Malware Analysis Report

2024-11-15 09:53

Sample ID 241109-xbqd8azdmg
Target Waltuhium.exe
SHA256 0fbad2885a4929b5dcf00028824c22b7dd8e276d13a1c8c341445f47852004ae
Tags
pyinstaller exelastealer collection defense_evasion discovery evasion persistence privilege_escalation spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

0fbad2885a4929b5dcf00028824c22b7dd8e276d13a1c8c341445f47852004ae

Threat Level: Known bad

The file Waltuhium.exe was found to be: Known bad.

Malicious Activity Summary

pyinstaller exelastealer collection defense_evasion discovery evasion persistence privilege_escalation spyware stealer

Exela Stealer

Exelastealer family

Grants admin privileges

Modifies Windows Firewall

Reads user/profile data of web browsers

Loads dropped DLL

Clipboard Data

Legitimate hosting services abused for malware hosting/C2

Network Service Discovery

Looks up external IP address via web service

Hide Artifacts: Hidden Files and Directories

Enumerates processes with tasklist

Launches sc.exe

Detects Pyinstaller

Unsigned PE

Permission Groups Discovery: Local Groups

Embeds OpenSSL

Event Triggered Execution: Netsh Helper DLL

System Network Connections Discovery

System Network Configuration Discovery: Wi-Fi Discovery

Browser Information Discovery

Views/modifies file attributes

Suspicious behavior: EnumeratesProcesses

Gathers system information

Suspicious use of AdjustPrivilegeToken

Detects videocard installed

Gathers network information

Suspicious use of WriteProcessMemory

Collects information from the system

Runs net.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 18:41

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 18:41

Reported

2024-11-09 18:44

Platform

win7-20240708-en

Max time kernel

3s

Max time network

1s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Waltuhium.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Waltuhium.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Waltuhium.exe

"C:\Users\Admin\AppData\Local\Temp\Waltuhium.exe"

C:\Users\Admin\AppData\Local\Temp\Waltuhium.exe

"C:\Users\Admin\AppData\Local\Temp\Waltuhium.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI24922\python310.dll

MD5 63a1fa9259a35eaeac04174cecb90048
SHA1 0dc0c91bcd6f69b80dcdd7e4020365dd7853885a
SHA256 14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed
SHA512 896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 18:41

Reported

2024-11-09 18:46

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Waltuhium.exe"

Signatures

Exela Stealer

stealer exelastealer

Exelastealer family

exelastealer

Grants admin privileges

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Clipboard Data

collection
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Waltuhium.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\ARP.EXE N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Browser Information Discovery

discovery

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Embeds OpenSSL

Description Indicator Process Target
N/A N/A N/A N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Permission Groups Discovery: Local Groups

discovery

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

System Network Connections Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2336 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\Waltuhium.exe C:\Users\Admin\AppData\Local\Temp\Waltuhium.exe
PID 1152 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\Waltuhium.exe C:\Windows\system32\cmd.exe
PID 1152 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\Waltuhium.exe C:\Windows\system32\cmd.exe
PID 1152 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\Waltuhium.exe C:\Windows\system32\cmd.exe
PID 5056 wrote to memory of 1484 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1152 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\Waltuhium.exe C:\Windows\system32\cmd.exe
PID 1152 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\Waltuhium.exe C:\Windows\system32\cmd.exe
PID 544 wrote to memory of 680 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2372 wrote to memory of 4244 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1152 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\Waltuhium.exe C:\Windows\system32\cmd.exe
PID 1704 wrote to memory of 1400 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1152 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\Waltuhium.exe C:\Windows\system32\cmd.exe
PID 1152 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\Waltuhium.exe C:\Windows\system32\cmd.exe
PID 1064 wrote to memory of 3980 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 508 wrote to memory of 2688 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1152 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\Waltuhium.exe C:\Windows\system32\cmd.exe
PID 4456 wrote to memory of 2632 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1152 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\Waltuhium.exe C:\Windows\system32\cmd.exe
PID 3648 wrote to memory of 1080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1152 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\Waltuhium.exe C:\Windows\system32\cmd.exe
PID 1152 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\Waltuhium.exe C:\Windows\system32\cmd.exe
PID 1152 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\Waltuhium.exe C:\Windows\system32\cmd.exe
PID 1152 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\Waltuhium.exe C:\Windows\system32\cmd.exe
PID 3012 wrote to memory of 4460 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2896 wrote to memory of 3096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3096 wrote to memory of 920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2904 wrote to memory of 3880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3132 wrote to memory of 1668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1668 wrote to memory of 1800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1152 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\Waltuhium.exe C:\Windows\system32\cmd.exe
PID 1152 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\Waltuhium.exe C:\Windows\system32\cmd.exe
PID 4848 wrote to memory of 2452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Waltuhium.exe

"C:\Users\Admin\AppData\Local\Temp\Waltuhium.exe"

C:\Users\Admin\AppData\Local\Temp\Waltuhium.exe

"C:\Users\Admin\AppData\Local\Temp\Waltuhium.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "gdb --version"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get Manufacturer

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_ComputerSystem get Manufacturer

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\WaltuhiumUpdateService\Waltuhium.exe""

C:\Windows\system32\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Local\WaltuhiumUpdateService\Waltuhium.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Clipboard

C:\Windows\system32\cmd.exe

cmd.exe /c chcp

C:\Windows\system32\chcp.com

chcp

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

cmd.exe /c chcp

C:\Windows\system32\chcp.com

chcp

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\HOSTNAME.EXE

hostname

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get caption,description,providername

C:\Windows\system32\net.exe

net user

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user

C:\Windows\system32\query.exe

query user

C:\Windows\system32\quser.exe

"C:\Windows\system32\quser.exe"

C:\Windows\system32\net.exe

net localgroup

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup

C:\Windows\system32\net.exe

net localgroup administrators

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup administrators

C:\Windows\system32\net.exe

net user guest

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user guest

C:\Windows\system32\net.exe

net user administrator

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user administrator

C:\Windows\System32\Wbem\WMIC.exe

wmic startup get caption,command

C:\Windows\system32\tasklist.exe

tasklist /svc

C:\Windows\system32\ipconfig.exe

ipconfig /all

C:\Windows\system32\ROUTE.EXE

route print

C:\Windows\system32\ARP.EXE

arp -a

C:\Windows\system32\NETSTAT.EXE

netstat -ano

C:\Windows\system32\sc.exe

sc query type= service state= all

C:\Windows\system32\netsh.exe

netsh firewall show state

C:\Windows\system32\netsh.exe

netsh firewall show config

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

Network

Files

SHA512 a5371d6f6055b92ac119a3e3b52b21e2d17604e5a5ac241c008ec60d1db70b3ce4507d82a3c7ce580ed2eb7d83bb718f4edc2943d10cb1d377fa006f4d0026b6

C:\Users\Admin\AppData\Local\Temp\_MEI23362\libcrypto-1_1.dll

MD5 9d7a0c99256c50afd5b0560ba2548930
SHA1 76bd9f13597a46f5283aa35c30b53c21976d0824
SHA256 9b7b4a0ad212095a8c2e35c71694d8a1764cd72a829e8e17c8afe3a55f147939
SHA512 cb39aa99b9d98c735fdacf1c5ed68a4d09d11f30262b91f6aa48c3f8520eff95e499400d0ce7e280ca7a90ff6d7141d2d893ef0b33a8803a1cadb28ba9a9e3e2

C:\Users\Admin\AppData\Local\Temp\_MEI23362\_ssl.pyd

MD5 7910fb2af40e81bee211182cffec0a06
SHA1 251482ed44840b3c75426dd8e3280059d2ca06c6
SHA256 d2a7999e234e33828888ad455baa6ab101d90323579abc1095b8c42f0f723b6f
SHA512 bfe6506feb27a592fe9cf1db7d567d0d07f148ef1a2c969f1e4f7f29740c6bb8ccf946131e65fe5aa8ede371686c272b0860bd4c0c223195aaa1a44f59301b27

C:\Users\Admin\AppData\Local\Temp\_MEI23362\_cffi_backend.cp310-win_amd64.pyd

MD5 2baaa98b744915339ae6c016b17c3763
SHA1 483c11673b73698f20ca2ff0748628c789b4dc68
SHA256 4f1ce205c2be986c9d38b951b6bcb6045eb363e06dacc069a41941f80be9068c
SHA512 2ae8df6e764c0813a4c9f7ac5a08e045b44daac551e8ff5f8aa83286be96aa0714d373b8d58e6d3aa4b821786a919505b74f118013d9fcd1ebc5a9e4876c2b5f

C:\Users\Admin\AppData\Local\Temp\_MEI23362\_lzma.pyd

MD5 7447efd8d71e8a1929be0fac722b42dc
SHA1 6080c1b84c2dcbf03dcc2d95306615ff5fce49a6
SHA256 60793c8592193cfbd00fd3e5263be4315d650ba4f9e4fda9c45a10642fd998be
SHA512 c6295d45ed6c4f7534c1a38d47ddc55fea8b9f62bbdc0743e4d22e8ad0484984f8ab077b73e683d0a92d11bf6588a1ae395456cfa57da94bb2a6c4a1b07984de

C:\Users\Admin\AppData\Local\Temp\_MEI23362\_bz2.pyd

MD5 86d1b2a9070cd7d52124126a357ff067
SHA1 18e30446fe51ced706f62c3544a8c8fdc08de503
SHA256 62173a8fadd4bf4dd71ab89ea718754aa31620244372f0c5bbbae102e641a60e
SHA512 7db4b7e0c518a02ae901f4b24e3860122acc67e38e73f98f993fe99eb20bb3aa539db1ed40e63d6021861b54f34a5f5a364907ffd7da182adea68bbdd5c2b535

C:\Users\Admin\AppData\Local\Temp\_MEI23362\_queue.pyd

MD5 d8c1b81bbc125b6ad1f48a172181336e
SHA1 3ff1d8dcec04ce16e97e12263b9233fbf982340c
SHA256 925f05255f4aae0997dc4ec94d900fd15950fd840685d5b8aa755427c7422b14
SHA512 ccc9f0d3aca66729832f26be12f8e7021834bbee1f4a45da9451b1aa5c2e63126c0031d223af57cf71fad2c85860782a56d78d8339b35720194df139076e0772

C:\Users\Admin\AppData\Local\Temp\_MEI23362\_multiprocessing.pyd

MD5 a9a0588711147e01eed59be23c7944a9
SHA1 122494f75e8bb083ddb6545740c4fae1f83970c9
SHA256 7581edea33c1db0a49b8361e51e6291688601640e57d75909fb2007b2104fa4c
SHA512 6b580f5c53000db5954deb5b2400c14cb07f5f8bbcfc069b58c2481719a0f22f0d40854ca640ef8425c498fbae98c9de156b5cc04b168577f0da0c6b13846a88

C:\Users\Admin\AppData\Local\Temp\_MEI23362\_decimal.pyd

MD5 20c77203ddf9ff2ff96d6d11dea2edcf
SHA1 0d660b8d1161e72c993c6e2ab0292a409f6379a5
SHA256 9aac010a424c757c434c460c3c0a6515d7720966ab64bad667539282a17b4133
SHA512 2b24346ece2cbd1e9472a0e70768a8b4a5d2c12b3d83934f22ebdc9392d9023dcb44d2322ada9edbe2eb0e2c01b5742d2a83fa57ca23054080909ec6eb7cf3ca

C:\Users\Admin\AppData\Local\Temp\_MEI23362\pyexpat.pyd

MD5 1118c1329f82ce9072d908cbd87e197c
SHA1 c59382178fe695c2c5576dca47c96b6de4bbcffd
SHA256 4a2d59993bce76790c6d923af81bf404f8e2cb73552e320113663b14cf78748c
SHA512 29f1b74e96a95b0b777ef00448da8bd0844e2f1d8248788a284ec868ae098c774a694d234a00bd991b2d22c2372c34f762cdbd9ec523234861e39c0ca752dcaa

C:\Users\Admin\AppData\Local\Temp\_MEI23362\python3.dll

MD5 fd4a39e7c1f7f07cf635145a2af0dc3a
SHA1 05292ba14acc978bb195818499a294028ab644bd
SHA256 dc909eb798a23ba8ee9f8e3f307d97755bc0d2dc0cb342cedae81fbbad32a8a9
SHA512 37d3218bc767c44e8197555d3fa18d5aad43a536cfe24ac17bf8a3084fb70bd4763ccfd16d2df405538b657f720871e0cd312dfeb7f592f3aac34d9d00d5a643

memory/4460-150-0x000002D1FA7B0000-0x000002D1FA7D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g40ls0nl.xds.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\_MEI23362\attrs-24.2.0.dist-info\INSTALLER

MD5 365c9bfeb7d89244f2ce01c1de44cb85
SHA1 d7a03141d5d6b1e88b6b59ef08b6681df212c599
SHA256 ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508
SHA512 d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

C:\Users\Admin\AppData\Local\Temp\_MEI23362\attrs-24.2.0.dist-info\METADATA

MD5 49cabcb5f8da14c72c8c3d00adb3c115
SHA1 f575becf993ecdf9c6e43190c1cb74d3556cf912
SHA256 dc9824e25afd635480a8073038b3cdfe6a56d3073a54e1a6fb21edd4bb0f207c
SHA512 923daeee0861611d230df263577b3c382ae26400ca5f1830ee309bd6737eed2ad934010d61cdd4796618bedb3436cd772d9429a5bed0a106ef7de60e114e505c

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Desktop\ClearWait.xls

MD5 f73dcac1879ac65ab8c0a879c00f25d8
SHA1 9299450dc16d0ad7a9f0950fb3a99fb6e13a8210
SHA256 c49e9eaab2831a01c31d66929a11aa27a222303dfeb75cc0163d21b0e4ec7416
SHA512 61f4992b3765b38ffed87407dc181e808d6c15bba07be10cc80ac1c4e43c3536ac35ad12e27a0a8ab4653df668cc3a1e6552ba52ba6c7b1443d4007d89c5e7f0

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Desktop\ConvertFromSend.docx

MD5 081f2d7807de62488c68f9b1e1c76bca
SHA1 7b79eb9be1e04a2fcd3e5bd8fbbd0c1648e23a0b
SHA256 e06100cef9ee05365343afedd3ba8751932ae563fc072fd31b38c7b5d08eebec
SHA512 9ef5ade72ffd21f6f685c580f26ef4ee3b0fb336a7caf913ca2d0917e8317df92e0fabcefa38087ee7c6d1bb7e5194904eb6febb1a1044ff8ea381f91e57561d

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Desktop\CompareFind.xlsx

MD5 84685b4db5144897ab59f487dadb547e
SHA1 4e04789059d6551d8582997b6c50b36bdbd1d0c1
SHA256 b524df93be13f7b8c688601e5d97f206efe62c671dbc4db8890d0fa63badd1bc
SHA512 bac7e64b8ecd462a6e3e6b7425e700a2c0f09ad76de244d4002ae495cbe46441417460849079d9a8351af09620e7b43154479e590037031cb13b300af73adddb

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Desktop\FindClear.xlsx

MD5 45c48ab11809ae2818745a831528123a
SHA1 2fcdebb51c3f6cc51861f88a34c4c31f8211194d
SHA256 d200ef032f8a3905b6890c7ea44517df54835ace320a6612eba53430749268b9
SHA512 58b52d2c286eeffd6b92ae6e577e08a1dfa5b29ce2687d0ea07381a42c98af6dfdbf4b9ff6737ae13d46c37abd956496d3321cba38c1e82c5ffd6461d8a1f757

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Desktop\LockGet.zip

MD5 51724b826bf71a47b68e6588bdce5004
SHA1 4efedcbef4e1c2b9eb0267cd330bdf114d183c9c
SHA256 7e56c591f160392b47c5a6a1b0765de4289d6b45add74bf93d683592a1df510b
SHA512 0bdc8f1e9a200e76d4540e10823d00cc2c894b7a9aa0f2e8ef5c3283f142d059447a382dcb48c77694b0d49c99b33316cffd8f43ec764bb9915a447e5329d90c

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Desktop\LimitApprove.docx

MD5 f0aa8de62c16b22aed4618c1f8c5c5f6
SHA1 79256b5ffc2ccd1d2a7a712d1a2790664d79b1d3
SHA256 7b3b0b17173d949c0fce3a77893226f713e2a26a1d845e579dece0e750d8cebe
SHA512 ab3a294ab83a23c35305a0d2bf6e377c263b08348e06f719d87d09e92f626976cfe4f4c73cab792d810d136220ee3b7d649ac93191b4073f40f638a59082354f

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Desktop\TraceUse.jpeg

MD5 dad2010bb1b4231da3c7fd1ec5b6bd0e
SHA1 8086ae380210cd0d07588930048f61dabb7c923b
SHA256 d163d90468901dd8c555af0daf711a28a169111349b266bd5b29bb35e105999e
SHA512 d5da815bb96da6bf37452d9a6d214f0f33478bdc5379cbeb2d78c0799fe915fc5adce8e433b9507d02ab558a214b069ec200ea8069ba65b9d2cea7bcfa06c831

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Desktop\UnlockDismount.jpg

MD5 58b53a04eb9d8ca66281e51c041261f3
SHA1 138e5d2028dce922d23ece500ac4fd2ae9f6f106
SHA256 5681dce9769e4585b14527f34be5938cf9bebe121d0a319a798c46accda0abe7
SHA512 da32c894638e976c383a965293590ea4cd2a43857405e40037c9954943a53043b00d493da286b7d5f5fc64d9c0e4d8c3bce73e8262aabf50e2efaae773f47e8a

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Documents\BackupDeny.odt

MD5 347168b6895e678e86244377281e795f
SHA1 4a0694dee2f0d2343c54b44eda626cdb9d18b30d
SHA256 c17dd498e39d97a906f623f6c7e06f1037ddb198bfab4169117caddb3103c2d5
SHA512 5dd9bbf978b5ca9d6ef30e057545a9017f415fba9db5bdad8fe70fd74177bf210380a6aa358af2ae14823ed4773c1d0094ea741d7d19f26e6a2fdf7103b69203

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Downloads\GrantResume.docx

MD5 ea906a106390b2c05c3de24405adcc8e
SHA1 2cccfc7e0feb75f4c3ef20882f758459ffefd9ab
SHA256 fa68704f7bee993a5f8621f7f5f4eb6b8d0d5a220dcd1710b8d971708c688e7e
SHA512 c649b3d81e2a2bdaace10933e6c0300a29c1d28fc3c07debc1d562051e8c7ee7922257c0bcbefe27f1df8f0a1e5b398fb0a2a041f9b821dd6aa1ce65832040e5

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Documents\SuspendGroup.csv

MD5 ae54904b28a69ad041a888b55754c363
SHA1 17ec66de89e1d05ff3792deefad53e574da7c3a4
SHA256 bea48781fc1a1de2cc1f091b3655120fb7c5d7e54c45775d2f41c89dd7eb6897
SHA512 e5cef3e9effde46b39ea73a607f7bc4452c0c22ea44ee4eec52ff16e67f4be84882ef3826d91a6779c46cce0f51686082c9dd1dce9ebfffca82cfb8f804b404e

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Documents\SelectMeasure.pdf

MD5 7cbd95dcd2f196cca05650ac537f8fe1
SHA1 38f6de78bfcfb599a82c2309879e67414bb49d5f
SHA256 1336710b839276fac367a7067fb4d3235c90054cc928dca552f5a5edf9949227
SHA512 9541af99fbc7dee88b4efc23f00ea893f8b4886399fe8e878adfdfc8396176498b6f3b921599ca85a8ecfd98c2879840492a8937690600f1144fa01935effe1c

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Documents\SelectGet.xlsx

MD5 262d28311ab0740c41851ea2c782703a
SHA1 5f8546f2d6f2b7ed0265a7304325286fedb9ecb2
SHA256 95ec8f4134d084ab3cf26bfb3a77a911f1e7de90398d6cbb91ebc77553aa2572
SHA512 d83f20be50c7cfd52e2e19585bc5af9ae0b85ec25be470b20cee322289a8ed7ae319db0c73b4ebd8d13d8b6ff6713742738d9c013661124e2c55e1552975833a

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Documents\MountLimit.docx

MD5 75f98b5c2637d048ceec92f9294844e7
SHA1 6806e2f9818f24fd0303e7c168146013421de70e
SHA256 af3b6fcb4c5f75cc7cebbfffe5a1e693c0040c0025b1fdf44efcb003f175f254
SHA512 2d7a0c16a213004810d3079a775b34cf16b108f78177a1e808441e9c722096acd9f04e151aa907bf6a1f6fd64583a9c4b6c91e257a3911f1b7af7fb0a7c6d8fc

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Documents\CopyUnpublish.xlsx

MD5 2ca0f4fcbf3a15d152668e5444140cca
SHA1 005877ce100f3a234879d278f9e093855974c174
SHA256 0603ecc9e41667df31f7252f0b5743923073153152a2a9acffe3015cfc602ba8
SHA512 99f7e6e0f3d1abe52d3330c3df03a7aeea2a94136e5bc3fa1514540b41169560efe13e8f99fef8efa21b18d0c7bffed00508090e51d8966e9f832596e797a6e5

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Desktop\UninstallWrite.docx

MD5 3cf5afec63efe497b2877c8afa888f73
SHA1 5f8fd4b2a6c059291196e5cdb7d0c35f27c66b18
SHA256 610edf7796b2ce2bddfe3104289fd5840382d42f327aeb23fcf78ca7acfd1a90
SHA512 ead3fc49a922138ee46f161e8d179876866b54cd5a44f80807851d88a4347e85de48689a9578bee052afd005dbd802c664516bcb34b6eafeafb4426d9360ae9f

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Desktop\UnblockUnlock.docx

MD5 60f24e652769b6e613df17e045721801
SHA1 89f81d080bcdacd04e2f4893be5d30e385d97f5b
SHA256 e1d4762eca0c1ff8ad4f3f9894394bdf4a4c396981d139471715ab95d9ca861d
SHA512 c06af388c9a4369fde241ac2447c8bacf342fabbdbaefb8c70d18344efa38cf68cd86a5ab784f790d6b3b59c130bcb777d851784a08b4315e91b9867d8c48d7c

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Downloads\InstallWrite.mp3

MD5 cfed834d9ba443189fce89816589be7c
SHA1 8f58d5b6f394e58886bc455f15faae2e9664919e
SHA256 f41f87bad9df6a4e7feaaaf1e3503a09212a032e8ecfaa6078a4094ea4e8f159
SHA512 08b94c9eb45912223471931c7ba8ebeecfadd5a541b6b0b6055b91c857fc1eb6ff253e17346778c6cd9aa790a3e22540b9aa9df9ba934e98014041fbfc3fbf0b

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Downloads\SkipTrace.txt

MD5 d7616d97508168909c74db06521a2a93
SHA1 c210f7b35cf27a0ef20134d229252dd0d3e4edb7
SHA256 37b6f796847a837550c65cdbe4f809f73c973644130dd8687e2551ce9c0e0737
SHA512 c88aa853d8b7bfc98cb3350b361e455f6bc5a92f7e6416c6fc8dc338c92dc4ce3847856039640d7061a0a4120783c2827aed498aa8c74573cd88e94403226d56

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Music\BackupClose.mov

MD5 d6758186e4c79ea4c9ae632744129a38
SHA1 4f1773244a471251647cb3cb99fdc918345ec402
SHA256 832d8c794e7f698c9204f8727cd807973afa2ff5048617212aa9f80aacdfdbd3
SHA512 c4b167b4949af9693d1cdee089c13666fc8b29df00f7675bb53f5b155ec015d579a387e5e4ace5837e5f11a9676e5eec7af9fa859154f12094bc43275d66317c

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Music\CopyConvertFrom.xls

MD5 1beea1c53674f121314d124db0c05b6a
SHA1 4aa1bd3b1a63fa682af833bbd5ada218773fe272
SHA256 09e9f029472be1ad79442bfbf39885a8c45c8b7e77bb4eb00354df4538c16da7
SHA512 ab26438c103161eafac726bfb13ea96aff9c91e32703db77d690923dfabe4ce51636cf55f7d331f24c1501c120bc68d9e0612698ca46a779160da3255b2b4f1a

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Downloads\TestRedo.jpeg

MD5 a3ff44c8752e0c09c795216efbe03fac
SHA1 0e740cc6a7362a09e112a73584ca7d14c376ff6f
SHA256 aa6cbb5810f176b9df8b045fef18ecb22b2e336995a330d6f5996694643082eb
SHA512 f0d9ab3dcf8ce3a4126fa04ec3a5b4aa84b6c38fdb3261079eaecf18bd108f57e6cdf5e2ea158f7c78a004b5e35e5cf0fd2b429272d7e541ac0cdb5d78a2d8f1

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Music\DebugLimit.zip

MD5 ed3e5f4613f5452abdcae1a4dd88ee9f
SHA1 68cfe813ac4c1a2e1fdc4242601285ae6faa58f5
SHA256 b49f01e67374c8f9880c75fab6abee25cb75c0df0c08fd9d4c2dbf4e0c6004aa
SHA512 5926a94690bc90ed96d751d1f6f08a182dfd1df642cc39a92064a563161d9a74f7afe7204173effef1ce6ced296433553c962d087c73c5e35bbf85e412195a7f

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Music\EditRestore.docx

MD5 903a99712626eee536152dce74d3a3d5
SHA1 6278b0055b3eae2e03ffcb485d124fcad9635175
SHA256 0f883078910840d14fc3c2552063b52084fbc6b4286b69eec57c1348514f1160
SHA512 256e339d4fde3fd6fb57d769f749413e36b07683d42ab646fca8154b749b62b7e0b4d28c9b79640c7745ebaf05b966066f1811b8fbda65a801b2e804e42fef33

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Music\ExitBackup.txt

MD5 061751ba1a5edbe1ef1c94ae5f56013e
SHA1 8f5deceb9b949e7af10840c0e245c4fd3e1a9477
SHA256 02c9894f4fbbe5d9fe89b645007568e1ed20964592a87bf00c50289e46ba69db
SHA512 0dd349be8dd93a59ceee0a81c4bfa1648ed4d417add3e0d006554ec46ffc05e31d4abea16b116fafa608f94ed2ae1a9eec86f93c6da3143830ecbdc11e220e0f

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Music\ExitFormat.docx

MD5 703694cce6b6a2c73bcf08bfb69c0718
SHA1 6d3870d16d6eeacc546e05fe2baef11165d1023e
SHA256 2bc97e2dbb49cb56cbe9fc264b950eca3750590f11f5362df65a504a4639ee55
SHA512 6e82e399de491612043a9e2d77501bb085da8a46e408bf3617dd93dedec16652f952c169877bed0633aa6a69bda74feeca19734eb8dd9b35fc39bd9d28b7bb9e

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Music\EnableRestart.png

MD5 382c96a518c2d22d16e739b8d0779f82
SHA1 90bb1d8df15b0dd1a28976c09dd2d871fb985367
SHA256 657b8e70bad7b36c885d442d04e95543d5cc40eb3ebcc0d6920a9f6671b5b14e
SHA512 834a12043900759f9051f94538af742eb676c10e7420acf715340d258a6c432d6d6600dc6632e9670818b193c58be133c99f56a4153ca4d31c28634652e32ad3

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Music\ResolveInstall.jpg

MD5 aa988e46250962b01ca3f95c06c2399c
SHA1 e4e1f1e46ebf99605c8d9b2ca81f8232092f2c8e
SHA256 cecc2e2c79b1ccd5f731e502352755e03720ce16e741916b28c43f86b18820f1
SHA512 881e5a20ec01dee9cc0ab5c2a7a3c41321b23a1bff1e51633658a145e153757e17a71b6f43916c060ced27936d6458b580bba26297b055929b10748b0950a9e1

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Music\UpdateConnect.txt

MD5 d84d3c909738f807dce7db54ab25a773
SHA1 6731e45b5a1f55367736944f4c399aefd2ffc1e7
SHA256 68f57b79daf609fbef3cf790ed4ed49b35213ffcb7f0876853af97cbea65daca
SHA512 2c4f590e3f638ea3d064a56b1c4adb83034d39e95315f38f7f04e36a7432638ee501dffa9176fe71f11c076383093fadbd275f242fe010f252f30297e555b5e5

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Music\UnpublishConvert.mp4

MD5 225837ef4215072bd9a71488df7622b1
SHA1 8f97d2afe779e7d33c5fa91e289e84629f474ad7
SHA256 745cdba6821a6de41d3d75ca178654d1d3d88066defc77dabef9e20b240d39f7
SHA512 e8b3b0f7aa5deb10268dbc7ccf02b80a9dd44a634d9d79ccea83d1e6fb432d66fd33dc228e9d27b9821feba3a1f88faaf7ae7a2bf0a3afad85503f80592dd48b

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Music\ShowSwitch.docx

MD5 e0c0bf0bec7bb6edc1279c8069308782
SHA1 9e228a75b69802cbf18a726a01e356f0584e3421
SHA256 1f4aee0447b8ce1450d2e595852dda6cd7ad2b132334a2fdb4ead1550adb1639
SHA512 add4034fb200bc2b175eaca158c653fcc5d32bb2abaa1d3a66555e4d54cfc07ef4a96c10c9b8a6e5a7dcd68d6f1ffd9f92a7a7d3cfe41b29ee3e9f422887539a

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Music\RestoreSave.jpeg

MD5 41a344b1345397bc0135fe93d676984b
SHA1 804cf9394cd0c02a0c7142b5ffd01c4f3b965bc7
SHA256 097386ebc6742159e7f375362140096c2a47576c37f47fac29284c453875b3d5
SHA512 37eda107fd34415791e68f5416d0809642397f0fda122d6162fb6ea4081cc20b9b6b91173bcd1d940daa2528621591caadc94f7b2632b5d8c858fbbf92cbfdab

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Music\InstallSwitch.jpeg

MD5 f8ebfd80cc38e43523561c8a76fa66c7
SHA1 dc5766e0bd0ebc10afe6d5494e324c350ef08013
SHA256 398b0fb21f0b0cc8ab96955cd5a70a6fee968f037ee2973f1fa388e8fc3ed760
SHA512 fc15a6c94ebd1f781fb53d2f4f9ce65a534bca21d5eca39242f7d620ce3fd4e08ac0ad313ac6a170151cf34777bb39005829df62e4e367658462df87c8f0dcd9

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Pictures\MergeFind.jpg

MD5 bf8f1e1f6b79b6da1b15f01a93d464f1
SHA1 630b40486638bf9bccc657ee84fc74e62ac61af3
SHA256 0c1f2f358f68c6256e34e88a248d2d2662964dd4afa76343043d8ff76b81f5e4
SHA512 e8ea5ebc3885d04603c7719e2ef84cac65466a8ff1e6e7cfa534c2e2c10818f6db3fdf997b4aacc8791b5b84cfba2148eba9b5d0bf1468dd0b382bc993c9b350

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Pictures\My Wallpaper.jpg

MD5 a51464e41d75b2aa2b00ca31ea2ce7eb
SHA1 5b94362ac6a23c5aba706e8bfd11a5d8bab6097d
SHA256 16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f
SHA512 b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Pictures\UndoDeny.jpeg

MD5 4c0d926e362c33b61b35e8629c065d49
SHA1 bebac1e7de4a9ab57bf0dd7a97de034968bb5eea
SHA256 5bd0969da4b544411bff3b4ffd0b8834d75a27b7c1e0fd64b2cb67f2d386d08f
SHA512 3a100aa2c65a139a1a807741cfd25a250b74d915637a4d3f7be60b7f366205c10778992717ec9b5ab88bdd4e817fe721f4f9cfa9b784bc14aa091205fbb7e2d8

C:\Users\Admin\AppData\Local\Temp\StealedFilesByWaltuhium\Pictures\UpdateOut.jpg

MD5 8836f85718678fd866424c3b9a9ca7b0
SHA1 cc725ff801bca489e6327dcd96748ef0f82b284e
SHA256 ca691dc78520995d6b63bb974e9c9bfe3a7898c9f1238a2f91f98476c63d9465
SHA512 b51411145934ff9e38ce02463a75ced1b67f4885d1e76cd3749cd3fb250314dfaa19a36cde502a0af87c450d931c4ce2d2a8fe06d890597d1fc1eddbffd108ed