exelastealer | 0fbad2885a4929b5dcf00028824c22b7dd8e276d13a1c8c341445f47852004ae

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2024 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Waltuhium.exe
Size

11.1MB
MD5

1367126f6694188447c383594bd1341d
SHA1

118660944b0cc7a0352c9749f359b10e106e0724
SHA256

0fbad2885a4929b5dcf00028824c22b7dd8e276d13a1c8c341445f47852004ae
SHA512

486379c7993161213de3ccdc4694d21b4b69879babd1f92ad9a4274f1934fbec36ade3386360c86baade860183bd32bceffa0ffe76cff4175893494c57a3de7a
SSDEEP

196608:kR8JpjDDIK63UtauZijdDfyGg3wBdnpkYRM+82KiuW:163huc5DfDg3c692q

Score

10^/10

exelastealer collection defense_evasion discovery evasion persistence privilege_escalation pyinstaller spyware stealer

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4456	netsh.exe
4756	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3012	cmd.exe
4460	powershell.exe

Loads dropped DLL 28 IoCs

pid	Process
1152	Waltuhium.exe
1152	Waltuhium.exe
1152	Waltuhium.exe
1152	Waltuhium.exe
1152	Waltuhium.exe
1152	Waltuhium.exe
1152	Waltuhium.exe
1152	Waltuhium.exe
1152	Waltuhium.exe
1152	Waltuhium.exe
1152	Waltuhium.exe
1152	Waltuhium.exe
1152	Waltuhium.exe
1152	Waltuhium.exe
1152	Waltuhium.exe
1152	Waltuhium.exe
1152	Waltuhium.exe
1152	Waltuhium.exe
1152	Waltuhium.exe
1152	Waltuhium.exe
1152	Waltuhium.exe
1152	Waltuhium.exe
1152	Waltuhium.exe
1152	Waltuhium.exe
1152	Waltuhium.exe
1152	Waltuhium.exe
1152	Waltuhium.exe
1152	Waltuhium.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
27	discord.com
28	discord.com
30	discord.com
56	discord.com
67	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
4848	cmd.exe
2152	ARP.EXE

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
4244	tasklist.exe
2688	tasklist.exe
1080	tasklist.exe
3880	tasklist.exe
1240	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4456	cmd.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1500	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x0008000000023cdd-110.dat	pyinstaller

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral2/files/0x0007000000023ccc-80.dat	embeds_openssl

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3588	cmd.exe
3624	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
3972	NETSTAT.EXE

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
3456	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1484	WMIC.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4792	ipconfig.exe
3972	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2452	systeminfo.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4460	powershell.exe
4460	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1484	WMIC.exe
Token: SeSecurityPrivilege	1484	WMIC.exe
Token: SeTakeOwnershipPrivilege	1484	WMIC.exe
Token: SeLoadDriverPrivilege	1484	WMIC.exe
Token: SeSystemProfilePrivilege	1484	WMIC.exe
Token: SeSystemtimePrivilege	1484	WMIC.exe
Token: SeProfSingleProcessPrivilege	1484	WMIC.exe
Token: SeIncBasePriorityPrivilege	1484	WMIC.exe
Token: SeCreatePagefilePrivilege	1484	WMIC.exe
Token: SeBackupPrivilege	1484	WMIC.exe
Token: SeRestorePrivilege	1484	WMIC.exe
Token: SeShutdownPrivilege	1484	WMIC.exe
Token: SeDebugPrivilege	1484	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1484	WMIC.exe
Token: SeRemoteShutdownPrivilege	1484	WMIC.exe
Token: SeUndockPrivilege	1484	WMIC.exe
Token: SeManageVolumePrivilege	1484	WMIC.exe
Token: 33	1484	WMIC.exe
Token: 34	1484	WMIC.exe
Token: 35	1484	WMIC.exe
Token: 36	1484	WMIC.exe
Token: SeIncreaseQuotaPrivilege	680	WMIC.exe
Token: SeSecurityPrivilege	680	WMIC.exe
Token: SeTakeOwnershipPrivilege	680	WMIC.exe
Token: SeLoadDriverPrivilege	680	WMIC.exe
Token: SeSystemProfilePrivilege	680	WMIC.exe
Token: SeSystemtimePrivilege	680	WMIC.exe
Token: SeProfSingleProcessPrivilege	680	WMIC.exe
Token: SeIncBasePriorityPrivilege	680	WMIC.exe
Token: SeCreatePagefilePrivilege	680	WMIC.exe
Token: SeBackupPrivilege	680	WMIC.exe
Token: SeRestorePrivilege	680	WMIC.exe
Token: SeShutdownPrivilege	680	WMIC.exe
Token: SeDebugPrivilege	680	WMIC.exe
Token: SeSystemEnvironmentPrivilege	680	WMIC.exe
Token: SeRemoteShutdownPrivilege	680	WMIC.exe
Token: SeUndockPrivilege	680	WMIC.exe
Token: SeManageVolumePrivilege	680	WMIC.exe
Token: 33	680	WMIC.exe
Token: 34	680	WMIC.exe
Token: 35	680	WMIC.exe
Token: 36	680	WMIC.exe
Token: SeDebugPrivilege	4244	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1484	WMIC.exe
Token: SeSecurityPrivilege	1484	WMIC.exe
Token: SeTakeOwnershipPrivilege	1484	WMIC.exe
Token: SeLoadDriverPrivilege	1484	WMIC.exe
Token: SeSystemProfilePrivilege	1484	WMIC.exe
Token: SeSystemtimePrivilege	1484	WMIC.exe
Token: SeProfSingleProcessPrivilege	1484	WMIC.exe
Token: SeIncBasePriorityPrivilege	1484	WMIC.exe
Token: SeCreatePagefilePrivilege	1484	WMIC.exe
Token: SeBackupPrivilege	1484	WMIC.exe
Token: SeRestorePrivilege	1484	WMIC.exe
Token: SeShutdownPrivilege	1484	WMIC.exe
Token: SeDebugPrivilege	1484	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1484	WMIC.exe
Token: SeRemoteShutdownPrivilege	1484	WMIC.exe
Token: SeUndockPrivilege	1484	WMIC.exe
Token: SeManageVolumePrivilege	1484	WMIC.exe
Token: 33	1484	WMIC.exe
Token: 34	1484	WMIC.exe
Token: 35	1484	WMIC.exe
Token: 36	1484	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 1152	2336	Waltuhium.exe	83
PID 2336 wrote to memory of 1152	2336	Waltuhium.exe	83
PID 1152 wrote to memory of 5056	1152	Waltuhium.exe	86
PID 1152 wrote to memory of 5056	1152	Waltuhium.exe	86
PID 1152 wrote to memory of 544	1152	Waltuhium.exe	87
PID 1152 wrote to memory of 544	1152	Waltuhium.exe	87
PID 1152 wrote to memory of 668	1152	Waltuhium.exe	88
PID 1152 wrote to memory of 668	1152	Waltuhium.exe	88
PID 5056 wrote to memory of 1484	5056	cmd.exe	92
PID 5056 wrote to memory of 1484	5056	cmd.exe	92
PID 1152 wrote to memory of 4376	1152	Waltuhium.exe	93
PID 1152 wrote to memory of 4376	1152	Waltuhium.exe	93
PID 1152 wrote to memory of 2372	1152	Waltuhium.exe	94
PID 1152 wrote to memory of 2372	1152	Waltuhium.exe	94
PID 544 wrote to memory of 680	544	cmd.exe	95
PID 544 wrote to memory of 680	544	cmd.exe	95
PID 2372 wrote to memory of 4244	2372	cmd.exe	98
PID 2372 wrote to memory of 4244	2372	cmd.exe	98
PID 1152 wrote to memory of 1704	1152	Waltuhium.exe	100
PID 1152 wrote to memory of 1704	1152	Waltuhium.exe	100
PID 1704 wrote to memory of 1400	1704	cmd.exe	102
PID 1704 wrote to memory of 1400	1704	cmd.exe	102
PID 1152 wrote to memory of 1064	1152	Waltuhium.exe	103
PID 1152 wrote to memory of 1064	1152	Waltuhium.exe	103
PID 1152 wrote to memory of 508	1152	Waltuhium.exe	104
PID 1152 wrote to memory of 508	1152	Waltuhium.exe	104
PID 1064 wrote to memory of 3980	1064	cmd.exe	107
PID 1064 wrote to memory of 3980	1064	cmd.exe	107
PID 508 wrote to memory of 2688	508	cmd.exe	108
PID 508 wrote to memory of 2688	508	cmd.exe	108
PID 1152 wrote to memory of 4456	1152	Waltuhium.exe	109
PID 1152 wrote to memory of 4456	1152	Waltuhium.exe	109
PID 4456 wrote to memory of 2632	4456	cmd.exe	111
PID 4456 wrote to memory of 2632	4456	cmd.exe	111
PID 1152 wrote to memory of 3648	1152	Waltuhium.exe	112
PID 1152 wrote to memory of 3648	1152	Waltuhium.exe	112
PID 3648 wrote to memory of 1080	3648	cmd.exe	115
PID 3648 wrote to memory of 1080	3648	cmd.exe	115
PID 1152 wrote to memory of 2896	1152	Waltuhium.exe	116
PID 1152 wrote to memory of 2896	1152	Waltuhium.exe	116
PID 1152 wrote to memory of 3132	1152	Waltuhium.exe	117
PID 1152 wrote to memory of 3132	1152	Waltuhium.exe	117
PID 1152 wrote to memory of 2904	1152	Waltuhium.exe	118
PID 1152 wrote to memory of 2904	1152	Waltuhium.exe	118
PID 1152 wrote to memory of 3012	1152	Waltuhium.exe	119
PID 1152 wrote to memory of 3012	1152	Waltuhium.exe	119
PID 3012 wrote to memory of 4460	3012	cmd.exe	124
PID 3012 wrote to memory of 4460	3012	cmd.exe	124
PID 2896 wrote to memory of 3096	2896	cmd.exe	125
PID 2896 wrote to memory of 3096	2896	cmd.exe	125
PID 3096 wrote to memory of 920	3096	cmd.exe	126
PID 3096 wrote to memory of 920	3096	cmd.exe	126
PID 2904 wrote to memory of 3880	2904	cmd.exe	127
PID 2904 wrote to memory of 3880	2904	cmd.exe	127
PID 3132 wrote to memory of 1668	3132	cmd.exe	128
PID 3132 wrote to memory of 1668	3132	cmd.exe	128
PID 1668 wrote to memory of 1800	1668	cmd.exe	129
PID 1668 wrote to memory of 1800	1668	cmd.exe	129
PID 1152 wrote to memory of 4848	1152	Waltuhium.exe	130
PID 1152 wrote to memory of 4848	1152	Waltuhium.exe	130
PID 1152 wrote to memory of 3588	1152	Waltuhium.exe	132
PID 1152 wrote to memory of 3588	1152	Waltuhium.exe	132
PID 4848 wrote to memory of 2452	4848	cmd.exe	134
PID 4848 wrote to memory of 2452	4848	cmd.exe	134

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2632	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Waltuhium.exe
"C:\Users\Admin\AppData\Local\Temp\Waltuhium.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\Waltuhium.exe
  "C:\Users\Admin\AppData\Local\Temp\Waltuhium.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5056
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:1484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:544
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:4376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      PID:1400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1064
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:508
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\WaltuhiumUpdateService\Waltuhium.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:4456
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\WaltuhiumUpdateService\Waltuhium.exe"
      4⤵
      Views/modifies file attributes
      PID:2632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3648
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:1080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3096
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3132
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1668
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:1800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:4460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    - Suspicious use of WriteProcessMemory
    PID:4848
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2452
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:2012
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      PID:3456
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:2344
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:3136
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:684
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:1236
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:3916
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:3428
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:3688
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:2784
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:2464
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:3980
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:780
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:3576
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:2624
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:1240
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:4792
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:4616
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:2152
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:3972
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:1500
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4456
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3588
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4252
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1792
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Desktop\ClearWait.xls

Filesize
455KB

MD5
f73dcac1879ac65ab8c0a879c00f25d8

SHA1
9299450dc16d0ad7a9f0950fb3a99fb6e13a8210

SHA256
c49e9eaab2831a01c31d66929a11aa27a222303dfeb75cc0163d21b0e4ec7416

SHA512
61f4992b3765b38ffed87407dc181e808d6c15bba07be10cc80ac1c4e43c3536ac35ad12e27a0a8ab4653df668cc3a1e6552ba52ba6c7b1443d4007d89c5e7f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Desktop\CompareFind.xlsx

Filesize
11KB

MD5
84685b4db5144897ab59f487dadb547e

SHA1
4e04789059d6551d8582997b6c50b36bdbd1d0c1

SHA256
b524df93be13f7b8c688601e5d97f206efe62c671dbc4db8890d0fa63badd1bc

SHA512
bac7e64b8ecd462a6e3e6b7425e700a2c0f09ad76de244d4002ae495cbe46441417460849079d9a8351af09620e7b43154479e590037031cb13b300af73adddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Desktop\ConvertFromSend.docx

Filesize
21KB

MD5
081f2d7807de62488c68f9b1e1c76bca

SHA1
7b79eb9be1e04a2fcd3e5bd8fbbd0c1648e23a0b

SHA256
e06100cef9ee05365343afedd3ba8751932ae563fc072fd31b38c7b5d08eebec

SHA512
9ef5ade72ffd21f6f685c580f26ef4ee3b0fb336a7caf913ca2d0917e8317df92e0fabcefa38087ee7c6d1bb7e5194904eb6febb1a1044ff8ea381f91e57561d

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Desktop\FindClear.xlsx

Filesize
11KB

MD5
45c48ab11809ae2818745a831528123a

SHA1
2fcdebb51c3f6cc51861f88a34c4c31f8211194d

SHA256
d200ef032f8a3905b6890c7ea44517df54835ace320a6612eba53430749268b9

SHA512
58b52d2c286eeffd6b92ae6e577e08a1dfa5b29ce2687d0ea07381a42c98af6dfdbf4b9ff6737ae13d46c37abd956496d3321cba38c1e82c5ffd6461d8a1f757

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Desktop\LimitApprove.docx

Filesize
17KB

MD5
f0aa8de62c16b22aed4618c1f8c5c5f6

SHA1
79256b5ffc2ccd1d2a7a712d1a2790664d79b1d3

SHA256
7b3b0b17173d949c0fce3a77893226f713e2a26a1d845e579dece0e750d8cebe

SHA512
ab3a294ab83a23c35305a0d2bf6e377c263b08348e06f719d87d09e92f626976cfe4f4c73cab792d810d136220ee3b7d649ac93191b4073f40f638a59082354f

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Desktop\LockGet.zip

Filesize
938KB

MD5
51724b826bf71a47b68e6588bdce5004

SHA1
4efedcbef4e1c2b9eb0267cd330bdf114d183c9c

SHA256
7e56c591f160392b47c5a6a1b0765de4289d6b45add74bf93d683592a1df510b

SHA512
0bdc8f1e9a200e76d4540e10823d00cc2c894b7a9aa0f2e8ef5c3283f142d059447a382dcb48c77694b0d49c99b33316cffd8f43ec764bb9915a447e5329d90c

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Desktop\TraceUse.jpeg

Filesize
711KB

MD5
dad2010bb1b4231da3c7fd1ec5b6bd0e

SHA1
8086ae380210cd0d07588930048f61dabb7c923b

SHA256
d163d90468901dd8c555af0daf711a28a169111349b266bd5b29bb35e105999e

SHA512
d5da815bb96da6bf37452d9a6d214f0f33478bdc5379cbeb2d78c0799fe915fc5adce8e433b9507d02ab558a214b069ec200ea8069ba65b9d2cea7bcfa06c831

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Desktop\UnblockUnlock.docx

Filesize
19KB

MD5
60f24e652769b6e613df17e045721801

SHA1
89f81d080bcdacd04e2f4893be5d30e385d97f5b

SHA256
e1d4762eca0c1ff8ad4f3f9894394bdf4a4c396981d139471715ab95d9ca861d

SHA512
c06af388c9a4369fde241ac2447c8bacf342fabbdbaefb8c70d18344efa38cf68cd86a5ab784f790d6b3b59c130bcb777d851784a08b4315e91b9867d8c48d7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Desktop\UninstallWrite.docx

Filesize
21KB

MD5
3cf5afec63efe497b2877c8afa888f73

SHA1
5f8fd4b2a6c059291196e5cdb7d0c35f27c66b18

SHA256
610edf7796b2ce2bddfe3104289fd5840382d42f327aeb23fcf78ca7acfd1a90

SHA512
ead3fc49a922138ee46f161e8d179876866b54cd5a44f80807851d88a4347e85de48689a9578bee052afd005dbd802c664516bcb34b6eafeafb4426d9360ae9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Desktop\UnlockDismount.jpg

Filesize
511KB

MD5
58b53a04eb9d8ca66281e51c041261f3

SHA1
138e5d2028dce922d23ece500ac4fd2ae9f6f106

SHA256
5681dce9769e4585b14527f34be5938cf9bebe121d0a319a798c46accda0abe7

SHA512
da32c894638e976c383a965293590ea4cd2a43857405e40037c9954943a53043b00d493da286b7d5f5fc64d9c0e4d8c3bce73e8262aabf50e2efaae773f47e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Documents\BackupDeny.odt

Filesize
397KB

MD5
347168b6895e678e86244377281e795f

SHA1
4a0694dee2f0d2343c54b44eda626cdb9d18b30d

SHA256
c17dd498e39d97a906f623f6c7e06f1037ddb198bfab4169117caddb3103c2d5

SHA512
5dd9bbf978b5ca9d6ef30e057545a9017f415fba9db5bdad8fe70fd74177bf210380a6aa358af2ae14823ed4773c1d0094ea741d7d19f26e6a2fdf7103b69203

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Documents\CopyUnpublish.xlsx

Filesize
10KB

MD5
2ca0f4fcbf3a15d152668e5444140cca

SHA1
005877ce100f3a234879d278f9e093855974c174

SHA256
0603ecc9e41667df31f7252f0b5743923073153152a2a9acffe3015cfc602ba8

SHA512
99f7e6e0f3d1abe52d3330c3df03a7aeea2a94136e5bc3fa1514540b41169560efe13e8f99fef8efa21b18d0c7bffed00508090e51d8966e9f832596e797a6e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Documents\MountLimit.docx

Filesize
19KB

MD5
75f98b5c2637d048ceec92f9294844e7

SHA1
6806e2f9818f24fd0303e7c168146013421de70e

SHA256
af3b6fcb4c5f75cc7cebbfffe5a1e693c0040c0025b1fdf44efcb003f175f254

SHA512
2d7a0c16a213004810d3079a775b34cf16b108f78177a1e808441e9c722096acd9f04e151aa907bf6a1f6fd64583a9c4b6c91e257a3911f1b7af7fb0a7c6d8fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Documents\SelectGet.xlsx

Filesize
10KB

MD5
262d28311ab0740c41851ea2c782703a

SHA1
5f8546f2d6f2b7ed0265a7304325286fedb9ecb2

SHA256
95ec8f4134d084ab3cf26bfb3a77a911f1e7de90398d6cbb91ebc77553aa2572

SHA512
d83f20be50c7cfd52e2e19585bc5af9ae0b85ec25be470b20cee322289a8ed7ae319db0c73b4ebd8d13d8b6ff6713742738d9c013661124e2c55e1552975833a

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Documents\SelectMeasure.pdf

Filesize
943KB

MD5
7cbd95dcd2f196cca05650ac537f8fe1

SHA1
38f6de78bfcfb599a82c2309879e67414bb49d5f

SHA256
1336710b839276fac367a7067fb4d3235c90054cc928dca552f5a5edf9949227

SHA512
9541af99fbc7dee88b4efc23f00ea893f8b4886399fe8e878adfdfc8396176498b6f3b921599ca85a8ecfd98c2879840492a8937690600f1144fa01935effe1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Documents\SuspendGroup.csv

Filesize
620KB

MD5
ae54904b28a69ad041a888b55754c363

SHA1
17ec66de89e1d05ff3792deefad53e574da7c3a4

SHA256
bea48781fc1a1de2cc1f091b3655120fb7c5d7e54c45775d2f41c89dd7eb6897

SHA512
e5cef3e9effde46b39ea73a607f7bc4452c0c22ea44ee4eec52ff16e67f4be84882ef3826d91a6779c46cce0f51686082c9dd1dce9ebfffca82cfb8f804b404e

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Downloads\GrantResume.docx

Filesize
1.2MB

MD5
ea906a106390b2c05c3de24405adcc8e

SHA1
2cccfc7e0feb75f4c3ef20882f758459ffefd9ab

SHA256
fa68704f7bee993a5f8621f7f5f4eb6b8d0d5a220dcd1710b8d971708c688e7e

SHA512
c649b3d81e2a2bdaace10933e6c0300a29c1d28fc3c07debc1d562051e8c7ee7922257c0bcbefe27f1df8f0a1e5b398fb0a2a041f9b821dd6aa1ce65832040e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Downloads\InstallWrite.mp3

Filesize
516KB

MD5
cfed834d9ba443189fce89816589be7c

SHA1
8f58d5b6f394e58886bc455f15faae2e9664919e

SHA256
f41f87bad9df6a4e7feaaaf1e3503a09212a032e8ecfaa6078a4094ea4e8f159

SHA512
08b94c9eb45912223471931c7ba8ebeecfadd5a541b6b0b6055b91c857fc1eb6ff253e17346778c6cd9aa790a3e22540b9aa9df9ba934e98014041fbfc3fbf0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Downloads\SkipTrace.txt

Filesize
455KB

MD5
d7616d97508168909c74db06521a2a93

SHA1
c210f7b35cf27a0ef20134d229252dd0d3e4edb7

SHA256
37b6f796847a837550c65cdbe4f809f73c973644130dd8687e2551ce9c0e0737

SHA512
c88aa853d8b7bfc98cb3350b361e455f6bc5a92f7e6416c6fc8dc338c92dc4ce3847856039640d7061a0a4120783c2827aed498aa8c74573cd88e94403226d56

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Downloads\TestRedo.jpeg

Filesize
698KB

MD5
a3ff44c8752e0c09c795216efbe03fac

SHA1
0e740cc6a7362a09e112a73584ca7d14c376ff6f

SHA256
aa6cbb5810f176b9df8b045fef18ecb22b2e336995a330d6f5996694643082eb

SHA512
f0d9ab3dcf8ce3a4126fa04ec3a5b4aa84b6c38fdb3261079eaecf18bd108f57e6cdf5e2ea158f7c78a004b5e35e5cf0fd2b429272d7e541ac0cdb5d78a2d8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Music\BackupClose.mov

Filesize
570KB

MD5
d6758186e4c79ea4c9ae632744129a38

SHA1
4f1773244a471251647cb3cb99fdc918345ec402

SHA256
832d8c794e7f698c9204f8727cd807973afa2ff5048617212aa9f80aacdfdbd3

SHA512
c4b167b4949af9693d1cdee089c13666fc8b29df00f7675bb53f5b155ec015d579a387e5e4ace5837e5f11a9676e5eec7af9fa859154f12094bc43275d66317c

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Music\CopyConvertFrom.xls

Filesize
465KB

MD5
1beea1c53674f121314d124db0c05b6a

SHA1
4aa1bd3b1a63fa682af833bbd5ada218773fe272

SHA256
09e9f029472be1ad79442bfbf39885a8c45c8b7e77bb4eb00354df4538c16da7

SHA512
ab26438c103161eafac726bfb13ea96aff9c91e32703db77d690923dfabe4ce51636cf55f7d331f24c1501c120bc68d9e0612698ca46a779160da3255b2b4f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Music\DebugLimit.zip

Filesize
1.0MB

MD5
ed3e5f4613f5452abdcae1a4dd88ee9f

SHA1
68cfe813ac4c1a2e1fdc4242601285ae6faa58f5

SHA256
b49f01e67374c8f9880c75fab6abee25cb75c0df0c08fd9d4c2dbf4e0c6004aa

SHA512
5926a94690bc90ed96d751d1f6f08a182dfd1df642cc39a92064a563161d9a74f7afe7204173effef1ce6ced296433553c962d087c73c5e35bbf85e412195a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Music\EditRestore.docx

Filesize
525KB

MD5
903a99712626eee536152dce74d3a3d5

SHA1
6278b0055b3eae2e03ffcb485d124fcad9635175

SHA256
0f883078910840d14fc3c2552063b52084fbc6b4286b69eec57c1348514f1160

SHA512
256e339d4fde3fd6fb57d769f749413e36b07683d42ab646fca8154b749b62b7e0b4d28c9b79640c7745ebaf05b966066f1811b8fbda65a801b2e804e42fef33

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Music\EnableRestart.png

Filesize
270KB

MD5
382c96a518c2d22d16e739b8d0779f82

SHA1
90bb1d8df15b0dd1a28976c09dd2d871fb985367

SHA256
657b8e70bad7b36c885d442d04e95543d5cc40eb3ebcc0d6920a9f6671b5b14e

SHA512
834a12043900759f9051f94538af742eb676c10e7420acf715340d258a6c432d6d6600dc6632e9670818b193c58be133c99f56a4153ca4d31c28634652e32ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Music\ExitBackup.txt

Filesize
315KB

MD5
061751ba1a5edbe1ef1c94ae5f56013e

SHA1
8f5deceb9b949e7af10840c0e245c4fd3e1a9477

SHA256
02c9894f4fbbe5d9fe89b645007568e1ed20964592a87bf00c50289e46ba69db

SHA512
0dd349be8dd93a59ceee0a81c4bfa1648ed4d417add3e0d006554ec46ffc05e31d4abea16b116fafa608f94ed2ae1a9eec86f93c6da3143830ecbdc11e220e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Music\ExitFormat.docx

Filesize
555KB

MD5
703694cce6b6a2c73bcf08bfb69c0718

SHA1
6d3870d16d6eeacc546e05fe2baef11165d1023e

SHA256
2bc97e2dbb49cb56cbe9fc264b950eca3750590f11f5362df65a504a4639ee55

SHA512
6e82e399de491612043a9e2d77501bb085da8a46e408bf3617dd93dedec16652f952c169877bed0633aa6a69bda74feeca19734eb8dd9b35fc39bd9d28b7bb9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Music\InstallSwitch.jpeg

Filesize
405KB

MD5
f8ebfd80cc38e43523561c8a76fa66c7

SHA1
dc5766e0bd0ebc10afe6d5494e324c350ef08013

SHA256
398b0fb21f0b0cc8ab96955cd5a70a6fee968f037ee2973f1fa388e8fc3ed760

SHA512
fc15a6c94ebd1f781fb53d2f4f9ce65a534bca21d5eca39242f7d620ce3fd4e08ac0ad313ac6a170151cf34777bb39005829df62e4e367658462df87c8f0dcd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Music\ResolveInstall.jpg

Filesize
585KB

MD5
aa988e46250962b01ca3f95c06c2399c

SHA1
e4e1f1e46ebf99605c8d9b2ca81f8232092f2c8e

SHA256
cecc2e2c79b1ccd5f731e502352755e03720ce16e741916b28c43f86b18820f1

SHA512
881e5a20ec01dee9cc0ab5c2a7a3c41321b23a1bff1e51633658a145e153757e17a71b6f43916c060ced27936d6458b580bba26297b055929b10748b0950a9e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Music\RestoreSave.jpeg

Filesize
390KB

MD5
41a344b1345397bc0135fe93d676984b

SHA1
804cf9394cd0c02a0c7142b5ffd01c4f3b965bc7

SHA256
097386ebc6742159e7f375362140096c2a47576c37f47fac29284c453875b3d5

SHA512
37eda107fd34415791e68f5416d0809642397f0fda122d6162fb6ea4081cc20b9b6b91173bcd1d940daa2528621591caadc94f7b2632b5d8c858fbbf92cbfdab

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Music\ShowSwitch.docx

Filesize
615KB

MD5
e0c0bf0bec7bb6edc1279c8069308782

SHA1
9e228a75b69802cbf18a726a01e356f0584e3421

SHA256
1f4aee0447b8ce1450d2e595852dda6cd7ad2b132334a2fdb4ead1550adb1639

SHA512
add4034fb200bc2b175eaca158c653fcc5d32bb2abaa1d3a66555e4d54cfc07ef4a96c10c9b8a6e5a7dcd68d6f1ffd9f92a7a7d3cfe41b29ee3e9f422887539a

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Music\UnpublishConvert.mp4

Filesize
675KB

MD5
225837ef4215072bd9a71488df7622b1

SHA1
8f97d2afe779e7d33c5fa91e289e84629f474ad7

SHA256
745cdba6821a6de41d3d75ca178654d1d3d88066defc77dabef9e20b240d39f7

SHA512
e8b3b0f7aa5deb10268dbc7ccf02b80a9dd44a634d9d79ccea83d1e6fb432d66fd33dc228e9d27b9821feba3a1f88faaf7ae7a2bf0a3afad85503f80592dd48b

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Music\UpdateConnect.txt

Filesize
450KB

MD5
d84d3c909738f807dce7db54ab25a773

SHA1
6731e45b5a1f55367736944f4c399aefd2ffc1e7

SHA256
68f57b79daf609fbef3cf790ed4ed49b35213ffcb7f0876853af97cbea65daca

SHA512
2c4f590e3f638ea3d064a56b1c4adb83034d39e95315f38f7f04e36a7432638ee501dffa9176fe71f11c076383093fadbd275f242fe010f252f30297e555b5e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Pictures\MergeFind.jpg

Filesize
368KB

MD5
bf8f1e1f6b79b6da1b15f01a93d464f1

SHA1
630b40486638bf9bccc657ee84fc74e62ac61af3

SHA256
0c1f2f358f68c6256e34e88a248d2d2662964dd4afa76343043d8ff76b81f5e4

SHA512
e8ea5ebc3885d04603c7719e2ef84cac65466a8ff1e6e7cfa534c2e2c10818f6db3fdf997b4aacc8791b5b84cfba2148eba9b5d0bf1468dd0b382bc993c9b350

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Pictures\UndoDeny.jpeg

Filesize
448KB

MD5
4c0d926e362c33b61b35e8629c065d49

SHA1
bebac1e7de4a9ab57bf0dd7a97de034968bb5eea

SHA256
5bd0969da4b544411bff3b4ffd0b8834d75a27b7c1e0fd64b2cb67f2d386d08f

SHA512
3a100aa2c65a139a1a807741cfd25a250b74d915637a4d3f7be60b7f366205c10778992717ec9b5ab88bdd4e817fe721f4f9cfa9b784bc14aa091205fbb7e2d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Pictures\UpdateOut.jpg

Filesize
304KB

MD5
8836f85718678fd866424c3b9a9ca7b0

SHA1
cc725ff801bca489e6327dcd96748ef0f82b284e

SHA256
ca691dc78520995d6b63bb974e9c9bfe3a7898c9f1238a2f91f98476c63d9465

SHA512
b51411145934ff9e38ce02463a75ced1b67f4885d1e76cd3749cd3fb250314dfaa19a36cde502a0af87c450d931c4ce2d2a8fe06d890597d1fc1eddbffd108ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23362\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23362\_asyncio.pyd

Filesize
63KB

MD5
33d0b6de555ddbbbd5ca229bfa91c329

SHA1
03034826675ac93267ce0bf0eaec9c8499e3fe17

SHA256
a9a99a2b847e46c0efce7fcfefd27f4bce58baf9207277c17bffd09ef4d274e5

SHA512
dbbd1ddfa445e22a0170a628387fcf3cb95e6f8b09465d76595555c4a67da4274974ba7b348c4c81fe71c68d735c13aacb8063d3a964a8a0556fb000d68686b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23362\_brotli.cp310-win_amd64.pyd

Filesize
801KB

MD5
ee3d454883556a68920caaedefbc1f83

SHA1
45b4d62a6e7db022e52c6159eef17e9d58bec858

SHA256
791e7195d7df47a21466868f3d7386cff13f16c51fcd0350bf4028e96278dff1

SHA512
e404adf831076d27680cc38d3879af660a96afc8b8e22ffd01647248c601f3c6c4585d7d7dc6bbd187660595f6a48f504792106869d329aa1a0f3707d7f777c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23362\_bz2.pyd

Filesize
81KB

MD5
86d1b2a9070cd7d52124126a357ff067

SHA1
18e30446fe51ced706f62c3544a8c8fdc08de503

SHA256
62173a8fadd4bf4dd71ab89ea718754aa31620244372f0c5bbbae102e641a60e

SHA512
7db4b7e0c518a02ae901f4b24e3860122acc67e38e73f98f993fe99eb20bb3aa539db1ed40e63d6021861b54f34a5f5a364907ffd7da182adea68bbdd5c2b535

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23362\_cffi_backend.cp310-win_amd64.pyd

Filesize
174KB

MD5
2baaa98b744915339ae6c016b17c3763

SHA1
483c11673b73698f20ca2ff0748628c789b4dc68

SHA256
4f1ce205c2be986c9d38b951b6bcb6045eb363e06dacc069a41941f80be9068c

SHA512
2ae8df6e764c0813a4c9f7ac5a08e045b44daac551e8ff5f8aa83286be96aa0714d373b8d58e6d3aa4b821786a919505b74f118013d9fcd1ebc5a9e4876c2b5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23362\_ctypes.pyd

Filesize
120KB

MD5
1635a0c5a72df5ae64072cbb0065aebe

SHA1
c975865208b3369e71e3464bbcc87b65718b2b1f

SHA256
1ea3dd3df393fa9b27bf6595be4ac859064cd8ef9908a12378a6021bba1cb177

SHA512
6e34346ea8a0aacc29ccd480035da66e280830a7f3d220fd2f12d4cfa3e1c03955d58c0b95c2674aea698a36a1b674325d3588483505874c2ce018135320ff99

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23362\_decimal.pyd

Filesize
248KB

MD5
20c77203ddf9ff2ff96d6d11dea2edcf

SHA1
0d660b8d1161e72c993c6e2ab0292a409f6379a5

SHA256
9aac010a424c757c434c460c3c0a6515d7720966ab64bad667539282a17b4133

SHA512
2b24346ece2cbd1e9472a0e70768a8b4a5d2c12b3d83934f22ebdc9392d9023dcb44d2322ada9edbe2eb0e2c01b5742d2a83fa57ca23054080909ec6eb7cf3ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23362\_hashlib.pyd

Filesize
63KB

MD5
d4674750c732f0db4c4dd6a83a9124fe

SHA1
fd8d76817abc847bb8359a7c268acada9d26bfd5

SHA256
caa4d2f8795e9a55e128409cc016e2cc5c694cb026d7058fc561e4dd131ed1c9

SHA512
97d57cfb80dd9dd822f2f30f836e13a52f771ee8485bc0fd29236882970f6bfbdfaac3f2e333bba5c25c20255e8c0f5ad82d8bc8a6b6e2f7a07ea94a9149c81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23362\_lzma.pyd

Filesize
154KB

MD5
7447efd8d71e8a1929be0fac722b42dc

SHA1
6080c1b84c2dcbf03dcc2d95306615ff5fce49a6

SHA256
60793c8592193cfbd00fd3e5263be4315d650ba4f9e4fda9c45a10642fd998be

SHA512
c6295d45ed6c4f7534c1a38d47ddc55fea8b9f62bbdc0743e4d22e8ad0484984f8ab077b73e683d0a92d11bf6588a1ae395456cfa57da94bb2a6c4a1b07984de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23362\_multiprocessing.pyd

Filesize
33KB

MD5
a9a0588711147e01eed59be23c7944a9

SHA1
122494f75e8bb083ddb6545740c4fae1f83970c9

SHA256
7581edea33c1db0a49b8361e51e6291688601640e57d75909fb2007b2104fa4c

SHA512
6b580f5c53000db5954deb5b2400c14cb07f5f8bbcfc069b58c2481719a0f22f0d40854ca640ef8425c498fbae98c9de156b5cc04b168577f0da0c6b13846a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23362\_overlapped.pyd

Filesize
48KB

MD5
fdf8663b99959031780583cce98e10f5

SHA1
6c0bafc48646841a91625d74d6b7d1d53656944d

SHA256
2ebbb0583259528a5178dd37439a64affcb1ab28cf323c6dc36a8c30362aa992

SHA512
a5371d6f6055b92ac119a3e3b52b21e2d17604e5a5ac241c008ec60d1db70b3ce4507d82a3c7ce580ed2eb7d83bb718f4edc2943d10cb1d377fa006f4d0026b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23362\_queue.pyd

Filesize
30KB

MD5
d8c1b81bbc125b6ad1f48a172181336e

SHA1
3ff1d8dcec04ce16e97e12263b9233fbf982340c

SHA256
925f05255f4aae0997dc4ec94d900fd15950fd840685d5b8aa755427c7422b14

SHA512
ccc9f0d3aca66729832f26be12f8e7021834bbee1f4a45da9451b1aa5c2e63126c0031d223af57cf71fad2c85860782a56d78d8339b35720194df139076e0772

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23362\_socket.pyd

Filesize
77KB

MD5
819166054fec07efcd1062f13c2147ee

SHA1
93868ebcd6e013fda9cd96d8065a1d70a66a2a26

SHA256
e6deb751039cd5424a139708475ce83f9c042d43e650765a716cb4a924b07e4f

SHA512
da3a440c94cb99b8af7d2bc8f8f0631ae9c112bd04badf200edbf7ea0c48d012843b4a9fb9f1e6d3a9674fd3d4eb6f0fa78fd1121fad1f01f3b981028538b666

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23362\_sqlite3.pyd

Filesize
96KB

MD5
5279d497eee4cf269d7b4059c72b14c2

SHA1
aff2f5de807ae03e599979a1a5c605fc4bad986e

SHA256
b298a44af162be7107fd187f04b63fb3827f1374594e22910ec38829da7a12dc

SHA512
20726fc5b46a6d07a3e58cdf1bed821db57ce2d9f5bee8cfd59fce779c8d5c4b517d3eb70cd2a0505e48e465d628a674d18030a909f5b73188d07cc80dcda925

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23362\_ssl.pyd

Filesize
156KB

MD5
7910fb2af40e81bee211182cffec0a06

SHA1
251482ed44840b3c75426dd8e3280059d2ca06c6

SHA256
d2a7999e234e33828888ad455baa6ab101d90323579abc1095b8c42f0f723b6f

SHA512
bfe6506feb27a592fe9cf1db7d567d0d07f148ef1a2c969f1e4f7f29740c6bb8ccf946131e65fe5aa8ede371686c272b0860bd4c0c223195aaa1a44f59301b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23362\_uuid.pyd

Filesize
24KB

MD5
b68c98113c8e7e83af56ba98ff3ac84a

SHA1
448938564559570b269e05e745d9c52ecda37154

SHA256
990586f2a2ba00d48b59bdd03d3c223b8e9fb7d7fab6d414bac2833eb1241ca2

SHA512
33c69199cba8e58e235b96684346e748a17cc7f03fc068cfa8a7ec7b5f9f6fa90d90b5cdb43285abf8b4108e71098d4e87fb0d06b28e2132357964b3eea3a4f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23362\attrs-24.2.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23362\attrs-24.2.0.dist-info\METADATA

Filesize
11KB

MD5
49cabcb5f8da14c72c8c3d00adb3c115

SHA1
f575becf993ecdf9c6e43190c1cb74d3556cf912

SHA256
dc9824e25afd635480a8073038b3cdfe6a56d3073a54e1a6fb21edd4bb0f207c

SHA512
923daeee0861611d230df263577b3c382ae26400ca5f1830ee309bd6737eed2ad934010d61cdd4796618bedb3436cd772d9429a5bed0a106ef7de60e114e505c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23362\base_library.zip

Filesize
859KB

MD5
3ae8624c9c1224f10a3135a7039c951f

SHA1
08c18204e598708ba5ea59e928ef80ca4485b592

SHA256
64dfc4067a99c71094b4a9aa8e50344e7d42ea9a0d376cbcd419c04e53384285

SHA512
c47ea6b8e004c27fa29e84f6363f97e775c83a239eb3ae75dedca79e69db02b431a586877ee8f948f83b522b00c20e6b1d5864628c2aef9e33e0be95fe6e3254

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23362\cryptography\hazmat\bindings\_rust.pyd

Filesize
7.5MB

MD5
bfd28b03a4c32a9bcb001451fd002f67

SHA1
dd528fd5f4775e16b2e743d3188b66f1174807b2

SHA256
8ef0f404a8bff12fd6621d8f4f209499613f565777fe1c2a680e8a18f312d5a7

SHA512
6dc39638435f147b399826e34f78571d7ed2ed1232275e213a2b020224c0645e379f74a0ca5de86930d3348981c8bb03bbbecfa601f8ba781417e7114662ddee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23362\libcrypto-1_1.dll

Filesize
3.3MB

MD5
9d7a0c99256c50afd5b0560ba2548930

SHA1
76bd9f13597a46f5283aa35c30b53c21976d0824

SHA256
9b7b4a0ad212095a8c2e35c71694d8a1764cd72a829e8e17c8afe3a55f147939

SHA512
cb39aa99b9d98c735fdacf1c5ed68a4d09d11f30262b91f6aa48c3f8520eff95e499400d0ce7e280ca7a90ff6d7141d2d893ef0b33a8803a1cadb28ba9a9e3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23362\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23362\libssl-1_1.dll

Filesize
688KB

MD5
bec0f86f9da765e2a02c9237259a7898

SHA1
3caa604c3fff88e71f489977e4293a488fb5671c

SHA256
d74ce01319ae6f54483a19375524aa39d9f5fd91f06cf7df238ca25e043130fd

SHA512
ffbc4e5ffdb49704e7aa6d74533e5af76bbe5db297713d8e59bd296143fe5f145fbb616b343eed3c48eceaccccc2431630470d8975a4a17c37eafcc12edd19f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23362\multidict\_multidict.cp310-win_amd64.pyd

Filesize
46KB

MD5
95463f615865a472f75ddb365644a571

SHA1
91f22ef3f2ffd3e9d6ce6e58beea9a96287b090b

SHA256
9ee77474d244a17337d4ccc5113fe4af7b4d86f9969293a884927718d06e63c8

SHA512
e3cccce9ebf5e7cf33e68046d3e7b59e454ccb791635eb5f405977fd270126ef8b58e6288dbe58c96b681361d81ef28720eba8d0bd389bfb0f4c3114d098a117

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23362\propcache\_helpers_c.cp310-win_amd64.pyd

Filesize
73KB

MD5
41e139669cacb62ee4e06ef7eb1a647e

SHA1
1fa1274a9f7a0e53458f641c115f7407910e6cb1

SHA256
b6fbac3a2baa833f34c327be227a816df47b11f45ac8a42e7b75c42e90c65353

SHA512
98e9810a91c74b2241826d96cae0b124cd8eaced629b502654c537c8ef7f1d3462accfb5bf3fb91069616c9501eb68b6a66f42e51927c3a167e1ad81cc27c8c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23362\pyexpat.pyd

Filesize
194KB

MD5
1118c1329f82ce9072d908cbd87e197c

SHA1
c59382178fe695c2c5576dca47c96b6de4bbcffd

SHA256
4a2d59993bce76790c6d923af81bf404f8e2cb73552e320113663b14cf78748c

SHA512
29f1b74e96a95b0b777ef00448da8bd0844e2f1d8248788a284ec868ae098c774a694d234a00bd991b2d22c2372c34f762cdbd9ec523234861e39c0ca752dcaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23362\python3.dll

Filesize
64KB

MD5
fd4a39e7c1f7f07cf635145a2af0dc3a

SHA1
05292ba14acc978bb195818499a294028ab644bd

SHA256
dc909eb798a23ba8ee9f8e3f307d97755bc0d2dc0cb342cedae81fbbad32a8a9

SHA512
37d3218bc767c44e8197555d3fa18d5aad43a536cfe24ac17bf8a3084fb70bd4763ccfd16d2df405538b657f720871e0cd312dfeb7f592f3aac34d9d00d5a643

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23362\python310.dll

Filesize
4.3MB

MD5
63a1fa9259a35eaeac04174cecb90048

SHA1
0dc0c91bcd6f69b80dcdd7e4020365dd7853885a

SHA256
14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed

SHA512
896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23362\select.pyd

Filesize
29KB

MD5
a653f35d05d2f6debc5d34daddd3dfa1

SHA1
1a2ceec28ea44388f412420425665c3781af2435

SHA256
db85f2f94d4994283e1055057372594538ae11020389d966e45607413851d9e9

SHA512
5aede99c3be25b1a962261b183ae7a7fb92cb0cb866065dc9cd7bb5ff6f41cc8813d2cc9de54670a27b3ad07a33b833eaa95a5b46dad7763ca97dfa0c1ce54c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23362\sqlite3.dll

Filesize
1.4MB

MD5
914925249a488bd62d16455d156bd30d

SHA1
7e66ba53f3512f81c9014d322fcb7dd895f62c55

SHA256
fbd8832b5bc7e5c9adcf7320c051a67ee1c33fd198105283058533d132785ab4

SHA512
21a468929b15b76b313b32be65cfc50cad8f03c3b2e9bf11ca3b02c88a0482b7bc15646ce40df7fb42fbc96bd12362a54cffe0563c4ddc3fc78622622c699186

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23362\unicodedata.pyd

Filesize
1.1MB

MD5
81d62ad36cbddb4e57a91018f3c0816e

SHA1
fe4a4fc35df240b50db22b35824e4826059a807b

SHA256
1fb2d66c056f69e8bbdd8c6c910e72697874dae680264f8fb4b4df19af98aa2e

SHA512
7d15d741378e671591356dfaad4e1e03d3f5456cbdf87579b61d02a4a52ab9b6ecbffad3274cede8c876ea19eaeb8ba4372ad5986744d430a29f50b9caffb75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23362\yarl\_quoting_c.cp310-win_amd64.pyd

Filesize
93KB

MD5
01703fd29061aedb98f707266c9e1657

SHA1
2711da2f3359d4a16ad66565eabc617a958232a8

SHA256
bbfaa11a2075c7107949092a6376e6ee8592ce70e0337e11f7b38768207ec68e

SHA512
aaf2b74207dbceba38ad09d6408cf5e8bf2812776b9830965a52611d1f087e437e24259dd86f336c86cb80476f7ca1e74bd49a46b48857f1b5754787af4c5e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g40ls0nl.xds.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\WaltuhiumUpdateService\Waltuhium.exe

Filesize
11.1MB

MD5
1367126f6694188447c383594bd1341d

SHA1
118660944b0cc7a0352c9749f359b10e106e0724

SHA256
0fbad2885a4929b5dcf00028824c22b7dd8e276d13a1c8c341445f47852004ae

SHA512
486379c7993161213de3ccdc4694d21b4b69879babd1f92ad9a4274f1934fbec36ade3386360c86baade860183bd32bceffa0ffe76cff4175893494c57a3de7a

Download Submit
memory/4460-150-0x000002D1FA7B0000-0x000002D1FA7D2000-memory.dmp

Filesize
136KB

Download