15a6ed6473a07715f51293d0265be799adf49346a7d8b5e2e018ec4aa6ea7650

Analysis

max time kernel
214s
max time network
247s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-fr
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-frlocale:fr-fros:windows10-ltsc 2021-x64systemwindows
submitted
13/03/2025, 08:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15a6ed6473a07715f51293d0265be799adf49346a7d8b5e2e018ec4aa6ea7650.exe
Size

34.2MB
MD5

02df5098b7374aaad4c759c7d071c6c8
SHA1

6337b159380f0c1aa2b1e62be60e98300775298a
SHA256

15a6ed6473a07715f51293d0265be799adf49346a7d8b5e2e018ec4aa6ea7650
SHA512

e05cc039d50d8c8460febec638a882b63d9d2b03fbb29b6b399a2e3134227d062e34ab5777d9eb38f464dd11dd2eb33c51482f07522250a39843a6a1273abbe8
SSDEEP

786432:dadQ7nOd9NhW8QPLFXNRh50DQ8yAE7BEK38EqxTQ:QhWBLFdfIQ8XEdoTQ

Score

7^/10

discovery persistence privilege_escalation pyinstaller spyware stealer upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000\Control Panel\International\Geo\Nation	15a6ed6473a07715f51293d0265be799adf49346a7d8b5e2e018ec4aa6ea7650.exe

Executes dropped EXE 6 IoCs

pid	Process
3592	Brute Force .exe
3016	main.exe
3064	main.exe
1364	Brute Force .exe
1084	dat.txt
2052	dat.txt

Loads dropped DLL 64 IoCs

pid	Process
3064	main.exe
3064	main.exe
3064	main.exe
1364	Brute Force .exe
1364	Brute Force .exe
1364	Brute Force .exe
1364	Brute Force .exe
1364	Brute Force .exe
1364	Brute Force .exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\empyrean = "C:\\Users\\Admin\\AppData\\Roaming\\empyrean\\run.bat"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
16	discord.com
17	discord.com
20	raw.githubusercontent.com
21	raw.githubusercontent.com
35	discord.com
72	discord.com
73	raw.githubusercontent.com
80	discord.com

Looks up external IP address via web service 9 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ipapi.co
28	ipapi.co
30	ipapi.co
71	ipapi.co
75	ipapi.co
77	ipapi.co
14	ipapi.co
26	ipapi.co
79	ipapi.co

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000028025-540.dat	upx
behavioral1/memory/3064-610-0x00007FF9BCD90000-0x00007FF9BD1FE000-memory.dmp	upx
behavioral1/memory/3064-1259-0x00007FF9CC5E0000-0x00007FF9CC60D000-memory.dmp	upx
behavioral1/memory/3064-1263-0x00007FF9CC730000-0x00007FF9CC73D000-memory.dmp	upx
behavioral1/memory/3064-1267-0x00007FF9BD720000-0x00007FF9BD74B000-memory.dmp	upx
behavioral1/memory/3064-1272-0x00007FF9CBC70000-0x00007FF9CBC8C000-memory.dmp	upx
behavioral1/memory/3064-1275-0x00007FF9CBE90000-0x00007FF9CBEA9000-memory.dmp	upx
behavioral1/memory/3064-1276-0x00007FF9BBD10000-0x00007FF9BBDC8000-memory.dmp	upx
behavioral1/memory/3064-1281-0x00007FF9BBB30000-0x00007FF9BBC48000-memory.dmp	upx
behavioral1/memory/3064-1285-0x00007FF9BB970000-0x00007FF9BB9A8000-memory.dmp	upx
behavioral1/memory/3064-1299-0x00007FF9BB900000-0x00007FF9BB90C000-memory.dmp	upx
behavioral1/memory/3064-1315-0x00007FF9BB7A0000-0x00007FF9BB7E9000-memory.dmp	upx
behavioral1/memory/3064-1321-0x00007FF9BB730000-0x00007FF9BB759000-memory.dmp	upx
behavioral1/memory/3064-1323-0x00007FF9BB450000-0x00007FF9BB6A2000-memory.dmp	upx
behavioral1/memory/3064-1322-0x00007FF9BB6B0000-0x00007FF9BB6D4000-memory.dmp	upx
behavioral1/memory/3064-1320-0x00007FF9BB970000-0x00007FF9BB9A8000-memory.dmp	upx
behavioral1/memory/3064-1317-0x0000000071080000-0x000000007111D000-memory.dmp	upx
behavioral1/memory/3064-1316-0x00007FF9BB760000-0x00007FF9BB77E000-memory.dmp	upx
behavioral1/memory/3064-1314-0x00007FF9BB780000-0x00007FF9BB791000-memory.dmp	upx
behavioral1/memory/3064-1313-0x00007FF9BB7F0000-0x00007FF9BB809000-memory.dmp	upx
behavioral1/memory/3064-1312-0x00007FF9BB810000-0x00007FF9BB827000-memory.dmp	upx
behavioral1/memory/3064-1311-0x00007FF9BBC50000-0x00007FF9BBC76000-memory.dmp	upx
behavioral1/memory/3064-1310-0x00007FF9BB830000-0x00007FF9BB852000-memory.dmp	upx
behavioral1/memory/3064-1309-0x00007FF9BB860000-0x00007FF9BB874000-memory.dmp	upx
behavioral1/memory/3064-1308-0x00007FF9BBD10000-0x00007FF9BBDC8000-memory.dmp	upx
behavioral1/memory/3064-1307-0x00007FF9BB880000-0x00007FF9BB890000-memory.dmp	upx
behavioral1/memory/3064-1306-0x00007FF9BB8C0000-0x00007FF9BB8D2000-memory.dmp	upx
behavioral1/memory/3064-1305-0x00007FF9C33F0000-0x00007FF9C33FC000-memory.dmp	upx
behavioral1/memory/3064-1304-0x00007FF9BC150000-0x00007FF9BC17E000-memory.dmp	upx
behavioral1/memory/3064-1303-0x00007FF9BB890000-0x00007FF9BB8A5000-memory.dmp	upx
behavioral1/memory/3064-1302-0x00007FF9BB8B0000-0x00007FF9BB8BC000-memory.dmp	upx
behavioral1/memory/3064-1301-0x00007FF9BB8E0000-0x00007FF9BB8ED000-memory.dmp	upx
behavioral1/memory/3064-1300-0x00007FF9BB8F0000-0x00007FF9BB8FC000-memory.dmp	upx
behavioral1/memory/3064-1298-0x00007FF9BB910000-0x00007FF9BB91B000-memory.dmp	upx
behavioral1/memory/3064-1297-0x00007FF9BB920000-0x00007FF9BB92B000-memory.dmp	upx
behavioral1/memory/3064-1296-0x00007FF9BB930000-0x00007FF9BB93C000-memory.dmp	upx
behavioral1/memory/3064-1295-0x00007FF9BB940000-0x00007FF9BB94C000-memory.dmp	upx
behavioral1/memory/3064-1294-0x00007FF9BB950000-0x00007FF9BB95E000-memory.dmp	upx
behavioral1/memory/3064-1293-0x00007FF9BB960000-0x00007FF9BB96D000-memory.dmp	upx
behavioral1/memory/3064-1292-0x00007FF9C54E0000-0x00007FF9C54EB000-memory.dmp	upx
behavioral1/memory/3064-1291-0x00007FF9BBDD0000-0x00007FF9BC145000-memory.dmp	upx
behavioral1/memory/3064-1290-0x00007FF9CBC00000-0x00007FF9CBC0B000-memory.dmp	upx
behavioral1/memory/3064-1289-0x00007FF9C82F0000-0x00007FF9C82FC000-memory.dmp	upx
behavioral1/memory/3064-1288-0x00007FF9C84B0000-0x00007FF9C84BB000-memory.dmp	upx
behavioral1/memory/3064-1287-0x00007FF9C8B60000-0x00007FF9C8B6C000-memory.dmp	upx
behavioral1/memory/3064-1286-0x00007FF9CA2E0000-0x00007FF9CA2EB000-memory.dmp	upx
behavioral1/memory/3064-1284-0x00007FF9BB9B0000-0x00007FF9BBB21000-memory.dmp	upx
behavioral1/memory/3064-1283-0x00007FF9BD2A0000-0x00007FF9BD2BF000-memory.dmp	upx
behavioral1/memory/3064-1282-0x00007FF9BC180000-0x00007FF9BC23C000-memory.dmp	upx
behavioral1/memory/3064-1280-0x00007FF9BBC50000-0x00007FF9BBC76000-memory.dmp	upx
behavioral1/memory/3064-1279-0x00007FF9BD700000-0x00007FF9BD714000-memory.dmp	upx
behavioral1/memory/3064-1278-0x00007FF9CBD70000-0x00007FF9CBD7B000-memory.dmp	upx
behavioral1/memory/3064-1277-0x00007FF9BBC80000-0x00007FF9BBD07000-memory.dmp	upx
behavioral1/memory/3064-1274-0x00007FF9BBDD0000-0x00007FF9BC145000-memory.dmp	upx
behavioral1/memory/3064-1273-0x00007FF9BC150000-0x00007FF9BC17E000-memory.dmp	upx
behavioral1/memory/3064-1271-0x00007FF9CBD80000-0x00007FF9CBD8A000-memory.dmp	upx
behavioral1/memory/3064-1270-0x00007FF9BD2C0000-0x00007FF9BD302000-memory.dmp	upx
behavioral1/memory/3064-1266-0x00007FF9BC180000-0x00007FF9BC23C000-memory.dmp	upx
behavioral1/memory/3064-1265-0x00007FF9CBDA0000-0x00007FF9CBDCE000-memory.dmp	upx
behavioral1/memory/3064-1264-0x00007FF9BCD90000-0x00007FF9BD1FE000-memory.dmp	upx
behavioral1/memory/3064-1262-0x00007FF9CCB80000-0x00007FF9CCB8D000-memory.dmp	upx
behavioral1/memory/3064-1261-0x00007FF9CBE90000-0x00007FF9CBEA9000-memory.dmp	upx
behavioral1/memory/3064-1260-0x00007FF9CBEB0000-0x00007FF9CBEE4000-memory.dmp	upx
behavioral1/memory/3064-1258-0x00007FF9CC610000-0x00007FF9CC629000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 2 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000b000000027de6-14.dat	pyinstaller
behavioral1/files/0x000b000000027de7-21.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 12 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3788	netsh.exe
4052	netsh.exe
4580	netsh.exe
3980	cmd.exe
4340	netsh.exe
2968	cmd.exe
4532	netsh.exe
4460	cmd.exe
4896	netsh.exe
1132	cmd.exe
4548	cmd.exe
3468	cmd.exe

Modifies registry class 38 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	NOTEPAD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000_Classes\Local Settings	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 14001f44471a0359723fa74489c55595fe6b30ee0000	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\MRUListEx = ffffffff	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0 = 56003100000000006d5a58461000526f616d696e6700400009000400efbe515a398e6d5a69462e00000001060100000002000000000000000000000000000000e892ad0052006f0061006d0069006e006700000016000000	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Generic"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0 = 5a003100000000006d5aa3461000656d70797265616e0000420009000400efbe6d5a58466d5aa3462e00000067830200000009000000000000000000000000000000a3b6700065006d00700079007200650061006e00000018000000	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\NodeSlot = "8"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 = 820074001c00434653461600310000000000515a398e120041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe515a398e6d5a52462e00000000060100000002000000000000000000000000000000ef685a004100700070004400610074006100000042000000	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NOTEPAD.EXE

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2728	reg.exe
4416	reg.exe

Opens file in notepad (likely ransom note) 3 IoCs

ransomware

pid	Process
1572	NOTEPAD.EXE
4632	NOTEPAD.EXE
4368	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
3064	main.exe
3064	main.exe
3064	main.exe
3064	main.exe
324	WMIC.exe
324	WMIC.exe
324	WMIC.exe
324	WMIC.exe
3064	main.exe
3064	main.exe
3064	main.exe
1636	WMIC.exe
1636	WMIC.exe
1636	WMIC.exe
1636	WMIC.exe
660	WMIC.exe
660	WMIC.exe
660	WMIC.exe
660	WMIC.exe
3580	WMIC.exe
3580	WMIC.exe
3580	WMIC.exe
3580	WMIC.exe
2052	dat.txt
2052	dat.txt
2052	dat.txt
2052	dat.txt
2028	WMIC.exe
2028	WMIC.exe
2028	WMIC.exe
2028	WMIC.exe
2052	dat.txt
2052	dat.txt
2052	dat.txt
2052	dat.txt
3736	WMIC.exe
3736	WMIC.exe
3736	WMIC.exe
3736	WMIC.exe
1496	WMIC.exe
1496	WMIC.exe
1496	WMIC.exe
1496	WMIC.exe
1932	WMIC.exe
1932	WMIC.exe
1932	WMIC.exe
1932	WMIC.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3064	main.exe
Token: SeIncreaseQuotaPrivilege	324	WMIC.exe
Token: SeSecurityPrivilege	324	WMIC.exe
Token: SeTakeOwnershipPrivilege	324	WMIC.exe
Token: SeLoadDriverPrivilege	324	WMIC.exe
Token: SeSystemProfilePrivilege	324	WMIC.exe
Token: SeSystemtimePrivilege	324	WMIC.exe
Token: SeProfSingleProcessPrivilege	324	WMIC.exe
Token: SeIncBasePriorityPrivilege	324	WMIC.exe
Token: SeCreatePagefilePrivilege	324	WMIC.exe
Token: SeBackupPrivilege	324	WMIC.exe
Token: SeRestorePrivilege	324	WMIC.exe
Token: SeShutdownPrivilege	324	WMIC.exe
Token: SeDebugPrivilege	324	WMIC.exe
Token: SeSystemEnvironmentPrivilege	324	WMIC.exe
Token: SeRemoteShutdownPrivilege	324	WMIC.exe
Token: SeUndockPrivilege	324	WMIC.exe
Token: SeManageVolumePrivilege	324	WMIC.exe
Token: 33	324	WMIC.exe
Token: 34	324	WMIC.exe
Token: 35	324	WMIC.exe
Token: 36	324	WMIC.exe
Token: SeIncreaseQuotaPrivilege	324	WMIC.exe
Token: SeSecurityPrivilege	324	WMIC.exe
Token: SeTakeOwnershipPrivilege	324	WMIC.exe
Token: SeLoadDriverPrivilege	324	WMIC.exe
Token: SeSystemProfilePrivilege	324	WMIC.exe
Token: SeSystemtimePrivilege	324	WMIC.exe
Token: SeProfSingleProcessPrivilege	324	WMIC.exe
Token: SeIncBasePriorityPrivilege	324	WMIC.exe
Token: SeCreatePagefilePrivilege	324	WMIC.exe
Token: SeBackupPrivilege	324	WMIC.exe
Token: SeRestorePrivilege	324	WMIC.exe
Token: SeShutdownPrivilege	324	WMIC.exe
Token: SeDebugPrivilege	324	WMIC.exe
Token: SeSystemEnvironmentPrivilege	324	WMIC.exe
Token: SeRemoteShutdownPrivilege	324	WMIC.exe
Token: SeUndockPrivilege	324	WMIC.exe
Token: SeManageVolumePrivilege	324	WMIC.exe
Token: 33	324	WMIC.exe
Token: 34	324	WMIC.exe
Token: 35	324	WMIC.exe
Token: 36	324	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1636	WMIC.exe
Token: SeSecurityPrivilege	1636	WMIC.exe
Token: SeTakeOwnershipPrivilege	1636	WMIC.exe
Token: SeLoadDriverPrivilege	1636	WMIC.exe
Token: SeSystemProfilePrivilege	1636	WMIC.exe
Token: SeSystemtimePrivilege	1636	WMIC.exe
Token: SeProfSingleProcessPrivilege	1636	WMIC.exe
Token: SeIncBasePriorityPrivilege	1636	WMIC.exe
Token: SeCreatePagefilePrivilege	1636	WMIC.exe
Token: SeBackupPrivilege	1636	WMIC.exe
Token: SeRestorePrivilege	1636	WMIC.exe
Token: SeShutdownPrivilege	1636	WMIC.exe
Token: SeDebugPrivilege	1636	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1636	WMIC.exe
Token: SeRemoteShutdownPrivilege	1636	WMIC.exe
Token: SeUndockPrivilege	1636	WMIC.exe
Token: SeManageVolumePrivilege	1636	WMIC.exe
Token: 33	1636	WMIC.exe
Token: 34	1636	WMIC.exe
Token: 35	1636	WMIC.exe
Token: 36	1636	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4632	NOTEPAD.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4632	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 3592	4532	15a6ed6473a07715f51293d0265be799adf49346a7d8b5e2e018ec4aa6ea7650.exe	84
PID 4532 wrote to memory of 3592	4532	15a6ed6473a07715f51293d0265be799adf49346a7d8b5e2e018ec4aa6ea7650.exe	84
PID 4532 wrote to memory of 3016	4532	15a6ed6473a07715f51293d0265be799adf49346a7d8b5e2e018ec4aa6ea7650.exe	87
PID 4532 wrote to memory of 3016	4532	15a6ed6473a07715f51293d0265be799adf49346a7d8b5e2e018ec4aa6ea7650.exe	87
PID 3016 wrote to memory of 3064	3016	main.exe	89
PID 3016 wrote to memory of 3064	3016	main.exe	89
PID 3592 wrote to memory of 1364	3592	Brute Force .exe	91
PID 3592 wrote to memory of 1364	3592	Brute Force .exe	91
PID 3064 wrote to memory of 3956	3064	main.exe	92
PID 3064 wrote to memory of 3956	3064	main.exe	92
PID 3064 wrote to memory of 2348	3064	main.exe	94
PID 3064 wrote to memory of 2348	3064	main.exe	94
PID 2348 wrote to memory of 324	2348	cmd.exe	96
PID 2348 wrote to memory of 324	2348	cmd.exe	96
PID 3064 wrote to memory of 2496	3064	main.exe	98
PID 3064 wrote to memory of 2496	3064	main.exe	98
PID 2496 wrote to memory of 4416	2496	cmd.exe	100
PID 2496 wrote to memory of 4416	2496	cmd.exe	100
PID 3064 wrote to memory of 4588	3064	main.exe	101
PID 3064 wrote to memory of 4588	3064	main.exe	101
PID 4588 wrote to memory of 2728	4588	cmd.exe	103
PID 4588 wrote to memory of 2728	4588	cmd.exe	103
PID 3064 wrote to memory of 2876	3064	main.exe	104
PID 3064 wrote to memory of 2876	3064	main.exe	104
PID 2876 wrote to memory of 1636	2876	cmd.exe	106
PID 2876 wrote to memory of 1636	2876	cmd.exe	106
PID 3064 wrote to memory of 4808	3064	main.exe	107
PID 3064 wrote to memory of 4808	3064	main.exe	107
PID 4808 wrote to memory of 660	4808	cmd.exe	109
PID 4808 wrote to memory of 660	4808	cmd.exe	109
PID 3064 wrote to memory of 2264	3064	main.exe	111
PID 3064 wrote to memory of 2264	3064	main.exe	111
PID 2264 wrote to memory of 3580	2264	cmd.exe	113
PID 2264 wrote to memory of 3580	2264	cmd.exe	113
PID 3064 wrote to memory of 3980	3064	main.exe	114
PID 3064 wrote to memory of 3980	3064	main.exe	114
PID 3980 wrote to memory of 4340	3980	cmd.exe	116
PID 3980 wrote to memory of 4340	3980	cmd.exe	116
PID 3064 wrote to memory of 2968	3064	main.exe	117
PID 3064 wrote to memory of 2968	3064	main.exe	117
PID 2968 wrote to memory of 4532	2968	cmd.exe	119
PID 2968 wrote to memory of 4532	2968	cmd.exe	119
PID 3064 wrote to memory of 4460	3064	main.exe	121
PID 3064 wrote to memory of 4460	3064	main.exe	121
PID 4460 wrote to memory of 4896	4460	cmd.exe	123
PID 4460 wrote to memory of 4896	4460	cmd.exe	123
PID 4224 wrote to memory of 1084	4224	cmd.exe	137
PID 4224 wrote to memory of 1084	4224	cmd.exe	137
PID 1084 wrote to memory of 2052	1084	dat.txt	138
PID 1084 wrote to memory of 2052	1084	dat.txt	138
PID 2052 wrote to memory of 2884	2052	dat.txt	139
PID 2052 wrote to memory of 2884	2052	dat.txt	139
PID 2052 wrote to memory of 4364	2052	dat.txt	141
PID 2052 wrote to memory of 4364	2052	dat.txt	141
PID 4364 wrote to memory of 2028	4364	cmd.exe	143
PID 4364 wrote to memory of 2028	4364	cmd.exe	143
PID 2052 wrote to memory of 3956	2052	dat.txt	146
PID 2052 wrote to memory of 3956	2052	dat.txt	146
PID 3956 wrote to memory of 3736	3956	cmd.exe	148
PID 3956 wrote to memory of 3736	3956	cmd.exe	148
PID 2052 wrote to memory of 4644	2052	dat.txt	149
PID 2052 wrote to memory of 4644	2052	dat.txt	149
PID 4644 wrote to memory of 1496	4644	cmd.exe	151
PID 4644 wrote to memory of 1496	4644	cmd.exe	151

C:\Users\Admin\AppData\Local\Temp\15a6ed6473a07715f51293d0265be799adf49346a7d8b5e2e018ec4aa6ea7650.exe
"C:\Users\Admin\AppData\Local\Temp\15a6ed6473a07715f51293d0265be799adf49346a7d8b5e2e018ec4aa6ea7650.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Users\Admin\AppData\Local\Temp\Brute Force .exe
  "C:\Users\Admin\AppData\Local\Temp\Brute Force .exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3592
- - C:\Users\Admin\AppData\Local\Temp\Brute Force .exe
    "C:\Users\Admin\AppData\Local\Temp\Brute Force .exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1364
- C:\Users\Admin\AppData\Local\Temp\main.exe
  "C:\Users\Admin\AppData\Local\Temp\main.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    "C:\Users\Admin\AppData\Local\Temp\main.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:3956
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2348
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:324
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2496
    - - C:\Windows\system32\reg.exe
        
        reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f
        5⤵
        Modifies registry key
        
        PID:4416
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4588
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2728
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2876
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4808
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:660
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2264
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      Suspicious use of WriteProcessMemory
      PID:3980
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4340
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4532
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      Suspicious use of WriteProcessMemory
      PID:4460
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4896

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4276

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\empyrean\dat.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\empyrean\run.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Users\Admin\AppData\Roaming\empyrean\dat.txt
  C:\Users\Admin\AppData\Roaming\empyrean\dat.txt
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\Users\Admin\AppData\Roaming\empyrean\dat.txt
    C:\Users\Admin\AppData\Roaming\empyrean\dat.txt
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:2884
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4364
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3956
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3736
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4644
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1496
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      PID:964
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1932
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3468
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3788
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1132
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4548
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4580

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\empyrean\dat.txt
1⤵
- Modifies registry class
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4632

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\empyrean\dat.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Brute Force .exe

Filesize
8.9MB

MD5
27425122cb1b151e41041a1a99466034

SHA1
95292deb96ab2583d49cc2d9e39f307afaf47c1e

SHA256
f02b552a1879b8aeb3da70c3f9b01f7452568f59d7a9682a478558bf031db060

SHA512
66c855d6424f1dd765730156d7069449f880cebfc27fb34ed68abf2fcf9b5e95337df494de73404c707ea405594c4ee090dd490ba7efe7dcfca431333a2c263f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30162\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30162\_bz2.pyd

Filesize
47KB

MD5
758fff1d194a7ac7a1e3d98bcf143a44

SHA1
de1c61a8e1fb90666340f8b0a34e4d8bfc56da07

SHA256
f5e913a9f2adf7d599ea9bb105e144ba11699bbcb1514e73edcf7e062354e708

SHA512
468d7c52f14812d5bde1e505c95cb630e22d71282bda05bf66324f31560bfa06095cf60fc0d34877f8b361ccd65a1b61d0fd1f91d52facb0baf8e74f3fed31cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30162\_ctypes.pyd

Filesize
56KB

MD5
6ca9a99c75a0b7b6a22681aa8e5ad77b

SHA1
dd1118b7d77be6bb33b81da65f6b5dc153a4b1e8

SHA256
d39390552c55d8fd4940864905cd4437bc3f8efe7ff3ca220543b2c0efab04f8

SHA512
b0b5f2979747d2f6796d415dd300848f32b4e79ede59827ac447af0f4ea8709b60d6935d09e579299b3bc54b6c0f10972f17f6c0d1759c5388ad5b14689a23fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30162\_lzma.pyd

Filesize
84KB

MD5
abceeceaeff3798b5b0de412af610f58

SHA1
c3c94c120b5bed8bccf8104d933e96ac6e42ca90

SHA256
216aa4bb6f62dd250fd6d2dcde14709aa82e320b946a21edeec7344ed6c2c62e

SHA512
3e1a2eb86605aa851a0c5153f7be399f6259ecaad86dbcbf12eeae5f985dc2ea2ab25683285e02b787a5b75f7df70b4182ae8f1567946f99ad2ec7b27d4c7955

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30162\libffi-7.dll

Filesize
23KB

MD5
b5150b41ca910f212a1dd236832eb472

SHA1
a17809732c562524b185953ffe60dfa91ba3ce7d

SHA256
1a106569ac0ad3152f3816ff361aa227371d0d85425b357632776ac48d92ea8a

SHA512
9e82b0caa3d72bb4a7ad7d66ebfb10edb778749e89280bca67c766e72dc794e99aab2bc2980d64282a384699929ce6cc996462a73584898d2df67a57bff2a9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30162\python3.dll

Filesize
63KB

MD5
c17b7a4b853827f538576f4c3521c653

SHA1
6115047d02fbbad4ff32afb4ebd439f5d529485a

SHA256
d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68

SHA512
8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30162\python310.dll

Filesize
1.4MB

MD5
69d4f13fbaeee9b551c2d9a4a94d4458

SHA1
69540d8dfc0ee299a7ff6585018c7db0662aa629

SHA256
801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046

SHA512
8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30162\setuptools-65.5.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30162\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35922\_tkinter.pyd

Filesize
63KB

MD5
470364d8abdc5c22828df8e22c095ed2

SHA1
4c707b1061012deb8ce4ab38772a21d3195624c2

SHA256
4262cabac7e97220d0e4bd72deb337ffd9df429860ab298b3e2d5c9223874705

SHA512
70eb15796ead54cdadf696ea6581ff2f979057c3be8c95c12ab89be51c02b2aba591f9ee9671e8c4f376c973b154d0f2e0614498c5835397411c876346429cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35922\base_library.zip

Filesize
812KB

MD5
524a85217dc9edc8c9efc73159ca955d

SHA1
a4238cbde50443262d00a843ffe814435fb0f4e2

SHA256
808549964adb09afafb410cdc030df4813c5c2a7276a94e7f116103af5de7621

SHA512
f5a929b35a63f073bdc7600155ba2f0f262e6f60cf67efb38fa44e8b3be085cf1d5741d66d25a1ecaaf3f94abfe9bbe97d135f8a47c11f2b811d2aac6876f46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35922\python310.dll

Filesize
4.3MB

MD5
deaf0c0cc3369363b800d2e8e756a402

SHA1
3085778735dd8badad4e39df688139f4eed5f954

SHA256
156cf2b64dd0f4d9bdb346b654a11300d6e9e15a65ef69089923dafc1c71e33d

SHA512
5cac1d92af7ee18425b5ee8e7cd4e941a9ddffb4bc1c12bb8aeabeed09acec1ff0309abc41a2e0c8db101fee40724f8bfb27a78898128f8746c8fe01c1631989

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35922\tcl86t.dll

Filesize
1.8MB

MD5
75909678c6a79ca2ca780a1ceb00232e

SHA1
39ddbeb1c288335abe910a5011d7034345425f7d

SHA256
fbfd065f861ec0a90dd513bc209c56bbc23c54d2839964a0ec2df95848af7860

SHA512
91689413826d3b2e13fc7f579a71b676547bc4c06d2bb100b4168def12ab09b65359d1612b31a15d21cb55147bbab4934e6711351a0440c1533fb94fe53313bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35922\tcl8\8.5\msgcat-1.6.1.tm

Filesize
34KB

MD5
bd4ff2a1f742d9e6e699eeee5e678ad1

SHA1
811ad83aff80131ba73abc546c6bd78453bf3eb9

SHA256
6774519f179872ec5292523f2788b77b2b839e15665037e097a0d4edddd1c6fb

SHA512
b77e4a68017ba57c06876b21b8110c636f9ba1dd0ba9d7a0c50096f3f6391508cf3562dd94aceaf673113dbd336109da958044aefac0afb0f833a652e4438f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35922\tcl\auto.tcl

Filesize
21KB

MD5
08edf746b4a088cb4185c165177bd604

SHA1
395cda114f23e513eef4618da39bb86d034124bf

SHA256
517204ee436d08efc287abc97433c3bffcaf42ec6592a3009b9fd3b985ad772c

SHA512
c1727e265a6b0b54773c886a1bce73512e799ba81a4fceeeb84cdc33f5505a5e0984e96326a78c46bf142bc4652a80e213886f60eb54adf92e4dffe953c87f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35922\tcl\encoding\cp1252.enc

Filesize
1KB

MD5
e9117326c06fee02c478027cb625c7d8

SHA1
2ed4092d573289925a5b71625cf43cc82b901daf

SHA256
741859cf238c3a63bbb20ec6ed51e46451372bb221cfff438297d261d0561c2e

SHA512
d0a39bc41adc32f2f20b1a0ebad33bf48dfa6ed5cc1d8f92700cdd431db6c794c09d9f08bb5709b394acf54116c3a1e060e2abcc6b503e1501f8364d3eebcd52

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35922\tcl\http1.0\pkgIndex.tcl

Filesize
746B

MD5
a387908e2fe9d84704c2e47a7f6e9bc5

SHA1
f3c08b3540033a54a59cb3b207e351303c9e29c6

SHA256
77265723959c092897c2449c5b7768ca72d0efcd8c505bddbb7a84f6aa401339

SHA512
7ac804d23e72e40e7b5532332b4a8d8446c6447bb79b4fe32402b13836079d348998ea0659802ab0065896d4f3c06f5866c6b0d90bf448f53e803d8c243bbc63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35922\tcl\init.tcl

Filesize
25KB

MD5
982eae7a49263817d83f744ffcd00c0e

SHA1
81723dfea5576a0916abeff639debe04ce1d2c83

SHA256
331bcf0f9f635bd57c3384f2237260d074708b0975c700cfcbdb285f5f59ab1f

SHA512
31370d8390c4608e7a727eed9ee7f4c568ecb913ae50184b6f105da9c030f3b9f4b5f17968d8975b2f60df1b0c5e278512e74267c935fe4ec28f689ac6a97129

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35922\tcl\opt0.4\pkgIndex.tcl

Filesize
620B

MD5
07532085501876dcc6882567e014944c

SHA1
6bc7a122429373eb8f039b413ad81c408a96cb80

SHA256
6a4abd2c519a745325c26fb23be7bbf95252d653a24806eb37fd4aa6a6479afe

SHA512
0d604e862f3a1a19833ead99aaf15a9f142178029ab64c71d193cee4901a0196c1eeddc2bce715b7fa958ac45c194e63c77a71e4be4f9aedfd5b44cf2a726e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35922\tcl\package.tcl

Filesize
23KB

MD5
ddb0ab9842b64114138a8c83c4322027

SHA1
eccacdc2ccd86a452b21f3cf0933fd41125de790

SHA256
f46ab61cdebe3aa45fa7e61a48930d64a0d0e7e94d04d6bf244f48c36cafe948

SHA512
c0cf718258b4d59675c088551060b34ce2bc8638958722583ac2313dc354223bfef793b02f1316e522a14c7ba9bed219531d505de94dc3c417fc99d216a01463

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35922\tcl\tclIndex

Filesize
5KB

MD5
c62fb22f4c9a3eff286c18421397aaf4

SHA1
4a49b8768cff68f2effaf21264343b7c632a51b2

SHA256
ddf7e42def37888ad0a564aa4f8ca95f4eec942cebebfca851d35515104d5c89

SHA512
558d401cb6af8ce3641af55caebc9c5005ab843ee84f60c6d55afbbc7f7129da9c58c2f55c887c3159107546fa6bc13ffc4cca63ea8841d7160b8aa99161a185

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35922\tcl\tm.tcl

Filesize
11KB

MD5
215262a286e7f0a14f22db1aa7875f05

SHA1
66b942ba6d3120ef8d5840fcdeb06242a47491ff

SHA256
4b7ed9fd2363d6876092db3f720cbddf97e72b86b519403539ba96e1c815ed8f

SHA512
6ecd745d7da9d826240c0ab59023c703c94b158ae48c1410faa961a8edb512976a4f15ae8def099b58719adf0d2a9c37e6f29f54d39c1ab7ee81fa333a60f39b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35922\tk86t.dll

Filesize
1.5MB

MD5
4b6270a72579b38c1cc83f240fb08360

SHA1
1a161a014f57fe8aa2fadaab7bc4f9faaac368de

SHA256
cd2f60075064dfc2e65c88b239a970cb4bd07cb3eec7cc26fb1bf978d4356b08

SHA512
0c81434d8c205892bba8a4c93ff8fc011fb8cfb72cfec172cf69093651b86fd9837050bd0636315840290b28af83e557f2205a03e5c344239356874fce0c72b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35922\tk\button.tcl

Filesize
21KB

MD5
aeb53f7f1506cdfdfe557f54a76060ce

SHA1
ebb3666ee444b91a0d335da19c8333f73b71933b

SHA256
1f5dd8d81b26f16e772e92fd2a22accb785004d0ed3447e54f87005d9c6a07a5

SHA512
acdad4df988df6b2290fc9622e8eaccc31787fecdc98dcca38519cb762339d4d3fb344ae504b8c7918d6f414f4ad05d15e828df7f7f68f363bec54b11c9b7c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35922\tk\entry.tcl

Filesize
17KB

MD5
f109865c52d1fd602e2d53e559e56c22

SHA1
5884a3bb701c27ba1bf35c6add7852e84d73d81f

SHA256
af1de90270693273b52fc735da6b5cd5ca794f5afd4cf03ffd95147161098048

SHA512
b2f92b0ac03351cdb785d3f7ef107b61252398540b5f05f0cc9802b4d28b882ba6795601a68e88d3abc53f216b38f07fcc03660ab6404cf6685f6d80cc4357fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35922\tk\icons.tcl

Filesize
10KB

MD5
995a0a8f7d0861c268aead5fc95a42ea

SHA1
21e121cf85e1c4984454237a646e58ec3c725a72

SHA256
1264940e62b9a37967925418e9d0dc0befd369e8c181b9bab3d1607e3cc14b85

SHA512
db7f5e0bc7d5c5f750e396e645f50a3e0cde61c9e687add0a40d0c1aa304ddfbceeb9f33ad201560c6e2b051f2eded07b41c43d00f14ee435cdeee73b56b93c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35922\tk\listbox.tcl

Filesize
14KB

MD5
804e6dce549b2e541986c0ce9e75e2d1

SHA1
c44ee09421f127cf7f4070a9508f22709d06d043

SHA256
47c75f9f8348bf8f2c086c57b97b73741218100ca38d10b8abdf2051c95b9801

SHA512
029426c4f659848772e6bb1d8182eb03d2b43adf68fcfcc1ea1c2cc7c883685deda3fffda7e071912b9bda616ad7af2e1cb48ce359700c1a22e1e53e81cae34b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35922\tk\menu.tcl

Filesize
38KB

MD5
078782cd05209012a84817ac6ef11450

SHA1
dba04f7a6cf34c54a961f25e024b6a772c2b751d

SHA256
d1283f67e435aab0bdbe9fdaa540a162043f8d652c02fe79f3843a451f123d89

SHA512
79a031f7732aee6e284cd41991049f1bb715233e011562061cd3405e5988197f6a7fb5c2bbddd1fb9b7024047f6003a2bf161fc0ec04876eff5335c3710d9562

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35922\tk\panedwindow.tcl

Filesize
5KB

MD5
286c01a1b12261bc47f5659fd1627abd

SHA1
4ca36795cab6dfe0bbba30bb88a2ab71a0896642

SHA256
aa4f87e41ac8297f51150f2a9f787607690d01793456b93f0939c54d394731f9

SHA512
d54d5a89b7408a9724a1ca1387f6473bdad33885194b2ec5a524c7853a297fd65ce2a57f571c51db718f6a00dce845de8cf5f51698f926e54ed72cdc81bcfe54

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35922\tk\pkgIndex.tcl

Filesize
376B

MD5
3367ce12a4ba9baaf7c5127d7412aa6a

SHA1
865c775bb8f56c3c5dfc8c71bfaf9ef58386161d

SHA256
3f2539e85e2a9017913e61fe2600b499315e1a6f249a4ff90e0b530a1eeb8898

SHA512
f5d858f17fe358762e8fdbbf3d78108dba49be5c5ed84b964143c0adce76c140d904cd353646ec0831ff57cd0a0af864d1833f3946a235725fff7a45c96872eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35922\tk\scale.tcl

Filesize
7KB

MD5
857add6060a986063b0ed594f6b0cd26

SHA1
b1981d33ddea81cfffa838e5ac80e592d9062e43

SHA256
0da2dc955ffd71062a21c3b747d9d59d66a5b09a907b9ed220be1b2342205a05

SHA512
7d9829565efc8cdbf9249913da95b02d8dadfdb3f455fd3c10c5952b5454fe6e54d95c07c94c1e0d7568c9742caa56182b3656e234452aec555f0fcb76a59fb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35922\tk\scrlbar.tcl

Filesize
12KB

MD5
5249cd1e97e48e3d6dec15e70b9d7792

SHA1
612e021ba25b5e512a0dfd48b6e77fc72894a6b9

SHA256
eec90404f702d3cfbfaec0f13bf5ed1ebeb736bee12d7e69770181a25401c61f

SHA512
e4e0ab15eb9b3118c30cd2ff8e5af87c549eaa9b640ffd809a928d96b4addefb9d25efdd1090fbd0019129cdf355bb2f277bc7194001ba1d2ed4a581110ceafc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35922\tk\spinbox.tcl

Filesize
16KB

MD5
77dfe1baccd165a0c7b35cdeaa2d1a8c

SHA1
426ba77fc568d4d3a6e928532e5beb95388f36a0

SHA256
2ff791a44406dc8339c7da6116e6ec92289bee5fc1367d378f48094f4abea277

SHA512
e56db85296c8661ab2ea0a56d9810f1a4631a9f9b41337560cbe38ccdf7dd590a3e65c22b435ce315eff55ee5b8e49317d4e1b7577e25fc3619558015dd758eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35922\tk\text.tcl

Filesize
34KB

MD5
7c2ac370de0b941ae13572152419c642

SHA1
7598cc20952fa590e32da063bf5c0f46b0e89b15

SHA256
4a42ad370e0cd93d4133b49788c0b0e1c7cd78383e88bacb51cb751e8bfda15e

SHA512
8325a33bfd99f0fce4f14ed5dc6e03302f6ffabce9d1abfefc24d16a09ab3439a4b753cbf06b28d8c95e4ddabfb9082c9b030619e8955a7e656bd6c61b9256c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35922\tk\tk.tcl

Filesize
23KB

MD5
338184e46bd23e508daedbb11a4f0950

SHA1
437db31d487c352472212e8791c8252a1412cb0e

SHA256
0f617d96cbf213296d7a5f7fcffbb4ae1149840d7d045211ef932e8dd66683e9

SHA512
8fb8a353eecd0d19638943f0a9068dccebf3fb66d495ea845a99a89229d61a77c85b530f597fd214411202055c1faa9229b6571c591c9f4630490e1eb30b9cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35922\tk\ttk\button.tcl

Filesize
2KB

MD5
d4bf1af5dcdd85e3bd11dbf52eb2c146

SHA1
b1691578041319e671d31473a1dd404855d2038b

SHA256
e38a9d1f437981aa6bf0bdd074d57b769a4140c0f7d9aff51743fe4ecc6dfddf

SHA512
25834b4b231f4ff1a88eef67e1a102d1d0546ec3b0d46856258a6be6bbc4b381389c28e2eb60a01ff895df24d6450cd16ca449c71f82ba53ba438a4867a47dcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35922\tk\ttk\cursors.tcl

Filesize
4KB

MD5
18ec3e60b8dd199697a41887be6ce8c2

SHA1
13ff8ce95289b802a5247b1fd9dea90d2875cb5d

SHA256
7a2ed9d78fabcafff16694f2f4a2e36ff5aa313f912d6e93484f3bcd0466ad91

SHA512
4848044442efe75bcf1f89d8450c8ecbd441f38a83949a3cd2a56d9000cacaa2ea440ca1b32c856ab79358ace9c7e3f70ddf0ec54aa93866223d8fef76930b19

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35922\tk\ttk\fonts.tcl

Filesize
5KB

MD5
80331fcbe4c049ff1a0d0b879cb208de

SHA1
4eb3efdfe3731bd1ae9fd52ce32b1359241f13cf

SHA256
b94c319e5a557a5665b1676d602b6495c0887c5bacf7fa5b776200112978bb7b

SHA512
a4bd2d91801c121a880225f1f3d0c4e30bf127190cf375f6f7a49eb4239a35c49c44f453d6d3610df0d6a7b3cb15f4e79bd9c129025cc496ceb856fcc4b6de87

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35922\tk\ttk\menubutton.tcl

Filesize
6KB

MD5
4c8d90257d073f263b258f00b2a518c2

SHA1
7b58859e9b70fb37f53809cd3ffd7cf69ab310d8

SHA256
972b13854d0e9b84de338d6753f0f11f3a8534e7d0e51838796dae5a1e2e3085

SHA512
ed67f41578ee834ee8db1fded8aa069c0045e7058e338c451fa8e1ade52907bed0c95631c21b8e88461571903b3da2698a29e47f990b7a0f0dd3073e7a1bcadc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35922\tk\ttk\scrollbar.tcl

Filesize
3KB

MD5
3fb31a225cec64b720b8e579582f2749

SHA1
9c0151d9e2543c217cf8699ff5d4299a72e8f13c

SHA256
6eaa336b13815a7fc18bcd6b9adf722e794da2888d053c229044784c8c8e9de8

SHA512
e6865655585e3d2d6839b56811f3fd86b454e8cd44e258bb1ac576ad245ff8a4d49fbb7f43458ba8a6c9daac8dfa923a176f0dd8a9976a11bea09e6e2d17bf45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35922\tk\ttk\ttk.tcl

Filesize
4KB

MD5
af45b2c8b43596d1bdeca5233126bd14

SHA1
a99e75d299c4579e10fcdd59389b98c662281a26

SHA256
2c48343b1a47f472d1a6b9ee8d670ce7fb428db0db7244dc323ff4c7a8b4f64b

SHA512
c8a8d01c61774321778ab149f6ca8dda68db69133cb5ba7c91938e4fd564160ecdcec473222affb241304a9acc73a36b134b3a602fd3587c711f2adbb64afa80

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35922\tk\ttk\utils.tcl

Filesize
8KB

MD5
d98edc491da631510f124cd3934f535f

SHA1
33037a966067c9f5c9074ae5532ff3b51b4082d4

SHA256
d58610a34301bb6e61a60bec69a7cecf4c45c6a034a9fc123977174b586278be

SHA512
23faed8298e561f490997fe44ab61cd8ccb9f1f63d48bb4cf51fc9e591e463ff9297973622180d6a599cabb541c82b8fe33bf38a82c5d5905bbfa52ca0341399

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloads_db

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloads_db

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\main.exe

Filesize
25.4MB

MD5
f9c95c0043088c773a4a023ba962b3a3

SHA1
c0b017c5033aa00e18f58c226b320e1e8b67ffb1

SHA256
ea4177c3a37ed5711e1283d12a43b85b1258bdb2f9bb8cd797281d415199ccf3

SHA512
33bcdc5efb559a2ed8c932df01597b5bc311c95d4383aa812d0e8b024fcfbc5231622dfaeb65f4e80b71627c7e8ea752171f9afdcb2e0610c3d51350a789e8a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vault\cookies.txt

Filesize
259B

MD5
8ca94bfbc0a8ef312fa1f86cb3638432

SHA1
099ff5aa2082f78f3036076e9ff9586f11dddd35

SHA256
7d2c23c625df798c0608bf934d980fa677ba63080a08850b77758a01ee4c9f7b

SHA512
0f7008f7630f1efdb2d17eb443f8f26fd39f57fbbeb1820929b89fc3073fc03e9186252e4ded4e122a6b3b257aa9d26b4f5bf85820a6d434e917239198f07e58

Download Submit
C:\Users\Admin\AppData\Roaming\empyrean\cards_db

Filesize
114KB

MD5
94834ae06f8cd796ce2fab0c49966f58

SHA1
d863d5d212474d5f93c5a9fe9660116fbab810ae

SHA256
b90495b3d3e7f3b7202fc22221fc2be0c20517d788c5457702783605eb61c35c

SHA512
0445889c02afc78bf974438bf59f4012a576f96e9bea1450afc9710b0fb7c0426eab5c5cb88aa2433892d32aa581115cdbaee6dc65b1d50902b09a1d47a48268

Download Submit
C:\Users\Admin\AppData\Roaming\empyrean\cards_db

Filesize
112KB

MD5
30e375798049100677ea16b7c578a4ee

SHA1
bcab7401a5f34ac0e6f795ece8d3ed12944ae99f

SHA256
ea5c90cfc97f429a2f9e0b1e9b16778b5b19bd8e83a896a30002de70af84e1ce

SHA512
f8ae930e26ecfe06dc30d4f39858b0eec6b4a81a8139883712505b5c6b58504d463d986ef58c7151a247fe157c6013b570b9d39e1d4a860061e37e0419900582

Download Submit
C:\Users\Admin\AppData\Roaming\empyrean\cookie_db

Filesize
20KB

MD5
bb264a4dc44c5697aec8b222364c32fa

SHA1
262822f272bc50ac42af3888f78b7a1df0b720dd

SHA256
0be6c28c33573964e460fa617dabe856bf337254e4ede441cc9086a480abaee8

SHA512
c74439f441cc3fc49bd6853db640adc4d36c1b3bd7b9362af63edc13a632862afb473fb4ac0f0ec511caa96bf643fd1faea29be60aa552473ce518755e3025b0

Download Submit
C:\Users\Admin\AppData\Roaming\empyrean\login_db

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Roaming\empyrean\login_db

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
memory/2052-1913-0x00007FF9BA650000-0x00007FF9BAABE000-memory.dmp

Filesize
4.4MB

Download
memory/2052-1931-0x00007FF9BB270000-0x00007FF9BB2F7000-memory.dmp

Filesize
540KB

Download
memory/2052-1923-0x00007FF9BB3C0000-0x00007FF9BB47C000-memory.dmp

Filesize
752KB

Download
memory/3064-1287-0x00007FF9C8B60000-0x00007FF9C8B6C000-memory.dmp

Filesize
48KB

Download
memory/3064-1276-0x00007FF9BBD10000-0x00007FF9BBDC8000-memory.dmp

Filesize
736KB

Download
memory/3064-1291-0x00007FF9BBDD0000-0x00007FF9BC145000-memory.dmp

Filesize
3.5MB

Download
memory/3064-1290-0x00007FF9CBC00000-0x00007FF9CBC0B000-memory.dmp

Filesize
44KB

Download
memory/3064-1289-0x00007FF9C82F0000-0x00007FF9C82FC000-memory.dmp

Filesize
48KB

Download
memory/3064-1288-0x00007FF9C84B0000-0x00007FF9C84BB000-memory.dmp

Filesize
44KB

Download
memory/3064-1293-0x00007FF9BB960000-0x00007FF9BB96D000-memory.dmp

Filesize
52KB

Download
memory/3064-1286-0x00007FF9CA2E0000-0x00007FF9CA2EB000-memory.dmp

Filesize
44KB

Download
memory/3064-1284-0x00007FF9BB9B0000-0x00007FF9BBB21000-memory.dmp

Filesize
1.4MB

Download
memory/3064-1283-0x00007FF9BD2A0000-0x00007FF9BD2BF000-memory.dmp

Filesize
124KB

Download
memory/3064-1282-0x00007FF9BC180000-0x00007FF9BC23C000-memory.dmp

Filesize
752KB

Download
memory/3064-1280-0x00007FF9BBC50000-0x00007FF9BBC76000-memory.dmp

Filesize
152KB

Download
memory/3064-1279-0x00007FF9BD700000-0x00007FF9BD714000-memory.dmp

Filesize
80KB

Download
memory/3064-1278-0x00007FF9CBD70000-0x00007FF9CBD7B000-memory.dmp

Filesize
44KB

Download
memory/3064-1277-0x00007FF9BBC80000-0x00007FF9BBD07000-memory.dmp

Filesize
540KB

Download
memory/3064-1274-0x00007FF9BBDD0000-0x00007FF9BC145000-memory.dmp

Filesize
3.5MB

Download
memory/3064-1273-0x00007FF9BC150000-0x00007FF9BC17E000-memory.dmp

Filesize
184KB

Download
memory/3064-1271-0x00007FF9CBD80000-0x00007FF9CBD8A000-memory.dmp

Filesize
40KB

Download
memory/3064-1270-0x00007FF9BD2C0000-0x00007FF9BD302000-memory.dmp

Filesize
264KB

Download
memory/3064-1266-0x00007FF9BC180000-0x00007FF9BC23C000-memory.dmp

Filesize
752KB

Download
memory/3064-1265-0x00007FF9CBDA0000-0x00007FF9CBDCE000-memory.dmp

Filesize
184KB

Download
memory/3064-1264-0x00007FF9BCD90000-0x00007FF9BD1FE000-memory.dmp

Filesize
4.4MB

Download
memory/3064-1262-0x00007FF9CCB80000-0x00007FF9CCB8D000-memory.dmp

Filesize
52KB

Download
memory/3064-1261-0x00007FF9CBE90000-0x00007FF9CBEA9000-memory.dmp

Filesize
100KB

Download
memory/3064-1260-0x00007FF9CBEB0000-0x00007FF9CBEE4000-memory.dmp

Filesize
208KB

Download
memory/3064-1258-0x00007FF9CC610000-0x00007FF9CC629000-memory.dmp

Filesize
100KB

Download
memory/3064-1294-0x00007FF9BB950000-0x00007FF9BB95E000-memory.dmp

Filesize
56KB

Download
memory/3064-1295-0x00007FF9BB940000-0x00007FF9BB94C000-memory.dmp

Filesize
48KB

Download
memory/3064-1254-0x00007FF9CFB50000-0x00007FF9CFB5F000-memory.dmp

Filesize
60KB

Download
memory/3064-1253-0x00007FF9CC630000-0x00007FF9CC654000-memory.dmp

Filesize
144KB

Download
memory/3064-1296-0x00007FF9BB930000-0x00007FF9BB93C000-memory.dmp

Filesize
48KB

Download
memory/3064-1297-0x00007FF9BB920000-0x00007FF9BB92B000-memory.dmp

Filesize
44KB

Download
memory/3064-610-0x00007FF9BCD90000-0x00007FF9BD1FE000-memory.dmp

Filesize
4.4MB

Download
memory/3064-1299-0x00007FF9BB900000-0x00007FF9BB90C000-memory.dmp

Filesize
48KB

Download
memory/3064-1298-0x00007FF9BB910000-0x00007FF9BB91B000-memory.dmp

Filesize
44KB

Download
memory/3064-1300-0x00007FF9BB8F0000-0x00007FF9BB8FC000-memory.dmp

Filesize
48KB

Download
memory/3064-1301-0x00007FF9BB8E0000-0x00007FF9BB8ED000-memory.dmp

Filesize
52KB

Download
memory/3064-1302-0x00007FF9BB8B0000-0x00007FF9BB8BC000-memory.dmp

Filesize
48KB

Download
memory/3064-1303-0x00007FF9BB890000-0x00007FF9BB8A5000-memory.dmp

Filesize
84KB

Download
memory/3064-1304-0x00007FF9BC150000-0x00007FF9BC17E000-memory.dmp

Filesize
184KB

Download
memory/3064-1305-0x00007FF9C33F0000-0x00007FF9C33FC000-memory.dmp

Filesize
48KB

Download
memory/3064-1306-0x00007FF9BB8C0000-0x00007FF9BB8D2000-memory.dmp

Filesize
72KB

Download
memory/3064-1307-0x00007FF9BB880000-0x00007FF9BB890000-memory.dmp

Filesize
64KB

Download
memory/3064-1308-0x00007FF9BBD10000-0x00007FF9BBDC8000-memory.dmp

Filesize
736KB

Download
memory/3064-1309-0x00007FF9BB860000-0x00007FF9BB874000-memory.dmp

Filesize
80KB

Download
memory/3064-1310-0x00007FF9BB830000-0x00007FF9BB852000-memory.dmp

Filesize
136KB

Download
memory/3064-1311-0x00007FF9BBC50000-0x00007FF9BBC76000-memory.dmp

Filesize
152KB

Download
memory/3064-1312-0x00007FF9BB810000-0x00007FF9BB827000-memory.dmp

Filesize
92KB

Download
memory/3064-1313-0x00007FF9BB7F0000-0x00007FF9BB809000-memory.dmp

Filesize
100KB

Download
memory/3064-1314-0x00007FF9BB780000-0x00007FF9BB791000-memory.dmp

Filesize
68KB

Download
memory/3064-1316-0x00007FF9BB760000-0x00007FF9BB77E000-memory.dmp

Filesize
120KB

Download
memory/3064-1317-0x0000000071080000-0x000000007111D000-memory.dmp

Filesize
628KB

Download
memory/3064-1320-0x00007FF9BB970000-0x00007FF9BB9A8000-memory.dmp

Filesize
224KB

Download
memory/3064-1322-0x00007FF9BB6B0000-0x00007FF9BB6D4000-memory.dmp

Filesize
144KB

Download
memory/3064-1323-0x00007FF9BB450000-0x00007FF9BB6A2000-memory.dmp

Filesize
2.3MB

Download
memory/3064-1321-0x00007FF9BB730000-0x00007FF9BB759000-memory.dmp

Filesize
164KB

Download
memory/3064-1315-0x00007FF9BB7A0000-0x00007FF9BB7E9000-memory.dmp

Filesize
292KB

Download
memory/3064-1285-0x00007FF9BB970000-0x00007FF9BB9A8000-memory.dmp

Filesize
224KB

Download
memory/3064-1281-0x00007FF9BBB30000-0x00007FF9BBC48000-memory.dmp

Filesize
1.1MB

Download
memory/3064-1292-0x00007FF9C54E0000-0x00007FF9C54EB000-memory.dmp

Filesize
44KB

Download
memory/3064-1275-0x00007FF9CBE90000-0x00007FF9CBEA9000-memory.dmp

Filesize
100KB

Download
memory/3064-1272-0x00007FF9CBC70000-0x00007FF9CBC8C000-memory.dmp

Filesize
112KB

Download
memory/3064-1267-0x00007FF9BD720000-0x00007FF9BD74B000-memory.dmp

Filesize
172KB

Download
memory/3064-1373-0x00007FF9BB830000-0x00007FF9BB852000-memory.dmp

Filesize
136KB

Download
memory/3064-1375-0x00007FF9CC630000-0x00007FF9CC654000-memory.dmp

Filesize
144KB

Download
memory/3064-1380-0x00007FF9CBE90000-0x00007FF9CBEA9000-memory.dmp

Filesize
100KB

Download
memory/3064-1390-0x00007FF9BBDD0000-0x00007FF9BC145000-memory.dmp

Filesize
3.5MB

Download
memory/3064-1391-0x00007FF9BBD10000-0x00007FF9BBDC8000-memory.dmp

Filesize
736KB

Download
memory/3064-1389-0x00007FF9BC150000-0x00007FF9BC17E000-memory.dmp

Filesize
184KB

Download
memory/3064-1388-0x00007FF9CBC70000-0x00007FF9CBC8C000-memory.dmp

Filesize
112KB

Download
memory/3064-1384-0x00007FF9BC180000-0x00007FF9BC23C000-memory.dmp

Filesize
752KB

Download
memory/3064-1383-0x00007FF9CBDA0000-0x00007FF9CBDCE000-memory.dmp

Filesize
184KB

Download
memory/3064-1374-0x00007FF9BCD90000-0x00007FF9BD1FE000-memory.dmp

Filesize
4.4MB

Download
memory/3064-1413-0x00007FF9BC180000-0x00007FF9BC23C000-memory.dmp

Filesize
752KB

Download
memory/3064-1427-0x00007FF9CC630000-0x00007FF9CC654000-memory.dmp

Filesize
144KB

Download
memory/3064-1437-0x00007FF9BD720000-0x00007FF9BD74B000-memory.dmp

Filesize
172KB

Download
memory/3064-1446-0x0000000071080000-0x000000007111D000-memory.dmp

Filesize
628KB

Download
memory/3064-1445-0x00007FF9BB810000-0x00007FF9BB827000-memory.dmp

Filesize
92KB

Download
memory/3064-1444-0x00007FF9BB7A0000-0x00007FF9BB7E9000-memory.dmp

Filesize
292KB

Download
memory/3064-1443-0x00007FF9BB890000-0x00007FF9BB8A5000-memory.dmp

Filesize
84KB

Download
memory/3064-1442-0x00007FF9BB880000-0x00007FF9BB890000-memory.dmp

Filesize
64KB

Download
memory/3064-1441-0x00007FF9BB970000-0x00007FF9BB9A8000-memory.dmp

Filesize
224KB

Download
memory/3064-1440-0x00007FF9BD2A0000-0x00007FF9BD2BF000-memory.dmp

Filesize
124KB

Download
memory/3064-1439-0x00007FF9BB860000-0x00007FF9BB874000-memory.dmp

Filesize
80KB

Download
memory/3064-1438-0x00007FF9BB830000-0x00007FF9BB852000-memory.dmp

Filesize
136KB

Download
memory/3064-1436-0x00007FF9BB9B0000-0x00007FF9BBB21000-memory.dmp

Filesize
1.4MB

Download
memory/3064-1435-0x00007FF9CBDA0000-0x00007FF9CBDCE000-memory.dmp

Filesize
184KB

Download
memory/3064-1434-0x00007FF9CC730000-0x00007FF9CC73D000-memory.dmp

Filesize
52KB

Download
memory/3064-1433-0x00007FF9BD700000-0x00007FF9BD714000-memory.dmp

Filesize
80KB

Download
memory/3064-1432-0x00007FF9CBE90000-0x00007FF9CBEA9000-memory.dmp

Filesize
100KB

Download
memory/3064-1431-0x00007FF9CBEB0000-0x00007FF9CBEE4000-memory.dmp

Filesize
208KB

Download
memory/3064-1430-0x00007FF9CC5E0000-0x00007FF9CC60D000-memory.dmp

Filesize
180KB

Download
memory/3064-1429-0x00007FF9CC610000-0x00007FF9CC629000-memory.dmp

Filesize
100KB

Download
memory/3064-1428-0x00007FF9BCD90000-0x00007FF9BD1FE000-memory.dmp

Filesize
4.4MB

Download
memory/3064-1426-0x00007FF9CFB50000-0x00007FF9CFB5F000-memory.dmp

Filesize
60KB

Download
memory/3064-1425-0x00007FF9BBB30000-0x00007FF9BBC48000-memory.dmp

Filesize
1.1MB

Download
memory/3064-1424-0x00007FF9BBC50000-0x00007FF9BBC76000-memory.dmp

Filesize
152KB

Download
memory/3064-1423-0x00007FF9CBD70000-0x00007FF9CBD7B000-memory.dmp

Filesize
44KB

Download
memory/3064-1421-0x00007FF9BBC80000-0x00007FF9BBD07000-memory.dmp

Filesize
540KB

Download
memory/3064-1420-0x00007FF9BBD10000-0x00007FF9BBDC8000-memory.dmp

Filesize
736KB

Download
memory/3064-1419-0x00007FF9BBDD0000-0x00007FF9BC145000-memory.dmp

Filesize
3.5MB

Download
memory/3064-1418-0x00007FF9BC150000-0x00007FF9BC17E000-memory.dmp

Filesize
184KB

Download
memory/3064-1417-0x00007FF9CBC70000-0x00007FF9CBC8C000-memory.dmp

Filesize
112KB

Download
memory/3064-1416-0x00007FF9CBD80000-0x00007FF9CBD8A000-memory.dmp

Filesize
40KB

Download
memory/3064-1415-0x00007FF9BD2C0000-0x00007FF9BD302000-memory.dmp

Filesize
264KB

Download
memory/3064-1410-0x00007FF9CCB80000-0x00007FF9CCB8D000-memory.dmp

Filesize
52KB

Download
memory/3064-1263-0x00007FF9CC730000-0x00007FF9CC73D000-memory.dmp

Filesize
52KB

Download
memory/3064-1259-0x00007FF9CC5E0000-0x00007FF9CC60D000-memory.dmp

Filesize
180KB

Download
memory/4532-0-0x00007FF9BCB05000-0x00007FF9BCB06000-memory.dmp

Filesize
4KB

Download
memory/4532-5-0x000000001C570000-0x000000001C60C000-memory.dmp

Filesize
624KB

Download
memory/4532-4-0x00007FF9BC850000-0x00007FF9BD1F1000-memory.dmp

Filesize
9.6MB

Download
memory/4532-3-0x000000001BFF0000-0x000000001C4BE000-memory.dmp

Filesize
4.8MB

Download
memory/4532-2-0x00007FF9BC850000-0x00007FF9BD1F1000-memory.dmp

Filesize
9.6MB

Download
memory/4532-1-0x000000001BA50000-0x000000001BAF6000-memory.dmp

Filesize
664KB

Download
memory/4532-6-0x0000000001310000-0x0000000001318000-memory.dmp

Filesize
32KB

Download
memory/4532-7-0x000000001C6D0000-0x000000001C71C000-memory.dmp

Filesize
304KB

Download
memory/4532-392-0x00007FF9BC850000-0x00007FF9BD1F1000-memory.dmp

Filesize
9.6MB

Download