Malware Analysis Report

2025-03-15 03:37

Sample ID 250218-v5qkzavlaq
Target zoom_64789348756.com
SHA256 8bed44795846f52a3cfd176c34d9865a457805d202a11ae50a3328dcc232416f
Tags
discovery persistence privilege_escalation spyware stealer upx pyinstaller empyrean
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8bed44795846f52a3cfd176c34d9865a457805d202a11ae50a3328dcc232416f

Threat Level: Known bad

The file zoom_64789348756.com was found to be: Known bad. The submitted name pairs a Zoom-meeting-style lure with the .com extension, which Windows runs as an executable exactly like .exe; the sandbox executed it under the name zoom_64789348756.exe (see Command Line below).

Malicious Activity Summary

discovery persistence privilege_escalation spyware stealer upx pyinstaller empyrean

Detects Empyrean stealer

Empyrean family

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

UPX packed file

Drops file in Windows directory

Browser Information Discovery

Detects Pyinstaller

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Wi-Fi Discovery

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Enumerates system info in registry

Modifies registry key

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Checks processor information in registry

Uses Task Scheduler COM API

Modifies registry class

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-18 17:34

Signatures

Detects Empyrean stealer

Description Indicator Process Target
N/A N/A N/A N/A

Empyrean family

empyrean

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-18 17:34

Reported

2025-02-18 17:52

Platform

win10v2004-20250217-en

Max time kernel

920s

Max time network

422s

Command Line

"C:\Users\Admin\AppData\Local\Temp\zoom_64789348756.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\zoom_64789348756.exe N/A
(58 identical rows; the sandbox did not record the DLL paths)

Fifty-eight DLL loads by the sample, together with the self-spawn recorded under WriteProcessMemory, are consistent with a PyInstaller onefile bundle: the first process extracts the bundled Python runtime and extension DLLs into a temporary directory and the child process loads them from there.

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\empyrean = "C:\\Users\\Admin\\AppData\\Roaming\\empyrean\\run.bat" C:\Windows\system32\reg.exe N/A

The write is made by reg.exe on the sample's behalf (see the reg delete / reg add pair under Processes). It lands in the current user's hive, so it needs no elevation, and points at a batch file under the Roaming profile. Both the value name and the drop directory use the family name verbatim, which makes this a reliable per-user hunting query: a Run value named empyrean, or any Run value whose data is a .bat under AppData\Roaming.

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A (2 rows)
N/A discord.com N/A N/A (3 rows)

No process, URL path or direction is recorded, so the report does not show which Discord or GitHub endpoint was contacted or what was transferred. Both domains are routine on most networks; a block or alert should key on the originating process and the full URL rather than the domain alone.

Looks up external IP address via web service

Description Indicator Process Target
N/A ipapi.co N/A N/A (5 rows)

Five lookups of the host's public IP address and geolocation. The process column is empty, so attribution to the sample rests on timing within the run rather than on a recorded process.

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(64 identical rows; no file names recorded)

Sixty-four UPX hits on one submission are consistent with PyInstaller's optional UPX compression of every bundled DLL and .pyd, rather than with the outer executable alone being packed; the individual files are not named in this report.
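The static signatures on this sample (Detects Pyinstaller and Unsigned PE under static1, and the UPX hits above) each reduce to a cheap structural check on the PE. The following Python is an added example and is not the sandbox's or Empyrean's code: it parses the section table, looks for the UPX section names, searches the overlay for the PyInstaller archive cookie, and reports whether the Security data directory is populated at all (presence of an Authenticode blob, not its validity). build_fake_pe constructs a minimal, non-executable PE32+ image so the checks run offline on a synthetic file; the real sample's layout is not reproduced.

```python
"""Static triage for the packaging signatures raised on this sample: UPX
section names, a PyInstaller archive cookie in the overlay, and whether an
Authenticode blob is present at all ("Unsigned PE"). Added example, not
sandbox or Empyrean code. Offsets follow the PE/COFF specification."""
from __future__ import annotations
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
# Magic that prefixes the CArchive cookie PyInstaller appends to onefile builds.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def _headers(pe: bytes) -> tuple[int, int]:
    """Return (COFF header offset, optional header offset) after checking MZ/PE."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4, e_lfanew + 24


def parse_sections(pe: bytes) -> list[tuple[bytes, int, int]]:
    """(name, PointerToRawData, SizeOfRawData) for every section header."""
    coff, opt = _headers(pe)
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = opt + opt_size
    sections = []
    for i in range(num_sections):
        hdr = table + i * 40
        name = pe[hdr:hdr + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)
        sections.append((name, raw_ptr, raw_size))
    return sections


def has_authenticode_blob(pe: bytes) -> bool:
    """True when the Security data directory is populated. Presence only: the
    signature is not validated, so a self-signed or broken blob still counts."""
    _, opt = _headers(pe)
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)  # PE32+ vs PE32 data directories
    offset, size = struct.unpack_from("<II", pe, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return offset != 0 and size != 0


def triage(pe: bytes) -> dict:
    sections = parse_sections(pe)
    names = {name for name, _, _ in sections}
    # Overlay = bytes after the last section's raw data. PyInstaller appends its
    # archive there and UPX leaves the overlay alone, so the cookie survives packing.
    end_of_sections = max((ptr + size for _, ptr, size in sections), default=0)
    overlay = pe[end_of_sections:]
    return {
        "upx": bool(names & UPX_SECTION_NAMES),
        "pyinstaller": PYINSTALLER_MAGIC in overlay,
        "signed": has_authenticode_blob(pe),
        "overlay_bytes": len(overlay),
    }


def build_fake_pe(section_names: list[bytes], overlay: bytes, signed: bool = False) -> bytes:
    """Constructed, non-executable PE32+ image for demonstration (not the sample):
    valid headers, one 512-byte raw block per section, an optional dummy
    certificate blob, then the given overlay."""
    e_lfanew, opt_size, align = 0x80, 240, 0x200
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)  # PE32+ magic
    first_raw = (e_lfanew + 24 + opt_size + 40 * len(section_names) + align - 1) & ~(align - 1)
    table, raw_ptr = bytearray(), first_raw
    for name in section_names:
        table += name.ljust(8, b"\0") + struct.pack("<IIII", align, 0x1000, align, raw_ptr) + b"\0" * 16
        raw_ptr += align
    if signed:  # point the Security directory at a dummy blob after the section data
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, raw_ptr, 8)
    image = (bytes(dos) + coff + bytes(opt) + bytes(table)).ljust(first_raw, b"\0")
    image += b"\xcc" * (align * len(section_names)) + (b"\0" * 8 if signed else b"")
    return image + overlay


if __name__ == "__main__":
    packed = build_fake_pe([b"UPX0", b"UPX1", b".rsrc"], b"\0" * 64 + PYINSTALLER_MAGIC + b"\0" * 16)
    print(triage(packed))  # upx and pyinstaller True, signed False
    print(triage(build_fake_pe([b".text", b".rdata"], b"", signed=True)))
```

On a real file, read it with open(path, "rb") and pass the bytes to triage(). A packed or PyInstaller-built binary is not malicious by itself; the result is a triage hint that, combined with a missing signature and a lure file name, justifies a behavioural run.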

Browser Information Discovery

discovery

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A (3 rows)
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A (3 rows)
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A (3 rows)

Every row is a read (open, query, enumerate) performed by netsh.exe itself, which loads its helper DLLs from this key on each start; the three sets of reads line up with the three "netsh wlan show profiles" invocations under Processes. No write to the key is recorded, so the persistence and privilege_escalation tags this signature contributes are not supported by the observed behaviour. A genuine Netsh Helper DLL (T1546.007) hit would show a Set value on this key from a process other than netsh.exe.
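To keep read-only activity of the kind shown above apart from a genuine helper-DLL registration, the report's own registry rows can be classified by operation. The Python below is an added example (not sandbox code) that parses rows in the Description Indicator Process Target layout used on this page and returns an alert only when a persistence key is written; the sample rows are copied from this report.

```python
"""Classify the registry rows this report prints into reads and writes, so a
"Netsh Helper DLL" hit built from Key opened/queried/enumerated events by
netsh.exe itself is kept apart from a real Run-key write by reg.exe.
Added example over the page's own row layout; not sandbox code."""
from __future__ import annotations
import re

# Operation prefixes the sandbox uses; only the write operations can persist.
WRITE_OPS = ("Set value", "Key created", "Key deleted", "Value deleted")

# Persistence locations that matter when written, not when read.
PERSISTENCE_KEYS = {
    "run_key": re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I),
    "netsh_helper": re.compile(r"^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\NetSh(\\|$)", re.I),
}

ROW = re.compile(
    r"^(?P<op>Set value \([a-z]+\)|Key created|Key deleted|Value deleted"
    r"|Key opened|Key queried|Key value queried|Key value enumerated)\s+"
    r"(?P<key>\\REGISTRY\\\S+)"
    r'(?:\s*=\s*"(?P<data>[^"]*)")?\s+'
    r"(?P<process>[A-Za-z]:\\.*?\.exe)\s+(?P<target>\S+)$"
)

# Rows copied from this report's signature tables (one of each kind).
ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\empyrean = "C:\\Users\\Admin\\AppData\\Roaming\\empyrean\\run.bat" C:\Windows\system32\reg.exe N/A',
    r"Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A",
    r"Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A",
    r"Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A",
    r'Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133843737134614727" C:\Program Files\Google\Chrome\Application\chrome.exe N/A',
]


def parse_row(line: str) -> dict | None:
    """Split one flattened row into its fields; None for lines that are not rows."""
    m = ROW.match(line.strip())
    if not m:
        return None
    row = m.groupdict()
    row["is_write"] = row["op"].startswith(WRITE_OPS)
    return row


def classify(rows: list[str]) -> list[dict]:
    """One finding per (persistence key, process) pair: 'alert' when the key
    was written, 'informational' when the sandbox only saw reads."""
    findings: dict[tuple[str, str], dict] = {}
    for line in rows:
        row = parse_row(line)
        if row is None:
            continue
        for name, pattern in PERSISTENCE_KEYS.items():
            if not pattern.search(row["key"]):
                continue
            f = findings.setdefault((name, row["process"]), {
                "key": name, "process": row["process"],
                "reads": 0, "writes": 0, "written": [],
            })
            if row["is_write"]:
                f["writes"] += 1
                f["written"].append((row["key"], row["data"]))
            else:
                f["reads"] += 1
    for f in findings.values():
        f["verdict"] = "alert" if f["writes"] else "informational"
    return list(findings.values())


if __name__ == "__main__":
    for finding in classify(ROWS):
        print(finding["verdict"], finding["key"], finding["process"],
              f"reads={finding['reads']} writes={finding['writes']}", finding["written"])
```

Run against the rows above, the NetSh key yields an informational finding (three reads, no writes, all by netsh.exe) while the Run key yields an alert carrying the written value; the Chrome BIOS and TPM rows touch no persistence location and produce nothing.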

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A (3 rows)
N/A N/A C:\Windows\system32\netsh.exe N/A (3 rows)

Each cmd.exe/netsh.exe pair is one "netsh wlan show profiles" run (see Processes), which lists the names of the saved Wi-Fi profiles. The follow-up that would expose a stored passphrase, netsh wlan show profile <name> key=clear, does not appear in this report's process list.

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

All three reads are by chrome.exe, which reads the BIOS manufacturer and product name for its own hardware-model reporting. The sample's equivalent fingerprinting goes through WMIC csproduct get uuid instead (see Processes).

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133843737134614727" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

S-1-5-19 is the LOCAL SERVICE hive and the value is a Windows TPM telemetry timestamp; the sandbox attributes it to chrome.exe and nothing ties it to the sample.

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A (2 rows: the reg delete and reg add commands listed under Processes)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (3 rows)

Chrome launches its child processes with the mitigation policy that blocks loading of non-Microsoft binaries; this is Chrome's own sandbox hardening, not sample behaviour.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\zoom_64789348756.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\wbem\WMIC.exe N/A
(the 21-row WMIC.exe block above is recorded three times in the raw report)

The only row that originates from the sample is the SeDebugPrivilege enable on zoom_64789348756.exe. That privilege is what a process needs to open processes owned by other users or SYSTEM, so taken with EnumeratesProcesses in the summary it deserves a closer look, although the sandbox does not record whether the enable succeeded. The WMIC.exe rows are WMIC enabling every privilege already present in the caller's token at start-up, which it does on every invocation; AdjustTokenPrivileges can only enable privileges the token already holds, so these rows are not evidence of escalation by the sample. The unnamed LUIDs 33 to 36 correspond to SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege, which the sandbox did not resolve to names.

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (27 identical rows)

FindShellTrayWindow is an ordinary shell call for an application with a taskbar presence; every row is chrome.exe and none names the sample.

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (24 identical rows)

SendNotifyMessage is routine window-message traffic for a GUI process; as with FindShellTrayWindow, every row is chrome.exe.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(each parent/child pair appears twice in the raw report; collapsed below to one edge per pair, in the order recorded)

4768 zoom_64789348756.exe (C:\Users\Admin\AppData\Local\Temp\)
  -> 2324 zoom_64789348756.exe
       -> 1628 cmd.exe (no child recorded: "ver" is a cmd.exe builtin)
       -> 1072 cmd.exe -> 2752 WMIC.exe
       -> 3620 cmd.exe -> 4348 reg.exe
       -> 4716 cmd.exe -> 960 reg.exe
       -> 4368 cmd.exe -> 4028 WMIC.exe
       -> 1052 cmd.exe -> 1736 WMIC.exe
       -> 3964 cmd.exe -> 2588 WMIC.exe
       -> 4460 cmd.exe -> 2200 netsh.exe
       -> 3744 cmd.exe -> 2720 netsh.exe
       -> 4444 cmd.exe -> 2312 netsh.exe

2964 chrome.exe (C:\Program Files\Google\Chrome\Application\)
  -> 1000 chrome.exe (2 rows)
  -> 4480 chrome.exe (22 rows)

The writes are each parent writing into the child it has just created, part of normal process start-up that this sandbox flags generically; nothing here shows the sample writing into chrome.exe or any other already-running process. The 4768 -> 2324 self-spawn is the PyInstaller onefile pattern: the bootloader unpacks the bundle and then runs itself again as the child that executes the Python payload. The chrome.exe subtree has no recorded link to PID 2324, so the chrome.exe rows in the other signatures (FindShellTrayWindow, SendNotifyMessage, the BIOS and TPM registry access, NtCreateUserProcessBlockNonMicrosoftBinary) should not be attributed to the sample on the basis of this report.

Processes

C:\Users\Admin\AppData\Local\Temp\zoom_64789348756.exe

"C:\Users\Admin\AppData\Local\Temp\zoom_64789348756.exe"

C:\Users\Admin\AppData\Local\Temp\zoom_64789348756.exe

"C:\Users\Admin\AppData\Local\Temp\zoom_64789348756.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f"

C:\Windows\system32\reg.exe

reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f"

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb3e3cc40,0x7ffcb3e3cc4c,0x7ffcb3e3cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,17515409957488651883,1964311424246749380,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1912 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2192,i,17515409957488651883,1964311424246749380,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2244 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2280,i,17515409957488651883,1964311424246749380,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2484 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,17515409957488651883,1964311424246749380,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3192 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3232,i,17515409957488651883,1964311424246749380,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3328 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3888,i,17515409957488651883,1964311424246749380,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4592 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4780,i,17515409957488651883,1964311424246749380,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4796 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3892,i,17515409957488651883,1964311424246749380,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4600 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4984,i,17515409957488651883,1964311424246749380,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4512 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4964,i,17515409957488651883,1964311424246749380,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4968 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipapi.co udp
US 104.26.9.44:443 ipapi.co tcp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 www.cloudflare.com udp
US 104.16.123.96:443 www.cloudflare.com tcp
US 104.26.9.44:443 ipapi.co tcp
US 104.16.123.96:443 www.cloudflare.com tcp
US 104.26.9.44:443 ipapi.co tcp
US 104.16.123.96:443 www.cloudflare.com tcp
US 104.26.9.44:443 ipapi.co tcp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.200.4:443 www.google.com tcp
GB 142.250.200.4:443 www.google.com udp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
GB 142.250.187.202:443 ogads-pa.googleapis.com udp
GB 142.250.187.202:443 ogads-pa.googleapis.com tcp
US 8.8.8.8:53 play.google.com udp
GB 142.250.178.14:443 play.google.com udp
GB 142.250.178.14:443 play.google.com tcp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.178.14:443 play.google.com udp
GB 172.217.169.78:443 clients2.google.com udp
GB 172.217.169.78:443 clients2.google.com tcp
N/A 224.0.0.251:5353 udp
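The Network table above mixes three kinds of traffic: the sandbox resolver (every 8.8.8.8:53 row), the hosts the sample actually contacted, and background traffic that most likely belongs to the Chrome processes in the process list. The following is an added example, the editor's own code rather than the sandbox vendor's rule set, that parses rows in exactly this flattened layout and buckets them the way the report's "Looks up external IP address via web service" and "Legitimate hosting services abused for malware hosting/C2" signatures do. The watch-lists are assumptions to extend from your own intelligence; the sample rows are copied from the table above.

```python
"""Triage the flattened Network table of a sandbox report: bucket each
destination as external-IP lookup, abused legitimate hosting, resolver
traffic, browser noise, local noise or "review". Added example (editor's
own, not the sandbox vendor's rules); the watch-lists are assumptions."""
import ipaddress

# Constructed from the Network table above: Country Destination Domain Proto.
# The mDNS row has no Domain column, which the parser must tolerate.
SAMPLE_ROWS = """\
US 8.8.8.8:53 ipapi.co udp
US 104.26.9.44:443 ipapi.co tcp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 www.cloudflare.com udp
US 104.16.123.96:443 www.cloudflare.com tcp
US 104.26.9.44:443 ipapi.co tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.200.4:443 www.google.com tcp
GB 142.250.187.202:443 ogads-pa.googleapis.com udp
N/A 224.0.0.251:5353 udp
"""

# Assumed watch-lists (editor's choice, not from the report).
EXTERNAL_IP_SERVICES = {"ipapi.co", "api.ipify.org", "ifconfig.me",
                        "ip-api.com", "icanhazip.com"}
ABUSABLE_HOSTING = {"discord.com", "discordapp.com", "cdn.discordapp.com",
                    "raw.githubusercontent.com", "pastebin.com", "transfer.sh"}
BROWSER_NOISE_SUFFIXES = (".google.com", ".googleapis.com", ".gstatic.com")


def parse_row(line):
    """Parse one table row; return None for rows that do not fit the layout."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = ""
    else:
        return None
    ip, _, port = dest.rpartition(":")
    if not port.isdigit():
        return None
    return {"country": country, "ip": ip, "port": int(port),
            "domain": domain.lower(), "proto": proto}


def classify(row):
    """Bucket a row. Resolver traffic is judged by port, not by the name being
    looked up, so the 8.8.8.8:53 rows never count as contact with ipapi.co or
    discord.com themselves; only the TCP/443 rows do."""
    ip = ipaddress.ip_address(row["ip"])
    if ip.is_multicast or ip.is_private or ip.is_link_local:
        return "local_noise"
    if row["port"] == 53:
        return "dns_resolution"
    if row["domain"] in EXTERNAL_IP_SERVICES:
        return "external_ip_lookup"
    if row["domain"] in ABUSABLE_HOSTING:
        return "legit_hosting_abuse"
    if row["domain"].endswith(BROWSER_NOISE_SUFFIXES):
        return "browser_noise"
    return "review"


def triage(text):
    """Return {bucket: {"hosts": sorted unique hosts, "connections": count}}."""
    hosts, counts = {}, {}
    for line in text.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        bucket = classify(row)
        hosts.setdefault(bucket, set()).add(row["domain"] or row["ip"])
        counts[bucket] = counts.get(bucket, 0) + 1
    return {b: {"hosts": sorted(h), "connections": counts[b]}
            for b, h in hosts.items()}


if __name__ == "__main__":
    for bucket, info in triage(SAMPLE_ROWS).items():
        print(f"{bucket:20s} {info['connections']:2d}  {', '.join(info['hosts'])}")
```

Anything that lands in "review" (here www.cloudflare.com) is deliberately left for a human: it is neither on a watch-list nor obviously browser noise, and a stealer that calls a CDN front page for a connectivity check looks identical on the wire to a benign one.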

Files

C:\Users\Admin\AppData\Local\Temp\_MEI47682\python310.dll

MD5 69d4f13fbaeee9b551c2d9a4a94d4458
SHA1 69540d8dfc0ee299a7ff6585018c7db0662aa629
SHA256 801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046
SHA512 8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378

C:\Users\Admin\AppData\Local\Temp\_MEI47682\VCRUNTIME140.dll

MD5 870fea4e961e2fbd00110d3783e529be
SHA1 a948e65c6f73d7da4ffde4e8533c098a00cc7311
SHA256 76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644
SHA512 0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

memory/2324-115-0x00007FFCB4660000-0x00007FFCB4ACE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI47682\base_library.zip

MD5 fbd6be906ac7cd45f1d98f5cb05f8275
SHA1 5d563877a549f493da805b4d049641604a6a0408
SHA256 ae35709e6b8538827e3999e61a0345680c5167962296ac7bef62d6b813227fb0
SHA512 1547b02875f3e547c4f5e15c964719c93d7088c7f4fd044f6561bebd29658a54ef044211f9d5cfb4570ca49ed0f17b08011d27fe85914e8c3ea12024c8071e8a

C:\Users\Admin\AppData\Local\Temp\_MEI47682\_ctypes.pyd

MD5 6ca9a99c75a0b7b6a22681aa8e5ad77b
SHA1 dd1118b7d77be6bb33b81da65f6b5dc153a4b1e8
SHA256 d39390552c55d8fd4940864905cd4437bc3f8efe7ff3ca220543b2c0efab04f8
SHA512 b0b5f2979747d2f6796d415dd300848f32b4e79ede59827ac447af0f4ea8709b60d6935d09e579299b3bc54b6c0f10972f17f6c0d1759c5388ad5b14689a23fe

C:\Users\Admin\AppData\Local\Temp\_MEI47682\python3.DLL

MD5 c17b7a4b853827f538576f4c3521c653
SHA1 6115047d02fbbad4ff32afb4ebd439f5d529485a
SHA256 d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68
SHA512 8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

memory/2324-123-0x00007FFCC4310000-0x00007FFCC4334000-memory.dmp

memory/2324-125-0x00007FFCC9C80000-0x00007FFCC9C8F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI47682\libffi-7.dll

MD5 b5150b41ca910f212a1dd236832eb472
SHA1 a17809732c562524b185953ffe60dfa91ba3ce7d
SHA256 1a106569ac0ad3152f3816ff361aa227371d0d85425b357632776ac48d92ea8a
SHA512 9e82b0caa3d72bb4a7ad7d66ebfb10edb778749e89280bca67c766e72dc794e99aab2bc2980d64282a384699929ce6cc996462a73584898d2df67a57bff2a9c6

C:\Users\Admin\AppData\Local\Temp\_MEI47682\_bz2.pyd

MD5 758fff1d194a7ac7a1e3d98bcf143a44
SHA1 de1c61a8e1fb90666340f8b0a34e4d8bfc56da07
SHA256 f5e913a9f2adf7d599ea9bb105e144ba11699bbcb1514e73edcf7e062354e708
SHA512 468d7c52f14812d5bde1e505c95cb630e22d71282bda05bf66324f31560bfa06095cf60fc0d34877f8b361ccd65a1b61d0fd1f91d52facb0baf8e74f3fed31cc

memory/2324-128-0x00007FFCC9BB0000-0x00007FFCC9BC9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI47682\_lzma.pyd

MD5 abceeceaeff3798b5b0de412af610f58
SHA1 c3c94c120b5bed8bccf8104d933e96ac6e42ca90
SHA256 216aa4bb6f62dd250fd6d2dcde14709aa82e320b946a21edeec7344ed6c2c62e
SHA512 3e1a2eb86605aa851a0c5153f7be399f6259ecaad86dbcbf12eeae5f985dc2ea2ab25683285e02b787a5b75f7df70b4182ae8f1567946f99ad2ec7b27d4c7955

memory/2324-131-0x00007FFCC44C0000-0x00007FFCC44ED000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI47682\pyexpat.pyd

MD5 5a328b011fa748939264318a433297e2
SHA1 d46dd2be7c452e5b6525e88a2d29179f4c07de65
SHA256 e8a81b47029e8500e0f4e04ccf81f8bdf23a599a2b5cd627095678cdf2fabc14
SHA512 06fa8262378634a42f5ab8c1e5f6716202544c8b304de327a08aa20c8f888114746f69b725ed3088d975d09094df7c3a37338a93983b957723aa2b7fda597f87

memory/2324-134-0x00007FFCC4480000-0x00007FFCC44B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI47682\_socket.pyd

MD5 afd296823375e106c4b1ac8b39927f8b
SHA1 b05d811e5a5921d5b5cc90b9e4763fd63783587b
SHA256 e423a7c2ce5825dfdd41cfc99c049ff92abfb2aa394c85d0a9a11de7f8673007
SHA512 95e98a24be9e603b2870b787349e2aa7734014ac088c691063e4078e11a04898c9c547d6998224b1b171fc4802039c3078a28c7e81d59f6497f2f9230d8c9369

memory/2324-138-0x00007FFCC8830000-0x00007FFCC8849000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI47682\select.pyd

MD5 72009cde5945de0673a11efb521c8ccd
SHA1 bddb47ac13c6302a871a53ba303001837939f837
SHA256 5aaa15868421a46461156e7817a69eeeb10b29c1e826a9155b5f8854facf3dca
SHA512 d00a42700c9201f23a44fd9407fea7ea9df1014c976133f33ff711150727bf160941373d53f3a973f7dd6ca7b5502e178c2b88ea1815ca8bce1a239ed5d8256d

memory/2324-140-0x00007FFCC8960000-0x00007FFCC896D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI47682\_queue.pyd

MD5 0d267bb65918b55839a9400b0fb11aa2
SHA1 54e66a14bea8ae551ab6f8f48d81560b2add1afc
SHA256 13ee41980b7d0fb9ce07f8e41ee6a309e69a30bbf5b801942f41cbc357d59e9c
SHA512 c2375f46a98e44f54e2dd0a5cc5f016098500090bb78de520dc5e05aef8e6f11405d8f6964850a03060caed3628d0a6303091cba1f28a0aa9b3b814217d71e56

memory/2324-143-0x00007FFCC8740000-0x00007FFCC874D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI47682\pywintypes310.dll

MD5 6f2aa8fa02f59671f99083f9cef12cda
SHA1 9fd0716bcde6ac01cd916be28aa4297c5d4791cd
SHA256 1a15d98d4f9622fa81b60876a5f359707a88fbbbae3ae4e0c799192c378ef8c6
SHA512 f5d5112e63307068cdb1d0670fe24b65a9f4942a39416f537bdbc17dedfd99963861bf0f4e94299cdce874816f27b3d86c4bebb889c3162c666d5ee92229c211

memory/2324-147-0x00007FFCC4450000-0x00007FFCC447E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI47682\VCRUNTIME140_1.dll

MD5 bba9680bc310d8d25e97b12463196c92
SHA1 9a480c0cf9d377a4caedd4ea60e90fa79001f03a
SHA256 e0b66601cc28ecb171c3d4b7ac690c667f47da6b6183bff80604c84c00d265ab
SHA512 1575c786ac3324b17057255488da5f0bc13ad943ac9383656baf98db64d4ec6e453230de4cd26b535ce7e8b7d41a9f2d3f569a0eff5a84aeb1c2f9d6e3429739

C:\Users\Admin\AppData\Local\Temp\_MEI47682\pythoncom310.dll

MD5 9051abae01a41ea13febdea7d93470c0
SHA1 b06bd4cd4fd453eb827a108e137320d5dc3a002f
SHA256 f12c8141d4795719035c89ff459823ed6174564136020739c106f08a6257b399
SHA512 58d8277ec4101ad468dd8c4b4a9353ab684ecc391e5f9db37de44d5c3316c17d4c7a5ffd547ce9b9a08c56e3dd6d3c87428eae12144dfb72fc448b0f2cfc47da

C:\Users\Admin\AppData\Local\Temp\_MEI47682\win32api.pyd

MD5 561f419a2b44158646ee13cd9af44c60
SHA1 93212788de48e0a91e603d74f071a7c8f42fe39b
SHA256 631465da2a1dad0cb11cd86b14b4a0e4c7708d5b1e8d6f40ae9e794520c3aaf7
SHA512 d76ab089f6dc1beffd5247e81d267f826706e60604a157676e6cbc3b3447f5bcee66a84bf35c21696c020362fadd814c3e0945942cdc5e0dfe44c0bca169945c

memory/2324-156-0x00007FFCC4420000-0x00007FFCC444B000-memory.dmp

memory/2324-155-0x00007FFCC4310000-0x00007FFCC4334000-memory.dmp

memory/2324-154-0x00007FFCC4120000-0x00007FFCC41DC000-memory.dmp

memory/2324-152-0x00007FFCB4660000-0x00007FFCB4ACE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI47682\_decimal.pyd

MD5 eb45ea265a48348ce0ac4124cb72df22
SHA1 ecdc1d76a205f482d1ed9c25445fa6d8f73a1422
SHA256 3881f00dbc4aadf9e87b44c316d93425a8f6ba73d72790987226238defbc7279
SHA512 f7367bf2a2d221a7508d767ad754b61b2b02cdd7ae36ae25b306f3443d4800d50404ac7e503f589450ed023ff79a2fb1de89a30a49aa1dd32746c3e041494013

memory/2324-161-0x00007FFCC42C0000-0x00007FFCC4302000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI47682\_uuid.pyd

MD5 81dfa68ca3cb20ced73316dbc78423f6
SHA1 8841cf22938aa6ee373ff770716bb9c6d9bc3e26
SHA256 d0cb6dd98a2c9d4134c6ec74e521bad734bc722d6a3b4722428bf79e7b66f190
SHA512 e24288ae627488251682cd47c1884f2dc5f4cd834d7959b9881e5739c42d91fd0a30e75f0de77f5b5a0d63d9baebcafa56851e7e40812df367fd433421c0ccdb

memory/2324-165-0x00007FFCC46B0000-0x00007FFCC46BA000-memory.dmp

memory/2324-164-0x00007FFCC9BB0000-0x00007FFCC9BC9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI47682\psutil\_psutil_windows.pyd

MD5 fb17b2f2f09725c3ffca6345acd7f0a8
SHA1 b8d747cc0cb9f7646181536d9451d91d83b9fc61
SHA256 9c7d401418db14353db85b54ff8c7773ee5d17cbf9a20085fde4af652bd24fc4
SHA512 b4acb60045da8639779b6bb01175b13344c3705c92ea55f9c2942f06c89e5f43cedae8c691836d63183cacf2d0a98aa3bcb0354528f1707956b252206991bf63

memory/2324-169-0x00007FFCC45D0000-0x00007FFCC45EC000-memory.dmp

memory/2324-168-0x00007FFCC44C0000-0x00007FFCC44ED000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI47682\_ssl.pyd

MD5 1e643c629f993a63045b0ff70d6cf7c6
SHA1 9af2d22226e57dc16c199cad002e3beb6a0a0058
SHA256 4a50b4b77bf9e5d6f62c7850589b80b4caa775c81856b0d84cb1a73d397eb38a
SHA512 9d8cd6e9c03880cc015e87059db28ff588881679f8e3f5a26a90f13e2c34a5bd03fb7329d9a4e33c4a01209c85a36fc999e77d9ece42cebdb738c2f1fd6775af

memory/2324-173-0x00007FFCC4290000-0x00007FFCC42BE000-memory.dmp

memory/2324-172-0x00007FFCC4480000-0x00007FFCC44B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI47682\libcrypto-1_1.dll

MD5 da5fe6e5cfc41381025994f261df7148
SHA1 13998e241464952d2d34eb6e8ecfcd2eb1f19a64
SHA256 de045c36ae437a5b40fc90a8a7cc037facd5b7e307cfcf9a9087c5f1a6a2cf18
SHA512 a0d7ebf83204065236439d495eb3c97be093c41daac2e6cfbbb1aa8ffeac049402a3dea7139b1770d2e1a45e08623a56a94d64c8f0c5be74c5bae039a2bc6ca9

C:\Users\Admin\AppData\Local\Temp\_MEI47682\libssl-1_1.dll

MD5 48d792202922fffe8ea12798f03d94de
SHA1 f8818be47becb8ccf2907399f62019c3be0efeb5
SHA256 8221a76831a103b2b2ae01c3702d0bba4f82f2afd4390a3727056e60b28650cc
SHA512 69f3a8b556dd517ae89084623f499ef89bd0f97031e3006677ceed330ed13fcc56bf3cde5c9ed0fc6c440487d13899ffda775e6a967966294cadfd70069b2833

memory/2324-177-0x00007FFCC8830000-0x00007FFCC8849000-memory.dmp

memory/2324-178-0x00007FFCB40B0000-0x00007FFCB4168000-memory.dmp

memory/2324-183-0x00007FFCC8740000-0x00007FFCC874D000-memory.dmp

memory/2324-182-0x00007FFCB3D30000-0x00007FFCB40A5000-memory.dmp

memory/2324-181-0x000001DB32CD0000-0x000001DB33045000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI47682\_hashlib.pyd

MD5 0d723bc34592d5bb2b32cf259858d80e
SHA1 eacfabd037ba5890885656f2485c2d7226a19d17
SHA256 f2b927aaa856d23f628b01380d5a19bfe9233db39c9078c0e0585d376948c13f
SHA512 3e79455554d527d380adca39ac10dbf3914ca4980d8ee009b7daf30aeb4e9359d9d890403da9cc2b69327c695c57374c390fa780a8fd6148bbea3136138ead33

memory/2324-187-0x00007FFCC4100000-0x00007FFCC4114000-memory.dmp

memory/2324-186-0x00007FFCC4450000-0x00007FFCC447E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI47682\charset_normalizer\md.cp310-win_amd64.pyd

MD5 79f58590559566a010140b0b94a9ff3f
SHA1 e3b6b62886bba487e524cbba4530ca703b24cbda
SHA256 f8eae2b1020024ee92ba116c29bc3c8f80906be2029ddbe0c48ca1d02bf1ea73
SHA512 ecfcd6c58175f3e95195abe9a18bb6dd1d10b989539bf24ea1bcdbd3c435a10bbd2d8835a4c3acf7f9aeb44b160307ae0c377125202b9dbf0dd6e8cfd2603131

memory/2324-191-0x00007FFCC4410000-0x00007FFCC441B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI47682\charset_normalizer\md__mypyc.cp310-win_amd64.pyd

MD5 9bb72ad673c91050ecb9f4a3f98b91ef
SHA1 67ff2d6ab21e2bbe84f43a84ecd2fd64161e25f4
SHA256 17fc896275afcd3cdd20836a7379d565d156cd409dc28f95305c32f1b3e99c4f
SHA512 4c1236f9cfbb2ec8e895c134b7965d1ebf5404e5d00acf543b9935bc22d07d58713a75eee793c02dfda29b128412972f00e82a636d33ec8c9e0d9804f465bc40

memory/2324-195-0x00007FFCC40D0000-0x00007FFCC40F6000-memory.dmp

memory/2324-194-0x00007FFCC4420000-0x00007FFCC444B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI47682\unicodedata.pyd

MD5 ca3baebf8725c7d785710f1dfbb2736d
SHA1 8f9aec2732a252888f3873967d8cc0139ff7f4e5
SHA256 f2d03a39556491d1ace63447b067b38055f32f5f1523c01249ba18052c599b4c
SHA512 5c2397e4dcb361a154cd3887c229bcf7ef980acbb4b851a16294d5df6245b2615cc4b42f6a95cf1d3c49b735c2f7025447247d887ccf4cd964f19f14e4533470

memory/2324-198-0x00007FFCB3C10000-0x00007FFCB3D28000-memory.dmp

memory/2324-197-0x00007FFCC42C0000-0x00007FFCC4302000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI47682\_sqlite3.pyd

MD5 7b45afc909647c373749ef946c67d7cf
SHA1 81f813c1d8c4b6497c01615dcb6aa40b92a7bd20
SHA256 a5f39bfd2b43799922e303a3490164c882f6e630777a3a0998e89235dc513b5e
SHA512 fe67e58f30a2c95d7d42a102ed818f4d57baa524c5c2d781c933de201028c75084c3e836ff4237e066f3c7dd6a5492933c3da3fee76eb2c50a6915996ef6d7fb

memory/2324-202-0x00007FFCC46B0000-0x00007FFCC46BA000-memory.dmp

memory/2324-203-0x00007FFCC40B0000-0x00007FFCC40CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI47682\sqlite3.dll

MD5 b70d218798c0fec39de1199c796ebce8
SHA1 73b9f8389706790a0fec3c7662c997d0a238a4a0
SHA256 4830e8d4ae005a73834371fe7bb5b91ca8a4c4c3a4b9a838939f18920f10faff
SHA512 2ede15cc8a229bfc599980ce7180a7a3c37c0264415470801cf098ef4dac7bcf857821f647614490c1b0865882619a24e3ac0848b5aea1796fad054c0dd6f718

memory/2324-206-0x00007FFCB3A90000-0x00007FFCB3C01000-memory.dmp

memory/2324-205-0x00007FFCC45D0000-0x00007FFCC45EC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI47682\Crypto\Cipher\_raw_ecb.pyd

MD5 f94726f6b584647142ea6d5818b0349d
SHA1 4aa9931c0ff214bf520c5e82d8e73ceeb08af27c
SHA256 b98297fd093e8af7fca2628c23a9916e767540c3c6fa8894394b5b97ffec3174
SHA512 2b40a9b39f5d09eb8d7ddad849c8a08ab2e73574ee0d5db132fe8c8c3772e60298e0545516c9c26ee0b257ebda59cfe1f56ef6c4357ef5be9017c4db4770d238

C:\Users\Admin\AppData\Local\Temp\_MEI47682\Crypto\Cipher\_raw_cfb.pyd

MD5 ff64fd41b794e0ef76a9eeae1835863c
SHA1 bf14e9d12b8187ca4cc9528d7331f126c3f5ca1e
SHA256 5d2d1a5f79b44f36ac87d9c6d886404d9be35d1667c4b2eb8aab59fb77bf8bac
SHA512 03673f94525b63644a7da45c652267077753f29888fb8966da5b2b560578f961fdc67696b69a49d9577a8033ffcc7b4a6b98c051b4f53380227c392761562734

C:\Users\Admin\AppData\Local\Temp\_MEI47682\Crypto\Cipher\_raw_cbc.pyd

MD5 fe44f698198190de574dc193a0e1b967
SHA1 5bad88c7cc50e61487ec47734877b31f201c5668
SHA256 32fa416a29802eb0017a2c7360bf942edb132d4671168de26bd4c3e94d8de919
SHA512 c841885dd7696f337635ef759e3f61ee7f4286b622a9fb8b695988d93219089e997b944321ca49ca3bd19d41440ee7c8e1d735bd3558052f67f762bf4d1f5fc3

memory/2324-218-0x000001DB32CD0000-0x000001DB33045000-memory.dmp

memory/2324-222-0x00007FFCC3C90000-0x00007FFCC3C9C000-memory.dmp

memory/2324-221-0x00007FFCC3CA0000-0x00007FFCC3CAB000-memory.dmp

memory/2324-223-0x00007FFCC3C80000-0x00007FFCC3C8B000-memory.dmp

memory/2324-224-0x00007FFCC3C70000-0x00007FFCC3C7C000-memory.dmp

memory/2324-226-0x00007FFCC3C60000-0x00007FFCC3C6D000-memory.dmp

memory/2324-227-0x00007FFCC3C50000-0x00007FFCC3C5E000-memory.dmp

memory/2324-229-0x00007FFCC3C40000-0x00007FFCC3C4C000-memory.dmp

memory/2324-231-0x00007FFCC38B0000-0x00007FFCC38BB000-memory.dmp

memory/2324-234-0x00007FFCC3160000-0x00007FFCC316C000-memory.dmp

memory/2324-235-0x00007FFCC1790000-0x00007FFCC179D000-memory.dmp

memory/2324-237-0x00007FFCC1760000-0x00007FFCC176C000-memory.dmp

memory/2324-238-0x00007FFCC0840000-0x00007FFCC0855000-memory.dmp

memory/2324-236-0x00007FFCC1770000-0x00007FFCC1782000-memory.dmp

memory/2324-240-0x00007FFCBFD50000-0x00007FFCBFD64000-memory.dmp

memory/2324-241-0x00007FFCBEB80000-0x00007FFCBEBA2000-memory.dmp

memory/2324-239-0x00007FFCC0830000-0x00007FFCC0840000-memory.dmp

memory/2324-242-0x00007FFCBFD30000-0x00007FFCBFD47000-memory.dmp

memory/2324-243-0x00007FFCBEB60000-0x00007FFCBEB79000-memory.dmp

memory/2324-244-0x00007FFCB3A40000-0x00007FFCB3A8C000-memory.dmp

memory/2324-233-0x00007FFCC3280000-0x00007FFCC328C000-memory.dmp

memory/2324-232-0x00007FFCC33E0000-0x00007FFCC33EB000-memory.dmp

memory/2324-230-0x00007FFCC3C30000-0x00007FFCC3C3C000-memory.dmp

memory/2324-228-0x00007FFCC40B0000-0x00007FFCC40CF000-memory.dmp

memory/2324-225-0x00007FFCC40D0000-0x00007FFCC40F6000-memory.dmp

memory/2324-220-0x00007FFCC4080000-0x00007FFCC408C000-memory.dmp

memory/2324-219-0x00007FFCB3D30000-0x00007FFCB40A5000-memory.dmp

memory/2324-217-0x00007FFCC4090000-0x00007FFCC409B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI47682\Crypto\Cipher\_raw_ofb.pyd

MD5 eea83b9021675c8ca837dfe78b5a3a58
SHA1 3660833ff743781e451342bb623fa59229ae614d
SHA256 45a4e35231e504b0d50a5fd5968ab6960cb27d197f86689477701d79d8b95b3b
SHA512 fcdccea603737364dbdbbcd5763fd85aeb0c175e6790128c93360af43e2587d0fd173bee4843c681f43fb63d57fcaef1a58be683625c905416e0c58af5bf1d6c

memory/2324-214-0x00007FFCB40B0000-0x00007FFCB4168000-memory.dmp

memory/2324-211-0x00007FFCC40A0000-0x00007FFCC40AB000-memory.dmp

memory/2324-210-0x00007FFCC4290000-0x00007FFCC42BE000-memory.dmp

memory/2324-245-0x00007FFCBEB40000-0x00007FFCBEB51000-memory.dmp

memory/2324-246-0x00007FFCBE6C0000-0x00007FFCBE6DE000-memory.dmp

memory/2324-247-0x00007FFCB3A10000-0x00007FFCB3A39000-memory.dmp

memory/2324-251-0x00007FFCB3760000-0x00007FFCB39B2000-memory.dmp

memory/2324-250-0x00007FFCC0840000-0x00007FFCC0855000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\downloads_db

MD5 f310cf1ff562ae14449e0167a3e1fe46
SHA1 85c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256 e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA512 1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

C:\Users\Admin\AppData\Local\Temp\downloads_db

MD5 9618e15b04a4ddb39ed6c496575f6f95
SHA1 1c28f8750e5555776b3c80b187c5d15a443a7412
SHA256 a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab
SHA512 f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

C:\Users\Admin\AppData\Local\Temp\vault\cookies.txt

MD5 48692fea53e298e7efb866adee48b87b
SHA1 b240f43e79a389f030d8854d50f1a7c2e19f8571
SHA256 0f577ce468abd1ab81d020b9191d8358c03639572e172b781cf84837c7314a0d
SHA512 2c9bce0570a40d5573b80c7f693b9a47d059980cfe5bc71345faab0f28cc285890cd0cebeb2aa6e3620d514c5030c00720a6039a82e5eec3842f2af00a088f06

memory/2324-299-0x00007FFCBEB80000-0x00007FFCBEBA2000-memory.dmp

memory/2324-300-0x00007FFCBFD30000-0x00007FFCBFD47000-memory.dmp

memory/2324-301-0x00007FFCB3A40000-0x00007FFCB3A8C000-memory.dmp

memory/2324-308-0x00007FFCC8830000-0x00007FFCC8849000-memory.dmp

memory/2324-326-0x00007FFCBE6C0000-0x00007FFCBE6DE000-memory.dmp

memory/2324-325-0x00007FFCB3A90000-0x00007FFCB3C01000-memory.dmp

memory/2324-324-0x00007FFCC40B0000-0x00007FFCC40CF000-memory.dmp

memory/2324-318-0x00007FFCB40B0000-0x00007FFCB4168000-memory.dmp

memory/2324-317-0x00007FFCC4290000-0x00007FFCC42BE000-memory.dmp

memory/2324-316-0x00007FFCC45D0000-0x00007FFCC45EC000-memory.dmp

memory/2324-312-0x00007FFCC4120000-0x00007FFCC41DC000-memory.dmp

memory/2324-311-0x00007FFCC4450000-0x00007FFCC447E000-memory.dmp

memory/2324-302-0x00007FFCB4660000-0x00007FFCB4ACE000-memory.dmp

memory/2324-303-0x00007FFCC4310000-0x00007FFCC4334000-memory.dmp

memory/2324-319-0x00007FFCB3D30000-0x00007FFCB40A5000-memory.dmp

memory/2324-327-0x00007FFCB3A10000-0x00007FFCB3A39000-memory.dmp

memory/2324-328-0x00007FFCB3760000-0x00007FFCB39B2000-memory.dmp

memory/2324-359-0x00007FFCB4660000-0x00007FFCB4ACE000-memory.dmp

memory/2324-355-0x00007FFCC40D0000-0x00007FFCC40F6000-memory.dmp

memory/2324-370-0x00007FFCC4120000-0x00007FFCC41DC000-memory.dmp

memory/2324-375-0x00007FFCC4090000-0x00007FFCC409B000-memory.dmp

memory/2324-374-0x00007FFCC4080000-0x00007FFCC408C000-memory.dmp

memory/2324-373-0x00007FFCC40A0000-0x00007FFCC40AB000-memory.dmp

memory/2324-372-0x00007FFCC3C90000-0x00007FFCC3C9C000-memory.dmp

memory/2324-371-0x00007FFCC3160000-0x00007FFCC316C000-memory.dmp

memory/2324-369-0x00007FFCC4420000-0x00007FFCC444B000-memory.dmp

memory/2324-368-0x00007FFCC4450000-0x00007FFCC447E000-memory.dmp

memory/2324-367-0x00007FFCC8740000-0x00007FFCC874D000-memory.dmp

memory/2324-366-0x00007FFCC8960000-0x00007FFCC896D000-memory.dmp

memory/2324-365-0x00007FFCC8830000-0x00007FFCC8849000-memory.dmp

memory/2324-364-0x00007FFCC4480000-0x00007FFCC44B4000-memory.dmp

memory/2324-363-0x00007FFCC44C0000-0x00007FFCC44ED000-memory.dmp

memory/2324-362-0x00007FFCC9BB0000-0x00007FFCC9BC9000-memory.dmp

memory/2324-361-0x00007FFCC9C80000-0x00007FFCC9C8F000-memory.dmp

memory/2324-360-0x00007FFCC4310000-0x00007FFCC4334000-memory.dmp

memory/2324-358-0x00007FFCB3A90000-0x00007FFCB3C01000-memory.dmp

memory/2324-357-0x00007FFCC40B0000-0x00007FFCC40CF000-memory.dmp

memory/2324-356-0x00007FFCB3C10000-0x00007FFCB3D28000-memory.dmp

memory/2324-352-0x00007FFCB3D30000-0x00007FFCB40A5000-memory.dmp

memory/2324-351-0x00007FFCB40B0000-0x00007FFCB4168000-memory.dmp

memory/2324-350-0x00007FFCC4290000-0x00007FFCC42BE000-memory.dmp

memory/2324-349-0x00007FFCC45D0000-0x00007FFCC45EC000-memory.dmp

memory/2324-348-0x00007FFCC46B0000-0x00007FFCC46BA000-memory.dmp

memory/2324-347-0x00007FFCC42C0000-0x00007FFCC4302000-memory.dmp

memory/2324-354-0x00007FFCC4410000-0x00007FFCC441B000-memory.dmp

memory/2324-353-0x00007FFCC4100000-0x00007FFCC4114000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 c9d5328717b18e3e2906af398e66b399
SHA1 c7b547ac144c1efa745dee7680b461c59eb75561
SHA256 feb8ce3dc0083465e559e37e75ab2b642f67dbe882a7d7bc16a3cb9921d49913
SHA512 4aa9cf9c50230a853f4be55770f0af01cdd0ac18102bd18ef67a4d235b108b93eab859d0068af55a5803450e98d656986c351167295908208639e103b6d48704

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 ebb9fb4965be4798fe1e6ff591d28d53
SHA1 c516ea55b2469e2e355fb5a2eef3221db6828ecc
SHA256 39c6a26986e13a7065a97b5e5567b02f80658d57c0b5bee7753f199178e6fbc7
SHA512 69deca6a8272d47793e45298e10044f3dbaf64ce2dc14e9555c64e056e6d3f44e872177d203cfe930794ab018932464748bc29746c635a9bb929616e4edff5a9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 2a8b1fd79f8a92ca2cf715aeddb8c607
SHA1 f8c22f668d84ab0110ecee95c6c0942a8e940d99
SHA256 9dcdc11fd660ba28432dd55c8975b7a189a39051c0ef7f2def41298445e71a8b
SHA512 8197f6c037079df5fa08f42e57c6496bd1439e71f21cf82d32b2ffaf2140d54203717a6fa3acbf90f6409a2d1261c4552d59f48838afa802bef0374f71277a45

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 db6da0249e490d6a2c7efb0e07d45bac
SHA1 3db68edf6f4ba2ed30ec5a228823934008882280
SHA256 51eb33051142e0de2560e395d1957b87577daf91f4f7a1213fd27e15d04143b2
SHA512 5b6a6705b5f581632d97f04d8f592bc5ed7898c6c6631c22ca98b066721d4906b30c7bf370d23d80727afdfbd356ed69bcec1bc86ec34889b2cdef26ded5c3c2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 0de1995f1f615cd505311899a870ee0c
SHA1 201c391bfc564d09a254cb852b4cb99c1a0e236f
SHA256 50f576000cd0f346d1980376e533976f7bb7227bb4fde8f6f7d464cbeacdb18c
SHA512 2bfc67b2bf7cef57968fc759b0d73e3e20cda1a5c60d4d73123c3f1033ea6738d77be7ef0a68c5fdb259b9b39f0462b4ff8fc249899b169004b8df92e64b64c5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 51743b33a4d17f389f3220e792aa8ef9
SHA1 a91324cf74c2cb36d896a7ab38644d34deccfd4a
SHA256 255718c5656dc08189110f60fa8f8fbb8b35b609486e0a0402068ca26301bd95
SHA512 b10567ebc22fe2e957e8f5e36fc49b5118c357ea95cbf0970dc930d139fb1758214c4acff04e3bfa8a7a889c0c5f9cdd99240248743e5efcc026f931661dbf83

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 6f283ea89accdf790ab261f17e578d6b
SHA1 1e96726e0e8299b8be38822b51006783bd9c28c1
SHA256 f58333a95a550ae91ef7242c113d38c95a71d226ece085140ad07ed719decf76
SHA512 7e2a09decfb563b979dee392cad80e14fa63f0bd2d5a92083b170c23f042964522f7873450baef24ad0cefe482d5c34afd83a41906c4f67ea0b15978c0df6a90

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 a373b71f18ba43d3fb63c4f30e1e3211
SHA1 645ae98e45e0c037d4106a946eee81d65ac28d39
SHA256 3dd23ec804550e6590af3c4ddaa0ace7696cc7c28de87c186ab6558c7bc26909
SHA512 87200fa7048c63384674ad48db27814910a2d0c192fc76c3b648ed8a4cb3239579c8358c880e714c848503aac68f44b1f7e8f9fda59d7451004a0ab6887f8b9f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

MD5 a9be07ab51f010640344c8e8c1ee87b3
SHA1 01e73c02dde1fe24a3d125dab7f08385e3ae2c83
SHA256 b1234ce98ddf58a6e28de75ec9ccc169476d05a3d0969b91cc0d25423d1acee3
SHA512 0072941628e33576f4a073ce43cd0b72bd46d5f16262d378262a5f1c8aa7c9f71206e2f3a68f3745c8850822960a9578f17fdda0170d631afe21e043ecff7381
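Everything under `C:\Users\Admin\AppData\Local\Temp\_MEI47682\` is the PyInstaller bootloader unpacking its bundle at run time, so the file list doubles as a manifest of what the Python payload can do; the two files written outside the bundle (`downloads_db` and `vault\cookies.txt`) are the collected loot being staged. The following is an added example, written by the editor and not code from the sandbox or from the Empyrean project, that reads paths in the layout of the Files section above and turns them into that summary. The module-to-capability map is an analyst heuristic and an assumption; the paths are copied from the listing above with their hashes omitted.

```python
"""Summarise a PyInstaller extraction directory (_MEIxxxxx) from dropped-file
paths: which bundled packages hint at which capability, which files are plain
runtime support, and which dropped files are staged outside the bundle.
Added example (editor's own); CAPABILITY_HINTS is an assumed heuristic."""
import re

# Constructed from the Files section above (paths only, hashes omitted).
SAMPLE_PATHS = r"""
C:\Users\Admin\AppData\Local\Temp\_MEI47682\python310.dll
C:\Users\Admin\AppData\Local\Temp\_MEI47682\VCRUNTIME140.dll
C:\Users\Admin\AppData\Local\Temp\_MEI47682\_ctypes.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI47682\_socket.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI47682\_ssl.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI47682\win32api.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI47682\pythoncom310.dll
C:\Users\Admin\AppData\Local\Temp\_MEI47682\psutil\_psutil_windows.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI47682\_sqlite3.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI47682\sqlite3.dll
C:\Users\Admin\AppData\Local\Temp\_MEI47682\Crypto\Cipher\_raw_cbc.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI47682\charset_normalizer\md.cp310-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\downloads_db
C:\Users\Admin\AppData\Local\Temp\vault\cookies.txt
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
"""

# PyInstaller one-file builds unpack into %TEMP%\_MEI<pid-ish digits>\.
MEI_RE = re.compile(r"\\(_MEI\d+)\\(.+)$", re.I)

# Assumed heuristic: top-level bundled component -> what its presence suggests.
CAPABILITY_HINTS = {
    "_sqlite3": "SQLite reader (browser Login Data / Cookies / History stores)",
    "sqlite3.dll": "SQLite reader (browser Login Data / Cookies / History stores)",
    "Crypto": "pycryptodome AES (decrypting browser cookies/passwords)",
    "win32api": "pywin32 Win32 API (DPAPI, process and window control)",
    "pythoncom310.dll": "pywin32 COM automation",
    "psutil": "process enumeration and termination",
    "_ssl": "TLS client (HTTPS exfiltration and downloads)",
    "_socket": "raw networking",
    "charset_normalizer": "requests dependency: HTTP(S) client",
}


def bundle_key(rel_path):
    """Top-level component inside the bundle: package directory name, or the
    module name with its .pyd extension removed (DLLs keep their name)."""
    top = rel_path.split("\\")[0]
    return top[:-4] if top.lower().endswith(".pyd") else top


def summarize(text):
    """Classify each path as bundled-with-hint, bundled-runtime, or outside."""
    mei_dirs, caps, runtime, outside = set(), set(), set(), []
    for path in text.strip().splitlines():
        m = MEI_RE.search(path)
        if not m:
            outside.append(path)
            continue
        mei_dirs.add(m.group(1))
        key = bundle_key(m.group(2))
        hint = CAPABILITY_HINTS.get(key)
        if hint:
            caps.add(hint)
        else:
            runtime.add(key)
    return {"mei_dirs": sorted(mei_dirs), "capabilities": sorted(caps),
            "runtime": sorted(runtime), "outside_bundle": outside}


def staging_artifacts(paths):
    """Non-bundle files written to Temp: candidates for collected loot."""
    return [p for p in paths if "\\temp\\" in p.lower() and not MEI_RE.search(p)]


if __name__ == "__main__":
    s = summarize(SAMPLE_PATHS)
    print("bundle dirs:", ", ".join(s["mei_dirs"]))
    for cap in s["capabilities"]:
        print("  capability:", cap)
    print("runtime only:", ", ".join(s["runtime"]))
    for p in staging_artifacts(s["outside_bundle"]):
        print("  staged loot:", p)
```

The `_MEI` directory name changes on every run, so never write it into an indicator; the stable signals are the bundle contents (which packages ship) and the staging paths relative to `%TEMP%`.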

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-18 17:34

Reported

2025-02-18 17:37

Platform

win11-20250217-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\zoom_64789348756.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\zoom_64789348756.exe N/A
(identical row repeated 58 times in the report; the sandbox records no indicator or target for any of them)

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000\Software\Microsoft\Windows\CurrentVersion\Run\empyrean = "C:\\Users\\Admin\\AppData\\Roaming\\empyrean\\run.bat" C:\Windows\system32\reg.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A discord.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Panther\UnattendGC\diagwrn.xml C:\Windows\System32\oobe\UserOOBEBroker.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\setupact.log C:\Windows\System32\oobe\UserOOBEBroker.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\setuperr.log C:\Windows\System32\oobe\UserOOBEBroker.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\diagerr.xml C:\Windows\System32\oobe\UserOOBEBroker.exe N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\system32\BackgroundTransferHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\MuiCache C:\Windows\system32\BackgroundTransferHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\system32\BackgroundTransferHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\system32\BackgroundTransferHost.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\zoom_64789348756.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\wbem\WMIC.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2968 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\zoom_64789348756.exe C:\Users\Admin\AppData\Local\Temp\zoom_64789348756.exe
PID 2968 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\zoom_64789348756.exe C:\Users\Admin\AppData\Local\Temp\zoom_64789348756.exe
PID 1272 wrote to memory of 5600 N/A C:\Users\Admin\AppData\Local\Temp\zoom_64789348756.exe C:\Windows\system32\cmd.exe
PID 1272 wrote to memory of 5600 N/A C:\Users\Admin\AppData\Local\Temp\zoom_64789348756.exe C:\Windows\system32\cmd.exe
PID 1272 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\zoom_64789348756.exe C:\Windows\system32\cmd.exe
PID 1272 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\zoom_64789348756.exe C:\Windows\system32\cmd.exe
PID 3908 wrote to memory of 4280 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 3908 wrote to memory of 4280 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 1272 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\zoom_64789348756.exe C:\Windows\system32\cmd.exe
PID 1272 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\zoom_64789348756.exe C:\Windows\system32\cmd.exe
PID 2540 wrote to memory of 6012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2540 wrote to memory of 6012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1272 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\zoom_64789348756.exe C:\Windows\system32\cmd.exe
PID 1272 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\zoom_64789348756.exe C:\Windows\system32\cmd.exe
PID 4116 wrote to memory of 864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4116 wrote to memory of 864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1272 wrote to memory of 5796 N/A C:\Users\Admin\AppData\Local\Temp\zoom_64789348756.exe C:\Windows\system32\cmd.exe
PID 1272 wrote to memory of 5796 N/A C:\Users\Admin\AppData\Local\Temp\zoom_64789348756.exe C:\Windows\system32\cmd.exe
PID 5796 wrote to memory of 1484 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 5796 wrote to memory of 1484 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 1272 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\zoom_64789348756.exe C:\Windows\system32\cmd.exe
PID 1272 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\zoom_64789348756.exe C:\Windows\system32\cmd.exe
PID 4852 wrote to memory of 4224 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 4852 wrote to memory of 4224 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 1272 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\zoom_64789348756.exe C:\Windows\system32\cmd.exe
PID 1272 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\zoom_64789348756.exe C:\Windows\system32\cmd.exe
PID 1948 wrote to memory of 5436 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 1948 wrote to memory of 5436 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 2268 wrote to memory of 3828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2268 wrote to memory of 3828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2268 wrote to memory of 3828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2268 wrote to memory of 3828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2268 wrote to memory of 3828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2268 wrote to memory of 3828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2268 wrote to memory of 3828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2268 wrote to memory of 3828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2268 wrote to memory of 3828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2268 wrote to memory of 3828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2268 wrote to memory of 3828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3828 wrote to memory of 1988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3828 wrote to memory of 1988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3828 wrote to memory of 1988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3828 wrote to memory of 1988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3828 wrote to memory of 1988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3828 wrote to memory of 1988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3828 wrote to memory of 1988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3828 wrote to memory of 1988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3828 wrote to memory of 1988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3828 wrote to memory of 1988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3828 wrote to memory of 1988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3828 wrote to memory of 1988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3828 wrote to memory of 1988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3828 wrote to memory of 1988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3828 wrote to memory of 1988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3828 wrote to memory of 1988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3828 wrote to memory of 1988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3828 wrote to memory of 1988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3828 wrote to memory of 1988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3828 wrote to memory of 1988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3828 wrote to memory of 1988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3828 wrote to memory of 1988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3828 wrote to memory of 1988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3828 wrote to memory of 1988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3828 wrote to memory of 1988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\zoom_64789348756.exe

"C:\Users\Admin\AppData\Local\Temp\zoom_64789348756.exe"

C:\Users\Admin\AppData\Local\Temp\zoom_64789348756.exe

"C:\Users\Admin\AppData\Local\Temp\zoom_64789348756.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f"

C:\Windows\system32\reg.exe

reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f"

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 27661 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a90679a1-ba33-4a60-9d3c-d988cd806595} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2376 -prefsLen 27539 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7837172f-8225-45d9-bebd-a5f70ca0ee27} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3260 -childID 1 -isForBrowser -prefsHandle 3264 -prefMapHandle 3268 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1188 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {57f1e250-ffe2-4c5e-8ffe-043bd6da3bb9} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3972 -childID 2 -isForBrowser -prefsHandle 3964 -prefMapHandle 1328 -prefsLen 32913 -prefMapSize 244658 -jsInitHandle 1188 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68fa74c7-4dcd-48ba-9d90-18a5331a4728} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4100 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4168 -prefMapHandle 4324 -prefsLen 32913 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {272eba80-c7e8-4603-a26b-6e4d3d43892f} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5408 -childID 3 -isForBrowser -prefsHandle 5420 -prefMapHandle 5416 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1188 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {19e8b26c-0148-49fe-adb0-cdfc56bde596} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5556 -childID 4 -isForBrowser -prefsHandle 5564 -prefMapHandle 5568 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1188 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6103588-2835-46d0-a95e-db43573d717e} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5764 -childID 5 -isForBrowser -prefsHandle 5772 -prefMapHandle 5776 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1188 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1998752e-a3dc-4e06-87a2-d8da9e6c3249} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\srchadmin.dll ,

C:\Windows\System32\oobe\UserOOBEBroker.exe

C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipapi.co udp
US 104.26.8.44:443 ipapi.co tcp
US 162.159.128.233:443 discord.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 104.16.124.96:443 www.cloudflare.com tcp
US 104.26.8.44:443 ipapi.co tcp
US 104.16.124.96:443 www.cloudflare.com tcp
US 104.26.8.44:443 ipapi.co tcp
GB 2.18.66.65:443 tcp
US 20.189.173.2:443 browser.pipe.aria.microsoft.com tcp
N/A 127.0.0.1:50226 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 151.101.3.19:443 www-mozilla.fastly-edge.com tcp
US 151.101.3.19:443 www-mozilla.fastly-edge.com tcp
US 151.101.3.19:443 www-mozilla.fastly-edge.com tcp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 www-mozilla.fastly-edge.com udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
N/A 127.0.0.1:50234 tcp
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 cxcs.microsoft.net udp
GB 2.18.27.76:443 www.bing.com tcp
GB 23.62.195.195:443 cxcs.microsoft.net tcp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.206:443 redirector.gvt1.com tcp
GB 142.250.187.206:443 redirector.gvt1.com tcp
US 8.8.8.8:53 ciscobinary.openh264.org udp
DE 23.55.161.185:80 a19.dscg10.akamai.net tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.206:443 redirector.gvt1.com udp
GB 74.125.105.7:443 r2---sn-aigl6ns6.gvt1.com tcp
US 8.8.8.8:53 r2.sn-aigl6ns6.gvt1.com udp
GB 74.125.105.7:443 r2.sn-aigl6ns6.gvt1.com udp
US 13.107.226.254:443 t-ring-fallback-s2.msedge.net tcp
GB 23.62.195.195:443 cxcs.microsoft.net tcp
GB 2.18.66.169:443 www.bing.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI29682\python310.dll

MD5 69d4f13fbaeee9b551c2d9a4a94d4458
SHA1 69540d8dfc0ee299a7ff6585018c7db0662aa629
SHA256 801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046
SHA512 8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378

C:\Users\Admin\AppData\Local\Temp\_MEI29682\VCRUNTIME140.dll

MD5 870fea4e961e2fbd00110d3783e529be
SHA1 a948e65c6f73d7da4ffde4e8533c098a00cc7311
SHA256 76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644
SHA512 0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

memory/1272-115-0x00007FFF4CE00000-0x00007FFF4D26E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI29682\base_library.zip

MD5 fbd6be906ac7cd45f1d98f5cb05f8275
SHA1 5d563877a549f493da805b4d049641604a6a0408
SHA256 ae35709e6b8538827e3999e61a0345680c5167962296ac7bef62d6b813227fb0
SHA512 1547b02875f3e547c4f5e15c964719c93d7088c7f4fd044f6561bebd29658a54ef044211f9d5cfb4570ca49ed0f17b08011d27fe85914e8c3ea12024c8071e8a

C:\Users\Admin\AppData\Local\Temp\_MEI29682\_ctypes.pyd

MD5 6ca9a99c75a0b7b6a22681aa8e5ad77b
SHA1 dd1118b7d77be6bb33b81da65f6b5dc153a4b1e8
SHA256 d39390552c55d8fd4940864905cd4437bc3f8efe7ff3ca220543b2c0efab04f8
SHA512 b0b5f2979747d2f6796d415dd300848f32b4e79ede59827ac447af0f4ea8709b60d6935d09e579299b3bc54b6c0f10972f17f6c0d1759c5388ad5b14689a23fe

C:\Users\Admin\AppData\Local\Temp\_MEI29682\python3.DLL

MD5 c17b7a4b853827f538576f4c3521c653
SHA1 6115047d02fbbad4ff32afb4ebd439f5d529485a
SHA256 d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68
SHA512 8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

C:\Users\Admin\AppData\Local\Temp\_MEI29682\libffi-7.dll

MD5 b5150b41ca910f212a1dd236832eb472
SHA1 a17809732c562524b185953ffe60dfa91ba3ce7d
SHA256 1a106569ac0ad3152f3816ff361aa227371d0d85425b357632776ac48d92ea8a
SHA512 9e82b0caa3d72bb4a7ad7d66ebfb10edb778749e89280bca67c766e72dc794e99aab2bc2980d64282a384699929ce6cc996462a73584898d2df67a57bff2a9c6

memory/1272-123-0x00007FFF51300000-0x00007FFF51324000-memory.dmp

memory/1272-125-0x00007FFF567A0000-0x00007FFF567AF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI29682\_bz2.pyd

MD5 758fff1d194a7ac7a1e3d98bcf143a44
SHA1 de1c61a8e1fb90666340f8b0a34e4d8bfc56da07
SHA256 f5e913a9f2adf7d599ea9bb105e144ba11699bbcb1514e73edcf7e062354e708
SHA512 468d7c52f14812d5bde1e505c95cb630e22d71282bda05bf66324f31560bfa06095cf60fc0d34877f8b361ccd65a1b61d0fd1f91d52facb0baf8e74f3fed31cc

C:\Users\Admin\AppData\Local\Temp\_MEI29682\_lzma.pyd

MD5 abceeceaeff3798b5b0de412af610f58
SHA1 c3c94c120b5bed8bccf8104d933e96ac6e42ca90
SHA256 216aa4bb6f62dd250fd6d2dcde14709aa82e320b946a21edeec7344ed6c2c62e
SHA512 3e1a2eb86605aa851a0c5153f7be399f6259ecaad86dbcbf12eeae5f985dc2ea2ab25683285e02b787a5b75f7df70b4182ae8f1567946f99ad2ec7b27d4c7955

C:\Users\Admin\AppData\Local\Temp\_MEI29682\pyexpat.pyd

MD5 5a328b011fa748939264318a433297e2
SHA1 d46dd2be7c452e5b6525e88a2d29179f4c07de65
SHA256 e8a81b47029e8500e0f4e04ccf81f8bdf23a599a2b5cd627095678cdf2fabc14
SHA512 06fa8262378634a42f5ab8c1e5f6716202544c8b304de327a08aa20c8f888114746f69b725ed3088d975d09094df7c3a37338a93983b957723aa2b7fda597f87

memory/1272-132-0x00007FFF512D0000-0x00007FFF512FD000-memory.dmp

memory/1272-129-0x00007FFF565A0000-0x00007FFF565B9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI29682\_socket.pyd

MD5 afd296823375e106c4b1ac8b39927f8b
SHA1 b05d811e5a5921d5b5cc90b9e4763fd63783587b
SHA256 e423a7c2ce5825dfdd41cfc99c049ff92abfb2aa394c85d0a9a11de7f8673007
SHA512 95e98a24be9e603b2870b787349e2aa7734014ac088c691063e4078e11a04898c9c547d6998224b1b171fc4802039c3078a28c7e81d59f6497f2f9230d8c9369

memory/1272-138-0x00007FFF55A50000-0x00007FFF55A69000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI29682\select.pyd

MD5 72009cde5945de0673a11efb521c8ccd
SHA1 bddb47ac13c6302a871a53ba303001837939f837
SHA256 5aaa15868421a46461156e7817a69eeeb10b29c1e826a9155b5f8854facf3dca
SHA512 d00a42700c9201f23a44fd9407fea7ea9df1014c976133f33ff711150727bf160941373d53f3a973f7dd6ca7b5502e178c2b88ea1815ca8bce1a239ed5d8256d

memory/1272-141-0x00007FFF52420000-0x00007FFF5242D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI29682\_queue.pyd

MD5 0d267bb65918b55839a9400b0fb11aa2
SHA1 54e66a14bea8ae551ab6f8f48d81560b2add1afc
SHA256 13ee41980b7d0fb9ce07f8e41ee6a309e69a30bbf5b801942f41cbc357d59e9c