Malware Analysis Report

2024-11-15 09:53

Sample ID 241109-weksgasjcp
Target stub.exe
SHA256 b710fd65e4f563895f1c410f56e2798d90e1e980d35bdd60b7111f2bf83ff1db
Tags
pyinstaller exelastealer collection discovery evasion persistence privilege_escalation spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b710fd65e4f563895f1c410f56e2798d90e1e980d35bdd60b7111f2bf83ff1db

Threat Level: Known bad

The file stub.exe was found to be: Known bad.

Malicious Activity Summary

pyinstaller exelastealer collection discovery evasion persistence privilege_escalation spyware stealer

Exelastealer family

Exela Stealer

Grants admin privileges

Modifies Windows Firewall

Clipboard Data

Loads dropped DLL

Reads user/profile data of web browsers

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Network Service Discovery

Enumerates processes with tasklist

Launches sc.exe

System Network Configuration Discovery: Wi-Fi Discovery

Unsigned PE

System Network Connections Discovery

Embeds OpenSSL

Detects Pyinstaller

Permission Groups Discovery: Local Groups

Event Triggered Execution: Netsh Helper DLL

Browser Information Discovery

Suspicious use of WriteProcessMemory

Gathers system information

Collects information from the system

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Detects videocard installed

Suspicious behavior: EnumeratesProcesses

Gathers network information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 17:50

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 17:50

Reported

2024-11-09 17:52

Platform

win7-20240729-en

Max time kernel

21s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\stub.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\stub.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1456 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Users\Admin\AppData\Local\Temp\stub.exe

Processes

C:\Users\Admin\AppData\Local\Temp\stub.exe

"C:\Users\Admin\AppData\Local\Temp\stub.exe"

C:\Users\Admin\AppData\Local\Temp\stub.exe

"C:\Users\Admin\AppData\Local\Temp\stub.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI14562\python310.dll

MD5 63a1fa9259a35eaeac04174cecb90048
SHA1 0dc0c91bcd6f69b80dcdd7e4020365dd7853885a
SHA256 14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed
SHA512 896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 17:50

Reported

2024-11-09 17:54

Platform

win10v2004-20241007-en

Max time kernel

96s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\stub.exe"

Signatures

Exela Stealer

stealer exelastealer

Exelastealer family

exelastealer

Grants admin privileges

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Clipboard Data

collection
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\stub.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\ARP.EXE N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Browser Information Discovery

discovery

Embeds OpenSSL

Description Indicator Process Target
N/A N/A N/A N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Permission Groups Discovery: Local Groups

discovery

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

System Network Connections Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4440 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Users\Admin\AppData\Local\Temp\stub.exe
PID 2088 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 4820 wrote to memory of 444 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3236 wrote to memory of 1792 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2088 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 1580 wrote to memory of 2068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2088 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 2140 wrote to memory of 2240 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2088 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 3348 wrote to memory of 3916 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3468 wrote to memory of 3584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2088 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 756 wrote to memory of 4472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3968 wrote to memory of 988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe
PID 2088 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 3444 wrote to memory of 2652 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4308 wrote to memory of 4272 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4272 wrote to memory of 1888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1960 wrote to memory of 1640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4452 wrote to memory of 3356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3356 wrote to memory of 2828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2088 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 4856 wrote to memory of 4576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe

Processes

C:\Users\Admin\AppData\Local\Temp\stub.exe

"C:\Users\Admin\AppData\Local\Temp\stub.exe"

C:\Users\Admin\AppData\Local\Temp\stub.exe

"C:\Users\Admin\AppData\Local\Temp\stub.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get Manufacturer

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "gdb --version"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_ComputerSystem get Manufacturer

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\mshta.exe

mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Clipboard

C:\Windows\system32\cmd.exe

cmd.exe /c chcp

C:\Windows\system32\chcp.com

chcp

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

cmd.exe /c chcp

C:\Windows\system32\chcp.com

chcp

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\HOSTNAME.EXE

hostname

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get caption,description,providername

C:\Windows\system32\net.exe

net user

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user

C:\Windows\system32\query.exe

query user

C:\Windows\system32\quser.exe

"C:\Windows\system32\quser.exe"

C:\Windows\system32\net.exe

net localgroup

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup

C:\Windows\system32\net.exe

net localgroup administrators

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup administrators

C:\Windows\system32\net.exe

net user guest

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user guest

C:\Windows\system32\net.exe

net user administrator

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user administrator

C:\Windows\System32\Wbem\WMIC.exe

wmic startup get caption,command

C:\Windows\system32\tasklist.exe

tasklist /svc

C:\Windows\system32\ipconfig.exe

ipconfig /all

C:\Windows\system32\ROUTE.EXE

route print

C:\Windows\system32\ARP.EXE

arp -a

C:\Windows\system32\NETSTAT.EXE

netstat -ano

C:\Windows\system32\sc.exe

sc query type= service state= all

C:\Windows\system32\netsh.exe

netsh firewall show state

C:\Windows\system32\netsh.exe

netsh firewall show config

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
N/A 127.0.0.1:55853 tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
N/A 127.0.0.1:55864 tcp
N/A 127.0.0.1:55870 tcp
N/A 127.0.0.1:55872 tcp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
US 162.159.137.232:443 discord.com tcp
US 8.8.8.8:53 api.gofile.io udp
FR 45.112.123.126:443 api.gofile.io tcp
US 8.8.8.8:53 store1.gofile.io udp
FR 45.112.123.227:443 store1.gofile.io tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 232.137.159.162.in-addr.arpa udp
US 8.8.8.8:53 126.123.112.45.in-addr.arpa udp
US 8.8.8.8:53 227.123.112.45.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 162.159.137.232:443 discord.com tcp
N/A 127.0.0.1:55958 tcp
N/A 127.0.0.1:55960 tcp
FR 45.112.123.126:443 api.gofile.io tcp
FR 45.112.123.227:443 store1.gofile.io tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 162.159.137.232:443 discord.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI44402\python310.dll

C:\Users\Admin\AppData\Local\Temp\_MEI44402\VCRUNTIME140.dll

C:\Users\Admin\AppData\Local\Temp\_MEI44402\base_library.zip

C:\Users\Admin\AppData\Local\Temp\_MEI44402\python3.DLL

C:\Users\Admin\AppData\Local\Temp\_MEI44402\_ctypes.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI44402\libffi-7.dll

C:\Users\Admin\AppData\Local\Temp\_MEI44402\libcrypto-1_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI44402\_uuid.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI44402\_ssl.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI44402\_sqlite3.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI44402\_socket.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI44402\_queue.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI44402\_overlapped.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI44402\_multiprocessing.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI44402\_lzma.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI44402\_hashlib.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI44402\_decimal.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI44402\_cffi_backend.cp310-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI44402\_bz2.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI44402\_brotli.cp310-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI44402\_asyncio.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI44402\unicodedata.pyd
SHA1 fe4a4fc35df240b50db22b35824e4826059a807b
SHA256 1fb2d66c056f69e8bbdd8c6c910e72697874dae680264f8fb4b4df19af98aa2e
SHA512 7d15d741378e671591356dfaad4e1e03d3f5456cbdf87579b61d02a4a52ab9b6ecbffad3274cede8c876ea19eaeb8ba4372ad5986744d430a29f50b9caffb75d

C:\Users\Admin\AppData\Local\Temp\_MEI44402\sqlite3.dll

MD5 914925249a488bd62d16455d156bd30d
SHA1 7e66ba53f3512f81c9014d322fcb7dd895f62c55
SHA256 fbd8832b5bc7e5c9adcf7320c051a67ee1c33fd198105283058533d132785ab4
SHA512 21a468929b15b76b313b32be65cfc50cad8f03c3b2e9bf11ca3b02c88a0482b7bc15646ce40df7fb42fbc96bd12362a54cffe0563c4ddc3fc78622622c699186

C:\Users\Admin\AppData\Local\Temp\_MEI44402\select.pyd

MD5 a653f35d05d2f6debc5d34daddd3dfa1
SHA1 1a2ceec28ea44388f412420425665c3781af2435
SHA256 db85f2f94d4994283e1055057372594538ae11020389d966e45607413851d9e9
SHA512 5aede99c3be25b1a962261b183ae7a7fb92cb0cb866065dc9cd7bb5ff6f41cc8813d2cc9de54670a27b3ad07a33b833eaa95a5b46dad7763ca97dfa0c1ce54c9

C:\Users\Admin\AppData\Local\Temp\_MEI44402\pyexpat.pyd

MD5 1118c1329f82ce9072d908cbd87e197c
SHA1 c59382178fe695c2c5576dca47c96b6de4bbcffd
SHA256 4a2d59993bce76790c6d923af81bf404f8e2cb73552e320113663b14cf78748c
SHA512 29f1b74e96a95b0b777ef00448da8bd0844e2f1d8248788a284ec868ae098c774a694d234a00bd991b2d22c2372c34f762cdbd9ec523234861e39c0ca752dcaa

C:\Users\Admin\AppData\Local\Temp\_MEI44402\libssl-1_1.dll

MD5 bec0f86f9da765e2a02c9237259a7898
SHA1 3caa604c3fff88e71f489977e4293a488fb5671c
SHA256 d74ce01319ae6f54483a19375524aa39d9f5fd91f06cf7df238ca25e043130fd
SHA512 ffbc4e5ffdb49704e7aa6d74533e5af76bbe5db297713d8e59bd296143fe5f145fbb616b343eed3c48eceaccccc2431630470d8975a4a17c37eafcc12edd19f4

C:\Users\Admin\AppData\Local\Temp\_MEI44402\cryptography\hazmat\bindings\_rust.pyd

MD5 bfd28b03a4c32a9bcb001451fd002f67
SHA1 dd528fd5f4775e16b2e743d3188b66f1174807b2
SHA256 8ef0f404a8bff12fd6621d8f4f209499613f565777fe1c2a680e8a18f312d5a7
SHA512 6dc39638435f147b399826e34f78571d7ed2ed1232275e213a2b020224c0645e379f74a0ca5de86930d3348981c8bb03bbbecfa601f8ba781417e7114662ddee

C:\Users\Admin\AppData\Local\Temp\_MEI44402\multidict\_multidict.cp310-win_amd64.pyd

MD5 95463f615865a472f75ddb365644a571
SHA1 91f22ef3f2ffd3e9d6ce6e58beea9a96287b090b
SHA256 9ee77474d244a17337d4ccc5113fe4af7b4d86f9969293a884927718d06e63c8
SHA512 e3cccce9ebf5e7cf33e68046d3e7b59e454ccb791635eb5f405977fd270126ef8b58e6288dbe58c96b681361d81ef28720eba8d0bd389bfb0f4c3114d098a117

C:\Users\Admin\AppData\Local\Temp\_MEI44402\yarl\_quoting_c.cp310-win_amd64.pyd

MD5 01703fd29061aedb98f707266c9e1657
SHA1 2711da2f3359d4a16ad66565eabc617a958232a8
SHA256 bbfaa11a2075c7107949092a6376e6ee8592ce70e0337e11f7b38768207ec68e
SHA512 aaf2b74207dbceba38ad09d6408cf5e8bf2812776b9830965a52611d1f087e437e24259dd86f336c86cb80476f7ca1e74bd49a46b48857f1b5754787af4c5e6e

C:\Users\Admin\AppData\Local\Temp\_MEI44402\propcache\_helpers_c.cp310-win_amd64.pyd

MD5 41e139669cacb62ee4e06ef7eb1a647e
SHA1 1fa1274a9f7a0e53458f641c115f7407910e6cb1
SHA256 b6fbac3a2baa833f34c327be227a816df47b11f45ac8a42e7b75c42e90c65353
SHA512 98e9810a91c74b2241826d96cae0b124cd8eaced629b502654c537c8ef7f1d3462accfb5bf3fb91069616c9501eb68b6a66f42e51927c3a167e1ad81cc27c8c5

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oony0pxr.3e0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2652-152-0x00000205A19B0000-0x00000205A19D2000-memory.dmp

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\_MEI44402\attrs-24.2.0.dist-info\INSTALLER

MD5 365c9bfeb7d89244f2ce01c1de44cb85
SHA1 d7a03141d5d6b1e88b6b59ef08b6681df212c599
SHA256 ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508
SHA512 d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

C:\Users\Admin\AppData\Local\Temp\_MEI44402\attrs-24.2.0.dist-info\WHEEL

MD5 52adfa0c417902ee8f0c3d1ca2372ac3
SHA1 b67635615eef7e869d74f4813b5dc576104825dd
SHA256 d7215d7625cc9af60aed0613aad44db57eba589d0ccfc3d8122114a0e514c516
SHA512 bfa87e7b0e76e544c2108ef40b9fac8c5ff4327ab8ede9feb2891bd5d38fea117bd9eebaf62f6c357b4deaddad5a5220e0b4a54078c8c2de34cb1dd5e00f2d62

C:\Users\Admin\AppData\Local\Temp\_MEI44402\attrs-24.2.0.dist-info\RECORD

MD5 48c3e62c23b44c5c1b03f2634154c391
SHA1 7e674c4d1ec604bb62103dbeeb008350ff159ee7
SHA256 0b638f04d30b4ff714170ac499f89142868a36760532ed20017263e9cc85136c
SHA512 99b720af1775f6a264c28817e44112cd6422e8716e62221946629d08fa1ec06ffb4e9076e55429cb19a9f07c7e95b2bdc01c6523178e7dfb824841c954ed0c16

C:\Users\Admin\AppData\Local\Temp\_MEI44402\attrs-24.2.0.dist-info\METADATA

MD5 49cabcb5f8da14c72c8c3d00adb3c115
SHA1 f575becf993ecdf9c6e43190c1cb74d3556cf912
SHA256 dc9824e25afd635480a8073038b3cdfe6a56d3073a54e1a6fb21edd4bb0f207c
SHA512 923daeee0861611d230df263577b3c382ae26400ca5f1830ee309bd6737eed2ad934010d61cdd4796618bedb3436cd772d9429a5bed0a106ef7de60e114e505c

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Desktop\ConnectComplete.txt

MD5 7fd2a2352a376ca87b91e7ea583c0a4d
SHA1 f6353267667aa6c1076c50673c9fed1639eb151f
SHA256 1ad46f75ba025d9943bb373d7c5c3cb024edf74aa6871c5d742c284210230429
SHA512 728ea39f662cb87e67ed53f8bf1bcfcca430104d4da68abf88205670666b78846fd84e9a30e82601bf3feef3c3c8405840346dcbf171b7a580f13f0110f961e9

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Desktop\LockResume.mp3

MD5 5f975c174d57a776fa604a32abdc71ca
SHA1 1915835aacf2fd27142af16a8d69395f1cdc5bd8
SHA256 3d27b340d908b3c464941b39d69f3573ad76ed5f2cf41eaea982897bcf89acd6
SHA512 5a2296783a6af36c623f4c5f0d710fe04103560b84a99c98e2cf61c2a02bb90fb9f1f1cdb2eb9936c459b16e795289f7e945904334cf53390cebc9f0332b79b3

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Documents\BackupUninstall.vsdm

MD5 79df37f116732888473c4cad1cc88adf
SHA1 65733332298fdb216a50144db8e87a0f6cf8ceb3
SHA256 e1b6b3c02128231e64154206570056ba27121d330146bb360ea259f7f5c8dc9f
SHA512 cef2a0b2bf9754bbc66b4280bc9604f5fd84e587fa0f0e21b2ddc8abc69091b9227aa6f6ce743ec346d5bfbc3799bc2ece2ca49ebac1bc6b368be8aed92ac2e1

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Documents\BackupFind.dotm

MD5 37f16daed1b8abced7c927f2eef6dc0f
SHA1 cc8bb4e21eb766f23f90c8ae8bbf9327379bc240
SHA256 c8a211cfbea7b54ed2efbab3184048dbadba2eb63f2e27e9b7a35bce3e595cdd
SHA512 cc23fc0933a1246791598a05758cc4e25f8cd7b343aa18230ade8edc792d7c768b5a7d49cfd1aad3f3ccef69c30696694f23d77cf8655e2f9f5365707516cc58

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Desktop\UnpublishStep.docx

MD5 d289e28aabdb1a15ad99dfb03eae1a99
SHA1 74a5e6dad94b8a718e9a56f1f61227b664773393
SHA256 7f3107c234bae3103aaa2991d36b39ce37c4b5861e7242a41fcf028bfd503ec3
SHA512 351845c0348496dc569484b93baa4b2e32716a17201401e0f4f0c7a568e57bda7e57f7bc553b6b86314818931191fe0dd43f64883100ca2a296c18bfbfc33618

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Desktop\SelectLock.xlsx

MD5 9b4d91b04967d5e5c8cb8d6e783f5563
SHA1 a3cc66ae5d1f985889317552580d924798133e0f
SHA256 423560167ed8da1e240a068cdb0d81fbbc70ace4d2a69af6d5a8ab4af387c0f4
SHA512 c9d3662cf35f37dcb432fc19d2cd6142fe7eedbd8cad33c1343cde58efd0295b7a3fc9d01d8bc82ca771302226677b00a1b010d44399eaab13a4df7ce06c72e7

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Desktop\RemoveExport.xlsx

MD5 0af2e058940aa7c171cd01f0090c658e
SHA1 f4e660fadc93167bd337eb595f19a309d957a38f
SHA256 384561df972482e185feed13b22e5b492d292a43095a05b48432230eeb01374b
SHA512 da3d2fc617418eb5b5cbf581dc275c0e0efbaa39afb207645a498f0667fe761ff01a96b26f7feffce37929bb59065b925ea5fab480727985325cf14f7b8002ab

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Desktop\BlockDebug.docx

MD5 4aa7720ad06cd3a44f6bb492f4054a5a
SHA1 7e6e8824e9112cb4725b5095bb5926e3cc01cfd5
SHA256 ac9be75c10452529b9507a9da9d23a38201ba470450694bf61018d891e0ce61a
SHA512 f9277b9d785caf0bd2ec6dfdb2e40e856e28937f5259e089b9b9e4698c385a3180d9ec5cb993fc4aa8edccb6a4e33142ec2c6df69da4ac52672c2142fb382a89

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Documents\CheckpointResize.doc

MD5 bbd324ba50dcea4b20faddcdae44ba83
SHA1 7fc960e6cfc05e05a37e1562b87c6fd4d0e3e5e3
SHA256 f7af2ad24ba9e75b147d1f5fbbdfbaec78a2c030eea3500e153bc7521f259e02
SHA512 893397924f661ac60a8b0a56226f3bd5c45763759a30ba36aa7573dadc411941933d61a1d6ded27647666f6339743c34b91c8d526960bc2481ac4d0d5351c0fc

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Documents\ConvertFromSwitch.doc

MD5 e1e4cdebaf803c122801268d4ae48547
SHA1 73c2fb95b969359abc314dc25764663666fd1b6d
SHA256 05b4e9535d6e480144875d295befec4b0ba281324cfb633bb3f7a6bc889e86da
SHA512 0c9f1d4c99d876cb15ae5fb9c0a0addaf09729b1b47aed7633a4f76078e115ec79ccc13773628299dfdda746c5f12ac45c6e1a5a050342674d6edd0e5b55b93c

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Documents\DebugUninstall.pdf

MD5 f3b98e8c6122d212e7881073367237bb
SHA1 11d04ccd515e7f886f3ba279e5fe6c5cefef4965
SHA256 12ece6aab5ddd6c47c247d4138f48795ed0b1238f2a732cf77b1aa937c83a506
SHA512 09d65aa50083513c9f3c6724de848e2ae50c335ca630d0d0f968134e1e2043a09e6a015ed18819994ecce218c7bb3544847e8c82fefea17d27ff81efcebf99ae

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Documents\RemoveOptimize.docx

MD5 d8c57f77189060ab2eed928b839c5111
SHA1 c4aad4c62b3ec1d8669ee0918f316a944fad7a1e
SHA256 c550dea74b0c5e83c721a9fec3975619b85f893583a91b0f9de8a7d07c33c156
SHA512 a2dde41f5df819ba2288c8e4ee3f3f87ad79cdd41e4184c5cc0413f4de94e04632ac7a8e0986747db7bd82784a5ecf6aec461f0aff3fb48e5161b92b4db1fdd1

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Documents\PushMove.docx

MD5 3064b58d194605c847eaabb3f064ad89
SHA1 b7c0b16413ce01f1ab86950d590fe67d7c666da4
SHA256 fe3ea002eb4055851fee580e5271854ac5d579b5ec146ebac45472e8e1bcfd75
SHA512 04e80596c42aa6349be43f7e288889573cd395bff24c83491f74f4bec436e3d8f6501dde2516685e68b43d5d9c045fa4124000f8b63d525d616ac366b6f436a5

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Documents\InvokeConfirm.csv

MD5 c4d6a98c42f52cab546be715e30d2cf6
SHA1 dc348ea76f36813bcdf399c503d1b9f3ad44f35a
SHA256 da3bd6edf65ec67feb73c36af327314acfaa642677a5f5a65deb73a1392cfb68
SHA512 866b13b00e454bad18ceea24e2de658e735937eb978ab8e0e52a2a64599a94b7c7dec9a85fcf9aebec1cf1e9568bd090385691fccd8811bedb7e0b7786666960

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Documents\ConnectPing.docx

MD5 59b9c65e630062098a9070253ed65e06
SHA1 7694d14cbd9e928fd4aec1a84c90e728ba45d1ad
SHA256 9ba05bd4c2d500b997d42b4328e382ca63b7f7a189da38ebeb39fb522810d0e0
SHA512 9b9330692aa2963c465c3ddd0d70e52f9381489a1536e2541ec27ef2ef7ece23525951c46f1a986de58732c1639bf2ceb66dadd5f75470689922b695ef36dc2a

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Documents\BlockRedo.docx

MD5 545180fb335bdb929848eda3b7a7869b
SHA1 66611d315a0e4d38d6a008bacdcdd427b33dddd5
SHA256 a08892d22f3074600647afe22f3a82c72d0b27865bd1279f7c3ac47ca14a2279
SHA512 02bae68737b05bd1468e6d148a433897cc675e396cd0d11babf1338e04d34cd0c09d7101be177ce3baac3119ee7caf56d035a9ee0aa0dece9dbd49753b29cd5a

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Documents\ConnectEdit.csv

MD5 a07627fa6887e1b95d2a9e383e7b9b40
SHA1 cb9a9e48caa58b0cca87974d94af90aebc543113
SHA256 5251b2ed85340c91bcf38b8261789225e4a5a2fa2007fa9df2370fa0c7b50b20
SHA512 7aa50d0e2ff8e3ab39ad67e579c7a2688c11928c843f2be11d3dcc3982b02f3aeddd891119c6c36a1f026ba976e3de970ac58fc7f5834557f7b8d7bf128530fe

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Downloads\DisconnectSync.zip

MD5 fa811840d94fa1d97fdb8faf0693a3f7
SHA1 0858692fcd4453ba7008d6438cd6c06c0c8916d9
SHA256 ab7b482888e3399d9dea96e2afd1e344a687f993a9db3a48a63cb396ebe513a2
SHA512 4b4cd57d09ff32167e666d0434d370f6550d39b32daa8c9834800229c6f5a4f5dac10d07ef0f7b389af6d383bc9bfb0e5b4dbbae1bc9b5688e3fe48bb9630f2f

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Downloads\StartOut.txt

MD5 8df5477b0e0e9989391c60a173635ccd
SHA1 891869aee1d88910a320f43ed796386a16e5e54e
SHA256 36082410f0baf707bdba164d127de1bc1b0b3b14e34e5b5db2a916dcab87042e
SHA512 e16c509dbf2c8850cfe9b4ff4787873851c6a41f6cf1b554198dd36b380a358f08138f2ac8a5dd5162117abd8ea1e47455d2ab1df18c2a23d7ddd8a33212617d

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Music\ConvertFromLimit.xlsx

MD5 6bfd3a9a39cab7e0faff58e1e519e039
SHA1 0b08f4de75a39f859dede9a2aade55b5f86cc841
SHA256 9835c58b7376f4193f0e8c46fbde9dc53b7e215519daf0931ad04bfd742d1a38
SHA512 4248fc6b39a23f16c2e1a76fc13eed4c04b115f1106d5a5bc769b7d0680e030dae939a4ef1ca62b23cff4f887fbe96889fc13c1f681d278c819f5f560fd9dd33

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Pictures\WatchResume.jpg

MD5 21e09d81e7e3557a7b3fc3cc19ddbcff
SHA1 fe16af6c1b15ccda7cbdf2da5b71732919e22549
SHA256 1cba2d72d914d8cbac81a418f18c374b09e56a07c3de478fb395fbcc9f622dab
SHA512 368b96517d03f4004be6d4305359ff0fcd6c5013d8754041473aa8426c0b9e90bbab8c630cfcc81a5adfbdd15653a385c31d215b4e9d50cb3c55d733c0615c91

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Pictures\ProtectBackup.eps

MD5 93b28a39c2885e89868061675834d85c
SHA1 1b4f50be434e061855b507778a972953e016119d
SHA256 be88695064a9a4eb325d0650a720ae3284468deee15dc375fcd146de72b6bf7e
SHA512 0f158fa284c3805cd8566294947a109a8bff2c79468127d0133660e4138fc1fd910f32fa2fb6b3f2a82fbaed9b8a7650d4f177c9674887a64b75fc6cba78b162

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Pictures\My Wallpaper.jpg

MD5 a51464e41d75b2aa2b00ca31ea2ce7eb
SHA1 5b94362ac6a23c5aba706e8bfd11a5d8bab6097d
SHA256 16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f
SHA512 b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Pictures\EditDisconnect.png

MD5 718eda8f42c0dbbd0c63364cf0309659
SHA1 d639530a42f85459bf97f75365c7c31023315aaa
SHA256 14ac991e1c8ba6ba618e5b5268cfb432581efc00da946abccc14d04f79f98ee8
SHA512 fc15498d37853ee31e85fa3693376167f5d4258d5903d519f7538c6ec686e332b05a81a4e80038ac856d7f5ef8e1a0ae9c4c2846706eed8feb8b8b2defe8e597

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Pictures\BackupUnregister.tiff

MD5 24fac1043e8f24084257ab907b434996
SHA1 8d37e976cc5939d9b19256ee0a449db07500b279
SHA256 2170bde9273be67e91364a2bc6ceecd86dcf2c4ea86dddf6cb30d3e6a4908f80
SHA512 acbec155e87585d0d11e8679f7896496af1079eca3bad9f3e808f5672a521d6ebc8bb1ab4b87f49459c41b684c6a628d003af3d95402cef8912f6221b0c8c394

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Downloads\SwitchConvertTo.mp3

MD5 d959e140459967738f267ec61278c370
SHA1 220bdb380dc21b0a30cfe3cb8e58377da875ab47
SHA256 be84a8de42b504406f8ad4fca2b45ff82ede011c37efdeaab4d6a0e13e9f6493
SHA512 63a820f3201798f727ac7531020ddcd6fb3f1069e804857d5098a0aa2eca72502ad28b8c68d1c8fa9150f2abe79e9d05bde4ccd84ce9e3ea08f4389d8579d37a

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Downloads\SubmitDismount.txt

MD5 26711b145988dd7388939eeda2aaac04
SHA1 3d11e477789efcde6e7265cd6bd907a883e933d0
SHA256 a620c1d6c81ea569c4fe14a2e26f9c12214f396ec277200b297fca193a5866ed
SHA512 9d4603f3c7dba985fcb884419ceacfec7ca8cfecac554c2b1c4049db0e02660adf9f806a2dc045daefc3eff1a22ec85fed5e633d701c1a4061d8e4b6909d2cd3

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Documents\ShowRedo.csv

MD5 58631b975f7d12ececb14c3de095f596
SHA1 f363d7f31508c703cd195e96f64116045fe7dccd
SHA256 9358736882d0b776162f30508f647707a50593138f69199896a18deb855a3d8b
SHA512 622cac40e1d127990eeed070a422cf45d951069c0904344a427b439b015ef5e26b0bad5be64d2a0a6c3a7d253dd45610fb04c12e292f68d786a5fd51c29f1745

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Documents\ResizeMove.xls

MD5 7b3f0980933d76fd430b3ee3becd518a
SHA1 2372422c437f466804e2aebe933e6137a0c115ba
SHA256 ac962bc42bd1add2449f439c79506277f12e3b293d94ff591fcbfba287c8b27c
SHA512 64e14ab382bf1fb51a5a22437a936629a0766880b2d09d07f99fb6a31717e27715c12f4c7fe1dc42170730ea55da2da44df2b5da2d53e1eb830177ed786ea179

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Downloads\RenameOpen.jpg

MD5 1b82725e121e010f37c077e4db1cacdf
SHA1 097c8b5a06955d2bca108df9f14ab37d86894971
SHA256 72b5f93b97201242c1a3300a698300cb3846422b6beba8be07aac50cc3bffe95
SHA512 9e04e9570e6305a53f93a971379a8a186f62eb696525a1d595edfa9e837009f560cef8f8e55af1dd0d80f2b493926cebce02ecf57966d1531778d0f27ffeaf96