469524f86ccd37892dc49f7f11e43f25b10d96e196a15a673bdbc2f64e0d3ccb

Analysis

max time kernel
141s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 12:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_6c56ef49ab649a4cde50ac66112feed2_ryuk.exe
Size

55.7MB
MD5

6c56ef49ab649a4cde50ac66112feed2
SHA1

50e80b1a8bf5f5387d37e704f1d330d5ef390b65
SHA256

469524f86ccd37892dc49f7f11e43f25b10d96e196a15a673bdbc2f64e0d3ccb
SHA512

3f5b2a85a08a5994b31019ad940809d1417e0ffbbb58c9c8fe64c25fbe59966cd035124dfbbe3902ec0bcc50dc55c6ce2914324cc206a3460cbaf7fa607c3061
SSDEEP

1572864:+10G/gK4o7B2VdNJEX03SU0WYbeJEQs9usdrUco3H:0342BcdN2bU0tAEQsoIU

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discsv.cmd	acatc.exe

Executes dropped EXE 4 IoCs

pid	Process
2348	acatc.exe
3664	usruho.exe
3056	usruho.exe
732	tor.exe

Loads dropped DLL 50 IoCs

pid	Process
2348	acatc.exe
2348	acatc.exe
2348	acatc.exe
2348	acatc.exe
2348	acatc.exe
2348	acatc.exe
2348	acatc.exe
2348	acatc.exe
2348	acatc.exe
2348	acatc.exe
2348	acatc.exe
2348	acatc.exe
3056	usruho.exe
3056	usruho.exe
3056	usruho.exe
3056	usruho.exe
3056	usruho.exe
3056	usruho.exe
3056	usruho.exe
3056	usruho.exe
3056	usruho.exe
3056	usruho.exe
3056	usruho.exe
3056	usruho.exe
3056	usruho.exe
3056	usruho.exe
3056	usruho.exe
3056	usruho.exe
3056	usruho.exe
3056	usruho.exe
3056	usruho.exe
3056	usruho.exe
3056	usruho.exe
3056	usruho.exe
3056	usruho.exe
3056	usruho.exe
3056	usruho.exe
3056	usruho.exe
3056	usruho.exe
3056	usruho.exe
3056	usruho.exe
3056	usruho.exe
3056	usruho.exe
3056	usruho.exe
3056	usruho.exe
3056	usruho.exe
3056	usruho.exe
3056	usruho.exe
3056	usruho.exe
3056	usruho.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2884	powershell.exe
2884	powershell.exe
2884	powershell.exe
2884	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
224	powershell.exe
224	powershell.exe
1688	powershell.exe
1688	powershell.exe
1688	powershell.exe
1688	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	4760	powershell.exe
Token: SeDebugPrivilege	224	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4160 wrote to memory of 2348	4160	2024-02-12_6c56ef49ab649a4cde50ac66112feed2_ryuk.exe	86
PID 4160 wrote to memory of 2348	4160	2024-02-12_6c56ef49ab649a4cde50ac66112feed2_ryuk.exe	86
PID 2348 wrote to memory of 4964	2348	acatc.exe	87
PID 2348 wrote to memory of 4964	2348	acatc.exe	87
PID 4964 wrote to memory of 4956	4964	cmd.exe	89
PID 4964 wrote to memory of 4956	4964	cmd.exe	89
PID 4956 wrote to memory of 2884	4956	cmd.exe	90
PID 4956 wrote to memory of 2884	4956	cmd.exe	90
PID 2884 wrote to memory of 4000	2884	powershell.exe	91
PID 2884 wrote to memory of 4000	2884	powershell.exe	91
PID 4000 wrote to memory of 3976	4000	cmd.exe	94
PID 4000 wrote to memory of 3976	4000	cmd.exe	94
PID 3976 wrote to memory of 4760	3976	cmd.exe	96
PID 3976 wrote to memory of 4760	3976	cmd.exe	96
PID 4760 wrote to memory of 4736	4760	powershell.exe	97
PID 4760 wrote to memory of 4736	4760	powershell.exe	97
PID 4736 wrote to memory of 3664	4736	cmd.exe	98
PID 4736 wrote to memory of 3664	4736	cmd.exe	98
PID 3664 wrote to memory of 3056	3664	usruho.exe	102
PID 3664 wrote to memory of 3056	3664	usruho.exe	102
PID 3056 wrote to memory of 332	3056	usruho.exe	106
PID 3056 wrote to memory of 332	3056	usruho.exe	106
PID 332 wrote to memory of 224	332	cmd.exe	108
PID 332 wrote to memory of 224	332	cmd.exe	108
PID 224 wrote to memory of 1688	224	powershell.exe	109
PID 224 wrote to memory of 1688	224	powershell.exe	109
PID 1688 wrote to memory of 732	1688	powershell.exe	110
PID 1688 wrote to memory of 732	1688	powershell.exe	110

C:\Users\Admin\AppData\Local\Temp\2024-02-12_6c56ef49ab649a4cde50ac66112feed2_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_6c56ef49ab649a4cde50ac66112feed2_ryuk.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4160
- C:\Users\Admin\AppData\Local\Temp\onefile_4160_133522161839611103\acatc.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-02-12_6c56ef49ab649a4cde50ac66112feed2_ryuk.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c powershell Start-Process -NoNewWindow -FilePath "C:\Windows\System32\cmd.exe" -ArgumentList @('/c "start C:\Users\Admin\AppData\Local\Temp\onefile_4160_133522161839611103\mpr.lnk"')"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c powershell Start-Process -NoNewWindow -FilePath "C:\Windows\System32\cmd.exe" -ArgumentList @('/c "start C:\Users\Admin\AppData\Local\Temp\onefile_4160_133522161839611103\mpr.lnk"')
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Process -NoNewWindow -FilePath "C:\Windows\System32\cmd.exe" -ArgumentList @('/c "start C:\Users\Admin\AppData\Local\Temp\onefile_4160_133522161839611103\mpr.lnk"')
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2884
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start C:\Users\Admin\AppData\Local\Temp\onefile_4160_133522161839611103\mpr.lnk
        6⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell Start-Process -NoNewWindow -FilePath "C:\Windows\System32\cmd.exe" -ArgumentList @('/c "start C:\\Users\\Admin\\.helena\\usruho.exe --ee --aa1 -f"')
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Process -NoNewWindow -FilePath "C:\Windows\System32\cmd.exe" -ArgumentList @('/c "start C:\\Users\\Admin\\.helena\\usruho.exe --ee --aa1 -f"')
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start C:\\Users\\Admin\\.helena\\usruho.exe --ee --aa1 -f
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Users\Admin\.helena\usruho.exe
        
        C:\\Users\\Admin\\.helena\\usruho.exe --ee --aa1 -f
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\onefile_3664_133522161917267491\usruho.exe
        
        C:\\Users\\Admin\\.helena\\usruho.exe --ee --aa1 -f
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Start-Process -NoNewWindow -FilePath "C:\Users\Admin\.helena\tor.exe" -ArgumentList @('--DisableNetwork, "0"')"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Start-Process -NoNewWindow -FilePath "C:\Users\Admin\.helena\tor.exe" -ArgumentList @('--DisableNetwork, "0"')
        13⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process -NoNewWindow -FilePath C:\Users\Admin\.helena\tor.exe -ArgumentList "--DisableNetwork, 0"
        14⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Users\Admin\.helena\tor.exe
        
        "C:\Users\Admin\.helena\tor.exe" --DisableNetwork 0
        15⤵
        Executes dropped EXE
        
        PID:732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.helena\usruho.exe

Filesize
22.8MB

MD5
088f19e780ff0aa7626a4c27a7e7a116

SHA1
fa274188befa787d968b690ab3b1c98d6966cab2

SHA256
303187aa855f3fcde456582c5c8f25369f3e5353cbde71b65e61927f5170576f

SHA512
38aa831b16dea65c7f97ef7c2bfcbe5902193e8f35e46dcddaa142d5be17ea26da510363fb3d103566afd1bf4b71a542ae73dbb6b02c4b23402c4670bf1b5a5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
3ca1082427d7b2cd417d7c0b7fd95e4e

SHA1
b0482ff5b58ffff4f5242d77330b064190f269d3

SHA256
31f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f

SHA512
bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

Filesize
120KB

MD5
9b344f8d7ce5b57e397a475847cc5f66

SHA1
aff1ccc2608da022ecc8d0aba65d304fe74cdf71

SHA256
b1214d7b7efd9d4b0f465ec3463512a1cbc5f59686267030f072e6ce4b2a95cf

SHA512
2b0d9e1b550bf108fa842324ab26555f2a224aefff517fdb16df85693e05adaf0d77ebe49382848f1ec68dc9b5ae75027a62c33721e42a1566274d1a2b1baa41

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\cryptography\hazmat\bindings\_rust.pyd

Filesize
6.2MB

MD5
e254d41da688f8d7bc0c373c6642f82e

SHA1
3484a9398f84f6a726db58d53f4ba3fb579f524c

SHA256
5c79f0e9b6a4e634c8f4e5741a68d2ae8ae4793be2f0efdb423df883a4d57347

SHA512
bc317422d8fc5d58a0ebdbb4731332260903be3898eedf4788cfade0fb1a1283b89abcb9bb10619a1c7cb39cd9f0c52dace206bb539e55c9b422fd83f8f1ac00

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-1_1.dll

Filesize
3.3MB

MD5
9d7a0c99256c50afd5b0560ba2548930

SHA1
76bd9f13597a46f5283aa35c30b53c21976d0824

SHA256
9b7b4a0ad212095a8c2e35c71694d8a1764cd72a829e8e17c8afe3a55f147939

SHA512
cb39aa99b9d98c735fdacf1c5ed68a4d09d11f30262b91f6aa48c3f8520eff95e499400d0ce7e280ca7a90ff6d7141d2d893ef0b33a8803a1cadb28ba9a9e3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\zstandard\backend_c.pyd

Filesize
513KB

MD5
baf4db7977e04eca7e4151da57dc35d6

SHA1
80c70496375037ca084365e392d903dea962566c

SHA256
1a2ec2389c1111d3992c788b58282aaf1fc877b665b195847faf58264bf9bc33

SHA512
9b04f24ee61efa685c3af3e05000206384ec531a120209288f8fdc4fb1ec186c946fd59e9eb7381e9077bfbcfc7168b86a71c12d06529e70a7f30e44658a4950

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lnvzst0i.qqt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3664_133522161917267491\_brotli.pyd

Filesize
732KB

MD5
0606e7d1af5d7420ea2f363a9b22e647

SHA1
949e2661c8abf1f108e49ddc431892af5c4eb5ae

SHA256
79e60cd8bfd29ad1f7d0bf7a1eec3d9abadfce90587438ea172034074bc174ee

SHA512
0fbb16af2523f374c6057e2cb2397cd7ff7eee7e224372fd56a5feada58b0cebb992a9889865d3b971f960ca5f3bc37ff3017474b79ccc9b74aa4d341b7e06fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3664_133522161917267491\_queue.pyd

Filesize
31KB

MD5
06248702a6cd9d2dd20c0b1c6b02174d

SHA1
3f14d8af944fe0d35d17701033ff1501049e856f

SHA256
ac177cd84c12e03e3a68bca30290bc0b8f173eee518ef1fa6a9dce3a3e755a93

SHA512
5b22bbff56a8b48655332ebd77387d307f5c0a526626f3654267a34bc4863d8afaf08ff3946606f3cf00b660530389c37bdfac91843808dbebc7373040fec4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3664_133522161917267491\_ssl.pyd

Filesize
157KB

MD5
ab0e4fbffb6977d0196c7d50bc76cf2d

SHA1
680e581c27d67cd1545c810dbb175c2a2a4ef714

SHA256
680ad2de8a6cff927822c1d7dd22112a3e8a824e82a7958ee409a7b9ce45ec70

SHA512
2bff84a8ec7a26dde8d1bb09792ead8636009c8ef3fa68300a75420197cd7b6c8eaaf8db6a5f97442723e5228afa62961f002948e0eeee8c957c6517547dffba

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3664_133522161917267491\charset_normalizer\md.pyd

Filesize
10KB

MD5
fa50d9f8bce6bd13652f5090e7b82c4d

SHA1
ee137da302a43c2f46d4323e98ffd46d92cf4bef

SHA256
fff69928dea1432e0c7cb1225ab96f94fd38d5d852de9a6bb8bf30b7d2bedceb

SHA512
341cec015e74348eab30d86ebb35c028519703006814a2ecd19b9fe5e6fcb05eda6dde0aaf4fe624d254b0d0180ec32adf3b93ee96295f8f0f4c9d4ed27a7c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3664_133522161917267491\charset_normalizer\md__mypyc.pyd

Filesize
113KB

MD5
2d1f2ffd0fecf96a053043daad99a5df

SHA1
b03d5f889e55e802d3802d0f0caa4d29c538406b

SHA256
207bbae9ddf8bdd64e65a8d600fe1dd0465f2afcd6dc6e28d4d55887cd6cbd13

SHA512
4f7d68f241a7f581e143a010c78113154072c63adff5f200ef67eb34d766d14ce872d53183eb2b96b1895aa9c8d4ca82ee5e61e1c5e655ff5be56970be9ebe3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3664_133522161917267491\libssl-1_1.dll

Filesize
688KB

MD5
bec0f86f9da765e2a02c9237259a7898

SHA1
3caa604c3fff88e71f489977e4293a488fb5671c

SHA256
d74ce01319ae6f54483a19375524aa39d9f5fd91f06cf7df238ca25e043130fd

SHA512
ffbc4e5ffdb49704e7aa6d74533e5af76bbe5db297713d8e59bd296143fe5f145fbb616b343eed3c48eceaccccc2431630470d8975a4a17c37eafcc12edd19f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3664_133522161917267491\usruho.exe

Filesize
11.1MB

MD5
a21ff0790604328037de7998fbf17d19

SHA1
4d5274045e2297d9ea7ee4b5e754a144823e164f

SHA256
eaa4336c1d71aacc75f7f04e8750989b9c0a15cf4ab4e7bb9a73e241a36d5275

SHA512
9affa450fe479384653321d88dde71bb3377bc54fcd2cd527b93769ed9ce65de0e27131c470dc382f6b3c243c3f795e8767fbd06edd232a0b3628348d12bb796

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3664_133522161917267491\vcruntime140_1.dll

Filesize
48KB

MD5
7e668ab8a78bd0118b94978d154c85bc

SHA1
dbac42a02a8d50639805174afd21d45f3c56e3a0

SHA256
e4b533a94e02c574780e4b333fcf0889f65ed00d39e32c0fbbda2116f185873f

SHA512
72bb41db17256141b06e2eaeb8fc65ad4abdb65e4b5f604c82b9e7e7f60050734137d602e0f853f1a38201515655b6982f2761ee0fa77c531aa58591c95f0032

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4160_133522161839611103\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4160_133522161839611103\_cffi_backend.pyd

Filesize
177KB

MD5
fde9a1d6590026a13e81712cd2f23522

SHA1
ca99a48caea0dbaccf4485afd959581f014277ed

SHA256
16eccc4baf6cf4ab72acd53c72a1f2b04d952e07e385e9050a933e78074a7d5b

SHA512
a522661f5c3eeea89a39df8bbb4d23e6428c337aac1d231d32b39005ea8810fce26af18454586e0e94e51ea4ac0e034c88652c1c09b1ed588aeac461766981f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4160_133522161839611103\_hashlib.pyd

Filesize
63KB

MD5
787b82d4466f393366657b8f1bc5f1a9

SHA1
658639cddda55ac3bfc452db4ec9cf88851e606b

SHA256
241322647ba9f94bdc3ae387413ffb57ae14c8cf88bd564a31fe193c6ca43e37

SHA512
afcf66962958f38eec8b591aa30d380eb0e1b41028836058ff91b4d1472658de9fba3262f5c27ba688bd73da018e938f398e45911cd37584f623073067f575b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4160_133522161839611103\_socket.pyd

Filesize
77KB

MD5
26dd19a1f5285712068b9e41808e8fa0

SHA1
90c9a112dd34d45256b4f2ed38c1cbbc9f24dba5

SHA256
eaabf6b78840daeaf96b5bdbf06adf0e4e2994dfeee5c5e27fefd824dbda5220

SHA512
173e1eda05d297d7da2193e8566201f05428437adcac80aecefe80f82d46295b15ce10990b5c080325dc59a432a587eef84a15ec688a62b82493ad501a1e4520

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4160_133522161839611103\acatc.exe

Filesize
448KB

MD5
55d1dae869c7afb5093a29cb6db53309

SHA1
2db52062078f1b299c5760865386464560301015

SHA256
583d844910c86a9752d9f59ab98c2989089b9fb21117fbfcecf5d8f5f642ad29

SHA512
53fe78da1ed6e18d512348aaeef062d540951ae163c05edec2539722bcf483d1902a7950ac953b1a79b4d362d82ca274baa9008d919f3e6fd02e83fcfac1a89b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4160_133522161839611103\discsv.pyo

Filesize
59B

MD5
296a4d694e0da567dea39119a6e26306

SHA1
9f1b388c574980f957cc04a639f55a738cfd652d

SHA256
dafb0e3c2aa4f19873e623dc418a90febaf6c32252c655c93b8b31a271702b9a

SHA512
0324d6c01715cbe42b98ffc16afd7668f77aa1899fff81e44b9949398e3c29233e7e872f0bfb65ed7988abc2196350537452983a39ab4461ed6490559946e29d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4160_133522161839611103\endi.pyo

Filesize
5KB

MD5
ca85285a8dbac0b5f8315a3ebc21c044

SHA1
0d0b7b4152d9a5eb26bf3e36e29e9b674068b526

SHA256
17f7bda7b3fe38a0d066e059e3f00e50d6c75d6797dc984ccb6d392f6322786b

SHA512
fe28dba630dd0aa63b7ed953558a8735266626d6049d16d3e6b7bef42169208873976375da5923b0d54459d8504c762e2218dfa8e91600849427b23b94d96756

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4160_133522161839611103\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4160_133522161839611103\mpr.pyo

Filesize
1KB

MD5
e99d64551ba194e3889c5d6386640d32

SHA1
477bdcc45ae7c1c8808651040326a26754f3a224

SHA256
e27e5c68921f21b5339d8ebaa16b94e6a20e78d3885bb772a4dc29142a9bfbcd

SHA512
6ba8ba711fff7c766ba288e5328877db0dd7250c2506a5e3b1bde4abffaa019592207a744a6af78445fc87cbae6c5414ea731e6264985e58968ba88663a4c2b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4160_133522161839611103\pt1.pyo

Filesize
116B

MD5
2df9b20c496f40ccae69a862d968f273

SHA1
b4e8302949649a11d0482d18ba15253cd7b70fe6

SHA256
0e34a300a1ac5c1ac5bb31b7fe5f3b6e6dfcb1f5cc420f17744cace150d2415b

SHA512
66b54ba482ffb6194810d0ee0817dd8ea204c7e934661aa2d2d507a16f8f8e771a2b2a6ab91baab4e7fe38320f95c1eea80d9181c7e10f27d9e31d62dc9a9697

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4160_133522161839611103\pt2.pyo

Filesize
65B

MD5
8d96874bf96bc22cf06b7374b35906e4

SHA1
459dc28d49c18b136efc7df0cd441ce8189e3dcc

SHA256
a35f1181068311da4d44eabc6a5359bc5aabd6031ddd8deb07915f23a9fda44c

SHA512
60f63f991f8ff5ab0af24f0a1b4ed75c9e87599fb9963d91c7fb4289fe8bee9dad153f0c638ddfbe40133715db7065255382e8cbcab53e13bc6eb0f452c7f367

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4160_133522161839611103\pt3.pyo

Filesize
59B

MD5
4aa660a40f29681407c74ef530611d39

SHA1
ca9261ef092c53a6613e70c6cb02b80c4666c758

SHA256
374015ea372d3f89b31053bd5c330ec804fac078730916555173efb55ce6e06d

SHA512
ca4bd5890674a797ff29a284397b45c45b3923e24d345411aba458ff1731adfd58da6eb551d77db795bf309fc2093aefac06f6a433a13cf3dd21f7c3e4ab3014

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4160_133522161839611103\python3.dll

Filesize
65KB

MD5
7442c154565f1956d409092ede9cc310

SHA1
c72f9c99ea56c8fb269b4d6b3507b67e80269c2d

SHA256
95086ac060ffe6933ac04a6aa289b1c7d321f14380315e24ba0d6c4adfa0842b

SHA512
2bf96828534bcdf71e48d1948b989011d8e3ba757c38cc17905a13d3021ea5deb57e2c68d79507a6acbb62be009cfc85b24d14543958dba1d3bc3e4ca7d4f844

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4160_133522161839611103\python311.dll

Filesize
64KB

MD5
f17994bc50dcb1ecdf63681c0a139440

SHA1
860e873820d84b8d718028bf6141c777e762126d

SHA256
38f5d72d1b4f52bde24d95a7018be5d68bf8239b3fd00ce8eb5919d3c36788b5

SHA512
5f22c89ec9343be8a93e17d8dd67c105d5d118ee95eedad667f2589bfb8bc13df85cae3b7f0da8a936d7946dd103ef36bbc65dd81637db6e003451104ad16ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4160_133522161839611103\python311.dll

Filesize
5.5MB

MD5
e2bd5ae53427f193b42d64b8e9bf1943

SHA1
7c317aad8e2b24c08d3b8b3fba16dd537411727f

SHA256
c4844b05e3a936b130adedb854d3c04d49ee54edb43e9d36f8c4ae94ccb78400

SHA512
ae23a6707e539c619fd5c5b4fc6e4734edc91f89ebe024d25ff2a70168da6105ac0bd47cf6bf3715af6411963caf0acbb4632464e1619ca6361abf53adfe7036

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4160_133522161839611103\select.pyd

Filesize
29KB

MD5
756c95d4d9b7820b00a3099faf3f4f51

SHA1
893954a45c75fb45fe8048a804990ca33f7c072d

SHA256
13e4d9a734a453a3613e11b6a518430099ad7e3d874ea407d1f9625b7f60268a

SHA512
0f54f0262cf8d71f00bf5666eb15541c6ecc5246cd298efd3b7dd39cdd29553a8242d204c42cfb28c537c3d61580153200373c34a94769f102b3baa288f6c398

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4160_133522161839611103\tor.pyo

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4160_133522161839611103\usruho.pyo

Filesize
12.7MB

MD5
6624634b57d9e0043d55b36942313a70

SHA1
52c0d20734cb98abe8a1b68f196308078bdebe9d

SHA256
e89a4dc76b410ca1cf704e5e46d19e2ad4d26aa9389ae3555bbdad0d2e1a2cd7

SHA512
c6346dc92a79e238c9ddf59927613ed8b8a2f018a3d612460e231dc8b9e395324d85190cdf9bbfda8ffe15308abd7f8743a1713afbc66a342032012960d83e7e

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp

Filesize
529KB

MD5
827b2aa4144220a4ea6014bbd1572f6c

SHA1
265e4312b4886c38aae8139d93b9d6c249d53d8d

SHA256
546921bef917c134e55229b2a9910970d3dac69c0befb6108bb4c24c5d0934b5

SHA512
b5caa28f436217780b7b35df17e9e15b36e2cafdee460b799a3ad063b884a71d08c9c5021da994a497812d52bdb4bde7a12bc4f36a754dcb936cf47735c04664

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
10.2MB

MD5
3c2c355e38c68c0076ac146a269e14bb

SHA1
73fe0dbaaaaa2de6893c116307f5a3675109bfcc

SHA256
e1b53606987dc42db0a03819838f25bdc0bf1d727fef6d5c8794da1e9cf7d21d

SHA512
c351b90e07a28e7348d7ef7c2a417f0e64a7cb969341b741a778dd8d02d97f7a43e894958b8e25fb0f4df1d32f138fd5b7beeede69caa9bff8cc0e0f307c5c73

Download Submit
memory/224-205-0x000001D289A20000-0x000001D289A30000-memory.dmp

Filesize
64KB

Download
memory/224-203-0x00007FFDDADF0000-0x00007FFDDB8B1000-memory.dmp

Filesize
10.8MB

Download
memory/224-224-0x00007FFDDADF0000-0x00007FFDDB8B1000-memory.dmp

Filesize
10.8MB

Download
memory/224-204-0x000001D289A20000-0x000001D289A30000-memory.dmp

Filesize
64KB

Download
memory/1688-206-0x00007FFDDADF0000-0x00007FFDDB8B1000-memory.dmp

Filesize
10.8MB

Download
memory/1688-207-0x000002147CFC0000-0x000002147CFD0000-memory.dmp

Filesize
64KB

Download
memory/1688-208-0x000002147CFC0000-0x000002147CFD0000-memory.dmp

Filesize
64KB

Download
memory/1688-220-0x00007FFDDADF0000-0x00007FFDDB8B1000-memory.dmp

Filesize
10.8MB

Download
memory/2884-77-0x000001F5F12E0000-0x000001F5F12F0000-memory.dmp

Filesize
64KB

Download
memory/2884-80-0x00007FFDDF070000-0x00007FFDDFB31000-memory.dmp

Filesize
10.8MB

Download
memory/2884-71-0x000001F5F3360000-0x000001F5F3382000-memory.dmp

Filesize
136KB

Download
memory/2884-76-0x00007FFDDF070000-0x00007FFDDFB31000-memory.dmp

Filesize
10.8MB

Download
memory/3056-233-0x00007FFDDCA80000-0x00007FFDDE92F000-memory.dmp

Filesize
30.7MB

Download
memory/4760-95-0x0000017BDAAA0000-0x0000017BDAAB0000-memory.dmp

Filesize
64KB

Download
memory/4760-107-0x00007FFDDFFF0000-0x00007FFDE0AB1000-memory.dmp

Filesize
10.8MB

Download
memory/4760-94-0x0000017BDAAA0000-0x0000017BDAAB0000-memory.dmp

Filesize
64KB

Download
memory/4760-93-0x00007FFDDFFF0000-0x00007FFDE0AB1000-memory.dmp

Filesize
10.8MB

Download