hxxps://cdn[.]discordapp[.]com/attachments/1268342744368021615/1268575149871992954/zoom_64789348756[.]com?ex=66acec2c&is=66ab9aac&hm=af3d8cc80c557ad5af6359a5adb27b3399b4c58500bca8ac6a0942d3ecd8f1b0&

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240730-es
resource tags

arch:x64arch:x86image:win10v2004-20240730-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
01-08-2024 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1268342744368021615/1268575149871992954/zoom_64789348756.com?ex=66acec2c&is=66ab9aac&hm=af3d8cc80c557ad5af6359a5adb27b3399b4c58500bca8ac6a0942d3ecd8f1b0&

Score

9^/10

credential_access discovery persistence privilege_escalation pyinstaller spyware stealer upx

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Executes dropped EXE 6 IoCs

pid	Process
4832	zoom_64789348756.com
2600	zoom_64789348756.com
1840	zoom_64789348756.com
3556	zoom_64789348756.com
4536	zoom_64789348756.com
1836	zoom_64789348756.com

Loads dropped DLL 64 IoCs

pid	Process
1840	zoom_64789348756.com
1840	zoom_64789348756.com
3556	zoom_64789348756.com
3556	zoom_64789348756.com
1840	zoom_64789348756.com
1840	zoom_64789348756.com
1840	zoom_64789348756.com
1840	zoom_64789348756.com
1840	zoom_64789348756.com
3556	zoom_64789348756.com
3556	zoom_64789348756.com
3556	zoom_64789348756.com
1840	zoom_64789348756.com
3556	zoom_64789348756.com
1840	zoom_64789348756.com
1840	zoom_64789348756.com
3556	zoom_64789348756.com
1840	zoom_64789348756.com
3556	zoom_64789348756.com
1840	zoom_64789348756.com
3556	zoom_64789348756.com
1840	zoom_64789348756.com
1840	zoom_64789348756.com
3556	zoom_64789348756.com
1840	zoom_64789348756.com
3556	zoom_64789348756.com
3556	zoom_64789348756.com
3556	zoom_64789348756.com
3556	zoom_64789348756.com
1840	zoom_64789348756.com
3556	zoom_64789348756.com
3556	zoom_64789348756.com
3556	zoom_64789348756.com
3556	zoom_64789348756.com
3556	zoom_64789348756.com
3556	zoom_64789348756.com
3556	zoom_64789348756.com
3556	zoom_64789348756.com
3556	zoom_64789348756.com
1840	zoom_64789348756.com
1840	zoom_64789348756.com
3556	zoom_64789348756.com
3556	zoom_64789348756.com
3556	zoom_64789348756.com
3556	zoom_64789348756.com
1840	zoom_64789348756.com
1840	zoom_64789348756.com
1840	zoom_64789348756.com
1840	zoom_64789348756.com
1840	zoom_64789348756.com
3556	zoom_64789348756.com
3556	zoom_64789348756.com
3556	zoom_64789348756.com
3556	zoom_64789348756.com
3556	zoom_64789348756.com
3556	zoom_64789348756.com
3556	zoom_64789348756.com
3556	zoom_64789348756.com
3556	zoom_64789348756.com
3556	zoom_64789348756.com
3556	zoom_64789348756.com
3556	zoom_64789348756.com
3556	zoom_64789348756.com
3556	zoom_64789348756.com

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000233c3-263.dat	upx
behavioral1/memory/1840-298-0x00007FFD6DE90000-0x00007FFD6E2FE000-memory.dmp	upx
behavioral1/memory/1840-323-0x00007FFD80D60000-0x00007FFD80D84000-memory.dmp	upx
behavioral1/files/0x0007000000023392-334.dat	upx
behavioral1/files/0x0007000000023397-341.dat	upx
behavioral1/files/0x00070000000233bb-371.dat	upx
behavioral1/memory/3556-382-0x00007FFD7D480000-0x00007FFD7D53C000-memory.dmp	upx
behavioral1/memory/3556-386-0x00007FFD7FA30000-0x00007FFD7FA4C000-memory.dmp	upx
behavioral1/memory/3556-385-0x00007FFD7FAF0000-0x00007FFD7FAFA000-memory.dmp	upx
behavioral1/memory/3556-384-0x00007FFD7D430000-0x00007FFD7D472000-memory.dmp	upx
behavioral1/memory/3556-390-0x00007FFD6D6A0000-0x00007FFD6DA15000-memory.dmp	upx
behavioral1/memory/1840-392-0x00007FFD7D2F0000-0x00007FFD7D332000-memory.dmp	upx
behavioral1/memory/3556-399-0x00007FFD7F230000-0x00007FFD7F23B000-memory.dmp	upx
behavioral1/memory/1840-398-0x00007FFD7C850000-0x00007FFD7C86C000-memory.dmp	upx
behavioral1/memory/1840-401-0x00007FFD7BCB0000-0x00007FFD7BCDE000-memory.dmp	upx
behavioral1/memory/1840-403-0x00007FFD6D140000-0x00007FFD6D4B5000-memory.dmp	upx
behavioral1/memory/3556-407-0x00007FFD6CFC0000-0x00007FFD6D131000-memory.dmp	upx
behavioral1/memory/3556-409-0x00007FFD7F170000-0x00007FFD7F17B000-memory.dmp	upx
behavioral1/memory/3556-429-0x00007FFD77280000-0x00007FFD7728C000-memory.dmp	upx
behavioral1/memory/1840-435-0x00007FFD76BF0000-0x00007FFD76BFB000-memory.dmp	upx
behavioral1/memory/1840-446-0x00007FFD6CDD0000-0x00007FFD6CDEF000-memory.dmp	upx
behavioral1/memory/3556-451-0x00007FFD6CC20000-0x00007FFD6CC49000-memory.dmp	upx
behavioral1/memory/3556-450-0x00007FFD717F0000-0x00007FFD71807000-memory.dmp	upx
behavioral1/memory/1840-449-0x00007FFD6CC50000-0x00007FFD6CDC1000-memory.dmp	upx
behavioral1/memory/3556-445-0x00007FFD6CDF0000-0x00007FFD6CE0E000-memory.dmp	upx
behavioral1/memory/3556-444-0x00007FFD6CE10000-0x00007FFD6CE21000-memory.dmp	upx
behavioral1/memory/3556-443-0x00007FFD6CE30000-0x00007FFD6CE7C000-memory.dmp	upx
behavioral1/memory/3556-442-0x00007FFD6CE80000-0x00007FFD6CE99000-memory.dmp	upx
behavioral1/memory/3556-440-0x00007FFD7D340000-0x00007FFD7D3F8000-memory.dmp	upx
behavioral1/memory/3556-439-0x00007FFD7D400000-0x00007FFD7D42E000-memory.dmp	upx
behavioral1/memory/3556-438-0x00007FFD71810000-0x00007FFD71832000-memory.dmp	upx
behavioral1/memory/3556-437-0x00007FFD71840000-0x00007FFD71854000-memory.dmp	upx
behavioral1/memory/3556-436-0x00007FFD6D6A0000-0x00007FFD6DA15000-memory.dmp	upx
behavioral1/memory/3556-434-0x00007FFD807C0000-0x00007FFD807D9000-memory.dmp	upx
behavioral1/memory/1840-433-0x00007FFD6CEA0000-0x00007FFD6CFB8000-memory.dmp	upx
behavioral1/memory/1840-432-0x00007FFD71910000-0x00007FFD71936000-memory.dmp	upx
behavioral1/memory/3556-431-0x00007FFD76BE0000-0x00007FFD76BF0000-memory.dmp	upx
behavioral1/memory/3556-430-0x00007FFD76C00000-0x00007FFD76C15000-memory.dmp	upx
behavioral1/memory/3556-428-0x00007FFD77290000-0x00007FFD7729D000-memory.dmp	upx
behavioral1/memory/3556-427-0x00007FFD772A0000-0x00007FFD772AC000-memory.dmp	upx
behavioral1/memory/3556-425-0x00007FFD80820000-0x00007FFD80854000-memory.dmp	upx
behavioral1/memory/3556-424-0x00007FFD76C20000-0x00007FFD76C32000-memory.dmp	upx
behavioral1/memory/3556-502-0x00007FFD6C970000-0x00007FFD6CBC2000-memory.dmp	upx
behavioral1/memory/3556-423-0x00007FFD772B0000-0x00007FFD772BC000-memory.dmp	upx
behavioral1/memory/1840-507-0x00007FFD71900000-0x00007FFD7190B000-memory.dmp	upx
behavioral1/memory/1840-506-0x00007FFD76BD0000-0x00007FFD76BDB000-memory.dmp	upx
behavioral1/memory/3556-504-0x00007FFD6D580000-0x00007FFD6D698000-memory.dmp	upx
behavioral1/memory/3556-503-0x00007FFD7C870000-0x00007FFD7C896000-memory.dmp	upx
behavioral1/memory/3556-422-0x00007FFD772F0000-0x00007FFD772FB000-memory.dmp	upx
behavioral1/memory/1840-421-0x00007FFD80A80000-0x00007FFD80A99000-memory.dmp	upx
behavioral1/memory/3556-420-0x00007FFD772C0000-0x00007FFD772CB000-memory.dmp	upx
behavioral1/memory/1840-419-0x00007FFD772D0000-0x00007FFD772E4000-memory.dmp	upx
behavioral1/memory/3556-418-0x00007FFD78510000-0x00007FFD7851C000-memory.dmp	upx
behavioral1/memory/3556-417-0x00007FFD79300000-0x00007FFD7930C000-memory.dmp	upx
behavioral1/memory/3556-416-0x00007FFD7BC40000-0x00007FFD7BC4E000-memory.dmp	upx
behavioral1/memory/3556-415-0x00007FFD7BC50000-0x00007FFD7BC5D000-memory.dmp	upx
behavioral1/memory/3556-414-0x00007FFD7BC60000-0x00007FFD7BC6C000-memory.dmp	upx
behavioral1/memory/3556-413-0x00007FFD7BC70000-0x00007FFD7BC7B000-memory.dmp	upx
behavioral1/memory/3556-412-0x00007FFD7BC80000-0x00007FFD7BC8C000-memory.dmp	upx
behavioral1/memory/3556-411-0x00007FFD7BC90000-0x00007FFD7BC9B000-memory.dmp	upx
behavioral1/memory/3556-410-0x00007FFD7BCA0000-0x00007FFD7BCAC000-memory.dmp	upx
behavioral1/memory/3556-408-0x00007FFD7F220000-0x00007FFD7F22B000-memory.dmp	upx
behavioral1/memory/1840-426-0x00007FFD807F0000-0x00007FFD8081E000-memory.dmp	upx
behavioral1/memory/3556-406-0x00007FFD7C830000-0x00007FFD7C84F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\empyrean = "C:\\Users\\Admin\\AppData\\Roaming\\empyrean\\run.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\empyrean = "C:\\Users\\Admin\\AppData\\Roaming\\empyrean\\run.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\empyrean = "C:\\Users\\Admin\\AppData\\Roaming\\empyrean\\run.bat"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
38	discord.com
39	discord.com
44	discord.com
45	raw.githubusercontent.com
66	discord.com
75	raw.githubusercontent.com
82	discord.com
43	raw.githubusercontent.com
46	raw.githubusercontent.com
69	discord.com
74	discord.com

Looks up external IP address via web service 13 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
55	ipapi.co
59	ipapi.co
62	ipapi.co
64	ipapi.co
37	ipapi.co
53	ipapi.co
81	ipapi.co
36	ipapi.co
77	ipapi.co
51	ipapi.co
73	ipapi.co
42	ipapi.co
79	ipapi.co

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000e000000023315-73.dat	pyinstaller

Event Triggered Execution: Netsh Helper DLL 1 TTPs 27 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 18 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4064	cmd.exe
4572	cmd.exe
3360	cmd.exe
4316	netsh.exe
5016	netsh.exe
676	cmd.exe
232	netsh.exe
2372	cmd.exe
3052	cmd.exe
3124	netsh.exe
4488	cmd.exe
672	netsh.exe
2412	netsh.exe
2940	cmd.exe
4800	netsh.exe
2416	netsh.exe
2980	cmd.exe
1404	netsh.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133670207492183333"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000_Classes\Local Settings	chrome.exe

Modifies registry key 1 TTPs 6 IoCs

Modify Registry

T1112

pid	Process
4736	reg.exe
2092	reg.exe
3156	reg.exe
4988	reg.exe
2372	reg.exe
4728	reg.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2916	chrome.exe
2916	chrome.exe
3556	zoom_64789348756.com
3556	zoom_64789348756.com
3556	zoom_64789348756.com
3556	zoom_64789348756.com
1840	zoom_64789348756.com
1840	zoom_64789348756.com
1840	zoom_64789348756.com
1840	zoom_64789348756.com
3556	zoom_64789348756.com
3556	zoom_64789348756.com
3556	zoom_64789348756.com
3556	zoom_64789348756.com
1840	zoom_64789348756.com
1840	zoom_64789348756.com
1840	zoom_64789348756.com
1840	zoom_64789348756.com
1836	zoom_64789348756.com
1836	zoom_64789348756.com
1836	zoom_64789348756.com
1836	zoom_64789348756.com
1836	zoom_64789348756.com
1836	zoom_64789348756.com
1836	zoom_64789348756.com
1836	zoom_64789348756.com
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2916	chrome.exe
2916	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2284	2916	chrome.exe	83
PID 2916 wrote to memory of 2284	2916	chrome.exe	83
PID 2916 wrote to memory of 4248	2916	chrome.exe	85
PID 2916 wrote to memory of 4248	2916	chrome.exe	85
PID 2916 wrote to memory of 4248	2916	chrome.exe	85
PID 2916 wrote to memory of 4248	2916	chrome.exe	85
PID 2916 wrote to memory of 4248	2916	chrome.exe	85
PID 2916 wrote to memory of 4248	2916	chrome.exe	85
PID 2916 wrote to memory of 4248	2916	chrome.exe	85
PID 2916 wrote to memory of 4248	2916	chrome.exe	85
PID 2916 wrote to memory of 4248	2916	chrome.exe	85
PID 2916 wrote to memory of 4248	2916	chrome.exe	85
PID 2916 wrote to memory of 4248	2916	chrome.exe	85
PID 2916 wrote to memory of 4248	2916	chrome.exe	85
PID 2916 wrote to memory of 4248	2916	chrome.exe	85
PID 2916 wrote to memory of 4248	2916	chrome.exe	85
PID 2916 wrote to memory of 4248	2916	chrome.exe	85
PID 2916 wrote to memory of 4248	2916	chrome.exe	85
PID 2916 wrote to memory of 4248	2916	chrome.exe	85
PID 2916 wrote to memory of 4248	2916	chrome.exe	85
PID 2916 wrote to memory of 4248	2916	chrome.exe	85
PID 2916 wrote to memory of 4248	2916	chrome.exe	85
PID 2916 wrote to memory of 4248	2916	chrome.exe	85
PID 2916 wrote to memory of 4248	2916	chrome.exe	85
PID 2916 wrote to memory of 4248	2916	chrome.exe	85
PID 2916 wrote to memory of 4248	2916	chrome.exe	85
PID 2916 wrote to memory of 4248	2916	chrome.exe	85
PID 2916 wrote to memory of 4248	2916	chrome.exe	85
PID 2916 wrote to memory of 4248	2916	chrome.exe	85
PID 2916 wrote to memory of 4248	2916	chrome.exe	85
PID 2916 wrote to memory of 4248	2916	chrome.exe	85
PID 2916 wrote to memory of 4248	2916	chrome.exe	85
PID 2916 wrote to memory of 1672	2916	chrome.exe	86
PID 2916 wrote to memory of 1672	2916	chrome.exe	86
PID 2916 wrote to memory of 5112	2916	chrome.exe	87
PID 2916 wrote to memory of 5112	2916	chrome.exe	87
PID 2916 wrote to memory of 5112	2916	chrome.exe	87
PID 2916 wrote to memory of 5112	2916	chrome.exe	87
PID 2916 wrote to memory of 5112	2916	chrome.exe	87
PID 2916 wrote to memory of 5112	2916	chrome.exe	87
PID 2916 wrote to memory of 5112	2916	chrome.exe	87
PID 2916 wrote to memory of 5112	2916	chrome.exe	87
PID 2916 wrote to memory of 5112	2916	chrome.exe	87
PID 2916 wrote to memory of 5112	2916	chrome.exe	87
PID 2916 wrote to memory of 5112	2916	chrome.exe	87
PID 2916 wrote to memory of 5112	2916	chrome.exe	87
PID 2916 wrote to memory of 5112	2916	chrome.exe	87
PID 2916 wrote to memory of 5112	2916	chrome.exe	87
PID 2916 wrote to memory of 5112	2916	chrome.exe	87
PID 2916 wrote to memory of 5112	2916	chrome.exe	87
PID 2916 wrote to memory of 5112	2916	chrome.exe	87
PID 2916 wrote to memory of 5112	2916	chrome.exe	87
PID 2916 wrote to memory of 5112	2916	chrome.exe	87
PID 2916 wrote to memory of 5112	2916	chrome.exe	87
PID 2916 wrote to memory of 5112	2916	chrome.exe	87
PID 2916 wrote to memory of 5112	2916	chrome.exe	87
PID 2916 wrote to memory of 5112	2916	chrome.exe	87
PID 2916 wrote to memory of 5112	2916	chrome.exe	87
PID 2916 wrote to memory of 5112	2916	chrome.exe	87
PID 2916 wrote to memory of 5112	2916	chrome.exe	87
PID 2916 wrote to memory of 5112	2916	chrome.exe	87
PID 2916 wrote to memory of 5112	2916	chrome.exe	87
PID 2916 wrote to memory of 5112	2916	chrome.exe	87
PID 2916 wrote to memory of 5112	2916	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1268342744368021615/1268575149871992954/zoom_64789348756.com?ex=66acec2c&is=66ab9aac&hm=af3d8cc80c557ad5af6359a5adb27b3399b4c58500bca8ac6a0942d3ecd8f1b0&
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd80bccc40,0x7ffd80bccc4c,0x7ffd80bccc58
  2⤵
  PID:2284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1968,i,4718261283399695358,14296931045892877365,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=1964 /prefetch:2
  2⤵
  PID:4248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1812,i,4718261283399695358,14296931045892877365,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=2092 /prefetch:3
  2⤵
  PID:1672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2224,i,4718261283399695358,14296931045892877365,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=2436 /prefetch:8
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,4718261283399695358,14296931045892877365,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,4718261283399695358,14296931045892877365,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4960,i,4718261283399695358,14296931045892877365,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=4972 /prefetch:8
  2⤵
  PID:4480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5136,i,4718261283399695358,14296931045892877365,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  PID:3664
- C:\Users\Admin\Downloads\zoom_64789348756.com
  "C:\Users\Admin\Downloads\zoom_64789348756.com"
  2⤵
  - Executes dropped EXE
  PID:4832
- - C:\Users\Admin\Downloads\zoom_64789348756.com
    "C:\Users\Admin\Downloads\zoom_64789348756.com"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:4020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      PID:1404
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        
        PID:4908
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f"
      4⤵
      PID:2584
    - - C:\Windows\system32\reg.exe
        
        reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f
        5⤵
        Modifies registry key
        
        PID:4736
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f"
      4⤵
      PID:4808
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2092
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      PID:3352
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        
        PID:2928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      PID:1172
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        
        PID:1404
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      PID:4508
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        
        PID:3000
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2372
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2412
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3052
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2416
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:676
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:232
- C:\Users\Admin\Downloads\zoom_64789348756.com
  "C:\Users\Admin\Downloads\zoom_64789348756.com"
  2⤵
  - Executes dropped EXE
  PID:2600
- - C:\Users\Admin\Downloads\zoom_64789348756.com
    "C:\Users\Admin\Downloads\zoom_64789348756.com"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:3556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:1804
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      PID:4316
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        
        PID:512
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f"
      4⤵
      PID:2392
    - - C:\Windows\system32\reg.exe
        
        reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f
        5⤵
        Modifies registry key
        
        PID:2372
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f"
      4⤵
      PID:4224
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:4728
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      PID:4332
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        
        PID:4968
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      PID:2640
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        
        PID:4588
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      PID:2364
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        
        PID:1836
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3360
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4316
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2940
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4800
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2980
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3820,i,4718261283399695358,14296931045892877365,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=5104 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4856

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:2700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2228

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2980

C:\Users\Admin\Downloads\zoom_64789348756.com
"C:\Users\Admin\Downloads\zoom_64789348756.com"
1⤵
- Executes dropped EXE
PID:4536
- C:\Users\Admin\Downloads\zoom_64789348756.com
  "C:\Users\Admin\Downloads\zoom_64789348756.com"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:3368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
    3⤵
    PID:2772
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
      4⤵
      PID:3516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f"
    3⤵
    PID:2760
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f
      4⤵
      Modifies registry key
      PID:3156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f"
    3⤵
    PID:1712
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:4988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
    3⤵
    PID:3644
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
      4⤵
      PID:4868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
    3⤵
    PID:2312
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
      4⤵
      PID:3972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
    3⤵
    PID:236
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
      4⤵
      PID:1660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4064
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4488
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4572
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
819B

MD5
a0225b026d36a28995772b497e61637f

SHA1
19cc3f3b25a91504d815dbd2d6408da74739004d

SHA256
06567473fb63695742e8cafdcde3de4e7c5affa4dd2bf14b814e288c29653f0b

SHA512
020a013eb2f91eae684ac4cdfb58d76294aa3b475f2c946ca0f5ca7f1284fe8eba3704c66d38528a8a95f54199b5a7d5175492776f75c98a3fbd3245522c23e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c61bc834f17986c7a4ae974c63ae62f1

SHA1
b9f38201038dd51f891c532aace7e80991ee7f8d

SHA256
d5759c567ac9ee27c1c0be9bc5ee3b732d2d6170c5026097c408efcc00f4bbf9

SHA512
002c5db09cbb69184d10f064ee2afbdf76aae1bea98e61c5793ba756db0a92742a928f489821e65ed9b2af8ddb49907ba1de00d2bc122006f4765668d487f86a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
530cfb26778359f9fe50f78a3ccaf161

SHA1
72f0854438b7ae29850b50cf3c83efbe6a5de5bc

SHA256
7f99e839f3f129c2d22b707c56f65c2d4884be0774659d166bed5b29edada0b4

SHA512
a9ac2db2b8e341f432b90285b5639c404a96ed2f9238e4fdeb36d3ed9f521aeb7d638ebbd3dcab2355f54a7e1b35eeb4126f1565798fd569cb2810b786bfcdcd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
5bf857dcc92da474538283c79fb9efaa

SHA1
2d08061272371f2e7fa8349410e84e3d3e477ad3

SHA256
f491f42ea55b1d40cbd87bc506eeed5032925350160ac36d0345c6acf5c21fcc

SHA512
83d7a8cba739eaead7e02a7d13dab08c48edb2b611a0e3741097504b1dc8e5b7dd8ab3fea21588d984ffd32ce7cbdee94b9ee9577b7f1847cbc85a4339ceeb8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
15229ad6012eae433331279e6ce78557

SHA1
011a7d1f789c1e69265be13f80cd9889e001fe00

SHA256
c95d28ec6d869fa64d44b0443670e3036462d54b6f8b01a128d1f7472b475795

SHA512
3c1182259e6e0c0453b0cb6db0956878ebfa2b4b4e5ee90eda75e2983769b430c9ba1b8751b6c68d79c37e7732a313c1773dccbb44e56670736bc35bbe54feb6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
729ad0644df311938bc7f232b4ea993e

SHA1
3230866b006072b6ea4986d1c4934f6cc9120ddb

SHA256
49541650cdb3c0e361782da51e47cd2783bd8b7224008d8e35e7ea4fb207699b

SHA512
9a862a93c246b055665298f8171fe36dc670d2ff5bafbfa514f2e75acd97f59c235e59aa86127515c7e9343597011ddec69d01b7a623dd6d623ed3523455de09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
bbab7eafff5c9f384737c432f58ccaef

SHA1
31a740287d9d644048a6fcea285df0a815b14b53

SHA256
36a287f54e2dea99a212419435936f875698d7fb7395e6e750a4c6bb2b4485fd

SHA512
f4e8bb1c50a0d274f5ce12056f3f7323806ca655e6481a2049b7f551c0b9293d52d5b4e4e2ac5d5e8d3f59417e6e5ce32a7335e74e8d145c951d4c13d6d16d37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
2baf440e9bc517b15de293796daf28a6

SHA1
f01388a11f0dfbd7b0b1c9878277ff5cca70510d

SHA256
afd5f9b8851c37ab9db947db02b6ae59c14757f3415da91485e2ce3ea9c1404c

SHA512
fb39cb7491b8101bb84a6430422bd4a08aaa82b77702fbbdb505d86fe185c9bbfee17b55330364d71b9fe4a150a8ab76d53e205d59d91b3ced3e049ed86d7d8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
018ee54803ede425953625da9acdd269

SHA1
6310f95266e6d0b182aa874f1c27544edb86f7cd

SHA256
068bcdb0fb09bad784664a74067015f849ce1cb88aa79e1b08725122e7d7741c

SHA512
b48091c14015f4538319192f05e57e5596c8b550dfd693704d48ab1d6a96d4cfbc1ff71d3d58f6fa71729ab361f2d0aa38ab410046b02c9cc8e8608be3ed491a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e7ede7a3d18f49ea1ae4ee97b8aa3c95

SHA1
6e57baf17e7daee0be7f00660425eee53c0622f1

SHA256
69dd234627b1c44b5f36041c1b1cda7dc64fd70c37bd5f93e98c843ac3b0106b

SHA512
77277cf952b262a0de6e141fe8c28dc682d02d4b8393b75cc450ac16b4955176141f3140567938b5ea7d3121577eac51014d99bd2e72f8c6f01b2adf8f23d35a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f5008b735ddae5e809201c17d65622d2

SHA1
bf47022680f5b52a2a29ac296467807142f9d4a9

SHA256
ee4769bf76945b69c555249414d82943abd9b353785b46d6e3c2e967efe315c9

SHA512
25703482ca478d1ab671dedfb5bb12403160a72d64bd442350f362a263e89d41f7c3933b2857dd5ffe49f73ec2b203e51a4d846f083819a2157b2663a744bf45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
877cb7e20aee80973048de8f9773222a

SHA1
38d0892fad1aeeebb94a4dc97298bdbc64a6fe04

SHA256
ca6594e9f405af04ccea715ccc41065794b1f23f5bdc30e137b8b0544ff10438

SHA512
9de0393008d1faf94e6399671543ef31d2df4f48391f26c51f3671606d3b0a2db71531facfb78a666a153cab4723b24bd628c370e38439abfb06a89c07880b88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
197KB

MD5
d2b9ee6d6d5bb975845d1e8f5faee589

SHA1
b3977a2e3052bce8f16b55e4d946966309c89d6e

SHA256
683093bb8546f91ed70332670ceb36156958d63e6492a88162147c313b751647

SHA512
a9515376778f1dc46f1f182b8007c01748d7caebe54659073d448332df877265405f985c08bf1009b77b1e7d209d4cf2688fc77238230eb53cf6af3c0de4ec50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
197KB

MD5
1df1304809c38d362318444b39407218

SHA1
e9b94f7bd14b1fc8f78656f49963878d3bb935ab

SHA256
ab04a76bb5c849df8564fe9eafecdf4b1292a6c0553a5c861c9a548ca56780c0

SHA512
50f6afe9c98cce90b771fd2b3bfd3f715c18844bfa63bf1584dc64b6d0345ab76da50969039f1b9b5474422d828e48a2dfa55741500750201477b9845b1ed28b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26002\_bz2.pyd

Filesize
47KB

MD5
758fff1d194a7ac7a1e3d98bcf143a44

SHA1
de1c61a8e1fb90666340f8b0a34e4d8bfc56da07

SHA256
f5e913a9f2adf7d599ea9bb105e144ba11699bbcb1514e73edcf7e062354e708

SHA512
468d7c52f14812d5bde1e505c95cb630e22d71282bda05bf66324f31560bfa06095cf60fc0d34877f8b361ccd65a1b61d0fd1f91d52facb0baf8e74f3fed31cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26002\_ctypes.pyd

Filesize
56KB

MD5
6ca9a99c75a0b7b6a22681aa8e5ad77b

SHA1
dd1118b7d77be6bb33b81da65f6b5dc153a4b1e8

SHA256
d39390552c55d8fd4940864905cd4437bc3f8efe7ff3ca220543b2c0efab04f8

SHA512
b0b5f2979747d2f6796d415dd300848f32b4e79ede59827ac447af0f4ea8709b60d6935d09e579299b3bc54b6c0f10972f17f6c0d1759c5388ad5b14689a23fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26002\_queue.pyd

Filesize
24KB

MD5
0d267bb65918b55839a9400b0fb11aa2

SHA1
54e66a14bea8ae551ab6f8f48d81560b2add1afc

SHA256
13ee41980b7d0fb9ce07f8e41ee6a309e69a30bbf5b801942f41cbc357d59e9c

SHA512
c2375f46a98e44f54e2dd0a5cc5f016098500090bb78de520dc5e05aef8e6f11405d8f6964850a03060caed3628d0a6303091cba1f28a0aa9b3b814217d71e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26002\attrs-23.1.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26002\libffi-7.dll

Filesize
23KB

MD5
b5150b41ca910f212a1dd236832eb472

SHA1
a17809732c562524b185953ffe60dfa91ba3ce7d

SHA256
1a106569ac0ad3152f3816ff361aa227371d0d85425b357632776ac48d92ea8a

SHA512
9e82b0caa3d72bb4a7ad7d66ebfb10edb778749e89280bca67c766e72dc794e99aab2bc2980d64282a384699929ce6cc996462a73584898d2df67a57bff2a9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26002\pyexpat.pyd

Filesize
86KB

MD5
5a328b011fa748939264318a433297e2

SHA1
d46dd2be7c452e5b6525e88a2d29179f4c07de65

SHA256
e8a81b47029e8500e0f4e04ccf81f8bdf23a599a2b5cd627095678cdf2fabc14

SHA512
06fa8262378634a42f5ab8c1e5f6716202544c8b304de327a08aa20c8f888114746f69b725ed3088d975d09094df7c3a37338a93983b957723aa2b7fda597f87

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26002\python3.dll

Filesize
63KB

MD5
c17b7a4b853827f538576f4c3521c653

SHA1
6115047d02fbbad4ff32afb4ebd439f5d529485a

SHA256
d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68

SHA512
8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26002\select.pyd

Filesize
24KB

MD5
72009cde5945de0673a11efb521c8ccd

SHA1
bddb47ac13c6302a871a53ba303001837939f837

SHA256
5aaa15868421a46461156e7817a69eeeb10b29c1e826a9155b5f8854facf3dca

SHA512
d00a42700c9201f23a44fd9407fea7ea9df1014c976133f33ff711150727bf160941373d53f3a973f7dd6ca7b5502e178c2b88ea1815ca8bce1a239ed5d8256d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\VCRUNTIME140_1.dll

Filesize
48KB

MD5
bba9680bc310d8d25e97b12463196c92

SHA1
9a480c0cf9d377a4caedd4ea60e90fa79001f03a

SHA256
e0b66601cc28ecb171c3d4b7ac690c667f47da6b6183bff80604c84c00d265ab

SHA512
1575c786ac3324b17057255488da5f0bc13ad943ac9383656baf98db64d4ec6e453230de4cd26b535ce7e8b7d41a9f2d3f569a0eff5a84aeb1c2f9d6e3429739

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\_lzma.pyd

Filesize
84KB

MD5
abceeceaeff3798b5b0de412af610f58

SHA1
c3c94c120b5bed8bccf8104d933e96ac6e42ca90

SHA256
216aa4bb6f62dd250fd6d2dcde14709aa82e320b946a21edeec7344ed6c2c62e

SHA512
3e1a2eb86605aa851a0c5153f7be399f6259ecaad86dbcbf12eeae5f985dc2ea2ab25683285e02b787a5b75f7df70b4182ae8f1567946f99ad2ec7b27d4c7955

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\_socket.pyd

Filesize
41KB

MD5
afd296823375e106c4b1ac8b39927f8b

SHA1
b05d811e5a5921d5b5cc90b9e4763fd63783587b

SHA256
e423a7c2ce5825dfdd41cfc99c049ff92abfb2aa394c85d0a9a11de7f8673007

SHA512
95e98a24be9e603b2870b787349e2aa7734014ac088c691063e4078e11a04898c9c547d6998224b1b171fc4802039c3078a28c7e81d59f6497f2f9230d8c9369

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\base_library.zip

Filesize
812KB

MD5
fbd6be906ac7cd45f1d98f5cb05f8275

SHA1
5d563877a549f493da805b4d049641604a6a0408

SHA256
ae35709e6b8538827e3999e61a0345680c5167962296ac7bef62d6b813227fb0

SHA512
1547b02875f3e547c4f5e15c964719c93d7088c7f4fd044f6561bebd29658a54ef044211f9d5cfb4570ca49ed0f17b08011d27fe85914e8c3ea12024c8071e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\python310.dll

Filesize
1.4MB

MD5
69d4f13fbaeee9b551c2d9a4a94d4458

SHA1
69540d8dfc0ee299a7ff6585018c7db0662aa629

SHA256
801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046

SHA512
8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\pythoncom310.dll

Filesize
193KB

MD5
9051abae01a41ea13febdea7d93470c0

SHA1
b06bd4cd4fd453eb827a108e137320d5dc3a002f

SHA256
f12c8141d4795719035c89ff459823ed6174564136020739c106f08a6257b399

SHA512
58d8277ec4101ad468dd8c4b4a9353ab684ecc391e5f9db37de44d5c3316c17d4c7a5ffd547ce9b9a08c56e3dd6d3c87428eae12144dfb72fc448b0f2cfc47da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\pywintypes310.dll

Filesize
62KB

MD5
6f2aa8fa02f59671f99083f9cef12cda

SHA1
9fd0716bcde6ac01cd916be28aa4297c5d4791cd

SHA256
1a15d98d4f9622fa81b60876a5f359707a88fbbbae3ae4e0c799192c378ef8c6

SHA512
f5d5112e63307068cdb1d0670fe24b65a9f4942a39416f537bdbc17dedfd99963861bf0f4e94299cdce874816f27b3d86c4bebb889c3162c666d5ee92229c211

Download Submit
C:\Users\Admin\Downloads\cards_db

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\Downloads\cards_db

Filesize
114KB

MD5
0916be64eb5262b8fb2f0eae86843dc6

SHA1
92dfeec1180489639c4df32313d252e629fb6d1d

SHA256
d0c8b5b03a18107fabb594a466bf586913f92bade5ddaf679688fd12c0232480

SHA512
0295211f5b49f70e58748b5b2ea11973ddb267828cbd16d0d20497fe2dc218f97fc3cbc37311900a0f11179cbed10c428832baeb8bef7bd2c9bb08603ef0132e

Download Submit
C:\Users\Admin\Downloads\downloads_db

Filesize
160KB

MD5
b6b6a62dd3638b2cf41098dcfdafc4ec

SHA1
f18b9fedda4d30b69f60d66b41171ca37526816d

SHA256
a642587f3ff374d56468f82a8d27f25883e74190beda37c47a3ca7ccd2d5cded

SHA512
befedeb49cf975cc9b1e39202e57efd20da3add2006290338b54cb9ebfa8a70667f5a234c7c1991b825409cc30eae615a0e8322317c29768baede8249e928d99

Download Submit
C:\Users\Admin\Downloads\downloads_db

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\Downloads\login_db

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\Downloads\login_db

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\Downloads\vault\downloads.txt

Filesize
238B

MD5
6866bd5deea737830b7166020529a67d

SHA1
7f4bd56ce64a10f4698c077b9a9bd83578c40f8a

SHA256
16c30929ae29130f032e3f84da6bb457ad04d19c4fa1a84f1432e28f8d36cfa6

SHA512
6c986a07ab9f3a1e97d0773a306a40d4056191384707fb2271199934a2d2b301088265c851bc8847d6217c5a6cd705afffafa7cf2e36c8c8520a4b999db61e3c

Download Submit
C:\Users\Admin\Downloads\zoom_64789348756.com

Filesize
17.8MB

MD5
3e9f28645b3a47af4e8a3474e1c91db7

SHA1
1d114c51396ae4bdb6284824c6aa6bccb7edcf49

SHA256
8bed44795846f52a3cfd176c34d9865a457805d202a11ae50a3328dcc232416f

SHA512
6ef45af041f83863ba91b8faadde7e4f3a92e7cbbc3e8037f432455108d94ab12874afdea2cae137931f354b4c639a34581c4b69671edf1d0cdc1fd3cb634d7c

Download Submit
memory/1840-617-0x00007FFD71910000-0x00007FFD71936000-memory.dmp

Filesize
152KB

Download
memory/1840-356-0x00007FFD81420000-0x00007FFD8142D000-memory.dmp

Filesize
52KB

Download
memory/1840-426-0x00007FFD807F0000-0x00007FFD8081E000-memory.dmp

Filesize
184KB

Download
memory/1840-606-0x00007FFD807F0000-0x00007FFD8081E000-memory.dmp

Filesize
184KB

Download
memory/1840-598-0x00007FFD80D60000-0x00007FFD80D84000-memory.dmp

Filesize
144KB

Download
memory/1840-449-0x00007FFD6CC50000-0x00007FFD6CDC1000-memory.dmp

Filesize
1.4MB

Download
memory/1840-607-0x00007FFD80700000-0x00007FFD807BC000-memory.dmp

Filesize
752KB

Download
memory/1840-620-0x00007FFD6CC50000-0x00007FFD6CDC1000-memory.dmp

Filesize
1.4MB

Download
memory/1840-446-0x00007FFD6CDD0000-0x00007FFD6CDEF000-memory.dmp

Filesize
124KB

Download
memory/1840-322-0x00007FFD87E40000-0x00007FFD87E4F000-memory.dmp

Filesize
60KB

Download
memory/1840-435-0x00007FFD76BF0000-0x00007FFD76BFB000-memory.dmp

Filesize
44KB

Download
memory/1840-433-0x00007FFD6CEA0000-0x00007FFD6CFB8000-memory.dmp

Filesize
1.1MB

Download
memory/1840-432-0x00007FFD71910000-0x00007FFD71936000-memory.dmp

Filesize
152KB

Download
memory/1840-331-0x00007FFD80F70000-0x00007FFD80F89000-memory.dmp

Filesize
100KB

Download
memory/1840-619-0x00007FFD6CDD0000-0x00007FFD6CDEF000-memory.dmp

Filesize
124KB

Download
memory/1840-614-0x00007FFD6D140000-0x00007FFD6D4B5000-memory.dmp

Filesize
3.5MB

Download
memory/1840-338-0x00007FFD808F0000-0x00007FFD8091D000-memory.dmp

Filesize
180KB

Download
memory/1840-340-0x00007FFD808B0000-0x00007FFD808E4000-memory.dmp

Filesize
208KB

Download
memory/1840-597-0x00007FFD6DE90000-0x00007FFD6E2FE000-memory.dmp

Filesize
4.4MB

Download
memory/1840-403-0x00007FFD6D140000-0x00007FFD6D4B5000-memory.dmp

Filesize
3.5MB

Download
memory/1840-354-0x00007FFD81520000-0x00007FFD8152D000-memory.dmp

Filesize
52KB

Download
memory/1840-618-0x00007FFD6CEA0000-0x00007FFD6CFB8000-memory.dmp

Filesize
1.1MB

Download
memory/1840-505-0x0000021BF9B30000-0x0000021BF9EA5000-memory.dmp

Filesize
3.5MB

Download
memory/1840-507-0x00007FFD71900000-0x00007FFD7190B000-memory.dmp

Filesize
44KB

Download
memory/1840-506-0x00007FFD76BD0000-0x00007FFD76BDB000-memory.dmp

Filesize
44KB

Download
memory/1840-401-0x00007FFD7BCB0000-0x00007FFD7BCDE000-memory.dmp

Filesize
184KB

Download
memory/1840-359-0x00007FFD80A80000-0x00007FFD80A99000-memory.dmp

Filesize
100KB

Download
memory/1840-398-0x00007FFD7C850000-0x00007FFD7C86C000-memory.dmp

Filesize
112KB

Download
memory/1840-421-0x00007FFD80A80000-0x00007FFD80A99000-memory.dmp

Filesize
100KB

Download
memory/1840-392-0x00007FFD7D2F0000-0x00007FFD7D332000-memory.dmp

Filesize
264KB

Download
memory/1840-419-0x00007FFD772D0000-0x00007FFD772E4000-memory.dmp

Filesize
80KB

Download
memory/1840-365-0x00007FFD807F0000-0x00007FFD8081E000-memory.dmp

Filesize
184KB

Download
memory/1840-323-0x00007FFD80D60000-0x00007FFD80D84000-memory.dmp

Filesize
144KB

Download
memory/1840-298-0x00007FFD6DE90000-0x00007FFD6E2FE000-memory.dmp

Filesize
4.4MB

Download
memory/1840-377-0x00007FFD80700000-0x00007FFD807BC000-memory.dmp

Filesize
752KB

Download
memory/1840-381-0x00007FFD802A0000-0x00007FFD802CB000-memory.dmp

Filesize
172KB

Download
memory/1840-387-0x00007FFD6DE90000-0x00007FFD6E2FE000-memory.dmp

Filesize
4.4MB

Download
memory/1840-394-0x00007FFD7FA60000-0x00007FFD7FA6A000-memory.dmp

Filesize
40KB

Download
memory/1840-400-0x00007FFD80D60000-0x00007FFD80D84000-memory.dmp

Filesize
144KB

Download
memory/1840-402-0x00007FFD6D4C0000-0x00007FFD6D578000-memory.dmp

Filesize
736KB

Download
memory/1840-404-0x0000021BF9B30000-0x0000021BF9EA5000-memory.dmp

Filesize
3.5MB

Download
memory/3556-439-0x00007FFD7D400000-0x00007FFD7D42E000-memory.dmp

Filesize
184KB

Download
memory/3556-441-0x0000023317CB0000-0x0000023318025000-memory.dmp

Filesize
3.5MB

Download
memory/3556-405-0x00007FFD80920000-0x00007FFD80944000-memory.dmp

Filesize
144KB

Download
memory/3556-408-0x00007FFD7F220000-0x00007FFD7F22B000-memory.dmp

Filesize
44KB

Download
memory/3556-410-0x00007FFD7BCA0000-0x00007FFD7BCAC000-memory.dmp

Filesize
48KB

Download
memory/3556-411-0x00007FFD7BC90000-0x00007FFD7BC9B000-memory.dmp

Filesize
44KB

Download
memory/3556-397-0x00007FFD6D580000-0x00007FFD6D698000-memory.dmp

Filesize
1.1MB

Download
memory/3556-396-0x00007FFD7C870000-0x00007FFD7C896000-memory.dmp

Filesize
152KB

Download
memory/3556-395-0x00007FFD7F880000-0x00007FFD7F894000-memory.dmp

Filesize
80KB

Download
memory/3556-412-0x00007FFD7BC80000-0x00007FFD7BC8C000-memory.dmp

Filesize
48KB

Download
memory/3556-393-0x00007FFD6DA20000-0x00007FFD6DE8E000-memory.dmp

Filesize
4.4MB

Download
memory/3556-389-0x00007FFD7D340000-0x00007FFD7D3F8000-memory.dmp

Filesize
736KB

Download
memory/3556-388-0x00007FFD7D400000-0x00007FFD7D42E000-memory.dmp

Filesize
184KB

Download
memory/3556-413-0x00007FFD7BC70000-0x00007FFD7BC7B000-memory.dmp

Filesize
44KB

Download
memory/3556-383-0x00007FFD7FB00000-0x00007FFD7FB2B000-memory.dmp

Filesize
172KB

Download
memory/3556-414-0x00007FFD7BC60000-0x00007FFD7BC6C000-memory.dmp

Filesize
48KB

Download
memory/3556-380-0x00007FFD806B0000-0x00007FFD806DE000-memory.dmp

Filesize
184KB

Download
memory/3556-379-0x00007FFD806E0000-0x00007FFD806ED000-memory.dmp

Filesize
52KB

Download
memory/3556-378-0x00007FFD806F0000-0x00007FFD806FD000-memory.dmp

Filesize
52KB

Download
memory/3556-415-0x00007FFD7BC50000-0x00007FFD7BC5D000-memory.dmp

Filesize
52KB

Download
memory/3556-376-0x00007FFD807C0000-0x00007FFD807D9000-memory.dmp

Filesize
100KB

Download
memory/3556-416-0x00007FFD7BC40000-0x00007FFD7BC4E000-memory.dmp

Filesize
56KB

Download
memory/3556-417-0x00007FFD79300000-0x00007FFD7930C000-memory.dmp

Filesize
48KB

Download
memory/3556-418-0x00007FFD78510000-0x00007FFD7851C000-memory.dmp

Filesize
48KB

Download
memory/3556-420-0x00007FFD772C0000-0x00007FFD772CB000-memory.dmp

Filesize
44KB

Download
memory/3556-362-0x00007FFD80820000-0x00007FFD80854000-memory.dmp

Filesize
208KB

Download
memory/3556-422-0x00007FFD772F0000-0x00007FFD772FB000-memory.dmp

Filesize
44KB

Download
memory/3556-503-0x00007FFD7C870000-0x00007FFD7C896000-memory.dmp

Filesize
152KB

Download
memory/3556-504-0x00007FFD6D580000-0x00007FFD6D698000-memory.dmp

Filesize
1.1MB

Download
memory/3556-423-0x00007FFD772B0000-0x00007FFD772BC000-memory.dmp

Filesize
48KB

Download
memory/3556-355-0x00007FFD80860000-0x00007FFD8088D000-memory.dmp

Filesize
180KB

Download
memory/3556-502-0x00007FFD6C970000-0x00007FFD6CBC2000-memory.dmp

Filesize
2.3MB

Download
memory/3556-353-0x00007FFD80890000-0x00007FFD808A9000-memory.dmp

Filesize
100KB

Download
memory/3556-352-0x00007FFD80920000-0x00007FFD80944000-memory.dmp

Filesize
144KB

Download
memory/3556-424-0x00007FFD76C20000-0x00007FFD76C32000-memory.dmp

Filesize
72KB

Download
memory/3556-425-0x00007FFD80820000-0x00007FFD80854000-memory.dmp

Filesize
208KB

Download
memory/3556-339-0x00007FFD85E00000-0x00007FFD85E0F000-memory.dmp

Filesize
60KB

Download
memory/3556-427-0x00007FFD772A0000-0x00007FFD772AC000-memory.dmp

Filesize
48KB

Download
memory/3556-428-0x00007FFD77290000-0x00007FFD7729D000-memory.dmp

Filesize
52KB

Download
memory/3556-430-0x00007FFD76C00000-0x00007FFD76C15000-memory.dmp

Filesize
84KB

Download
memory/3556-431-0x00007FFD76BE0000-0x00007FFD76BF0000-memory.dmp

Filesize
64KB

Download
memory/3556-434-0x00007FFD807C0000-0x00007FFD807D9000-memory.dmp

Filesize
100KB

Download
memory/3556-436-0x00007FFD6D6A0000-0x00007FFD6DA15000-memory.dmp

Filesize
3.5MB

Download
memory/3556-317-0x00007FFD6DA20000-0x00007FFD6DE8E000-memory.dmp

Filesize
4.4MB

Download
memory/3556-437-0x00007FFD71840000-0x00007FFD71854000-memory.dmp

Filesize
80KB

Download
memory/3556-438-0x00007FFD71810000-0x00007FFD71832000-memory.dmp

Filesize
136KB

Download
memory/3556-440-0x00007FFD7D340000-0x00007FFD7D3F8000-memory.dmp

Filesize
736KB

Download
memory/3556-406-0x00007FFD7C830000-0x00007FFD7C84F000-memory.dmp

Filesize
124KB

Download
memory/3556-644-0x00007FFD7C830000-0x00007FFD7C84F000-memory.dmp

Filesize
124KB

Download
memory/3556-640-0x00007FFD7F880000-0x00007FFD7F894000-memory.dmp

Filesize
80KB

Download
memory/3556-442-0x00007FFD6CE80000-0x00007FFD6CE99000-memory.dmp

Filesize
100KB

Download
memory/3556-443-0x00007FFD6CE30000-0x00007FFD6CE7C000-memory.dmp

Filesize
304KB

Download
memory/3556-444-0x00007FFD6CE10000-0x00007FFD6CE21000-memory.dmp

Filesize
68KB

Download
memory/3556-445-0x00007FFD6CDF0000-0x00007FFD6CE0E000-memory.dmp

Filesize
120KB

Download
memory/3556-450-0x00007FFD717F0000-0x00007FFD71807000-memory.dmp

Filesize
92KB

Download
memory/3556-642-0x00007FFD7C870000-0x00007FFD7C896000-memory.dmp

Filesize
152KB

Download
memory/3556-639-0x00007FFD6D6A0000-0x00007FFD6DA15000-memory.dmp

Filesize
3.5MB

Download
memory/3556-661-0x00007FFD7FA30000-0x00007FFD7FA4C000-memory.dmp

Filesize
112KB

Download
memory/3556-660-0x00007FFD7FAF0000-0x00007FFD7FAFA000-memory.dmp

Filesize
40KB

Download
memory/3556-659-0x00007FFD7D430000-0x00007FFD7D472000-memory.dmp

Filesize
264KB

Download
memory/3556-658-0x00007FFD7FB00000-0x00007FFD7FB2B000-memory.dmp

Filesize
172KB

Download
memory/3556-657-0x00007FFD7D480000-0x00007FFD7D53C000-memory.dmp

Filesize
752KB

Download
memory/3556-656-0x00007FFD806B0000-0x00007FFD806DE000-memory.dmp

Filesize
184KB

Download
memory/3556-655-0x00007FFD806E0000-0x00007FFD806ED000-memory.dmp

Filesize
52KB

Download
memory/3556-654-0x00007FFD806F0000-0x00007FFD806FD000-memory.dmp

Filesize
52KB

Download
memory/3556-653-0x00007FFD807C0000-0x00007FFD807D9000-memory.dmp

Filesize
100KB

Download
memory/3556-652-0x00007FFD80820000-0x00007FFD80854000-memory.dmp

Filesize
208KB

Download
memory/3556-651-0x00007FFD80860000-0x00007FFD8088D000-memory.dmp

Filesize
180KB

Download
memory/3556-650-0x00007FFD80890000-0x00007FFD808A9000-memory.dmp

Filesize
100KB

Download
memory/3556-649-0x00007FFD85E00000-0x00007FFD85E0F000-memory.dmp

Filesize
60KB

Download
memory/3556-648-0x00007FFD80920000-0x00007FFD80944000-memory.dmp

Filesize
144KB

Download
memory/3556-647-0x00007FFD6DA20000-0x00007FFD6DE8E000-memory.dmp

Filesize
4.4MB

Download
memory/3556-638-0x00007FFD7D340000-0x00007FFD7D3F8000-memory.dmp

Filesize
736KB

Download
memory/3556-637-0x00007FFD7D400000-0x00007FFD7D42E000-memory.dmp

Filesize
184KB

Download
memory/3556-636-0x00007FFD7FA30000-0x00007FFD7FA4C000-memory.dmp

Filesize
112KB

Download
memory/3556-634-0x00007FFD7D430000-0x00007FFD7D472000-memory.dmp

Filesize
264KB

Download
memory/3556-633-0x00007FFD7FB00000-0x00007FFD7FB2B000-memory.dmp

Filesize
172KB

Download
memory/3556-632-0x00007FFD7D480000-0x00007FFD7D53C000-memory.dmp

Filesize
752KB

Download
memory/3556-631-0x00007FFD806B0000-0x00007FFD806DE000-memory.dmp

Filesize
184KB

Download
memory/3556-628-0x00007FFD807C0000-0x00007FFD807D9000-memory.dmp

Filesize
100KB

Download
memory/3556-623-0x00007FFD80920000-0x00007FFD80944000-memory.dmp

Filesize
144KB

Download
memory/3556-622-0x00007FFD6DA20000-0x00007FFD6DE8E000-memory.dmp

Filesize
4.4MB

Download
memory/3556-451-0x00007FFD6CC20000-0x00007FFD6CC49000-memory.dmp

Filesize
164KB

Download
memory/3556-429-0x00007FFD77280000-0x00007FFD7728C000-memory.dmp

Filesize
48KB

Download
memory/3556-409-0x00007FFD7F170000-0x00007FFD7F17B000-memory.dmp

Filesize
44KB

Download
memory/3556-407-0x00007FFD6CFC0000-0x00007FFD6D131000-memory.dmp

Filesize
1.4MB

Download
memory/3556-399-0x00007FFD7F230000-0x00007FFD7F23B000-memory.dmp

Filesize
44KB

Download
memory/3556-391-0x0000023317CB0000-0x0000023318025000-memory.dmp

Filesize
3.5MB

Download
memory/3556-390-0x00007FFD6D6A0000-0x00007FFD6DA15000-memory.dmp

Filesize
3.5MB

Download
memory/3556-384-0x00007FFD7D430000-0x00007FFD7D472000-memory.dmp

Filesize
264KB

Download
memory/3556-385-0x00007FFD7FAF0000-0x00007FFD7FAFA000-memory.dmp

Filesize
40KB

Download
memory/3556-386-0x00007FFD7FA30000-0x00007FFD7FA4C000-memory.dmp

Filesize
112KB

Download
memory/3556-382-0x00007FFD7D480000-0x00007FFD7D53C000-memory.dmp

Filesize
752KB

Download