stormkitty | 5c8608607a328036d0c4ddde044703033a6b105f62e167fb9abd6739036215c8

Analysis

max time kernel
139s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
28-07-2024 02:55

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

AstrobootStrap_upd.exe
Size

35.2MB
MD5

5abc8be3cb3ad48aebf2a63f05341582
SHA1

47e3f6e271fa04748ee1b83afc7d0a21059f9ae5
SHA256

5c8608607a328036d0c4ddde044703033a6b105f62e167fb9abd6739036215c8
SHA512

c8beeba10268f76fb1bfa7036a3094335eb383bcf81010decc5ad2b1fd99075ad57a44196e544fd2e9e83663dab3fc6f121c15eaecf4f5af8c285397e63bee14
SSDEEP

786432:6A6Vk51XxQgLespvvwY0vFfVtMI9aznj381fvKFf+/CfBGkZOHk+:eV6Kfsp50BzMSazrcfvKh+/CpGsS

Score

10^/10

stormkitty xworm credential_access discovery persistence privilege_escalation pyinstaller ransomware rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

147.185.221.21:27469

Attributes

Install_directory
%AppData%
install_file
astroGG.exe

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/680-790-0x000000001B8B0000-0x000000001B8BE000-memory.dmp	disable_win_def

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00070000000234d5-56.dat	family_xworm
behavioral1/memory/680-61-0x0000000000B00000-0x0000000000B16000-memory.dmp	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/680-521-0x000000001D920000-0x000000001DA40000-memory.dmp	family_stormkitty

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	AstrobootStrap_upd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\astroGG.lnk	astroGG.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\astroGG.lnk	astroGG.exe

Executes dropped EXE 3 IoCs

pid	Process
3736	AstroBootStrapper.exe
680	astroGG.exe
6116	AstroBootStrapper.exe

Loads dropped DLL 28 IoCs

pid	Process
6116	AstroBootStrapper.exe
6116	AstroBootStrapper.exe
6116	AstroBootStrapper.exe
6116	AstroBootStrapper.exe
6116	AstroBootStrapper.exe
6116	AstroBootStrapper.exe
6116	AstroBootStrapper.exe
6116	AstroBootStrapper.exe
6116	AstroBootStrapper.exe
6116	AstroBootStrapper.exe
6116	AstroBootStrapper.exe
6116	AstroBootStrapper.exe
6116	AstroBootStrapper.exe
6116	AstroBootStrapper.exe
6116	AstroBootStrapper.exe
6116	AstroBootStrapper.exe
6116	AstroBootStrapper.exe
6116	AstroBootStrapper.exe
6116	AstroBootStrapper.exe
6116	AstroBootStrapper.exe
6116	AstroBootStrapper.exe
6116	AstroBootStrapper.exe
6116	AstroBootStrapper.exe
6116	AstroBootStrapper.exe
6116	AstroBootStrapper.exe
6116	AstroBootStrapper.exe
6116	AstroBootStrapper.exe
6116	AstroBootStrapper.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\astroGG = "C:\\Users\\Admin\\AppData\\Roaming\\astroGG.exe"	astroGG.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	astroGG.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000400000001e552-38.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 3 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1592	netsh.exe
2740	netsh.exe
5064	netsh.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133666089999297174"	chrome.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
6116	AstroBootStrapper.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4656	msedge.exe
4656	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
2076	chrome.exe
2076	chrome.exe
1568	msedge.exe
1568	msedge.exe
3984	msedge.exe
3984	msedge.exe
4532	identity_helper.exe
4532	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
6116	AstroBootStrapper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeDebugPrivilege	680	astroGG.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeDebugPrivilege	680	astroGG.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	680	astroGG.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
6116	AstroBootStrapper.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 4896	4968	msedge.exe	87
PID 4968 wrote to memory of 4896	4968	msedge.exe	87
PID 4968 wrote to memory of 5020	4968	msedge.exe	90
PID 4968 wrote to memory of 5020	4968	msedge.exe	90
PID 4968 wrote to memory of 5020	4968	msedge.exe	90
PID 4968 wrote to memory of 5020	4968	msedge.exe	90
PID 4968 wrote to memory of 5020	4968	msedge.exe	90
PID 4968 wrote to memory of 5020	4968	msedge.exe	90
PID 4968 wrote to memory of 5020	4968	msedge.exe	90
PID 4968 wrote to memory of 5020	4968	msedge.exe	90
PID 4968 wrote to memory of 5020	4968	msedge.exe	90
PID 4968 wrote to memory of 5020	4968	msedge.exe	90
PID 4968 wrote to memory of 5020	4968	msedge.exe	90
PID 4968 wrote to memory of 5020	4968	msedge.exe	90
PID 4968 wrote to memory of 5020	4968	msedge.exe	90
PID 4968 wrote to memory of 5020	4968	msedge.exe	90
PID 4968 wrote to memory of 5020	4968	msedge.exe	90
PID 4968 wrote to memory of 5020	4968	msedge.exe	90
PID 4968 wrote to memory of 5020	4968	msedge.exe	90
PID 4968 wrote to memory of 5020	4968	msedge.exe	90
PID 4968 wrote to memory of 5020	4968	msedge.exe	90
PID 4968 wrote to memory of 5020	4968	msedge.exe	90
PID 4968 wrote to memory of 5020	4968	msedge.exe	90
PID 4968 wrote to memory of 5020	4968	msedge.exe	90
PID 4968 wrote to memory of 5020	4968	msedge.exe	90
PID 4968 wrote to memory of 5020	4968	msedge.exe	90
PID 4968 wrote to memory of 5020	4968	msedge.exe	90
PID 4968 wrote to memory of 5020	4968	msedge.exe	90
PID 4968 wrote to memory of 5020	4968	msedge.exe	90
PID 4968 wrote to memory of 5020	4968	msedge.exe	90
PID 4968 wrote to memory of 5020	4968	msedge.exe	90
PID 4968 wrote to memory of 5020	4968	msedge.exe	90
PID 4968 wrote to memory of 5020	4968	msedge.exe	90
PID 4968 wrote to memory of 5020	4968	msedge.exe	90
PID 4968 wrote to memory of 5020	4968	msedge.exe	90
PID 4968 wrote to memory of 5020	4968	msedge.exe	90
PID 4968 wrote to memory of 5020	4968	msedge.exe	90
PID 4968 wrote to memory of 5020	4968	msedge.exe	90
PID 4968 wrote to memory of 5020	4968	msedge.exe	90
PID 4968 wrote to memory of 5020	4968	msedge.exe	90
PID 4968 wrote to memory of 5020	4968	msedge.exe	90
PID 4968 wrote to memory of 5020	4968	msedge.exe	90
PID 4968 wrote to memory of 4656	4968	msedge.exe	92
PID 4968 wrote to memory of 4656	4968	msedge.exe	92
PID 4968 wrote to memory of 4868	4968	msedge.exe	94
PID 4968 wrote to memory of 4868	4968	msedge.exe	94
PID 4968 wrote to memory of 4868	4968	msedge.exe	94
PID 4968 wrote to memory of 4868	4968	msedge.exe	94
PID 4968 wrote to memory of 4868	4968	msedge.exe	94
PID 4968 wrote to memory of 4868	4968	msedge.exe	94
PID 4968 wrote to memory of 4868	4968	msedge.exe	94
PID 4968 wrote to memory of 4868	4968	msedge.exe	94
PID 4968 wrote to memory of 4868	4968	msedge.exe	94
PID 4968 wrote to memory of 4868	4968	msedge.exe	94
PID 4968 wrote to memory of 4868	4968	msedge.exe	94
PID 4968 wrote to memory of 4868	4968	msedge.exe	94
PID 4968 wrote to memory of 4868	4968	msedge.exe	94
PID 4968 wrote to memory of 4868	4968	msedge.exe	94
PID 4968 wrote to memory of 4868	4968	msedge.exe	94
PID 4968 wrote to memory of 4868	4968	msedge.exe	94
PID 4968 wrote to memory of 4868	4968	msedge.exe	94
PID 4968 wrote to memory of 4868	4968	msedge.exe	94
PID 4968 wrote to memory of 4868	4968	msedge.exe	94
PID 4968 wrote to memory of 4868	4968	msedge.exe	94

C:\Users\Admin\AppData\Local\Temp\AstrobootStrap_upd.exe
"C:\Users\Admin\AppData\Local\Temp\AstrobootStrap_upd.exe"
1⤵
- Checks computer location settings
PID:1040
- C:\Users\Admin\AppData\Local\Temp\AstroBootStrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\AstroBootStrapper.exe"
  2⤵
  - Executes dropped EXE
  PID:3736
- - C:\Users\Admin\AppData\Local\Temp\AstroBootStrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\AstroBootStrapper.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:6116
- C:\Users\Admin\AppData\Local\Temp\astroGG.exe
  "C:\Users\Admin\AppData\Local\Temp\astroGG.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - Suspicious use of AdjustPrivilegeToken
  PID:680
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd"
    3⤵
    PID:5808
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1592
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd"
    3⤵
    PID:5812
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2740
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd"
    3⤵
    PID:228
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:5064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    PID:3984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb5e746f8,0x7ffcb5e74708,0x7ffcb5e74718
      4⤵
      PID:1712
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2240,10236187533416073457,7835724309825551832,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2260 /prefetch:2
      4⤵
      PID:3252
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2240,10236187533416073457,7835724309825551832,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2240,10236187533416073457,7835724309825551832,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2960 /prefetch:8
      4⤵
      PID:4912
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,10236187533416073457,7835724309825551832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
      4⤵
      PID:4380
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,10236187533416073457,7835724309825551832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
      4⤵
      PID:3824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,10236187533416073457,7835724309825551832,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 /prefetch:8
      4⤵
      PID:1592
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,10236187533416073457,7835724309825551832,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4532
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,10236187533416073457,7835724309825551832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
      4⤵
      PID:5056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,10236187533416073457,7835724309825551832,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
      4⤵
      PID:5132
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,10236187533416073457,7835724309825551832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
      4⤵
      PID:5208
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,10236187533416073457,7835724309825551832,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
      4⤵
      PID:5344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x12c,0x130,0x134,0x108,0x138,0x7ffcb5e746f8,0x7ffcb5e74708,0x7ffcb5e74718
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,3924224195096866629,6076840379313205808,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1976 /prefetch:2
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,3924224195096866629,6076840379313205808,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2012,3924224195096866629,6076840379313205808,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,3924224195096866629,6076840379313205808,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:2532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,3924224195096866629,6076840379313205808,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:3248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,3924224195096866629,6076840379313205808,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
  2⤵
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,3924224195096866629,6076840379313205808,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
  2⤵
  PID:4860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffcb38ccc40,0x7ffcb38ccc4c,0x7ffcb38ccc58
  2⤵
  PID:4704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffcb38ccc40,0x7ffcb38ccc4c,0x7ffcb38ccc58
  2⤵
  PID:852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,15217627720722101832,6309406612130304882,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1968,i,15217627720722101832,6309406612130304882,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2460 /prefetch:3
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2128,i,15217627720722101832,6309406612130304882,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2636 /prefetch:8
  2⤵
  PID:2724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,15217627720722101832,6309406612130304882,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3124 /prefetch:1
  2⤵
  PID:4016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,15217627720722101832,6309406612130304882,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:2408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4348,i,15217627720722101832,6309406612130304882,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4588 /prefetch:1
  2⤵
  PID:5296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4720,i,15217627720722101832,6309406612130304882,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  PID:5540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4944,i,15217627720722101832,6309406612130304882,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4956 /prefetch:8
  2⤵
  PID:5304

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:564

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:5304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5896

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
cba8083e368c6abfd8fb447ea309c784

SHA1
4142b7c5b5467929ff1c1058aafcc329e5c5f563

SHA256
e5066d392268865b378cd234117192541397744db4ac1b8652b1435065e330e2

SHA512
9aa90dbd7dd9fe8188aa21a971ed154221b956f55cfe739bda17760896cef212fc055c766bd7ade8fb3455e7823cdedb6a9def3b131687fe48ee4bd1d567a5ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
2904c0954d89eab25333ede7696d55c0

SHA1
fac436fa6b69b90bddaa9b6bb0fd262029964442

SHA256
0c7c2bbfbd39db1fa876b1f1e9de7139a7a311cfecb32d3fa2376176a60584b8

SHA512
345555ea6555dcf60a0c7b6568ba3e88658b23ef45c66139fcbdf1de752c69446c041cab324ff75fe8f8e96cb4f5def08efa05caa7ad1a9f5231fbf2f6f19335

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
1e7041c6c7993b8a3abad8dfb3a9d990

SHA1
43b1e2abd003a26a6c5513f3a6c2d4b458a59ae6

SHA256
9d562bf782a78567fcc2be55e1deff6ee97b437b3b6860271a82c698f72734ae

SHA512
f14f9a0168403f874489a35f45b6da9d88efb9d37d9fb2886d0214b8d4a25e3ee7a624021ea7a44917b086175a4a56ad20ebab72ef284ddecf4c26d635eadf37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
46ab174865e982bdac0fb9c6d0f4013e

SHA1
b008e8faf633a5a67fa09b529e7dc5ce7802131c

SHA256
53498820e40b265224f910ecc47a5bc825b144b7da6298c3b073d4a6332faa0d

SHA512
392fbe5e54af764abbe118478315181dd4a711d435d778b68328da366f65f67599a573c06c0c902223cd02323fdd92733dd8cc21893ab85240b07beae96e87d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
65e729e42d9a720df5c665a372f7c0c6

SHA1
33a2a1efda978becc250115396322a1bfe2771fa

SHA256
9f7463ec52c7afe2161b4c6a36c6a4424695937653f6a1feda19c5fede474251

SHA512
04b000e7c67baa33da720aa1d0b9da0080e7a27346a3eaafe9c770840e8053404fca68586b49eb265b8475b4c7a666fdf0ebbb5659677bb7e81deaaa931efabc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
655efab9ca792fe6115a4d19b09e0f0c

SHA1
dce98b0f7a4a07e488fa0d605ee3274249eb4f8f

SHA256
e690f0d90c776d16b7897eda7fe829dcbc5595ae30aaa73fb200799d93bc18f6

SHA512
98d12f964025119fff19e4019fd21c3d0592035774674f4c992e36bbc392c2e74f679d7699db102a14437808e200166c1c15de71f5650ec21d8aa2c7fba2d1e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
ddd7ff843b1735a684bb5c382fc0dafd

SHA1
ae799ca13bf7966b597883964e40add51cf2472a

SHA256
482a1cf7470423ab08f228bab7002dd58725b70d5b08c0a810845dee09810e1b

SHA512
3c7a44e026eb46b8f70fe67da58655f1d42f25ec3e74e8fe33ea408ab541233e4a0abb4f2d6222b15fbc4ea719fa46a2cd9ec34a9fbe87a77129d642507139c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1021e89b90e33eb70b0d37936e59d86d

SHA1
7dbd4052ef6819c920a6c904cffb6e323befab1e

SHA256
76a420edf4f2a42e509613adf695e7373e11218d4d714441562ec59e2b33bd21

SHA512
9abe23273514ed6568a862cab0405a74e4334969ad3a61c4771d928d607973b097f71857b5a4b2edde6ff2e7db36a3aa0b1f1c3344f28feb39fe97671e5ad448

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
b0b281c7954f274aca2b7ccee1e653d3

SHA1
616295f6dbea5b3f619dc93eb4a3a64b17362bbd

SHA256
d271541de4babb7ed8b0b8698d459d376949e9cc72cd3b34516634676949005c

SHA512
f60b6ba9f7669671ad5a69cf9aa672796cee15a00ab95277cf084437d6b3a57c6c8aa3521155d235bce6e4285b16415412aa47684ca16673302aa8288b57a80d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
6770050cfe0d9f647c8bfe8fd929b319

SHA1
9ab54ce2e2145a24c6bd337b9891b30b959184e4

SHA256
262779597dec18bc6cc4cd768624318d30817bbd601ec4e0e2f11c380e1abdc8

SHA512
6309f77b396619fe9350a5c9c095d0416e95bd03f5a0debea69b2609b9a2dc3fcaefe7e73de2837225bd3e891f3df5be7c62122dfe3fc54a55a85ef4659d3df2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
e3a948ee10ae6863014f4bdc3f2f78b5

SHA1
ffbb863459987e156c8793748be81dbd0ec7c762

SHA256
e5364bf680d3d595f36644fafa2feee5c75f8a7cdd44e2262e5e9deee1751c50

SHA512
d09ef5218936eade17c00f3d57a3695dd2ab960dc554f1d28f0a8deb9d95c31b344b739f31d4735dcce1e2ec55f56fd4dc704205942a4d328861a13b1f28fc33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
189KB

MD5
6ae314fda175a5fe1d3c68c2cf08fcf0

SHA1
ce69f1d9de594c917a3d647047260134d19c82a1

SHA256
a68d1a74565807c49d153ee7c8884dcad3f41fc493c643f98dd6eb49f1c89988

SHA512
f371409dcd8dd5fafa5e416647b7a2bd2b44bb3237ce3912e154230ebfeea7c4dbf991e5b5c4c8de0ed2629e65ec6b02223a00c77f94b3656b2587a3a2b92dc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
189KB

MD5
bf19c9dc1d68600912d74829d3edf62a

SHA1
a6abc78fbf22669385c78520011ba68928d8e0ab

SHA256
b9816ff8b669ef322c7091e44bb6d0114a273e1cd9f36bf29ad8da0b492cae20

SHA512
645972394cd7e35621735484033ceeab4e3b7932c86b941b992e36102eb963380b01eaf34a0ffeccdaf88f73425900bedbde4cc29b3c0a030ca221929899e1cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d406f3135e11b0a0829109c1090a41dc

SHA1
810f00e803c17274f9af074fc6c47849ad6e873e

SHA256
91f57909a10174b06c862089a9c1f3b3aeafea74a70ee1942ce11bb80d9eace4

SHA512
2b9f0f94b1e8a1b62ab38af8df2add0ec9e4c6dfa94d9c84cc24fe86d2d57d4fc0d9ec8a9775cf42a859ddfd130260128185a0e2588992bca8fd4ebf5ee6d409

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7f37f119665df6beaa925337bbff0e84

SHA1
c2601d11f8aa77e12ab3508479cbf20c27cbd865

SHA256
1073dbff3ec315ac85361c35c8ba791cc4198149b097c7b287dda1d791925027

SHA512
8e180e41dd27c51e81788564b19b8ff411028890da506fbf767d394b1e73ec53e046c8d07235b2ec7c1c593c976bbf74ed9b7d442d68b526a0a77a9b5b0ab817

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8a7ea577991501d285cb8d494e812e10

SHA1
e144f18a687c7c0f141ce81389f696ce339e739d

SHA256
2ff2645a41e9a2ae622b3ac3dd8a6749908e39a793e170054cab4649d4e678f1

SHA512
771f4afd1f75b736dda7bd8ed72ab290bd2068c93fcd9b25ac24ed97bbe4622eea8840358efa54ffb4fae9ac3ceead3ab11e0880e21fddaea7a90ce5162c0ac0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
389531204133ca1c7eb1e3442f360c6a

SHA1
be2ab5dec118748772ac9a669a503d9775b7b771

SHA256
77c497993bcd358c7e6a3514b6742b87dd681b8ea06266bd531532da4be8911b

SHA512
f37e312baacd409af9926c69500af97b2292270991fcd62d0e8221cd256200df1c02bac92616a1f1fb75ccb51768d83da7c35d7510929be8397bce7fa6ce6217

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
7ea9e8c6253d6c65f82dad8fcfbaa614

SHA1
9b37e5b34dcd8fe9e64fc16032d73cb226929fd3

SHA256
9735c8b2291b902eaca6271cbbbf8d12ab46944a3908b1d7ecaa1c825da617f6

SHA512
1b914a30b0cd65102f462fdf3176a5e29fc485a6e75b06115743305ba7f557f2e71affeeb8c41f01f2fd11ac3f76754039bf8f15a5403bee70a52dea0b9824e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ea695c7efaff0449f15015412e0bea97

SHA1
c6fc0c69ce8404bafdcf4d890a31dec8e053cc6e

SHA256
cefecae2a3471ae43b5be697782bad6e3d0b5e3db20f233578cacf287ade2d33

SHA512
49ef93ece608982bf8203409371f333b2093a45e1e445df72dbddd2618b1c7ad6dcef6327b2b48166794871b4c845a97d3249b08250bdc4731debdf069499351

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3d7fa5bccbd014a2d4a9c6d563f41b60

SHA1
b1d3245000655fb1b00253cd7e95e1c6faf70370

SHA256
cfb2e7b7fcc956e4bd108177d931f28b60944c1359551e3ce02df48df3e64d5d

SHA512
6419ee40edbf51687a8d4fd565f83fe2d938d030a8a79240ed4333fb8d01ca80c98e2a7cf00775e87941a1c4312032bf8fae1168a2099a4bfa4499c6340d70e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f11b07503b669a0224b5a89b70c16d98

SHA1
1e49629f6a83c143999cdb4f031782dba3893277

SHA256
a5cdf8be121909c8e35c641dfd79805a95798d8af81cc98981e612fdea4b33f7

SHA512
7dc25b592685361603ecada0fd201336d3e3d5ee3c058c1ac20f18f3442cc591749e3930240c49de7f63ff3eacc527e5cbd3e530524858c5490b9b4bafdeb330

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3a7ef37a17e4a7ffd98a77d71dfbc088

SHA1
e45adebb427e69c27a97cd7df7cbc635f5f263c1

SHA256
03248b6b3896d8e868a036f440c3f9a4562ba4dc108b47c9004e507e7f1289d3

SHA512
c1e9f024a815240cbd83ffb84a0c493ad07f421fadee17a83d7e5b0efe92f9a842f5871938ede08662306d880550b01980df6e378a4d62a8194f593240ffecfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2cde949562b37b6f618821b978885dc7

SHA1
1cfe3a0de27f93b62ea307e5dd7600d98c833834

SHA256
d9062aa351652e6e8bb4fb8d7f2709dab7b3191add7a6d0860dfc88ba2cdf647

SHA512
98f10f38fc239303815a8d0a1190d0df4acafbdea25798e0afde292726592d67ed2dd4b3f3838c6ce9c27e565c195499c21dca39fab0de54a5d4d882327c747f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ed68bc78-f485-4b08-ac18-dbbbad26e1ef.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a4149c2744d071765873561850fb2529

SHA1
30b9d35a4bad23e5c0fcd0004b3a96f6bef5d0f3

SHA256
3fc3947812e751b6db7d504575472aa2a0a38eb5514e0e25726cb0ff095da5f2

SHA512
304bf4c2cf22f366c13a9ab568e563be042abc2a97f662758490622243672145b05dd5f3c032de657fd1e1bb491876d9ebed3f214e6be46f769a349ad565c7a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
490f864c77b47f82409a6a8cb3f75a4d

SHA1
e03821a7459fd8ef263b913744b54f39b9009bab

SHA256
ea445755fc6ca68bab39f0f1b4a4091428d15b71e59d1b36789245a98e0cfd8b

SHA512
bba55922277c58ae5267e45beeea5d0b53f6083e78b1c9dacb4322f191c9202ebdf04fd37fafc8e26a15cc1438a8642551777069daf3ae01ea7f94ab075e5cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b86a5e458ed48b6a577aad105826b572

SHA1
f34f3b1275e06849efce1ba6b924abb91087c077

SHA256
344d83966487960569bc064aac99b96beff033670d6253e66e5debd6222f4c8d

SHA512
ee7e1dc1d90e22a9708548729fd7ecfc70879b5c2234a22018962ccb2642735b9e7884cd3ca2d9d0b34d473b7195604317b2dbd572afcabbd687ac12d36734a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AstroBootStrapper.exe

Filesize
35.4MB

MD5
a6b9aa5664f3c5a950dea794efa126cb

SHA1
b6e3edb436fbc405f78fc2e7e67c03dac5b48a34

SHA256
a37a2a94b99d2b16edf07ba60e096d3d7ced427aa9334e92c6c97bb479e7f0e6

SHA512
ca3fd8685558446fecab4caf64cbc3f9ca00ce46bfb025ecf5ad27093dfa03568f45d18193197244a6a93c41215a70a2ee334097fc315a8aba5badfaef7b0c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\PyQt5\Qt5\bin\MSVCP140.dll

Filesize
576KB

MD5
01b946a2edc5cc166de018dbb754b69c

SHA1
dbe09b7b9ab2d1a61ef63395111d2eb9b04f0a46

SHA256
88f55d86b50b0a7e55e71ad2d8f7552146ba26e927230daf2e26ad3a971973c5

SHA512
65dc3f32faf30e62dfdecb72775df870af4c3a32a0bf576ed1aaae4b16ac6897b62b19e01dc2bf46f46fbe3f475c061f79cbe987eda583fee1817070779860e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\PyQt5\Qt5\bin\MSVCP140_1.dll

Filesize
30KB

MD5
0fe6d52eb94c848fe258dc0ec9ff4c11

SHA1
95cc74c64ab80785f3893d61a73b8a958d24da29

SHA256
446c48c1224c289bd3080087fe15d6759416d64f4136addf30086abd5415d83f

SHA512
c39a134210e314627b0f2072f4ffc9b2ce060d44d3365d11d8c1fe908b3b9403ebdd6f33e67d556bd052338d0ed3d5f16b54d628e8290fd3a155f55d36019a86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\PyQt5\Qt5\bin\Qt5Core.dll

Filesize
5.7MB

MD5
817520432a42efa345b2d97f5c24510e

SHA1
fea7b9c61569d7e76af5effd726b7ff6147961e5

SHA256
8d2ff4ce9096ddccc4f4cd62c2e41fc854cfd1b0d6e8d296645a7f5fd4ae565a

SHA512
8673b26ec5421fce8e23adf720de5690673bb4ce6116cb44ebcc61bbbef12c0ad286dfd675edbed5d8d000efd7609c81aae4533180cf4ec9cd5316e7028f7441

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\PyQt5\Qt5\bin\Qt5Gui.dll

Filesize
6.7MB

MD5
47307a1e2e9987ab422f09771d590ff1

SHA1
0dfc3a947e56c749a75f921f4a850a3dcbf04248

SHA256
5e7d2d41b8b92a880e83b8cc0ca173f5da61218604186196787ee1600956be1e

SHA512
21b1c133334c7ca7bbbe4f00a689c580ff80005749da1aa453cceb293f1ad99f459ca954f54e93b249d406aea038ad3d44d667899b73014f884afdbd9c461c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\PyQt5\Qt5\bin\Qt5Widgets.dll

Filesize
5.2MB

MD5
4cd1f8fdcd617932db131c3688845ea8

SHA1
b090ed884b07d2d98747141aefd25590b8b254f9

SHA256
3788c669d4b645e5a576de9fc77fca776bf516d43c89143dc2ca28291ba14358

SHA512
7d47d2661bf8fac937f0d168036652b7cfe0d749b571d9773a5446c512c58ee6bb081fec817181a90f4543ebc2367c7f8881ff7f80908aa48a7f6bb261f1d199

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\PyQt5\Qt5\bin\VCRUNTIME140_1.dll

Filesize
43KB

MD5
6bc084255a5e9eb8df2bcd75b4cd0777

SHA1
cf071ad4e512cd934028f005cabe06384a3954b6

SHA256
1f0f5f2ce671e0f68cf96176721df0e5e6f527c8ca9cfa98aa875b5a3816d460

SHA512
b822538494d13bda947655af791fed4daa811f20c4b63a45246c8f3befa3ec37ff1aa79246c89174fe35d76ffb636fa228afa4bda0bd6d2c41d01228b151fd89

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\PyQt5\Qt5\plugins\platforms\qminimal.dll

Filesize
824KB

MD5
2f6d88f8ec3047deaf174002228219ab

SHA1
eb7242bb0fe74ea78a17d39c76310a7cdd1603a8

SHA256
05d1e7364dd2a672df3ca44dd6fd85bed3d3dc239dcfe29bfb464f10b4daa628

SHA512
0a895ba11c81af14b5bd1a04a450d6dcca531063307c9ef076e9c47bd15f4438837c5d425caee2150f3259691f971d6ee61154748d06d29e4e77da3110053b54

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\PyQt5\Qt5\plugins\platforms\qoffscreen.dll

Filesize
736KB

MD5
6407499918557594916c6ab1ffef1e99

SHA1
5a57c6b3ffd51fc5688d5a28436ad2c2e70d3976

SHA256
54097626faae718a4bc8e436c85b4ded8f8fb7051b2b9563a29aee4ed5c32b7b

SHA512
8e8abb563a508e7e75241b9720a0e7ae9c1a59dd23788c74e4ed32a028721f56546792d6cca326f3d6aa0a62fdedc63bf41b8b74187215cd3b26439f40233f4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\PyQt5\Qt5\plugins\platforms\qwebgl.dll

Filesize
470KB

MD5
1edcb08c16d30516483a4cbb7d81e062

SHA1
4760915f1b90194760100304b8469a3b2e97e2bc

SHA256
9c3b2fa2383eeed92bb5810bdcf893ae30fa654a30b453ab2e49a95e1ccf1631

SHA512
0a923495210b2dc6eb1acedaf76d57b07d72d56108fd718bd0368d2c2e78ae7ac848b90d90c8393320a3d800a38e87796965afd84da8c1df6c6b244d533f0f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\PyQt5\Qt5\plugins\platforms\qwindows.dll

Filesize
1.4MB

MD5
4931fcd0e86c4d4f83128dc74e01eaad

SHA1
ac1d0242d36896d4dda53b95812f11692e87d8df

SHA256
3333ba244c97264e3bd19db5953efa80a6e47aaced9d337ac3287ec718162b85

SHA512
0396bccda43856950afe4e7b16e0f95d4d48b87473dc90cf029e6ddfd0777e1192c307cfe424eae6fb61c1b479f0ba1ef1e4269a69c843311a37252cf817d84d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\PyQt5\Qt5\plugins\platformthemes\qxdgdesktopportal.dll

Filesize
66KB

MD5
f66f6e9eda956f72e3bb113407035e61

SHA1
97328524da8e82f5f92878f1c0421b38ecec1e6c

SHA256
e23fbc1bec6ceedfa9fd305606a460d9cac5d43a66d19c0de36e27632fddd952

SHA512
7ff76e83c8d82016ab6bd349f10405f30deebe97e8347c6762eb71a40009f9a2978a0d8d0c054cf7a3d2d377563f6a21b97ddefd50a9ac932d43cc124d7c4918

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\PyQt5\Qt5\plugins\styles\qwindowsvistastyle.dll

Filesize
140KB

MD5
53a85f51054b7d58d8ad7c36975acb96

SHA1
893a757ca01472a96fb913d436aa9f8cfb2a297f

SHA256
d9b21182952682fe7ba63af1df24e23ace592c35b3f31eceef9f0eabeb5881b9

SHA512
35957964213b41f1f21b860b03458404fbf11daf03d102fbea8c2b2f249050cefbb348edc3f22d8ecc3cb8abfdc44215c2dc9da029b4f93a7f40197bd0c16960

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\PyQt5\QtCore.pyd

Filesize
2.4MB

MD5
678fa1496ffdea3a530fa146dedcdbcc

SHA1
c80d8f1de8ae06ecf5750c83d879d2dcc2d6a4f8

SHA256
d6e45fd8c3b3f93f52c4d1b6f9e3ee220454a73f80f65f3d70504bd55415ea37

SHA512
8d9e3fa49fb42f844d8df241786ea9c0f55e546d373ff07e8c89aac4f3027c62ec1bd0c9c639afeabc034cc39e424b21da55a1609c9f95397a66d5f0d834e88e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\PyQt5\QtGui.pyd

Filesize
2.4MB

MD5
ae182c36f5839baddc9dcb71192cfa7a

SHA1
c9fa448981ba61343c7d7decacae300cad416957

SHA256
a9408e3b15ff3030f0e9acb3429000d253d3bb7206f750091a7130325f6d0d72

SHA512
8950244d828c5ede5c3934cfe2ee229be19cc00fbf0c4a7ccebec19e8641345ef5fd028511c5428e1e21ce5491a3f74fb0175b03da17588daef918e3f66b206a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\PyQt5\QtWidgets.pyd

Filesize
4.9MB

MD5
e8c3bfbc19378e541f5f569e2023b7aa

SHA1
aca007030c1cee45cbc692adcb8bcb29665792ba

SHA256
a1e97a2ab434c6ae5e56491c60172e59cdcce42960734e8bdf5d851b79361071

SHA512
9134c2ead00c2d19dec499e60f91e978858766744965ead655d2349ff92834ab267ac8026038e576a7e207d3bbd4a87cd5f2e2846a703c7f481a406130530eb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\PyQt5\sip.cp312-win_amd64.pyd

Filesize
117KB

MD5
f57134d35976c48ffb955df1739af5d4

SHA1
c1b3a81352e462d4ecc33ee5119b882d657bed2f

SHA256
9e91b237e2aa69c0c7e268f072999bb0319b04513c9fc97ab7c4371e642375d2

SHA512
db385592876f489460023f2d02fc80635fe4f9746ecd99c8c7622399a34ea43ef631d3668429ad4e8f69552a5c386bbf12f3805a9101f7eb70337ce23e65c80b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\VCRUNTIME140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\_bz2.pyd

Filesize
83KB

MD5
223fd6748cae86e8c2d5618085c768ac

SHA1
dcb589f2265728fe97156814cbe6ff3303cd05d3

SHA256
f81dc49eac5ecc528e628175add2ff6bda695a93ea76671d7187155aa6326abb

SHA512
9c22c178417b82e68f71e5b7fe7c0c0a77184ee12bd0dc049373eace7fa66c89458164d124a9167ae760ff9d384b78ca91001e5c151a51ad80c824066b8ecce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\_decimal.pyd

Filesize
245KB

MD5
3055edf761508190b576e9bf904003aa

SHA1
f0dc8d882b5cd7955cc6dfc8f9834f70a83c7890

SHA256
e4104e47399d3f635a14d649f61250e9fd37f7e65c81ffe11f099923f8532577

SHA512
87538fe20bd2c1150a8fefd0478ffd32e2a9c59d22290464bf5dfb917f6ac7ec874f8b1c70d643a4dc3dd32cbe17e7ea40c0be3ea9dd07039d94ab316f752248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\_hashlib.pyd

Filesize
64KB

MD5
eedb6d834d96a3dffffb1f65b5f7e5be

SHA1
ed6735cfdd0d1ec21c7568a9923eb377e54b308d

SHA256
79c4cde23397b9a35b54a3c2298b3c7a844454f4387cb0693f15e4facd227dd2

SHA512
527bd7bb2f4031416762595f4ce24cbc6254a50eaf2cc160b930950c4f2b3f5e245a486972148c535f8cd80c78ec6fa8c9a062085d60db8f23d4b21e8ae4c0ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\_lzma.pyd

Filesize
156KB

MD5
05e8b2c429aff98b3ae6adc842fb56a3

SHA1
834ddbced68db4fe17c283ab63b2faa2e4163824

SHA256
a6e2a5bb7a33ad9054f178786a031a46ea560faeef1fb96259331500aae9154c

SHA512
badeb99795b89bc7c1f0c36becc7a0b2ce99ecfd6f6bb493bda24b8e57e6712e23f4c509c96a28bc05200910beddc9f1536416bbc922331cae698e813cbb50b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\_socket.pyd

Filesize
81KB

MD5
dc06f8d5508be059eae9e29d5ba7e9ec

SHA1
d666c88979075d3b0c6fd3be7c595e83e0cb4e82

SHA256
7daff6aa3851a913ed97995702a5dfb8a27cb7cf00fb496597be777228d7564a

SHA512
57eb36bc1e9be20c85c34b0a535b2349cb13405d60e752016e23603c4648939f1150e4dbebc01ec7b43eb1a6947c182ccb8a806e7e72167ad2e9d98d1fd94ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\base_library.zip

Filesize
1.3MB

MD5
08332a62eb782d03b959ba64013ac5bc

SHA1
b70b6ae91f1bded398ca3f62e883ae75e9966041

SHA256
8584f0eb44456a275e3bc69626e3acad595546fd78de21a946b2eb7d6ba02288

SHA512
a58e4a096d3ce738f6f93477c9a73ddbfcb4b82d212c0a19c0cf9e07f1e62b2f477a5dd468cd31cc5a13a73b93fa17f64d6b516afef2c56d38ede1ace35cf087

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\libcrypto-3.dll

Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\python3.dll

Filesize
66KB

MD5
79b02450d6ca4852165036c8d4eaed1f

SHA1
ce9ff1b302426d4c94a2d3ea81531d3cb9e583e4

SHA256
d2e348e615a5d3b08b0bac29b91f79b32f0c1d0be48976450042462466b51123

SHA512
47044d18db3a4dd58a93b43034f4fafa66821d157dcfefb85fca2122795f4591dc69a82eb2e0ebd9183075184368850e4caf9c9fea0cfe6f766c73a60ffdf416

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\python312.dll

Filesize
6.6MB

MD5
3c388ce47c0d9117d2a50b3fa5ac981d

SHA1
038484ff7460d03d1d36c23f0de4874cbaea2c48

SHA256
c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb

SHA512
e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\select.pyd

Filesize
29KB

MD5
92b440ca45447ec33e884752e4c65b07

SHA1
5477e21bb511cc33c988140521a4f8c11a427bcc

SHA256
680df34fb908c49410ac5f68a8c05d92858acd111e62d1194d15bdce520bd6c3

SHA512
40e60e1d1445592c5e8eb352a4052db28b1739a29e16b884b0ba15917b058e66196988214ce473ba158704837b101a13195d5e48cb1dc2f07262dfecfe8d8191

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\unicodedata.pyd

Filesize
1.1MB

MD5
16be9a6f941f1a2cb6b5fca766309b2c

SHA1
17b23ae0e6a11d5b8159c748073e36a936f3316a

SHA256
10ffd5207eeff5a836b330b237d766365d746c30e01abf0fd01f78548d1f1b04

SHA512
64b7ecc58ae7cf128f03a0d5d5428aaa0d4ad4ae7e7d19be0ea819bbbf99503836bfe4946df8ee3ab8a92331fdd002ab9a9de5146af3e86fef789ce46810796b

Download Submit
C:\Users\Admin\AppData\Local\Temp\astroGG.exe

Filesize
60KB

MD5
aa214096148443fef487b52dbecee5a4

SHA1
ebd815c0faa3cb17f4a6c6c41ef1faaa307c68c8

SHA256
05171a217f14814ed567a59e4230ebcb2a552720e8419761016b2ba8677f9a2a

SHA512
ae0a44736c385da5119f27190af09e18ce7c2c26ae81fd3b194683cd27da6ea839206348578c4e5ec0cfd428ef89d0c2e318d711a2915fae3df7ab407b74cc0e

Download Submit
C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC

Filesize
16B

MD5
b36a303828943e62cd328784e180df4f

SHA1
746375437b5f4b75585799025cf018b892d437d6

SHA256
4f9d3aef7f8c2e6fd2f8b31c97995c82f9e9d794b4b0233942fd7df3850f8fb3

SHA512
1542f1aafd6cf01cc50a11c85df5eed91f894c5b8428c8240cace2de8290e0f3d6fd5117e58052f325e94537784820729a7c645a281e17f868e3183ec1ae5d57

Download Submit
memory/680-522-0x000000001B8A0000-0x000000001B8AE000-memory.dmp

Filesize
56KB

Download
memory/680-521-0x000000001D920000-0x000000001DA40000-memory.dmp

Filesize
1.1MB

Download
memory/680-561-0x000000001C730000-0x000000001C752000-memory.dmp

Filesize
136KB

Download
memory/680-563-0x000000001E040000-0x000000001E390000-memory.dmp

Filesize
3.3MB

Download
memory/680-564-0x0000000002A80000-0x0000000002A8C000-memory.dmp

Filesize
48KB

Download
memory/680-790-0x000000001B8B0000-0x000000001B8BE000-memory.dmp

Filesize
56KB

Download
memory/680-61-0x0000000000B00000-0x0000000000B16000-memory.dmp

Filesize
88KB

Download
memory/1040-0-0x00007FFCB7493000-0x00007FFCB7495000-memory.dmp

Filesize
8KB

Download
memory/1040-63-0x00007FFCB7490000-0x00007FFCB7F51000-memory.dmp

Filesize
10.8MB

Download
memory/1040-34-0x00007FFCB7490000-0x00007FFCB7F51000-memory.dmp

Filesize
10.8MB

Download
memory/1040-1-0x0000000000470000-0x00000000027B0000-memory.dmp

Filesize
35.2MB

Download
memory/6116-277-0x00007FFCAA580000-0x00007FFCAAAC1000-memory.dmp

Filesize
5.3MB

Download
memory/6116-300-0x00007FFCAB2F0000-0x00007FFCAB555000-memory.dmp

Filesize
2.4MB

Download
memory/6116-288-0x00007FFCAAAD0000-0x00007FFCAAFBC000-memory.dmp

Filesize
4.9MB

Download
memory/6116-260-0x00007FFCABB30000-0x00007FFCABD93000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads