe	172
PID 4148 wrote to memory of 2772	4148	cmd.exe	172
PID 828 wrote to memory of 2888	828	da.exe	173
PID 828 wrote to memory of 2888	828	da.exe	173
PID 2888 wrote to memory of 324	2888	cmd.exe	175
PID 2888 wrote to memory of 324	2888	cmd.exe	175
PID 828 wrote to memory of 5040	828	da.exe	176
PID 828 wrote to memory of 5040	828	da.exe	176
PID 5040 wrote to memory of 3324	5040	cmd.exe	178
PID 5040 wrote to memory of 3324	5040	cmd.exe	178
PID 828 wrote to memory of 3980	828	da.exe	179
PID 828 wrote to memory of 3980	828	da.exe	179
PID 3980 wrote to memory of 992	3980	cmd.exe	181
PID 3980 wrote to memory of 992	3980	cmd.exe	181

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Lemotu.rar
1⤵
- Modifies registry class
PID:4028

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:404

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1360

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Lemotu.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1872

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\jusched.log
1⤵
- Opens file in notepad (likely ransom note)
PID:864

C:\Users\Admin\Desktop\main.exe
"C:\Users\Admin\Desktop\main.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Users\Admin\Desktop\main.exe
  "C:\Users\Admin\Desktop\main.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:4448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4068
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2076
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f
      4⤵
      Modifies registry key
      PID:4616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2188
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:3752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4892
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4844
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
      4⤵
      PID:4376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3408
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
      4⤵
      PID:3532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3864
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:3020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2100
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:2036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1868
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:3504

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\main.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2496

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_vault.zip\cookies.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2120

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1064

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\empyrean\run.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:2092

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\empyrean\dat.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4644

C:\Users\Admin\Desktop\da.exe
"C:\Users\Admin\Desktop\da.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Users\Admin\Desktop\da.exe
  "C:\Users\Admin\Desktop\da.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:1868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4584
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
      4⤵
      PID:5056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4148
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f
      4⤵
      Modifies registry key
      PID:2772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5040
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
      4⤵
      PID:3324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3980
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
      4⤵
      PID:992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
    3⤵
    PID:1468
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
      4⤵
      PID:1616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    PID:4884
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    PID:4212
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:1000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI16762\attrs-23.1.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17922\Crypto\Cipher\_raw_cbc.pyd

Filesize
12KB

MD5
a1b78a3ce3165e90957880b8724d944f

SHA1
a69f63cc211e671a08daad7a66ed0b05f8736cc7

SHA256
84e071321e378054b6d3b56bbd66699e36554f637a44728b38b96a31199dfa69

SHA512
15847386652cbee378d0ff6aad0a3fe0d0c6c7f1939f764f86c665f3493b4bccaf98d7a29259e94ed197285d9365b9d6e697b010aff3370cf857b8cb4106d7d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17922\Crypto\Cipher\_raw_cfb.pyd

Filesize
13KB

MD5
0dca79c062f2f800132cf1748a8e147f

SHA1
91f525b8ca0c0db245c4d3fa4073541826e8fb89

SHA256
2a63e504c8aa4d291bbd8108f26eecde3dcd9bfba579ae80b777ff6dfec5e922

SHA512
a820299fba1d0952a00db78b92fb7d68d77c427418388cc67e3a37dc87b1895d9ae416cac32b859d11d21a07a8f4cef3bd26ebb06cc39f04ad5e60f8692c659b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17922\Crypto\Cipher\_raw_ecb.pyd

Filesize
10KB

MD5
aec314222600ade3d96b6dc33af380a6

SHA1
c6af3edadb09ea3a56048b57237c0a2dca33bee1

SHA256
ea96505b38d27c085544fb129f2b0e00df5020d323d7853e6a6a8645ac785304

SHA512
bbc00aa7fdf178bb6b2d86419c31967f2bc32d157aa7ee3ac308c28d8bf4823c1fafcde6c91651edc05c146e44d7e59e02a76283890652b27c52f509c3b9ef9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17922\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17922\VCRUNTIME140_1.dll

Filesize
36KB

MD5
135359d350f72ad4bf716b764d39e749

SHA1
2e59d9bbcce356f0fece56c9c4917a5cacec63d7

SHA256
34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32

SHA512
cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17922\_bz2.pyd

Filesize
81KB

MD5
86d1b2a9070cd7d52124126a357ff067

SHA1
18e30446fe51ced706f62c3544a8c8fdc08de503

SHA256
62173a8fadd4bf4dd71ab89ea718754aa31620244372f0c5bbbae102e641a60e

SHA512
7db4b7e0c518a02ae901f4b24e3860122acc67e38e73f98f993fe99eb20bb3aa539db1ed40e63d6021861b54f34a5f5a364907ffd7da182adea68bbdd5c2b535

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17922\_ctypes.pyd

Filesize
120KB

MD5
1635a0c5a72df5ae64072cbb0065aebe

SHA1
c975865208b3369e71e3464bbcc87b65718b2b1f

SHA256
1ea3dd3df393fa9b27bf6595be4ac859064cd8ef9908a12378a6021bba1cb177

SHA512
6e34346ea8a0aacc29ccd480035da66e280830a7f3d220fd2f12d4cfa3e1c03955d58c0b95c2674aea698a36a1b674325d3588483505874c2ce018135320ff99

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17922\_decimal.pyd

Filesize
248KB

MD5
20c77203ddf9ff2ff96d6d11dea2edcf

SHA1
0d660b8d1161e72c993c6e2ab0292a409f6379a5

SHA256
9aac010a424c757c434c460c3c0a6515d7720966ab64bad667539282a17b4133

SHA512
2b24346ece2cbd1e9472a0e70768a8b4a5d2c12b3d83934f22ebdc9392d9023dcb44d2322ada9edbe2eb0e2c01b5742d2a83fa57ca23054080909ec6eb7cf3ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17922\_hashlib.pyd

Filesize
63KB

MD5
d4674750c732f0db4c4dd6a83a9124fe

SHA1
fd8d76817abc847bb8359a7c268acada9d26bfd5

SHA256
caa4d2f8795e9a55e128409cc016e2cc5c694cb026d7058fc561e4dd131ed1c9

SHA512
97d57cfb80dd9dd822f2f30f836e13a52f771ee8485bc0fd29236882970f6bfbdfaac3f2e333bba5c25c20255e8c0f5ad82d8bc8a6b6e2f7a07ea94a9149c81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17922\_lzma.pyd

Filesize
154KB

MD5
7447efd8d71e8a1929be0fac722b42dc

SHA1
6080c1b84c2dcbf03dcc2d95306615ff5fce49a6

SHA256
60793c8592193cfbd00fd3e5263be4315d650ba4f9e4fda9c45a10642fd998be

SHA512
c6295d45ed6c4f7534c1a38d47ddc55fea8b9f62bbdc0743e4d22e8ad0484984f8ab077b73e683d0a92d11bf6588a1ae395456cfa57da94bb2a6c4a1b07984de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17922\_queue.pyd

Filesize
30KB

MD5
d8c1b81bbc125b6ad1f48a172181336e

SHA1
3ff1d8dcec04ce16e97e12263b9233fbf982340c

SHA256
925f05255f4aae0997dc4ec94d900fd15950fd840685d5b8aa755427c7422b14

SHA512
ccc9f0d3aca66729832f26be12f8e7021834bbee1f4a45da9451b1aa5c2e63126c0031d223af57cf71fad2c85860782a56d78d8339b35720194df139076e0772

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17922\_socket.pyd

Filesize
77KB

MD5
819166054fec07efcd1062f13c2147ee

SHA1
93868ebcd6e013fda9cd96d8065a1d70a66a2a26

SHA256
e6deb751039cd5424a139708475ce83f9c042d43e650765a716cb4a924b07e4f

SHA512
da3a440c94cb99b8af7d2bc8f8f0631ae9c112bd04badf200edbf7ea0c48d012843b4a9fb9f1e6d3a9674fd3d4eb6f0fa78fd1121fad1f01f3b981028538b666

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17922\_sqlite3.pyd

Filesize
96KB

MD5
5279d497eee4cf269d7b4059c72b14c2

SHA1
aff2f5de807ae03e599979a1a5c605fc4bad986e

SHA256
b298a44af162be7107fd187f04b63fb3827f1374594e22910ec38829da7a12dc

SHA512
20726fc5b46a6d07a3e58cdf1bed821db57ce2d9f5bee8cfd59fce779c8d5c4b517d3eb70cd2a0505e48e465d628a674d18030a909f5b73188d07cc80dcda925

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17922\_ssl.pyd

Filesize
156KB

MD5
7910fb2af40e81bee211182cffec0a06

SHA1
251482ed44840b3c75426dd8e3280059d2ca06c6

SHA256
d2a7999e234e33828888ad455baa6ab101d90323579abc1095b8c42f0f723b6f

SHA512
bfe6506feb27a592fe9cf1db7d567d0d07f148ef1a2c969f1e4f7f29740c6bb8ccf946131e65fe5aa8ede371686c272b0860bd4c0c223195aaa1a44f59301b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17922\_uuid.pyd

Filesize
24KB

MD5
b68c98113c8e7e83af56ba98ff3ac84a

SHA1
448938564559570b269e05e745d9c52ecda37154

SHA256
990586f2a2ba00d48b59bdd03d3c223b8e9fb7d7fab6d414bac2833eb1241ca2

SHA512
33c69199cba8e58e235b96684346e748a17cc7f03fc068cfa8a7ec7b5f9f6fa90d90b5cdb43285abf8b4108e71098d4e87fb0d06b28e2132357964b3eea3a4f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17922\base_library.zip

Filesize
812KB

MD5
678d03034d0a29770e881bcb5ce31720

SHA1
a55befcf5cd76ceb98719bafc0e3dfb20c0640e3

SHA256
9c0e49af57460f5a550044ff40436615d848616b87cff155fcad0a7d609fd3cb

SHA512
19a6e2dc2df81ffc4f9af19df0a75cf2531ba1002dca00cd1e60bdc58ede08747dafa3778ab78781a88c93a3ece4e5a46c5676250ed624f70d8a38af2c75395f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17922\charset_normalizer\md.cp310-win_amd64.pyd

Filesize
10KB

MD5
f33ca57d413e6b5313272fa54dbc8baa

SHA1
4e0cabe7d38fe8d649a0a497ed18d4d1ca5f4c44

SHA256
9b3d70922dcfaeb02812afa9030a40433b9d2b58bcf088781f9ab68a74d20664

SHA512
f17c06f4202b6edbb66660d68ff938d4f75b411f9fab48636c3575e42abaab6464d66cb57bce7f84e8e2b5755b6ef757a820a50c13dd5f85faa63cd553d3ff32

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17922\charset_normalizer\md__mypyc.cp310-win_amd64.pyd

Filesize
117KB

MD5
494f5b9adc1cfb7fdb919c9b1af346e1

SHA1
4a5fddd47812d19948585390f76d5435c4220e6b

SHA256
ad9bcc0de6815516dfde91bb2e477f8fb5f099d7f5511d0f54b50fa77b721051

SHA512
2c0d68da196075ea30d97b5fd853c673e28949df2b6bf005ae72fd8b60a0c036f18103c5de662cac63baaef740b65b4ed2394fcd2e6da4dfcfbeef5b64dab794

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17922\libcrypto-1_1.dll

Filesize
3.3MB

MD5
9d7a0c99256c50afd5b0560ba2548930

SHA1
76bd9f13597a46f5283aa35c30b53c21976d0824

SHA256
9b7b4a0ad212095a8c2e35c71694d8a1764cd72a829e8e17c8afe3a55f147939

SHA512
cb39aa99b9d98c735fdacf1c5ed68a4d09d11f30262b91f6aa48c3f8520eff95e499400d0ce7e280ca7a90ff6d7141d2d893ef0b33a8803a1cadb28ba9a9e3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17922\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17922\libssl-1_1.dll

Filesize
688KB

MD5
bec0f86f9da765e2a02c9237259a7898

SHA1
3caa604c3fff88e71f489977e4293a488fb5671c

SHA256
d74ce01319ae6f54483a19375524aa39d9f5fd91f06cf7df238ca25e043130fd

SHA512
ffbc4e5ffdb49704e7aa6d74533e5af76bbe5db297713d8e59bd296143fe5f145fbb616b343eed3c48eceaccccc2431630470d8975a4a17c37eafcc12edd19f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17922\psutil\_psutil_windows.pyd

Filesize
76KB

MD5
ebefbc98d468560b222f2d2d30ebb95c

SHA1
ee267e3a6e5bed1a15055451efcccac327d2bc43

SHA256
67c17558b635d6027ddbb781ea4e79fc0618bbec7485bd6d84b0ebcd9ef6a478

SHA512
ab9f949adfe9475b0ba8c37fa14b0705923f79c8a10b81446abc448ad38d5d55516f729b570d641926610c99df834223567c1efde166e6a0f805c9e2a35556e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17922\pyexpat.pyd

Filesize
194KB

MD5
1118c1329f82ce9072d908cbd87e197c

SHA1
c59382178fe695c2c5576dca47c96b6de4bbcffd

SHA256
4a2d59993bce76790c6d923af81bf404f8e2cb73552e320113663b14cf78748c

SHA512
29f1b74e96a95b0b777ef00448da8bd0844e2f1d8248788a284ec868ae098c774a694d234a00bd991b2d22c2372c34f762cdbd9ec523234861e39c0ca752dcaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17922\python3.dll

Filesize
64KB

MD5
fd4a39e7c1f7f07cf635145a2af0dc3a

SHA1
05292ba14acc978bb195818499a294028ab644bd

SHA256
dc909eb798a23ba8ee9f8e3f307d97755bc0d2dc0cb342cedae81fbbad32a8a9

SHA512
37d3218bc767c44e8197555d3fa18d5aad43a536cfe24ac17bf8a3084fb70bd4763ccfd16d2df405538b657f720871e0cd312dfeb7f592f3aac34d9d00d5a643

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17922\python310.dll

Filesize
4.3MB

MD5
63a1fa9259a35eaeac04174cecb90048

SHA1
0dc0c91bcd6f69b80dcdd7e4020365dd7853885a

SHA256
14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed

SHA512
896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17922\pythoncom310.dll

Filesize
653KB

MD5
65dd753f51cd492211986e7b700983ef

SHA1
f5b469ec29a4be76bc479b2219202f7d25a261e2

SHA256
c3b33ba6c4f646151aed4172562309d9f44a83858ddfd84b2d894a8b7da72b1e

SHA512
8bd505e504110e40fa4973feff2fae17edc310a1ce1dc78b6af7972efdd93348087e6f16296bfd57abfdbbe49af769178f063bb0aa1dee661c08659f47a6216d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17922\pywintypes310.dll

Filesize
131KB

MD5
ceb06a956b276cea73098d145fa64712

SHA1
6f0ba21f0325acc7cf6bf9f099d9a86470a786bf

SHA256
c8ec6429d243aef1f78969863be23d59273fa6303760a173ab36ab71d5676005

SHA512
05bab4a293e4c7efa85fa2491c32f299afd46fdb079dcb7ee2cc4c31024e01286daaf4aead5082fc1fd0d4169b2d1be589d1670fcf875b06c6f15f634e0c6f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17922\select.pyd

Filesize
29KB

MD5
a653f35d05d2f6debc5d34daddd3dfa1

SHA1
1a2ceec28ea44388f412420425665c3781af2435

SHA256
db85f2f94d4994283e1055057372594538ae11020389d966e45607413851d9e9

SHA512
5aede99c3be25b1a962261b183ae7a7fb92cb0cb866065dc9cd7bb5ff6f41cc8813d2cc9de54670a27b3ad07a33b833eaa95a5b46dad7763ca97dfa0c1ce54c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17922\sqlite3.dll

Filesize
1.4MB

MD5
914925249a488bd62d16455d156bd30d

SHA1
7e66ba53f3512f81c9014d322fcb7dd895f62c55

SHA256
fbd8832b5bc7e5c9adcf7320c051a67ee1c33fd198105283058533d132785ab4

SHA512
21a468929b15b76b313b32be65cfc50cad8f03c3b2e9bf11ca3b02c88a0482b7bc15646ce40df7fb42fbc96bd12362a54cffe0563c4ddc3fc78622622c699186

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17922\unicodedata.pyd

Filesize
1.1MB

MD5
81d62ad36cbddb4e57a91018f3c0816e

SHA1
fe4a4fc35df240b50db22b35824e4826059a807b

SHA256
1fb2d66c056f69e8bbdd8c6c910e72697874dae680264f8fb4b4df19af98aa2e

SHA512
7d15d741378e671591356dfaad4e1e03d3f5456cbdf87579b61d02a4a52ab9b6ecbffad3274cede8c876ea19eaeb8ba4372ad5986744d430a29f50b9caffb75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17922\win32api.pyd

Filesize
130KB

MD5
00e5da545c6a4979a6577f8f091e85e1

SHA1
a31a2c85e272234584dacf36f405d102d9c43c05

SHA256
ac483d60a565cc9cbf91a6f37ea516b2162a45d255888d50fbbb7e5ff12086ee

SHA512
9e4f834f56007f84e8b4ec1c16fb916e68c3baadab1a3f6b82faf5360c57697dc69be86f3c2ea6e30f95e7c32413babbe5d29422d559c99e6cf4242357a85f31

Download Submit
C:\Users\Admin\Desktop\cards_db

Filesize
100KB

MD5
5900bdbf6d6116e4197377afc5c91252

SHA1
39385952e4310ce1fe639e773b422c25b8e22eb1

SHA256
d20965e1b78a7f3355ebef118c6ab555c1437c7f08cc575b3ef65be05cbb08d8

SHA512
4b5acb368130204639a921bb63072670312875a955c77e02f072989ae657554f6fe3047a86de2815208863e0318a8df515b9405a90eb06091120de490274559e

Download Submit
C:\Users\Admin\Desktop\cards_db

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\Desktop\cookie_db

Filesize
20KB

MD5
072ec63e346e8ed4158aeb87e08cd98e

SHA1
b408cab15d90526a7be587c864e2838024997438

SHA256
cb46646acba692f072817651c0a7ca9f2a68afb9032737b91c9e74278bab691a

SHA512
9fcb379c95cf83be074f6fdbd98a28712fa724be0dd3aae7530e3f93f7f2a098b825985324ebdfd6093a63a9d7c214c7ef0167f71d434b290912e72bce148973

Download Submit
C:\Users\Admin\Desktop\downloads_db

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\Desktop\downloads_db

Filesize
152KB

MD5
73bd1e15afb04648c24593e8ba13e983

SHA1
4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91

SHA256
aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b

SHA512
6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

Download Submit
C:\Users\Admin\Desktop\login_db

Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\Desktop\login_db

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\Desktop\main.exe

Filesize
19.5MB

MD5
d9d8f69e5c86b8d05aa4bdd5b0d3f468

SHA1
5553a5dce8d4d6fa8f54c018e57ef97bd75a4043

SHA256
add7c0120951d2c7b0ccde90ac3590bd1e6749c9fb2f8b1662d4049bbef14880

SHA512
738ffa0ee138433ea3a201f5095167a15b5ef6a592b80b13d9a7c48f12260d3366a8406deaa39af392c1267152f68fa734333870d8aaaacd2b7636b22b61667d

Download Submit
C:\Users\Admin\Desktop\vault\cookies.txt

Filesize
222B

MD5
218bc13481bbd310f428ca0b6a628dac

SHA1
9fe8740e4dbde7b9bf6fc2fe39357166ee557973

SHA256
0a4726e3bae1a9092862524f4c989f715ef0d2ee34a0096083a086338c598b8d

SHA512
6b9a4f0e6af18fd6be8deb1a82f70f9120632e27bf25a2e073a944afa1a9300c960fc2609dd93a1ab5346879c51167d5daeacf627508a5747fea4b19cafbc429

Download Submit
memory/1064-299-0x000001A13B710000-0x000001A13B711000-memory.dmp

Filesize
4KB

Download
memory/1064-296-0x000001A13B710000-0x000001A13B711000-memory.dmp

Filesize
4KB

Download
memory/1064-295-0x000001A13B710000-0x000001A13B711000-memory.dmp

Filesize
4KB

Download
memory/1064-294-0x000001A13B710000-0x000001A13B711000-memory.dmp

Filesize
4KB

Download
memory/1064-297-0x000001A13B710000-0x000001A13B711000-memory.dmp

Filesize
4KB

Download
memory/1064-298-0x000001A13B710000-0x000001A13B711000-memory.dmp

Filesize
4KB

Download
memory/1064-293-0x000001A13B710000-0x000001A13B711000-memory.dmp

Filesize
4KB

Download
memory/1064-287-0x000001A13B710000-0x000001A13B711000-memory.dmp

Filesize
4KB

Download
memory/1064-288-0x000001A13B710000-0x000001A13B711000-memory.dmp

Filesize
4KB

Download
memory/1064-289-0x000001A13B710000-0x000001A13B711000-memory.dmp

Filesize
4KB

Download