wannacry | e6757b4abdad7234bf572539e215f2689c68e84cff75ac05d9be6e4c48f3c6f8

Analysis

max time kernel
81s
max time network
70s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-10-2024 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cluxy_multitool.exe
Size

56.4MB
MD5

4a39b0b561dd36d51bf0f92a63ffbfda
SHA1

fa12ad3b53f205a38e49967df8954af385c302dc
SHA256

e6757b4abdad7234bf572539e215f2689c68e84cff75ac05d9be6e4c48f3c6f8
SHA512

b546be3fd2a242b74e9bfa0368271cd9f667594c9a415231638cfc008347ec7ee6279d43f3917490fe43c5ca7e07221471f1d386fe8f604885c3d08ccd387efe
SSDEEP

1572864:O+wGIpeQqMrlpA+Ql4cxTivfS4qrBBGcm1:O+wpeyklDxenZynGH1

Score

10^/10

wannacry credential_access defense_evasion discovery execution impact persistence privilege_escalation ransomware spyware stealer upx worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1468	powershell.exe
3728	powershell.exe
2188	powershell.exe
2824	powershell.exe
444	powershell.exe

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .scr	Cluxy_multitool.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .scr	Cluxy_multitool.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .scr	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDA231.tmp	bound.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDA238.tmp	bound.exe

Executes dropped EXE 12 IoCs

pid	Process
2684	bound.exe
404	taskdl.exe
1064	@[email protected]
1872	@[email protected]
3840	taskhsvc.exe
5008	@[email protected]
4412	taskse.exe
528	taskdl.exe
4888	@[email protected]
5072	taskse.exe
2704	taskdl.exe
4832	@[email protected]

Loads dropped DLL 61 IoCs

pid	Process
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
3840	taskhsvc.exe
3840	taskhsvc.exe
3840	taskhsvc.exe
3840	taskhsvc.exe
3840	taskhsvc.exe
3840	taskhsvc.exe
3840	taskhsvc.exe
4480	Cluxy_multitool.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4792	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hbqpqaznjyrqx231 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
29	raw.githubusercontent.com
30	raw.githubusercontent.com
32	discord.com
33	discord.com
43	discord.com
46	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
41	ip-api.com

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3056	cmd.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	bound.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000024075-739.dat	upx
behavioral2/memory/4480-742-0x00007FF867D70000-0x00007FF868435000-memory.dmp	upx
behavioral2/files/0x0007000000023caa-751.dat	upx
behavioral2/files/0x0008000000023c6d-757.dat	upx
behavioral2/files/0x0007000000023c79-776.dat	upx
behavioral2/memory/4480-784-0x00007FF878170000-0x00007FF87817D000-memory.dmp	upx
behavioral2/files/0x0007000000024078-783.dat	upx
behavioral2/memory/4480-789-0x00007FF877360000-0x00007FF877396000-memory.dmp	upx
behavioral2/files/0x0007000000023ca9-793.dat	upx
behavioral2/files/0x0008000000023c6c-792.dat	upx
behavioral2/memory/4480-797-0x00007FF878200000-0x00007FF878225000-memory.dmp	upx
behavioral2/memory/4480-799-0x00007FF876500000-0x00007FF876533000-memory.dmp	upx
behavioral2/memory/4480-801-0x00007FF868AE0000-0x00007FF868BAE000-memory.dmp	upx
behavioral2/files/0x0007000000023cab-800.dat	upx
behavioral2/memory/4480-805-0x00007FF867560000-0x00007FF86767A000-memory.dmp	upx
behavioral2/memory/4480-804-0x00007FF8781A0000-0x00007FF8781CD000-memory.dmp	upx
behavioral2/files/0x000700000002408f-803.dat	upx
behavioral2/files/0x0007000000023c7b-798.dat	upx
behavioral2/memory/4480-796-0x00007FF867830000-0x00007FF867D63000-memory.dmp	upx
behavioral2/memory/4480-795-0x00007FF878120000-0x00007FF878134000-memory.dmp	upx
behavioral2/memory/4480-794-0x00007FF867D70000-0x00007FF868435000-memory.dmp	upx
behavioral2/memory/4480-791-0x00007FF878140000-0x00007FF87814D000-memory.dmp	upx
behavioral2/files/0x0007000000023c78-790.dat	upx
behavioral2/files/0x0007000000024073-788.dat	upx
behavioral2/memory/4480-786-0x00007FF878160000-0x00007FF87816F000-memory.dmp	upx
behavioral2/files/0x0007000000023c7d-785.dat	upx
behavioral2/memory/4480-808-0x00007FF868940000-0x00007FF8689C7000-memory.dmp	upx
behavioral2/memory/4480-816-0x00007FF86EBE0000-0x00007FF86EC07000-memory.dmp	upx
behavioral2/memory/4480-815-0x00007FF878160000-0x00007FF87816F000-memory.dmp	upx
behavioral2/files/0x0007000000023c85-813.dat	upx
behavioral2/memory/4480-812-0x00007FF877800000-0x00007FF87780B000-memory.dmp	upx
behavioral2/memory/4480-823-0x00007FF8674E0000-0x00007FF867504000-memory.dmp	upx
behavioral2/files/0x000700000002408e-824.dat	upx
behavioral2/files/0x000a000000023baf-828.dat	upx
behavioral2/memory/4480-826-0x00007FF867360000-0x00007FF8674DF000-memory.dmp	upx
behavioral2/memory/4480-849-0x00007FF867230000-0x00007FF86725F000-memory.dmp	upx
behavioral2/memory/4480-848-0x00007FF876500000-0x00007FF876533000-memory.dmp	upx
behavioral2/memory/4480-853-0x00007FF867200000-0x00007FF86721C000-memory.dmp	upx
behavioral2/memory/4480-855-0x00007FF866DD0000-0x00007FF8671F5000-memory.dmp	upx
behavioral2/memory/4480-854-0x00007FF868940000-0x00007FF8689C7000-memory.dmp	upx
behavioral2/memory/4480-852-0x00007FF867560000-0x00007FF86767A000-memory.dmp	upx
behavioral2/memory/4480-851-0x00007FF867220000-0x00007FF86722B000-memory.dmp	upx
behavioral2/memory/4480-856-0x00007FF865A20000-0x00007FF866DC7000-memory.dmp	upx
behavioral2/memory/4480-850-0x00007FF868AE0000-0x00007FF868BAE000-memory.dmp	upx
behavioral2/memory/4480-847-0x00007FF868930000-0x00007FF86893C000-memory.dmp	upx
behavioral2/memory/4480-846-0x00007FF867260000-0x00007FF86728A000-memory.dmp	upx
behavioral2/memory/4480-845-0x00007FF867290000-0x00007FF86729C000-memory.dmp	upx
behavioral2/memory/4480-844-0x00007FF8672A0000-0x00007FF8672B2000-memory.dmp	upx
behavioral2/memory/4480-843-0x00007FF8672C0000-0x00007FF8672CD000-memory.dmp	upx
behavioral2/memory/4480-842-0x00007FF8672D0000-0x00007FF8672DB000-memory.dmp	upx
behavioral2/memory/4480-841-0x00007FF8672E0000-0x00007FF8672EC000-memory.dmp	upx
behavioral2/memory/4480-840-0x00007FF8672F0000-0x00007FF8672FB000-memory.dmp	upx
behavioral2/memory/4480-839-0x00007FF867300000-0x00007FF86730B000-memory.dmp	upx
behavioral2/memory/4480-838-0x00007FF867310000-0x00007FF86731C000-memory.dmp	upx
behavioral2/memory/4480-857-0x00007FF865950000-0x00007FF865972000-memory.dmp	upx
behavioral2/memory/4480-837-0x00007FF867320000-0x00007FF86732E000-memory.dmp	upx
behavioral2/memory/4480-836-0x00007FF867330000-0x00007FF86733D000-memory.dmp	upx
behavioral2/memory/4480-835-0x00007FF867340000-0x00007FF86734C000-memory.dmp	upx
behavioral2/memory/4480-834-0x00007FF867350000-0x00007FF86735B000-memory.dmp	upx
behavioral2/memory/4480-833-0x00007FF86E630000-0x00007FF86E63B000-memory.dmp	upx
behavioral2/memory/4480-832-0x00007FF870F90000-0x00007FF870F9C000-memory.dmp	upx
behavioral2/memory/4480-831-0x00007FF872340000-0x00007FF87234B000-memory.dmp	upx
behavioral2/memory/4480-830-0x00007FF876560000-0x00007FF87656B000-memory.dmp	upx
behavioral2/memory/4480-829-0x00007FF867830000-0x00007FF867D63000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bound.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3928	cmd.exe
2392	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
460	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2580	WMIC.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3442511616-637977696-3186306149-1000\{07F3894A-051E-4BE2-AB12-CF234693EC20}	Cluxy_multitool.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4360	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2392	PING.EXE

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
1468	powershell.exe
1468	powershell.exe
2824	powershell.exe
2824	powershell.exe
1468	powershell.exe
2824	powershell.exe
3728	powershell.exe
3728	powershell.exe
3728	powershell.exe
2188	powershell.exe
2188	powershell.exe
2188	powershell.exe
444	powershell.exe
444	powershell.exe
4480	Cluxy_multitool.exe
4480	Cluxy_multitool.exe
444	powershell.exe
3840	taskhsvc.exe
3840	taskhsvc.exe
3840	taskhsvc.exe
3840	taskhsvc.exe
3840	taskhsvc.exe
3840	taskhsvc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5008	@[email protected]

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4480	Cluxy_multitool.exe
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	3728	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	444	powershell.exe
Token: SeIncreaseQuotaPrivilege	1480	WMIC.exe
Token: SeSecurityPrivilege	1480	WMIC.exe
Token: SeTakeOwnershipPrivilege	1480	WMIC.exe
Token: SeLoadDriverPrivilege	1480	WMIC.exe
Token: SeSystemProfilePrivilege	1480	WMIC.exe
Token: SeSystemtimePrivilege	1480	WMIC.exe
Token: SeProfSingleProcessPrivilege	1480	WMIC.exe
Token: SeIncBasePriorityPrivilege	1480	WMIC.exe
Token: SeCreatePagefilePrivilege	1480	WMIC.exe
Token: SeBackupPrivilege	1480	WMIC.exe
Token: SeRestorePrivilege	1480	WMIC.exe
Token: SeShutdownPrivilege	1480	WMIC.exe
Token: SeDebugPrivilege	1480	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1480	WMIC.exe
Token: SeRemoteShutdownPrivilege	1480	WMIC.exe
Token: SeUndockPrivilege	1480	WMIC.exe
Token: SeManageVolumePrivilege	1480	WMIC.exe
Token: 33	1480	WMIC.exe
Token: 34	1480	WMIC.exe
Token: 35	1480	WMIC.exe
Token: 36	1480	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1480	WMIC.exe
Token: SeSecurityPrivilege	1480	WMIC.exe
Token: SeTakeOwnershipPrivilege	1480	WMIC.exe
Token: SeLoadDriverPrivilege	1480	WMIC.exe
Token: SeSystemProfilePrivilege	1480	WMIC.exe
Token: SeSystemtimePrivilege	1480	WMIC.exe
Token: SeProfSingleProcessPrivilege	1480	WMIC.exe
Token: SeIncBasePriorityPrivilege	1480	WMIC.exe
Token: SeCreatePagefilePrivilege	1480	WMIC.exe
Token: SeBackupPrivilege	1480	WMIC.exe
Token: SeRestorePrivilege	1480	WMIC.exe
Token: SeShutdownPrivilege	1480	WMIC.exe
Token: SeDebugPrivilege	1480	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1480	WMIC.exe
Token: SeRemoteShutdownPrivilege	1480	WMIC.exe
Token: SeUndockPrivilege	1480	WMIC.exe
Token: SeManageVolumePrivilege	1480	WMIC.exe
Token: 33	1480	WMIC.exe
Token: 34	1480	WMIC.exe
Token: 35	1480	WMIC.exe
Token: 36	1480	WMIC.exe
Token: SeIncreaseQuotaPrivilege	32	wmic.exe
Token: SeSecurityPrivilege	32	wmic.exe
Token: SeTakeOwnershipPrivilege	32	wmic.exe
Token: SeLoadDriverPrivilege	32	wmic.exe
Token: SeSystemProfilePrivilege	32	wmic.exe
Token: SeSystemtimePrivilege	32	wmic.exe
Token: SeProfSingleProcessPrivilege	32	wmic.exe
Token: SeIncBasePriorityPrivilege	32	wmic.exe
Token: SeCreatePagefilePrivilege	32	wmic.exe
Token: SeBackupPrivilege	32	wmic.exe
Token: SeRestorePrivilege	32	wmic.exe
Token: SeShutdownPrivilege	32	wmic.exe
Token: SeDebugPrivilege	32	wmic.exe
Token: SeSystemEnvironmentPrivilege	32	wmic.exe
Token: SeRemoteShutdownPrivilege	32	wmic.exe
Token: SeUndockPrivilege	32	wmic.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1064	@[email protected]
1872	@[email protected]
1872	@[email protected]
1064	@[email protected]
5008	@[email protected]
5008	@[email protected]
4888	@[email protected]
4832	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 4480	3532	Cluxy_multitool.exe	88
PID 3532 wrote to memory of 4480	3532	Cluxy_multitool.exe	88
PID 4480 wrote to memory of 4852	4480	Cluxy_multitool.exe	93
PID 4480 wrote to memory of 4852	4480	Cluxy_multitool.exe	93
PID 4480 wrote to memory of 4080	4480	Cluxy_multitool.exe	94
PID 4480 wrote to memory of 4080	4480	Cluxy_multitool.exe	94
PID 4480 wrote to memory of 3056	4480	Cluxy_multitool.exe	97
PID 4480 wrote to memory of 3056	4480	Cluxy_multitool.exe	97
PID 4852 wrote to memory of 1468	4852	cmd.exe	99
PID 4852 wrote to memory of 1468	4852	cmd.exe	99
PID 4080 wrote to memory of 2684	4080	cmd.exe	100
PID 4080 wrote to memory of 2684	4080	cmd.exe	100
PID 4080 wrote to memory of 2684	4080	cmd.exe	100
PID 3056 wrote to memory of 2344	3056	cmd.exe	101
PID 3056 wrote to memory of 2344	3056	cmd.exe	101
PID 2684 wrote to memory of 3336	2684	bound.exe	102
PID 2684 wrote to memory of 3336	2684	bound.exe	102
PID 2684 wrote to memory of 3336	2684	bound.exe	102
PID 2684 wrote to memory of 4792	2684	bound.exe	103
PID 2684 wrote to memory of 4792	2684	bound.exe	103
PID 2684 wrote to memory of 4792	2684	bound.exe	103
PID 4480 wrote to memory of 1172	4480	Cluxy_multitool.exe	106
PID 4480 wrote to memory of 1172	4480	Cluxy_multitool.exe	106
PID 1172 wrote to memory of 2824	1172	cmd.exe	108
PID 1172 wrote to memory of 2824	1172	cmd.exe	108
PID 2684 wrote to memory of 404	2684	bound.exe	109
PID 2684 wrote to memory of 404	2684	bound.exe	109
PID 2684 wrote to memory of 404	2684	bound.exe	109
PID 4480 wrote to memory of 1128	4480	Cluxy_multitool.exe	111
PID 4480 wrote to memory of 1128	4480	Cluxy_multitool.exe	111
PID 2684 wrote to memory of 2780	2684	bound.exe	113
PID 2684 wrote to memory of 2780	2684	bound.exe	113
PID 2684 wrote to memory of 2780	2684	bound.exe	113
PID 1128 wrote to memory of 3728	1128	cmd.exe	115
PID 1128 wrote to memory of 3728	1128	cmd.exe	115
PID 2780 wrote to memory of 1092	2780	cmd.exe	116
PID 2780 wrote to memory of 1092	2780	cmd.exe	116
PID 2780 wrote to memory of 1092	2780	cmd.exe	116
PID 1128 wrote to memory of 2188	1128	cmd.exe	117
PID 1128 wrote to memory of 2188	1128	cmd.exe	117
PID 2684 wrote to memory of 2884	2684	bound.exe	118
PID 2684 wrote to memory of 2884	2684	bound.exe	118
PID 2684 wrote to memory of 2884	2684	bound.exe	118
PID 1128 wrote to memory of 444	1128	cmd.exe	120
PID 1128 wrote to memory of 444	1128	cmd.exe	120
PID 4480 wrote to memory of 460	4480	Cluxy_multitool.exe	121
PID 4480 wrote to memory of 460	4480	Cluxy_multitool.exe	121
PID 4480 wrote to memory of 2256	4480	Cluxy_multitool.exe	124
PID 4480 wrote to memory of 2256	4480	Cluxy_multitool.exe	124
PID 2684 wrote to memory of 1064	2684	bound.exe	128
PID 2684 wrote to memory of 1064	2684	bound.exe	128
PID 2684 wrote to memory of 1064	2684	bound.exe	128
PID 2684 wrote to memory of 4628	2684	bound.exe	129
PID 2684 wrote to memory of 4628	2684	bound.exe	129
PID 2684 wrote to memory of 4628	2684	bound.exe	129
PID 4628 wrote to memory of 1872	4628	cmd.exe	131
PID 4628 wrote to memory of 1872	4628	cmd.exe	131
PID 4628 wrote to memory of 1872	4628	cmd.exe	131
PID 4480 wrote to memory of 3872	4480	Cluxy_multitool.exe	132
PID 4480 wrote to memory of 3872	4480	Cluxy_multitool.exe	132
PID 3872 wrote to memory of 1480	3872	cmd.exe	134
PID 3872 wrote to memory of 1480	3872	cmd.exe	134
PID 4480 wrote to memory of 32	4480	Cluxy_multitool.exe	156
PID 4480 wrote to memory of 32	4480	Cluxy_multitool.exe	156

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2344	attrib.exe
3336	attrib.exe
2884	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Cluxy_multitool.exe
"C:\Users\Admin\AppData\Local\Temp\Cluxy_multitool.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Users\Admin\AppData\Local\Temp\Cluxy_multitool.exe
  "C:\Users\Admin\AppData\Local\Temp\Cluxy_multitool.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4852
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4080
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Sets desktop wallpaper using registry
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h .
        5⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:3336
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls . /grant Everyone:F /T /C /Q
        5⤵
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:4792
    - - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
        
        taskdl.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:404
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c 217261729199228.bat
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2780
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe //nologo m.vbs
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1092
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h +s F:\$RECYCLE
        5⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2884
    - - C:\Users\Admin\AppData\Local\Temp\@[email protected]
        
        @[email protected] co
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1064
      - C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
        
        TaskData\Tor\taskhsvc.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3840
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c start /b @[email protected] vs
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4628
      - C:\Users\Admin\AppData\Local\Temp\@[email protected]
        
        @[email protected] vs
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4588
    - - C:\Users\Admin\AppData\Local\Temp\taskse.exe
        
        taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4412
    - - C:\Users\Admin\AppData\Local\Temp\@[email protected]
        
        @[email protected]
        5⤵
        Executes dropped EXE
        Sets desktop wallpaper using registry
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:5008
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "hbqpqaznjyrqx231" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "hbqpqaznjyrqx231" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4360
    - - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
        
        taskdl.exe
        5⤵
        Executes dropped EXE
        
        PID:528
    - - C:\Users\Admin\AppData\Local\Temp\taskse.exe
        
        taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
        5⤵
        Executes dropped EXE
        
        PID:5072
    - - C:\Users\Admin\AppData\Local\Temp\@[email protected]
        
        @[email protected]
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4888
    - - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
        
        taskdl.exe
        5⤵
        Executes dropped EXE
        
        PID:2704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .scr"
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .scr"
      4⤵
      Drops startup file
      Views/modifies file attributes
      PID:2344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1172
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe','.py'""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1128
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3728
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2188
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe','.py'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:444
- - C:\Windows\SYSTEM32\netsh.exe
    netsh wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:2256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3872
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1480
- - C:\Windows\System32\Wbem\wmic.exe
    wmic cpu get Name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:32
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1288
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2208
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:2164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
    3⤵
    PID:3240
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
      4⤵
      PID:4772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path softwarelicensingservice get OA3xOriginalProductKey"
    3⤵
    PID:4888
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path softwarelicensingservice get OA3xOriginalProductKey
      4⤵
      PID:5076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:1468
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:3196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Cluxy_multitool.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3928
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:32
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2392

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4848

C:\Users\Public\Desktop\@[email protected]
"C:\Users\Public\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\AppV\Setup\@[email protected]

Filesize
1KB

MD5
1dd4745d64b7afe9e105d58d72055466

SHA1
78b46e08cad28187ff2060d49fd1bcf8fe6d5ce7

SHA256
668f216b2a13d85c07c453e732fd16b4b31daadf27ce712cd3724bcd37a54264

SHA512
6fccacfbabbf6af7444daf19bd8f8d07f15054177ed32b5877a062f7b484510b7f16702e6f6477cfa43a144826c873012838cbfe03a804cfa03d9f11f21ce4f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\Cryptodome\Cipher\_raw_ecb.pyd

Filesize
9KB

MD5
5ca4837fc45cd28f290b54bd2e0a67f5

SHA1
8aaee26a61a0945ddaffdbf9fd2a87272eeb8822

SHA256
77ece4effae2152c6b2e70945ce0779b95b5ca8ecd29b3a6e857b95461399534

SHA512
d6f0d2b572cc770d8c452d4d2df575c3b988dc6490a506c5602ab4599e88502e1555f5c1af33582295380c9e56d46ff9ccde9a5dba61776958173ece4c1c64c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\VCRUNTIME140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\_asyncio.pyd

Filesize
38KB

MD5
07fb4d6d21ce007476a53655659f69ae

SHA1
0e5618325c0128ef77118c692c14c12e68e51e90

SHA256
d4d85776c7bab9726d27b1fc5fb92ae7d38657cc18960f72acdfb51276d7ac67

SHA512
86c77a3617588baa94bc1fdd6fdd530a438f5270ca95f104242c29facebfe3a55d0c76ea704ef2b31ecc01eeccc56586188cc3fbd228fedf6d4ee94c85b735ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\_bz2.pyd

Filesize
48KB

MD5
c9f84cbfff18bf88923802116a013aa0

SHA1
4aabe0b93098c3ac5b843599bd3cb6b9a7d464a1

SHA256
5f33cd309ae6f049a4d8c2b6b2a8cd5ade5e8886408ed2b81719e686b68b7d13

SHA512
d3b2a8b0fa84ce3bf34f3d04535c89c58ea5c359757f2924fecea613a7a041c9bd9a47ca5df254690c92705bbd7e8f4f4be4801414437d7a5749cffde5272fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\_cffi_backend.cp312-win_amd64.pyd

Filesize
71KB

MD5
27004b1f01511fd6743ee5535de8f570

SHA1
b97baa60d6c335670b8a923fa7e6411c8e602e55

SHA256
d2d3e9d9e5855a003e3d8c7502a9814191cf2b77b99ba67777ac170440dfdccf

SHA512
bdcd7a9b9bea5a16186d1a4e097253008d5ecd37a8d8652ec21b034abafbc7e5ff9ca838c5c4cb5618d87b1aceda09e920878c403abafafa867e2d679d4d98d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\_ctypes.pyd

Filesize
59KB

MD5
dfd13a29d4871d14aeb3ef6e0aafae71

SHA1
b159bdbd5820dc3007a9b56b9489037aed7624d4

SHA256
d74b1c5b0b14e2379aad50ca5af0b1cd5979fd2f065b1beee47514e6f11deb2f

SHA512
45035d17f1aadd555edb595a4a0e656d4720771a58a7d8cd80b66740fe7f7565acae4b6a03fea4994a896f67fc5ca883d15dacb80d6146bfbf0ccb2bec9ef588

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\_decimal.pyd

Filesize
107KB

MD5
423186e586039fa189a65e843acf87e0

SHA1
8849f6038914de79f64daff868f69133c3354012

SHA256
302bd83bc48ca64cd9fe82465b5db16724f171ee7e91f28aa60b9074e9f92a7a

SHA512
c91030f91d9e0ba4ea5fcbadf2b4077d736bd7e9fa71351a85dbcca7204fecdbfd04c6afe451adb8ae1ab0c880c879e42e624645717a690ec75b5b88cac90f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\_elementtree.pyd

Filesize
59KB

MD5
39ac9ef240c031a8ee97cd8df897d859

SHA1
0f0233ac96fc493837dad7dce6f4b919aaae4613

SHA256
6d01d4b4d48c0d8b44e2fefd78b0f3bf0e4c6fab5a6b4e4e6e85c18b972c7bcc

SHA512
83e82cbcb9e1e00b144d0453af41b090f71809313ab652a9d6dbc27524b4f67336dbb50d9422846d6ab4b9fb775a1e4e68cf796eaef26d4cbf5cffd57ecefc87

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\_hashlib.pyd

Filesize
35KB

MD5
2e27d0a121f60b37c72ac44b210e0f4f

SHA1
7e880cf5f2e49ca56f8a422c74ca4f4b34017a09

SHA256
cebc38091bd20b4e74bcb1f0b1920e2422eed044aa8d1fd4e1e3adc55dcf3501

SHA512
93362cd566d4a9d3d9253abd461c2c49ab0efe972d1a946a0eb2e34bb37b7723e3164a438b3378b8b1c9e87ac987b335a2ce0499d9a50bdf7104657bb6b28647

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\_lzma.pyd

Filesize
86KB

MD5
96e99c539e2cb0683b148da367ce4389

SHA1
098c7b3ff65823236cd935d7cb80aa8009cecc3d

SHA256
72a7d452b3a164195b4a09b85a8e33ad4e6b658c10396b1a313e61da8f814304

SHA512
7572291adad01c60b9c1f266aff44ed63474436e2087a834103fc5f9e380d9c33adcdb3b82cc13f1e13caf4a84d0a8dac0511d39bf90966a821f80cafcc6eca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\_multiprocessing.pyd

Filesize
27KB

MD5
7016551a054fe5e51b83e71242cb4662

SHA1
cec3cc32a79d77f212055a57856cac2cfe4096be

SHA256
5fb8194f04e0f05ab8ede8a68f906984c7f6770f19a76c0fca30dbbdaa069135

SHA512
5fae6fe874dcf74b78fd7978a804addd086001f3bf54b2a26bea48d36b04c5f5d02fdc9ded82b5e02757921db34afcc2c793ac4bd0c2bfa519ab97ca0a8c005e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\_overlapped.pyd

Filesize
33KB

MD5
a849bfcef664851201326a739e1dba41

SHA1
f64332ffdb1dfcfc853f2b00914e7422a33b1ae3

SHA256
7e23125519f4c79b0651a36dd7820e278c0b124395d7f1fb0bc7dca78d14834b

SHA512
e33684226f445d2ec7df4452e482c4804ffd735e6c73aaa441fa3f476113de678b3945ef49d35653b614c605403f5c79cb497eb3d23025d88fc80c26206abfb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\_queue.pyd

Filesize
26KB

MD5
51c7b2ca2871fa9d4a948f2abd22de05

SHA1
a915c58f1090a5cfa4386efbd31cbdd0391547cf

SHA256
36ec2ef3f553257912e3e3d17706920c1a52c3619d5c7b157c386c1dbe6e3f52

SHA512
f398891a152049506ed278b7383d6d7df1e304b6afb41ffe15b732b0c07fced977c29fe22bfa26cd454dc0d3576ec0218e8f0dedeff6ed7b7dd55daa9b10db62

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\_socket.pyd

Filesize
44KB

MD5
0a4bec3acc2db020d129e0e3f2d0cd95

SHA1
180b4d4c5802ae94fc041360bb652cde72eca620

SHA256
3c6bb84d34e46e4fdf1ba192a4b78c4caf9217f49208147e7c46e654d444f222

SHA512
5ffde27846b7acf5ff1da513930ead85c6e95f92c71ee630bcc8932fdf5e4f9c42b027e14df8e9596adf67f9d6467c5454b3bda5a39d69e20745f71eca7ed685

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\_sqlite3.pyd

Filesize
57KB

MD5
337889448ecd97a305a96cf61f1b84b9

SHA1
c981100ec4b5921d5b7c865d4458b67af67cf325

SHA256
a35a017ee1c003290f4850b4c3d7140f5f0df98d2178bf67923a610aee1679be

SHA512
6f7789bcf2c63faff5842ecf8494a0f47446fa0dcb6890bf664cc661f030309d28fa3d5d18f20c7ddd9fda036068902b42fff7ae34b84ca035b2729ba4ef6306

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\_ssl.pyd

Filesize
66KB

MD5
4dc99d3cbe1bb4b474d8c1bc70b5b7d0

SHA1
356565045cc67ee517900f13fb9b3042e336804a

SHA256
570e29e73fc398c52abeebb92654ac321dad50e625c1230d919d88da1fd8d8d0

SHA512
bc35069e407ba14c859e5d1372d19ca6dbdc2449f93760c012a492eee404e11255e9ea0d883b7a3807e1e0afcc223e27694acd794b7986f5ed5fdd6b7abd0000

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\_uuid.pyd

Filesize
25KB

MD5
d8c6d60ea44694015ba6123ff75bd38d

SHA1
813deb632f3f3747fe39c5b8ef67bada91184f62

SHA256
8ae23bfa84ce64c3240c61bedb06172bfd76be2ad30788d4499cb24047fce09f

SHA512
d3d408c79e291ed56ca3135b5043e555e53b70dff45964c8c8d7ffa92b27c6cdea1e717087b79159181f1258f9613fe6d05e3867d9c944f43a980b5bf27a75ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\_wmi.pyd

Filesize
28KB

MD5
d6731fc47332f01c741d8b64521d86a0

SHA1
29751383560d17029952fd1fa0e92168f8096b3d

SHA256
5632cc7e014771e3bfd0580d24244ed3b56447689d97bd851d02601f615baae4

SHA512
88838be8ca11afc5951a373ccd6e34b91e69a68a2ad9f3b042f708b54e1e7d9745ec59eab9ab58398de9ab1205546eb20c96469c59fa5809d350ccda35d29cc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\base_library.zip

Filesize
1.3MB

MD5
21bf7b131747990a41b9f8759c119302

SHA1
70d4da24b4c5a12763864bf06ebd4295c16092d9

SHA256
f36454a982f5665d4e7fcc69ee81146965358fcb7f5d59f2cd8861ca89c66efa

SHA512
4cb45e9c48d4544c1a171d88581f857d8c5cf74e273bb2acf40a50a35c5148fe7d6e9afcf5e1046a7d7ae77f9196f7308ae3869c18d813fcd48021b4d112deb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\bound.luna

Filesize
3.3MB

MD5
c73e7a81326a8451950f3e047c90c7cd

SHA1
7d4abe38d0d5026d27bd4c96a2cfebc5553a795d

SHA256
b202850236ba754162aff91ea1181e16b10e2b2983323357ad1e5d0f42f4e631

SHA512
3d5076ae4c011fdcfbfc637f3d4c2006713312c36d239c467ac634c39631d857c60290a8de1b2470c8f7c54917dae1c60b36109bd029b2ce28a78e5d439c1fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\certifi\cacert.pem

Filesize
292KB

MD5
50ea156b773e8803f6c1fe712f746cba

SHA1
2c68212e96605210eddf740291862bdf59398aef

SHA256
94edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47

SHA512
01ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\charset_normalizer\md.cp312-win_amd64.pyd

Filesize
9KB

MD5
e7bc35f372642dd06c9d21a1db3ea4fc

SHA1
e5ea4bf23ee6e21925ea0c19562b9ea586b06e9e

SHA256
d28c01169a704d1ba33c7c650775b206af3d07abcd4168235bc2416d193985c1

SHA512
3d294427b21ac6a4ecaa2a95d8cee097d2c7e74b4c0c85c03700c05ecc794df32a988af8d9a725afddca98b1f4eba3ed2b7f3155847330aefbc09214832d8e30

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\charset_normalizer\md__mypyc.cp312-win_amd64.pyd

Filesize
39KB

MD5
044aa54c359f57f827647c7eee04d267

SHA1
88b6e44d3c40173a06e9e3378494e0eb9b06d8e0

SHA256
f03556de88030fa893711275b4daeff39f1f14c30b1967ea3a9b140cc8632bb5

SHA512
d22cad7389020f0ed895ffcfa6cc17f3a6cb7f73ffebb5636df7b64d6ab3caf7c503e7d407f47f4250fd5981156789b2f7235eb49830b1d86a268ef2c53ed441

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\libcrypto-3.dll

Filesize
1.6MB

MD5
64c76a85cbc744a0a930e9cfc29e20a1

SHA1
e67b24269797d67e3e94042b8c333dc984bdddb8

SHA256
5bcb5de3eff2a80e7d57725ab9e5013f2df728e8a41278fe06d5ac4de91bd26c

SHA512
7e7fdb2356b18a188fd156e332f7ff03b29781063cadc80204159a789910763515b8150292b27f2ce2e9bdaf6c704e377561601d8a5871dcb6b9dd967d9ffa7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\libffi-8.dll

Filesize
29KB

MD5
be8ceb4f7cb0782322f0eb52bc217797

SHA1
280a7cc8d297697f7f818e4274a7edd3b53f1e4d

SHA256
7d08df2c496c32281bf9a010b62e8898b9743db8b95a7ebee12d746c2e95d676

SHA512
07318c71c3137114e0cfec7d8b4815fd6efa51ce70b377121f26dc469cefe041d5098e1c92af8ed0c53b21e9c845fddee4d6646d5bd8395a3f1370ba56a59571

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\libssl-3.dll

Filesize
221KB

MD5
860af4bc2bad883faef1715a1cebb0dd

SHA1
9e498e8267f0d680b7f8f572bc67ef9ec47e5dd9

SHA256
5027010163bfecded82cb733e971c37a4d71653974813e96839f1b4e99412a60

SHA512
9f5a130d566cf81d735b4d4f7816e7796becd5f9768391c0f73c6e9b45e69d72ee27ec9e2694648310f9de317ae0e42fab646a457758e4d506c5d4d460660b0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\luna.aes

Filesize
297KB

MD5
026f8783612ec71aa88b056197340215

SHA1
287e2f7becb593937f75b4616df63326135a0607

SHA256
5bed9186614e23ad03687998892c52947bf30b1ea77b1f33104195c7b9f9140e

SHA512
310169e11c14748c737f102426e03abfac98276a73f81f77b3fe3dabefee1d2fa94c701c986499e5999c2613180459f67d4e31c5604067138941a8a2406fee2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\psutil\_psutil_windows.pyd

Filesize
31KB

MD5
3adca2ff39adeb3567b73a4ca6d0253c

SHA1
ae35dde2348c8490f484d1afd0648380090e74fc

SHA256
92202b877579b74a87be769d58f9d1e8aced8a97336ad70e97d09685a10afeb3

SHA512
358d109b23cf99eb7396c450660f193e9e16f85f13737ecf29f4369b44f8356041a08443d157b325ccb5125a5f10410659761eda55f24fcc03a082ac8acdd345

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\pyexpat.pyd

Filesize
88KB

MD5
228e59c72c273970a4a7ab134f9cf282

SHA1
a19ff9c27f969c3657865ecc4202613a721c4610

SHA256
b255658ed4c5f8dc2d8de1652237f3199d3f10d560e8f4c9e8b81168b994849f

SHA512
5cc585172c65443f72f17dce87faafddf6c055a201c7899d046b14c67696aef4a1416faad81718476982f6fd191683e1126b9bb35666d9905b9c855aa8d9dedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\python3.dll

Filesize
66KB

MD5
5eace36402143b0205635818363d8e57

SHA1
ae7b03251a0bac083dec3b1802b5ca9c10132b4c

SHA256
25a39e721c26e53bec292395d093211bba70465280acfa2059fa52957ec975b2

SHA512
7cb3619ea46fbaaf45abfa3d6f29e7a5522777980e0a9d2da021d6c68bcc380abe38e8004e1f31d817371fb3cdd5425d4bb115cb2dc0d40d59d111a2d98b21d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\python312.dll

Filesize
1.7MB

MD5
5750b5cbbb8628436ce9a3557efad861

SHA1
fb6fda4ca5dd9415a2031a581c1e0f055fed63b5

SHA256
587598b6c81f4f4dce3afd40ca6d4814d6cfdb9161458d2161c33abfdadc9e48

SHA512
d23938796b4e7b6ae7601c3ab9c513eb458cccb13b597b2e20762e829ce4ace7b810039c713ec996c7e2ce8cfb12d1e7231903f06f424266f460a004bd3f6f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\select.pyd

Filesize
25KB

MD5
b14ab29e811eaa90076840426ab1ab1b

SHA1
14f18ed4eebcc9567dec7967a23d35429ab2edba

SHA256
231d5f116b86a46dad697b5f2725b58df0ceee5de057eec9363f86136c162707

SHA512
a382c0d311953b8fcf06c0758ac92060ccf04b344485025af4a466ecd8f84f5665e29b4169fe5ed4b1c2daeeaa5e44069a5f1cdf5fc59a00a16b8bd883a5d658

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\setuptools\_vendor\jaraco\text\Lorem ipsum.txt

Filesize
1KB

MD5
4ce7501f6608f6ce4011d627979e1ae4

SHA1
78363672264d9cd3f72d5c1d3665e1657b1a5071

SHA256
37fedcffbf73c4eb9f058f47677cb33203a436ff9390e4d38a8e01c9dad28e0b

SHA512
a4cdf92725e1d740758da4dd28df5d1131f70cef46946b173fe6956cc0341f019d7c4fecc3c9605f354e1308858721dada825b4c19f59c5ad1ce01ab84c46b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\setuptools\_vendor\wheel-0.43.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\sqlite3.dll

Filesize
644KB

MD5
89c7a4482b66a862b282a25a1903fde3

SHA1
15d9d4df5d6bdfef70e50cfaf56c405293ddd835

SHA256
1f7c0eef1a1c27826f056f8c931b130001b45337d6984b27f6f10355c119bba8

SHA512
e234c1769e8881683c821d2bf5b1c713493b4212fbfecec95eba3cf33ca23d66bcd07767f6e46506a4acc25f2db71c8b682a60be0ae8e349df1c844a5ccce067

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\unicodedata.pyd

Filesize
296KB

MD5
129b358732e77d400bcf38f00cdd197e

SHA1
384b16e35ed4b9a55f35cedbb71be354fa78242a

SHA256
e397fc3ccaee0233f1b793c953f7506426d64765a801a05259afd1a10a25b05a

SHA512
8af8e97fd52e9026da877ebe94b1c82e32ab19233f312f170bf589db9ec15b0736cfa39abd5cf6e1e4d9a3bc6a212578f81fdd9c04758b6ab5a2834b203067da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\zstandard\backend_c.cp312-win_amd64.pyd

Filesize
167KB

MD5
2f12da584a362bad45c6b9b3ddd2445c

SHA1
86adc05435a9a7dc0b0c676456b15f64d7df6f44

SHA256
da95d86762fb4ea6a479990e1b91591ccad7d0f88072a7805052cd71168db115

SHA512
6113292936ea39c45764c240e04a92479403ef6c64aa959922e94f990f8d405299793acbdeb8a4c924d81857e12b3d83e7c8c93c261e8101f4eee44ab77dc92e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a0j5ojhk.hc5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\oPtzNbGTSX\Browser\cc's.txt

Filesize
91B

MD5
5aa796b6950a92a226cc5c98ed1c47e8

SHA1
6706a4082fc2c141272122f1ca424a446506c44d

SHA256
c4c83da3a904a4e7114f9bd46790db502cdd04800e684accb991cd1a08ee151c

SHA512
976f403257671e8f652bf988f4047202e1a0fd368fdb2bab2e79ece1c20c7eb775c4b3a8853c223d4f750f4192cd09455ff024918276dc1dd1442fa3b36623ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\oPtzNbGTSX\Browser\history.txt

Filesize
23B

MD5
5638715e9aaa8d3f45999ec395e18e77

SHA1
4e3dc4a1123edddf06d92575a033b42a662fe4ad

SHA256
4db7f6559c454d34d9c2d557524603c3f52649c2d69b26b6e8384a3d179aeae6

SHA512
78c96efab1d941e34d3137eae32cef041e2db5b0ebbf883e6a2effa79a323f66e00cfb7c45eb3398b3cbd0469a2be513c3ff63e5622261857eefc1685f77f76b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oPtzNbGTSX\Common Files\BackupExport.xltx

Filesize
1.5MB

MD5
e44fe781635b14ce9b2099bd3a07406e

SHA1
cae102ba1b1195b63e0607140a88f6020769802a

SHA256
b933167b1a01b2ab9ed19ed4498218dcadc89e0fcc4891d72b9e5cc6187c2c76

SHA512
b9cfb8de0a46d47360214b928c4aebc071ad8e7b431c0025afc0ef85d82b0b291e05fd1e7ab027306bbdd505dd0fb1af56ec610bd864ed97624e4f927c69a987

Download Submit
C:\Users\Admin\AppData\Local\Temp\oPtzNbGTSX\Common Files\BackupExport.xltx.WNCRY

Filesize
1.5MB

MD5
b72f019dedb805f78a8337964f6c559a

SHA1
92bc6a7b0a364e464e4b9459f3da675d7a2bf8e2

SHA256
f1825bfb66ff5ff5b215923f774dabf2855ee06017745ea0553d753c21ee12fa

SHA512
c6d4791243af1a001862bad2f71449555cd96081b079fab34fe837ce76703f9909eab97ace3eba09bcdfc6ecf45b7f45dd09bb4680ab0059d75688546bd5604b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oPtzNbGTSX\Common Files\BackupUnpublish.dwg

Filesize
253KB

MD5
59f9ee67f489f25ec9a7a3557edc7bcc

SHA1
718b5462bdd5df7d7c9a72022e6d8e7c0e4098ef

SHA256
ecf45b9b1db125edff065ba41b8e4f0a8b1d195a64a55e9ff6801ff6355b9872

SHA512
6bee3b6c5904ca30fbdfb8d6849e8b0e080cd0ca73bb12f85d97e71803421c221c1c23d6aaf68e0b2a0a7598d29c1431f76c426f2c4a01eec3f63327749a777e

Download Submit
C:\Users\Admin\AppData\Local\Temp\oPtzNbGTSX\Common Files\BackupUnpublish.dwg.WNCRY

Filesize
254KB

MD5
b779c203f083daa466684c073fb5bfce

SHA1
6d3f603d11b7b67ff44767a5da780497dccc7983

SHA256
c5ae5fd1d205df556be4a3775c68c6ec55c67fe87b6c0144a2eccc2967441252

SHA512
7e1a49837fb48593ca0a81d7573fdce56e472c6ea8fc5aaf75a5117841cb4545705c4ea1f1884be4878360140ea4d7e5f0608c9d3c46822205a79863767c253c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oPtzNbGTSX\Common Files\ConvertToSend.doc

Filesize
516KB

MD5
cd5fbb14175f9487c72b6f6b69b225dc

SHA1
7bc1b7e84631cf867e72734f3b237b1f42bdfb26

SHA256
535cd225add3b0daa5edf39b8c356c3ecf7fd9dd19f16784bf604063629ca7ad

SHA512
6921defc1af719adddaf60dafd8e0f7b69a23fa41ddae0bd8935761089a41b8a222add6b59ec40ac9d3d385bfd52dc3d7b56f0e481737f73c9c08dd17f70ee90

Download Submit
C:\Users\Admin\AppData\Local\Temp\oPtzNbGTSX\Common Files\EnterRedo.txt

Filesize
417KB

MD5
6fe48e69d759e013998e4b79c559353d

SHA1
af33dd2d91b741f7fa101c2864264d8f5fc90495

SHA256
8f5837fb064d36b0476310168ce4de58501c84625e457ebfa9108fcc24a349ce

SHA512
2bc3ba7e2b9ed632e03d34badecd692eb9a9c521cdbeea835a8fae2b7bbae456a4a03524bcb97bd8c0894d043044a1fc62991b1723e06efa156aaae33f5bdb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oPtzNbGTSX\Common Files\SkipConvert.odt

Filesize
204KB

MD5
85bbfa38a737b89868eb512db89fb875

SHA1
720a118925c65075f605a335b2ceb16291cc2f87

SHA256
006e36389724b8fd1784bd8eaacd0e8587ddb146e30f71019afd6147f890a8e3

SHA512
e7558624ed365649055cfa36ab7109542a53e27f3d63266073327fba649b14a3265d5ddecdbab56faafc43f4c7b5f38649a096c676d95b2e4552d31d4b05efe1

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
4.9MB

MD5
abc94a3172a038e77f3000bb5ecee3f4

SHA1
c89f404e8a8c266e07c7da54c054eaec2be7e6ae

SHA256
6774d6aaa8b3d419c206ea6f362aa8cffd304ca5d7fc6b83bc6493e7791915af

SHA512
544c325e00a2dbff1618a0f09592ce759112f983c795b5332cec5d7ab758222b7eadb98bdda45d64ccfb36e1787c1b2b04c77af710019cd33512b9a5daec3c9e

Download Submit
C:\Users\Default\Desktop\@[email protected]

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
memory/1468-919-0x000001D39C360000-0x000001D39C382000-memory.dmp

Filesize
136KB

Download
memory/2684-910-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/3840-2473-0x00000000738E0000-0x0000000073902000-memory.dmp

Filesize
136KB

Download
memory/3840-2471-0x00000000735B0000-0x00000000737CC000-memory.dmp

Filesize
2.1MB

Download
memory/3840-2472-0x0000000073850000-0x00000000738D2000-memory.dmp

Filesize
520KB

Download
memory/3840-2474-0x00000000006A0000-0x000000000099E000-memory.dmp

Filesize
3.0MB

Download
memory/3840-2470-0x0000000073930000-0x00000000739B2000-memory.dmp

Filesize
520KB

Download
memory/4480-2384-0x00007FF867360000-0x00007FF8674DF000-memory.dmp

Filesize
1.5MB

Download
memory/4480-830-0x00007FF876560000-0x00007FF87656B000-memory.dmp

Filesize
44KB

Download
memory/4480-835-0x00007FF867340000-0x00007FF86734C000-memory.dmp

Filesize
48KB

Download
memory/4480-834-0x00007FF867350000-0x00007FF86735B000-memory.dmp

Filesize
44KB

Download
memory/4480-833-0x00007FF86E630000-0x00007FF86E63B000-memory.dmp

Filesize
44KB

Download
memory/4480-832-0x00007FF870F90000-0x00007FF870F9C000-memory.dmp

Filesize
48KB

Download
memory/4480-831-0x00007FF872340000-0x00007FF87234B000-memory.dmp

Filesize
44KB

Download
memory/4480-2365-0x00007FF878200000-0x00007FF878225000-memory.dmp

Filesize
148KB

Download
memory/4480-829-0x00007FF867830000-0x00007FF867D63000-memory.dmp

Filesize
5.2MB

Download
memory/4480-825-0x00007FF878120000-0x00007FF878134000-memory.dmp

Filesize
80KB

Download
memory/4480-844-0x00007FF8672A0000-0x00007FF8672B2000-memory.dmp

Filesize
72KB

Download
memory/4480-821-0x00007FF8765C0000-0x00007FF8765D8000-memory.dmp

Filesize
96KB

Download
memory/4480-820-0x00007FF877360000-0x00007FF877396000-memory.dmp

Filesize
216KB

Download
memory/4480-845-0x00007FF867290000-0x00007FF86729C000-memory.dmp

Filesize
48KB

Download
memory/4480-846-0x00007FF867260000-0x00007FF86728A000-memory.dmp

Filesize
168KB

Download
memory/4480-847-0x00007FF868930000-0x00007FF86893C000-memory.dmp

Filesize
48KB

Download
memory/4480-782-0x00007FF878180000-0x00007FF878199000-memory.dmp

Filesize
100KB

Download
memory/4480-850-0x00007FF868AE0000-0x00007FF868BAE000-memory.dmp

Filesize
824KB

Download
memory/4480-856-0x00007FF865A20000-0x00007FF866DC7000-memory.dmp

Filesize
19.7MB

Download
memory/4480-851-0x00007FF867220000-0x00007FF86722B000-memory.dmp

Filesize
44KB

Download
memory/4480-852-0x00007FF867560000-0x00007FF86767A000-memory.dmp

Filesize
1.1MB

Download
memory/4480-854-0x00007FF868940000-0x00007FF8689C7000-memory.dmp

Filesize
540KB

Download
memory/4480-855-0x00007FF866DD0000-0x00007FF8671F5000-memory.dmp

Filesize
4.1MB

Download
memory/4480-853-0x00007FF867200000-0x00007FF86721C000-memory.dmp

Filesize
112KB

Download
memory/4480-848-0x00007FF876500000-0x00007FF876533000-memory.dmp

Filesize
204KB

Download
memory/4480-758-0x00007FF8781A0000-0x00007FF8781CD000-memory.dmp

Filesize
180KB

Download
memory/4480-755-0x00007FF8781D0000-0x00007FF8781EA000-memory.dmp

Filesize
104KB

Download
memory/4480-849-0x00007FF867230000-0x00007FF86725F000-memory.dmp

Filesize
188KB

Download
memory/4480-752-0x00007FF8781F0000-0x00007FF8781FF000-memory.dmp

Filesize
60KB

Download
memory/4480-750-0x00007FF878200000-0x00007FF878225000-memory.dmp

Filesize
148KB

Download
memory/4480-826-0x00007FF867360000-0x00007FF8674DF000-memory.dmp

Filesize
1.5MB

Download
memory/4480-823-0x00007FF8674E0000-0x00007FF867504000-memory.dmp

Filesize
144KB

Download
memory/4480-864-0x00007FF867360000-0x00007FF8674DF000-memory.dmp

Filesize
1.5MB

Download
memory/4480-863-0x00007FF8674E0000-0x00007FF867504000-memory.dmp

Filesize
144KB

Download
memory/4480-812-0x00007FF877800000-0x00007FF87780B000-memory.dmp

Filesize
44KB

Download
memory/4480-837-0x00007FF867320000-0x00007FF86732E000-memory.dmp

Filesize
56KB

Download
memory/4480-857-0x00007FF865950000-0x00007FF865972000-memory.dmp

Filesize
136KB

Download
memory/4480-815-0x00007FF878160000-0x00007FF87816F000-memory.dmp

Filesize
60KB

Download
memory/4480-816-0x00007FF86EBE0000-0x00007FF86EC07000-memory.dmp

Filesize
156KB

Download
memory/4480-808-0x00007FF868940000-0x00007FF8689C7000-memory.dmp

Filesize
540KB

Download
memory/4480-1084-0x00007FF867260000-0x00007FF86728A000-memory.dmp

Filesize
168KB

Download
memory/4480-1111-0x00007FF867230000-0x00007FF86725F000-memory.dmp

Filesize
188KB

Download
memory/4480-786-0x00007FF878160000-0x00007FF87816F000-memory.dmp

Filesize
60KB

Download
memory/4480-791-0x00007FF878140000-0x00007FF87814D000-memory.dmp

Filesize
52KB

Download
memory/4480-794-0x00007FF867D70000-0x00007FF868435000-memory.dmp

Filesize
6.8MB

Download
memory/4480-1973-0x00007FF866DD0000-0x00007FF8671F5000-memory.dmp

Filesize
4.1MB

Download
memory/4480-2364-0x00007FF867D70000-0x00007FF868435000-memory.dmp

Filesize
6.8MB

Download
memory/4480-843-0x00007FF8672C0000-0x00007FF8672CD000-memory.dmp

Filesize
52KB

Download
memory/4480-2397-0x00007FF865A20000-0x00007FF866DC7000-memory.dmp

Filesize
19.7MB

Download
memory/4480-2376-0x00007FF876500000-0x00007FF876533000-memory.dmp

Filesize
204KB

Download
memory/4480-842-0x00007FF8672D0000-0x00007FF8672DB000-memory.dmp

Filesize
44KB

Download
memory/4480-836-0x00007FF867330000-0x00007FF86733D000-memory.dmp

Filesize
52KB

Download
memory/4480-2382-0x00007FF8765C0000-0x00007FF8765D8000-memory.dmp

Filesize
96KB

Download
memory/4480-795-0x00007FF878120000-0x00007FF878134000-memory.dmp

Filesize
80KB

Download
memory/4480-796-0x00007FF867830000-0x00007FF867D63000-memory.dmp

Filesize
5.2MB

Download
memory/4480-804-0x00007FF8781A0000-0x00007FF8781CD000-memory.dmp

Filesize
180KB

Download
memory/4480-805-0x00007FF867560000-0x00007FF86767A000-memory.dmp

Filesize
1.1MB

Download
memory/4480-801-0x00007FF868AE0000-0x00007FF868BAE000-memory.dmp

Filesize
824KB

Download
memory/4480-799-0x00007FF876500000-0x00007FF876533000-memory.dmp

Filesize
204KB

Download
memory/4480-797-0x00007FF878200000-0x00007FF878225000-memory.dmp

Filesize
148KB

Download
memory/4480-789-0x00007FF877360000-0x00007FF877396000-memory.dmp

Filesize
216KB

Download
memory/4480-784-0x00007FF878170000-0x00007FF87817D000-memory.dmp

Filesize
52KB

Download
memory/4480-838-0x00007FF867310000-0x00007FF86731C000-memory.dmp

Filesize
48KB

Download
memory/4480-839-0x00007FF867300000-0x00007FF86730B000-memory.dmp

Filesize
44KB

Download
memory/4480-840-0x00007FF8672F0000-0x00007FF8672FB000-memory.dmp

Filesize
44KB

Download
memory/4480-841-0x00007FF8672E0000-0x00007FF8672EC000-memory.dmp

Filesize
48KB

Download
memory/4480-2371-0x00007FF878160000-0x00007FF87816F000-memory.dmp

Filesize
60KB

Download
memory/4480-2484-0x00007FF867D70000-0x00007FF868435000-memory.dmp

Filesize
6.8MB

Download
memory/4480-2503-0x00007FF8674E0000-0x00007FF867504000-memory.dmp

Filesize
144KB

Download
memory/4480-2485-0x00007FF878200000-0x00007FF878225000-memory.dmp

Filesize
148KB

Download
memory/4480-2562-0x00007FF878160000-0x00007FF87816F000-memory.dmp

Filesize
60KB

Download
memory/4480-2565-0x00007FF878120000-0x00007FF878134000-memory.dmp

Filesize
80KB

Download
memory/4480-2573-0x00007FF8765C0000-0x00007FF8765D8000-memory.dmp

Filesize
96KB

Download
memory/4480-2587-0x00007FF8672E0000-0x00007FF8672EC000-memory.dmp

Filesize
48KB

Download
memory/4480-2586-0x00007FF8672F0000-0x00007FF8672FB000-memory.dmp

Filesize
44KB

Download
memory/4480-2585-0x00007FF867300000-0x00007FF86730B000-memory.dmp

Filesize
44KB

Download
memory/4480-2584-0x00007FF867310000-0x00007FF86731C000-memory.dmp

Filesize
48KB

Download
memory/4480-2583-0x00007FF867320000-0x00007FF86732E000-memory.dmp

Filesize
56KB

Download
memory/4480-2582-0x00007FF867330000-0x00007FF86733D000-memory.dmp

Filesize
52KB

Download
memory/4480-2581-0x00007FF867340000-0x00007FF86734C000-memory.dmp

Filesize
48KB

Download
memory/4480-2580-0x00007FF867350000-0x00007FF86735B000-memory.dmp

Filesize
44KB

Download
memory/4480-2579-0x00007FF86E630000-0x00007FF86E63B000-memory.dmp

Filesize
44KB

Download
memory/4480-2578-0x00007FF870F90000-0x00007FF870F9C000-memory.dmp

Filesize
48KB

Download
memory/4480-2577-0x00007FF872340000-0x00007FF87234B000-memory.dmp

Filesize
44KB

Download
memory/4480-2575-0x00007FF867200000-0x00007FF86721C000-memory.dmp

Filesize
112KB

Download
memory/4480-2574-0x00007FF8674E0000-0x00007FF867504000-memory.dmp

Filesize
144KB

Download
memory/4480-2572-0x00007FF86EBE0000-0x00007FF86EC07000-memory.dmp

Filesize
156KB

Download
memory/4480-2571-0x00007FF877800000-0x00007FF87780B000-memory.dmp

Filesize
44KB

Download
memory/4480-2576-0x00007FF867230000-0x00007FF86725F000-memory.dmp

Filesize
188KB

Download
memory/4480-2569-0x00007FF867560000-0x00007FF86767A000-memory.dmp

Filesize
1.1MB

Download
memory/4480-2568-0x00007FF868AE0000-0x00007FF868BAE000-memory.dmp

Filesize
824KB

Download
memory/4480-2567-0x00007FF876500000-0x00007FF876533000-memory.dmp

Filesize
204KB

Download
memory/4480-2566-0x00007FF867D70000-0x00007FF868435000-memory.dmp

Filesize
6.8MB

Download
memory/4480-2564-0x00007FF878140000-0x00007FF87814D000-memory.dmp

Filesize
52KB

Download
memory/4480-2563-0x00007FF877360000-0x00007FF877396000-memory.dmp

Filesize
216KB

Download
memory/4480-2570-0x00007FF868940000-0x00007FF8689C7000-memory.dmp

Filesize
540KB

Download
memory/4480-2561-0x00007FF878180000-0x00007FF878199000-memory.dmp

Filesize
100KB

Download
memory/4480-2560-0x00007FF878170000-0x00007FF87817D000-memory.dmp

Filesize
52KB

Download
memory/4480-2559-0x00007FF8781A0000-0x00007FF8781CD000-memory.dmp

Filesize
180KB

Download
memory/4480-2558-0x00007FF8781D0000-0x00007FF8781EA000-memory.dmp

Filesize
104KB

Download
memory/4480-2557-0x00007FF8781F0000-0x00007FF8781FF000-memory.dmp

Filesize
60KB

Download
memory/4480-2556-0x00007FF878200000-0x00007FF878225000-memory.dmp

Filesize
148KB

Download
memory/4480-2555-0x00007FF868930000-0x00007FF86893C000-memory.dmp

Filesize
48KB

Download
memory/4480-742-0x00007FF867D70000-0x00007FF868435000-memory.dmp

Filesize
6.8MB

Download