wannacry | 47e7bf5bff0cb8810af12259b059c93facd4e24e371fa3ce25087a274805014b

Analysis

max time kernel
147s
max time network
144s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
19/04/2025, 03:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-19_d5ba8d74d21b8f998b6d40abc208a9a6_black-basta_cobalt-strike_satacom.exe
Size

10.3MB
MD5

d5ba8d74d21b8f998b6d40abc208a9a6
SHA1

f7337f1e873cbf28afab66c346f07a8ecc1d300a
SHA256

47e7bf5bff0cb8810af12259b059c93facd4e24e371fa3ce25087a274805014b
SHA512

677f7fb4409f17499e6becdd837799c93c9ae2f335983e08c76d9b3da384e91e15fdb98298f7de3a7c4b3e8ac53fe20319262f2eb88b2a8825477649970c87df
SSDEEP

196608:6YEljWOuXJWIj8KkUx2R4NzHdQmRJ8dA6lkaycBIGpEyW01Ve:IOJWQsUcR4NzHdQuslp9pW01M

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDA6E6.tmp	WannaCrypt0r.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDA6FD.tmp	WannaCrypt0r.exe

Executes dropped EXE 17 IoCs

pid	Process
1548	WannaCrypt0r.exe
820	taskdl.exe
1988	@[email protected]
6136	@[email protected]
4572	taskhsvc.exe
1012	taskdl.exe
2884	@[email protected]
1088	taskse.exe
4412	taskdl.exe
2120	@[email protected]
1544	taskse.exe
2128	taskse.exe
2848	@[email protected]
3524	taskdl.exe
4840	taskse.exe
1488	@[email protected]
4852	taskdl.exe

Loads dropped DLL 26 IoCs

pid	Process
5448	2025-04-19_d5ba8d74d21b8f998b6d40abc208a9a6_black-basta_cobalt-strike_satacom.exe
5448	2025-04-19_d5ba8d74d21b8f998b6d40abc208a9a6_black-basta_cobalt-strike_satacom.exe
5448	2025-04-19_d5ba8d74d21b8f998b6d40abc208a9a6_black-basta_cobalt-strike_satacom.exe
5448	2025-04-19_d5ba8d74d21b8f998b6d40abc208a9a6_black-basta_cobalt-strike_satacom.exe
5448	2025-04-19_d5ba8d74d21b8f998b6d40abc208a9a6_black-basta_cobalt-strike_satacom.exe
5448	2025-04-19_d5ba8d74d21b8f998b6d40abc208a9a6_black-basta_cobalt-strike_satacom.exe
5448	2025-04-19_d5ba8d74d21b8f998b6d40abc208a9a6_black-basta_cobalt-strike_satacom.exe
5448	2025-04-19_d5ba8d74d21b8f998b6d40abc208a9a6_black-basta_cobalt-strike_satacom.exe
5448	2025-04-19_d5ba8d74d21b8f998b6d40abc208a9a6_black-basta_cobalt-strike_satacom.exe
5448	2025-04-19_d5ba8d74d21b8f998b6d40abc208a9a6_black-basta_cobalt-strike_satacom.exe
5448	2025-04-19_d5ba8d74d21b8f998b6d40abc208a9a6_black-basta_cobalt-strike_satacom.exe
5448	2025-04-19_d5ba8d74d21b8f998b6d40abc208a9a6_black-basta_cobalt-strike_satacom.exe
5448	2025-04-19_d5ba8d74d21b8f998b6d40abc208a9a6_black-basta_cobalt-strike_satacom.exe
5448	2025-04-19_d5ba8d74d21b8f998b6d40abc208a9a6_black-basta_cobalt-strike_satacom.exe
5448	2025-04-19_d5ba8d74d21b8f998b6d40abc208a9a6_black-basta_cobalt-strike_satacom.exe
5448	2025-04-19_d5ba8d74d21b8f998b6d40abc208a9a6_black-basta_cobalt-strike_satacom.exe
5448	2025-04-19_d5ba8d74d21b8f998b6d40abc208a9a6_black-basta_cobalt-strike_satacom.exe
5448	2025-04-19_d5ba8d74d21b8f998b6d40abc208a9a6_black-basta_cobalt-strike_satacom.exe
5448	2025-04-19_d5ba8d74d21b8f998b6d40abc208a9a6_black-basta_cobalt-strike_satacom.exe
4572	taskhsvc.exe
4572	taskhsvc.exe
4572	taskhsvc.exe
4572	taskhsvc.exe
4572	taskhsvc.exe
4572	taskhsvc.exe
4572	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
6040	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\madulpqkvxkddr445 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
2	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCrypt0r.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCrypt0r.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3112	reg.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4572	taskhsvc.exe
4572	taskhsvc.exe
4572	taskhsvc.exe
4572	taskhsvc.exe
4572	taskhsvc.exe
4572	taskhsvc.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3320	WMIC.exe
Token: SeSecurityPrivilege	3320	WMIC.exe
Token: SeTakeOwnershipPrivilege	3320	WMIC.exe
Token: SeLoadDriverPrivilege	3320	WMIC.exe
Token: SeSystemProfilePrivilege	3320	WMIC.exe
Token: SeSystemtimePrivilege	3320	WMIC.exe
Token: SeProfSingleProcessPrivilege	3320	WMIC.exe
Token: SeIncBasePriorityPrivilege	3320	WMIC.exe
Token: SeCreatePagefilePrivilege	3320	WMIC.exe
Token: SeBackupPrivilege	3320	WMIC.exe
Token: SeRestorePrivilege	3320	WMIC.exe
Token: SeShutdownPrivilege	3320	WMIC.exe
Token: SeDebugPrivilege	3320	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3320	WMIC.exe
Token: SeRemoteShutdownPrivilege	3320	WMIC.exe
Token: SeUndockPrivilege	3320	WMIC.exe
Token: SeManageVolumePrivilege	3320	WMIC.exe
Token: 33	3320	WMIC.exe
Token: 34	3320	WMIC.exe
Token: 35	3320	WMIC.exe
Token: 36	3320	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3320	WMIC.exe
Token: SeSecurityPrivilege	3320	WMIC.exe
Token: SeTakeOwnershipPrivilege	3320	WMIC.exe
Token: SeLoadDriverPrivilege	3320	WMIC.exe
Token: SeSystemProfilePrivilege	3320	WMIC.exe
Token: SeSystemtimePrivilege	3320	WMIC.exe
Token: SeProfSingleProcessPrivilege	3320	WMIC.exe
Token: SeIncBasePriorityPrivilege	3320	WMIC.exe
Token: SeCreatePagefilePrivilege	3320	WMIC.exe
Token: SeBackupPrivilege	3320	WMIC.exe
Token: SeRestorePrivilege	3320	WMIC.exe
Token: SeShutdownPrivilege	3320	WMIC.exe
Token: SeDebugPrivilege	3320	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3320	WMIC.exe
Token: SeRemoteShutdownPrivilege	3320	WMIC.exe
Token: SeUndockPrivilege	3320	WMIC.exe
Token: SeManageVolumePrivilege	3320	WMIC.exe
Token: 33	3320	WMIC.exe
Token: 34	3320	WMIC.exe
Token: 35	3320	WMIC.exe
Token: 36	3320	WMIC.exe
Token: SeBackupPrivilege	428	vssvc.exe
Token: SeRestorePrivilege	428	vssvc.exe
Token: SeAuditPrivilege	428	vssvc.exe
Token: SeTcbPrivilege	1088	taskse.exe
Token: SeTcbPrivilege	1088	taskse.exe
Token: SeTcbPrivilege	1544	taskse.exe
Token: SeTcbPrivilege	1544	taskse.exe
Token: SeTcbPrivilege	2128	taskse.exe
Token: SeTcbPrivilege	2128	taskse.exe
Token: SeTcbPrivilege	4840	taskse.exe
Token: SeTcbPrivilege	4840	taskse.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1988	@[email protected]
1988	@[email protected]
6136	@[email protected]
6136	@[email protected]
2884	@[email protected]
2884	@[email protected]
2120	@[email protected]
2848	@[email protected]
1488	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3504 wrote to memory of 5448	3504	2025-04-19_d5ba8d74d21b8f998b6d40abc208a9a6_black-basta_cobalt-strike_satacom.exe	78
PID 3504 wrote to memory of 5448	3504	2025-04-19_d5ba8d74d21b8f998b6d40abc208a9a6_black-basta_cobalt-strike_satacom.exe	78
PID 5448 wrote to memory of 5076	5448	2025-04-19_d5ba8d74d21b8f998b6d40abc208a9a6_black-basta_cobalt-strike_satacom.exe	79
PID 5448 wrote to memory of 5076	5448	2025-04-19_d5ba8d74d21b8f998b6d40abc208a9a6_black-basta_cobalt-strike_satacom.exe	79
PID 5076 wrote to memory of 1548	5076	cmd.exe	81
PID 5076 wrote to memory of 1548	5076	cmd.exe	81
PID 5076 wrote to memory of 1548	5076	cmd.exe	81
PID 1548 wrote to memory of 456	1548	WannaCrypt0r.exe	82
PID 1548 wrote to memory of 456	1548	WannaCrypt0r.exe	82
PID 1548 wrote to memory of 456	1548	WannaCrypt0r.exe	82
PID 1548 wrote to memory of 6040	1548	WannaCrypt0r.exe	83
PID 1548 wrote to memory of 6040	1548	WannaCrypt0r.exe	83
PID 1548 wrote to memory of 6040	1548	WannaCrypt0r.exe	83
PID 1548 wrote to memory of 820	1548	WannaCrypt0r.exe	86
PID 1548 wrote to memory of 820	1548	WannaCrypt0r.exe	86
PID 1548 wrote to memory of 820	1548	WannaCrypt0r.exe	86
PID 1548 wrote to memory of 1572	1548	WannaCrypt0r.exe	87
PID 1548 wrote to memory of 1572	1548	WannaCrypt0r.exe	87
PID 1548 wrote to memory of 1572	1548	WannaCrypt0r.exe	87
PID 1572 wrote to memory of 1876	1572	cmd.exe	89
PID 1572 wrote to memory of 1876	1572	cmd.exe	89
PID 1572 wrote to memory of 1876	1572	cmd.exe	89
PID 1548 wrote to memory of 3944	1548	WannaCrypt0r.exe	90
PID 1548 wrote to memory of 3944	1548	WannaCrypt0r.exe	90
PID 1548 wrote to memory of 3944	1548	WannaCrypt0r.exe	90
PID 1548 wrote to memory of 1988	1548	WannaCrypt0r.exe	93
PID 1548 wrote to memory of 1988	1548	WannaCrypt0r.exe	93
PID 1548 wrote to memory of 1988	1548	WannaCrypt0r.exe	93
PID 1548 wrote to memory of 960	1548	WannaCrypt0r.exe	94
PID 1548 wrote to memory of 960	1548	WannaCrypt0r.exe	94
PID 1548 wrote to memory of 960	1548	WannaCrypt0r.exe	94
PID 960 wrote to memory of 6136	960	cmd.exe	96
PID 960 wrote to memory of 6136	960	cmd.exe	96
PID 960 wrote to memory of 6136	960	cmd.exe	96
PID 1988 wrote to memory of 4572	1988	@[email protected]	98
PID 1988 wrote to memory of 4572	1988	@[email protected]	98
PID 1988 wrote to memory of 4572	1988	@[email protected]	98
PID 6136 wrote to memory of 660	6136	@[email protected]	100
PID 6136 wrote to memory of 660	6136	@[email protected]	100
PID 6136 wrote to memory of 660	6136	@[email protected]	100
PID 660 wrote to memory of 3320	660	cmd.exe	102
PID 660 wrote to memory of 3320	660	cmd.exe	102
PID 660 wrote to memory of 3320	660	cmd.exe	102
PID 1548 wrote to memory of 1012	1548	WannaCrypt0r.exe	105
PID 1548 wrote to memory of 1012	1548	WannaCrypt0r.exe	105
PID 1548 wrote to memory of 1012	1548	WannaCrypt0r.exe	105
PID 1548 wrote to memory of 1088	1548	WannaCrypt0r.exe	106
PID 1548 wrote to memory of 1088	1548	WannaCrypt0r.exe	106
PID 1548 wrote to memory of 1088	1548	WannaCrypt0r.exe	106
PID 1548 wrote to memory of 2884	1548	WannaCrypt0r.exe	107
PID 1548 wrote to memory of 2884	1548	WannaCrypt0r.exe	107
PID 1548 wrote to memory of 2884	1548	WannaCrypt0r.exe	107
PID 1548 wrote to memory of 5436	1548	WannaCrypt0r.exe	108
PID 1548 wrote to memory of 5436	1548	WannaCrypt0r.exe	108
PID 1548 wrote to memory of 5436	1548	WannaCrypt0r.exe	108
PID 5436 wrote to memory of 3112	5436	cmd.exe	110
PID 5436 wrote to memory of 3112	5436	cmd.exe	110
PID 5436 wrote to memory of 3112	5436	cmd.exe	110
PID 1548 wrote to memory of 4412	1548	WannaCrypt0r.exe	113
PID 1548 wrote to memory of 4412	1548	WannaCrypt0r.exe	113
PID 1548 wrote to memory of 4412	1548	WannaCrypt0r.exe	113
PID 1548 wrote to memory of 1544	1548	WannaCrypt0r.exe	114
PID 1548 wrote to memory of 1544	1548	WannaCrypt0r.exe	114
PID 1548 wrote to memory of 1544	1548	WannaCrypt0r.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
456	attrib.exe
3944	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2025-04-19_d5ba8d74d21b8f998b6d40abc208a9a6_black-basta_cobalt-strike_satacom.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-19_d5ba8d74d21b8f998b6d40abc208a9a6_black-basta_cobalt-strike_satacom.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Users\Admin\AppData\Local\Temp\2025-04-19_d5ba8d74d21b8f998b6d40abc208a9a6_black-basta_cobalt-strike_satacom.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-04-19_d5ba8d74d21b8f998b6d40abc208a9a6_black-basta_cobalt-strike_satacom.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:5448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start WannaCrypt0r.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5076
  - - C:\Users\Admin\AppData\Local\Temp\WannaCrypt0r.exe
      WannaCrypt0r.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Sets desktop wallpaper using registry
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1548
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h .
        5⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:456
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls . /grant Everyone:F /T /C /Q
        5⤵
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:6040
    - - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
        
        taskdl.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:820
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c 217261745032031.bat
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1572
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe //nologo m.vbs
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1876
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h +s F:\$RECYCLE
        5⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:3944
    - - C:\Users\Admin\AppData\Local\Temp\@[email protected]
        
        @[email protected] co
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1988
      - C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
        
        TaskData\Tor\taskhsvc.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4572
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c start /b @[email protected] vs
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:960
      - C:\Users\Admin\AppData\Local\Temp\@[email protected]
        
        @[email protected] vs
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:6136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:660
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3320
    - - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
        
        taskdl.exe
        5⤵
        Executes dropped EXE
        
        PID:1012
    - - C:\Users\Admin\AppData\Local\Temp\taskse.exe
        
        taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
    - - C:\Users\Admin\AppData\Local\Temp\@[email protected]
        
        @[email protected]
        5⤵
        Executes dropped EXE
        Sets desktop wallpaper using registry
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2884
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "madulpqkvxkddr445" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5436
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "madulpqkvxkddr445" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3112
    - - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
        
        taskdl.exe
        5⤵
        Executes dropped EXE
        
        PID:4412
    - - C:\Users\Admin\AppData\Local\Temp\taskse.exe
        
        taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
    - - C:\Users\Admin\AppData\Local\Temp\@[email protected]
        
        @[email protected]
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2120
    - - C:\Users\Admin\AppData\Local\Temp\taskse.exe
        
        taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
    - - C:\Users\Admin\AppData\Local\Temp\@[email protected]
        
        @[email protected]
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2848
    - - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
        
        taskdl.exe
        5⤵
        Executes dropped EXE
        
        PID:3524
    - - C:\Users\Admin\AppData\Local\Temp\taskse.exe
        
        taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4840
    - - C:\Users\Admin\AppData\Local\Temp\@[email protected]
        
        @[email protected]
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1488
    - - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
        
        taskdl.exe
        5⤵
        Executes dropped EXE
        
        PID:4852

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\tasksche.exe"
1⤵
PID:5336

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
1KB

MD5
d939ade5d5ea89321c08c80a34328311

SHA1
772dc0d8ae47c2d11a2d01125e44434ff144ee0a

SHA256
1fc1e8c9aff160d418c90947d33c1d0e3d0897a91333247830429dff27e33fa6

SHA512
fabe7cf43e9b7b8d0f6c0f7238782f2c5f5c84bf451b52cb872bc5706f36c3bb848f722092255a3b81142a99a9be046b916b4787109af313b3838379ab234d3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\_brotli.cp310-win_amd64.pyd

Filesize
801KB

MD5
ee3d454883556a68920caaedefbc1f83

SHA1
45b4d62a6e7db022e52c6159eef17e9d58bec858

SHA256
791e7195d7df47a21466868f3d7386cff13f16c51fcd0350bf4028e96278dff1

SHA512
e404adf831076d27680cc38d3879af660a96afc8b8e22ffd01647248c601f3c6c4585d7d7dc6bbd187660595f6a48f504792106869d329aa1a0f3707d7f777c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\_bz2.pyd

Filesize
81KB

MD5
bbe89cf70b64f38c67b7bf23c0ea8a48

SHA1
44577016e9c7b463a79b966b67c3ecc868957470

SHA256
775fbc6e9a4c7e9710205157350f3d6141b5a9e8f44cb07b3eac38f2789c8723

SHA512
3ee72ba60541116bbca1a62db64074276d40ad8ed7d0ca199a9c51d65c3f0762a8ef6d0e1e9ebf04bf4efe1347f120e4bc3d502dd288339b4df646a59aad0ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\_cffi_backend.cp310-win_amd64.pyd

Filesize
177KB

MD5
ebb660902937073ec9695ce08900b13d

SHA1
881537acead160e63fe6ba8f2316a2fbbb5cb311

SHA256
52e5a0c3ca9b0d4fc67243bd8492f5c305ff1653e8d956a2a3d9d36af0a3e4fd

SHA512
19d5000ef6e473d2f533603afe8d50891f81422c59ae03bead580412ec756723dc3379310e20cd0c39e9683ce7c5204791012e1b6b73996ea5cb59e8d371de24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\_ctypes.pyd

Filesize
119KB

MD5
ca4cef051737b0e4e56b7d597238df94

SHA1
583df3f7ecade0252fdff608eb969439956f5c4a

SHA256
e60a2b100c4fa50b0b144cf825fe3cde21a8b7b60b92bfc326cb39573ce96b2b

SHA512
17103d6b5fa84156055e60f9e5756ffc31584cdb6274c686a136291c58ba0be00238d501f8acc1f1ca7e1a1fadcb0c7fefddcb98cedb9dd04325314f7e905df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\_decimal.pyd

Filesize
242KB

MD5
6339fa92584252c3b24e4cce9d73ef50

SHA1
dccda9b641125b16e56c5b1530f3d04e302325cd

SHA256
4ae6f6fb3992bb878416211221b3d62515e994d78f72eab51e0126ca26d0ee96

SHA512
428b62591d4eba3a4e12f7088c990c48e30b6423019bebf8ede3636f6708e1f4151f46d442516d2f96453694ebeef78618c0c8a72e234f679c6e4d52bebc1b84

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\_hashlib.pyd

Filesize
60KB

MD5
d856a545a960bf2dca1e2d9be32e5369

SHA1
67a15ecf763cdc2c2aa458a521db8a48d816d91e

SHA256
cd33f823e608d3bda759ad441f583a20fc0198119b5a62a8964f172559acb7d3

SHA512
34a074025c8b28f54c01a7fd44700fdedb391f55be39d578a003edb90732dec793c2b0d16da3da5cdbd8adbaa7b3b83fc8887872e284800e7a8389345a30a6a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\_lzma.pyd

Filesize
153KB

MD5
0a94c9f3d7728cf96326db3ab3646d40

SHA1
8081df1dca4a8520604e134672c4be79eb202d14

SHA256
0a70e8546fa6038029f2a3764e721ceebea415818e5f0df6b90d6a40788c3b31

SHA512
6f047f3bdaead121018623f52a35f7e8b38c58d3a9cb672e8056a5274d02395188975de08cabae948e2cc2c1ca01c74ca7bc1b82e2c23d652e952f3745491087

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\_queue.pyd

Filesize
29KB

MD5
52d0a6009d3de40f4fa6ec61db98c45c

SHA1
5083a2aff5bcce07c80409646347c63d2a87bd25

SHA256
007bcf19d9b036a7e73f5ef31f39bfb1910f72c9c10e4a1b0658352cfe7a8b75

SHA512
cd552a38efaa8720a342b60318f62320ce20c03871d2e50d3fa3a9a730b84dacdbb8eb4d0ab7a1c8a97215b537826c8dc532c9a55213bcd0c1d13d7d8a9ad824

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\_socket.pyd

Filesize
75KB

MD5
0f5e64e33f4d328ef11357635707d154

SHA1
8b6dcb4b9952b362f739a3f16ae96c44bea94a0e

SHA256
8af6d70d44bb9398733f88bcfb6d2085dd1a193cd00e52120b96a651f6e35ebe

SHA512
4be9febb583364da75b6fb3a43a8b50ee29ca8fc1dda35b96c0fcc493342372f69b4f27f2604888bca099c8d00f38a16f4c9463c16eff098227d812c29563643

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\api-ms-win-core-console-l1-1-0.dll

Filesize
11KB

MD5
07ebe4d5cef3301ccf07430f4c3e32d8

SHA1
3b878b2b2720915773f16dba6d493dab0680ac5f

SHA256
8f8b79150e850acc92fd6aab614f6e3759bea875134a62087d5dd65581e3001f

SHA512
6c7e4df62ebae9934b698f231cf51f54743cf3303cd758573d00f872b8ecc2af1f556b094503aae91100189c0d0a93eaf1b7cafec677f384a1d7b4fda2eee598

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\api-ms-win-core-datetime-l1-1-0.dll

Filesize
11KB

MD5
557405c47613de66b111d0e2b01f2fdb

SHA1
de116ed5de1ffaa900732709e5e4eef921ead63c

SHA256
913eaaa7997a6aee53574cffb83f9c9c1700b1d8b46744a5e12d76a1e53376fd

SHA512
c2b326f555b2b7acb7849402ac85922880105857c616ef98f7fb4bbbdc2cd7f2af010f4a747875646fcc272ab8aa4ce290b6e09a9896ce1587e638502bd4befb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\api-ms-win-core-debug-l1-1-0.dll

Filesize
11KB

MD5
624401f31a706b1ae2245eb19264dc7f

SHA1
8d9def3750c18ddfc044d5568e3406d5d0fb9285

SHA256
58a8d69df60ecbee776cd9a74b2a32b14bf2b0bd92d527ec5f19502a0d3eb8e9

SHA512
3353734b556d6eebc57734827450ce3b34d010e0c033e95a6e60800c0fda79a1958ebf9053f12054026525d95d24eec541633186f00f162475cec19f07a0d817

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
11KB

MD5
2db5666d3600a4abce86be0099c6b881

SHA1
63d5dda4cec0076884bc678c691bdd2a4fa1d906

SHA256
46079c0a1b660fc187aafd760707f369d0b60d424d878c57685545a3fce95819

SHA512
7c6e1e022db4217a85a4012c8e4daee0a0f987e4fba8a4c952424ef28e250bac38b088c242d72b4641157b7cc882161aefa177765a2e23afcdc627188a084345

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\api-ms-win-core-file-l1-1-0.dll

Filesize
14KB

MD5
0f7d418c05128246afa335a1fb400cb9

SHA1
f6313e371ed5a1dffe35815cc5d25981184d0368

SHA256
5c9bc70586ad538b0df1fcf5d6f1f3527450ae16935aa34bd7eb494b4f1b2db9

SHA512
7555d9d3311c8622df6782748c2186a3738c4807fc58df2f75e539729fc4069db23739f391950303f12e0d25df9f065b4c52e13b2ebb6d417ca4c12cfdeca631

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
5a72a803df2b425d5aaff21f0f064011

SHA1
4b31963d981c07a7ab2a0d1a706067c539c55ec5

SHA256
629e52ba4e2dca91b10ef7729a1722888e01284eed7dda6030d0a1ec46c94086

SHA512
bf44997c405c2ba80100eb0f2ff7304938fc69e4d7ae3eac52b3c236c3188e80c9f18bda226b5f4fde0112320e74c198ad985f9ffd7cea99aca22980c39c7f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
721b60b85094851c06d572f0bd5d88cd

SHA1
4d0ee4d717aeb9c35da8621a545d3e2b9f19b4e7

SHA256
dac867476caa42ff8df8f5dfe869ffd56a18dadee17d47889afb69ed6519afbf

SHA512
430a91fcecde4c8cc4ac7eb9b4c6619243ab244ee88c34c9e93ca918e54bd42b08aca8ea4475d4c0f5fa95241e4aacb3206cbae863e92d15528c8e7c9f45601b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\api-ms-win-core-handle-l1-1-0.dll

Filesize
11KB

MD5
d1df480505f2d23c0b5c53df2e0e2a1a

SHA1
207db9568afd273e864b05c87282987e7e81d0ba

SHA256
0b3dfb8554ead94d5da7859a12db353942406f9d1dfe3fac3d48663c233ea99d

SHA512
f14239420f5dd84a15ff5fca2fad81d0aa9280c566fa581122a018e10ebdf308ac0bf1d3fcfc08634c1058c395c767130c5abca55540295c68df24ffd931ca0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\api-ms-win-core-heap-l1-1-0.dll

Filesize
11KB

MD5
73433ebfc9a47ed16ea544ddd308eaf8

SHA1
ac1da1378dd79762c6619c9a63fd1ebe4d360c6f

SHA256
c43075b1d2386a8a262de628c93a65350e52eae82582b27f879708364b978e29

SHA512
1c28cc0d3d02d4c308a86e9d0bc2da88333dfa8c92305ec706f3e389f7bb6d15053040afd1c4f0aa3383f3549495343a537d09fe882db6ed12b7507115e5a263

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
11KB

MD5
7c7b61ffa29209b13d2506418746780b

SHA1
08f3a819b5229734d98d58291be4bfa0bec8f761

SHA256
c23fe8d5c3ca89189d11ec8df983cc144d168cb54d9eab5d9532767bcb2f1fa3

SHA512
6e5e3485d980e7e2824665cbfe4f1619b3e61ce3bcbf103979532e2b1c3d22c89f65bcfbddbb5fe88cddd096f8fd72d498e8ee35c3c2307bacecc6debbc1c97f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
12KB

MD5
6d0550d3a64bd3fd1d1b739133efb133

SHA1
c7596fde7ea1c676f0cc679ced8ba810d15a4afe

SHA256
f320f9c0463de641b396ce7561af995de32211e144407828b117088cf289df91

SHA512
5da9d490ef54a1129c94ce51349399b9012fc0d4b575ae6c9f1bafcfcf7f65266f797c539489f882d4ad924c94428b72f5137009a851ecb541fe7fb9de12feb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\api-ms-win-core-localization-l1-2-0.dll

Filesize
14KB

MD5
1ed0b196ab58edb58fcf84e1739c63ce

SHA1
ac7d6c77629bdee1df7e380cc9559e09d51d75b7

SHA256
8664222823e122fca724620fd8b72187fc5336c737d891d3cef85f4f533b8de2

SHA512
e1fa7f14f39c97aaa3104f3e13098626b5f7cfd665ba52dcb2312a329639aaf5083a9177e4686d11c4213e28acc40e2c027988074b6cc13c5016d5c5e9ef897b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\api-ms-win-core-memory-l1-1-0.dll

Filesize
11KB

MD5
721baea26a27134792c5ccc613f212b2

SHA1
2a27dcd2436df656a8264a949d9ce00eab4e35e8

SHA256
5d9767d8cca0fbfd5801bff2e0c2adddd1baaaa8175543625609abce1a9257bd

SHA512
9fd6058407aa95058ed2fda9d391b7a35fa99395ec719b83c5116e91c9b448a6d853ecc731d0bdf448d1436382eecc1fa9101f73fa242d826cc13c4fd881d9bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
11KB

MD5
b3f887142f40cb176b59e58458f8c46d

SHA1
a05948aba6f58eb99bbac54fa3ed0338d40cbfad

SHA256
8e015cdf2561450ed9a0773be1159463163c19eab2b6976155117d16c36519da

SHA512
7b762319ec58e3fcb84b215ae142699b766fa9d5a26e1a727572ee6ed4f5d19c859efb568c0268846b4aa5506422d6dd9b4854da2c9b419bfec754f547203f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
12KB

MD5
89f35cb1212a1fd8fbe960795c92d6e8

SHA1
061ae273a75324885dd098ee1ff4246a97e1e60c

SHA256
058eb7ce88c22d2ff7d3e61e6593ca4e3d6df449f984bf251d9432665e1517d1

SHA512
f9e81f1feab1535128b16e9ff389bd3daaab8d1dabf64270f9e563be9d370c023de5d5306dd0de6d27a5a099e7c073d17499442f058ec1d20b9d37f56bcfe6d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
13KB

MD5
0c933a4b3c2fcf1f805edd849428c732

SHA1
b8b19318dbb1d2b7d262527abd1468d099de3fb6

SHA256
a5b733e3dce21ab62bd4010f151b3578c6f1246da4a96d51ac60817865648dd3

SHA512
b25ed54345a5b14e06aa9dadd07b465c14c23225023d7225e04fbd8a439e184a7d43ab40df80e3f8a3c0f2d5c7a79b402ddc6b9093d0d798e612f4406284e39d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
7e8b61d27a9d04e28d4dae0bfa0902ed

SHA1
861a7b31022915f26fb49c79ac357c65782c9f4b

SHA256
1ef06c600c451e66e744b2ca356b7f4b7b88ba2f52ec7795858d21525848ac8c

SHA512
1c5b35026937b45beb76cb8d79334a306342c57a8e36cc15d633458582fc8f7d9ab70ace7a92144288c6c017f33ecfc20477a04432619b40a21c9cda8d249f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\api-ms-win-core-profile-l1-1-0.dll

Filesize
11KB

MD5
8d12ffd920314b71f2c32614cc124fec

SHA1
251a98f2c75c2e25ffd0580f90657a3ea7895f30

SHA256
e63550608dd58040304ea85367e9e0722038ba8e7dc7bf9d91c4d84f0ec65887

SHA512
5084c739d7de465a9a78bcdbb8a3bd063b84a68dcfd3c9ef1bfa224c1cc06580e2a2523fd4696cfc48e9fd068a2c44dbc794dd9bdb43dc74b4e854c82ecd3ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
11KB

MD5
9fa3fc24186d912b0694a572847d6d74

SHA1
93184e00cbddacab7f2ad78447d0eac1b764114d

SHA256
91508ab353b90b30ff2551020e9755d7ab0e860308f16c2f6417dfb2e9a75014

SHA512
95ad31c9082f57ea57f5b4c605331fcad62735a1862afb01ef8a67fea4e450154c1ae0c411cf3ac5b9cd35741f8100409cc1910f69c1b2d807d252389812f594

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\api-ms-win-core-string-l1-1-0.dll

Filesize
11KB

MD5
c9cbad5632d4d42a1bc25ccfa8833601

SHA1
09f37353a89f1bfe49f7508559da2922b8efeb05

SHA256
f3a7a9c98ebe915b1b57c16e27fffd4ddf31a82f0f21c06fe292878e48f5883e

SHA512
2412e0affdc6db069de7bd9666b7baa1cd76aa8d976c9649a4c2f1ffce27f8269c9b02da5fd486ec86b54231b1a5ebf6a1c72790815b7c253fee1f211086892f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\api-ms-win-core-synch-l1-1-0.dll

Filesize
13KB

MD5
4ccde2d1681217e282996e27f3d9ed2e

SHA1
8eda134b0294ed35e4bbac4911da620301a3f34d

SHA256
d6708d1254ed88a948871771d6d1296945e1aa3aeb7e33e16cc378f396c61045

SHA512
93fe6ae9a947ac88cc5ed78996e555700340e110d12b2651f11956db7cee66322c269717d31fccb31744f4c572a455b156b368f08b70eda9effec6de01dbab23

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\api-ms-win-core-synch-l1-2-0.dll

Filesize
11KB

MD5
e86cfc5e1147c25972a5eefed7be989f

SHA1
0075091c0b1f2809393c5b8b5921586bdd389b29

SHA256
72c639d1afda32a65143bcbe016fe5d8b46d17924f5f5190eb04efe954c1199a

SHA512
ea58a8d5aa587b7f5bde74b4d394921902412617100ed161a7e0bef6b3c91c5dae657065ea7805a152dd76992997017e070f5415ef120812b0d61a401aa8c110

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
12KB

MD5
206adcb409a1c9a026f7afdfc2933202

SHA1
bb67e1232a536a4d1ae63370bd1a9b5431335e77

SHA256
76d8e4ed946deefeefa0d0012c276f0b61f3d1c84af00533f4931546cbb2f99e

SHA512
727aa0c4cd1a0b7e2affdced5da3a0e898e9bae3c731ff804406ad13864cee2b27e5baac653bab9a0d2d961489915d4fcad18557d4383ecb0a066902276955a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
91a2ae3c4eb79cf748e15a58108409ad

SHA1
d402b9df99723ea26a141bfc640d78eaf0b0111b

SHA256
b0eda99eabd32fefecc478fd9fe7439a3f646a864fdab4ec3c1f18574b5f8b34

SHA512
8527af610c1e2101b6f336a142b1a85ac9c19bb3af4ad4a245cfb6fd602dc185da0f7803358067099475102f3a8f10a834dc75b56d3e6ded2ed833c00ad217ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\api-ms-win-core-util-l1-1-0.dll

Filesize
11KB

MD5
1e4c4c8e643de249401e954488744997

SHA1
db1c4c0fc907100f204b21474e8cd2db0135bc61

SHA256
f28a8fe2cd7e8e00b6d2ec273c16db6e6eea9b6b16f7f69887154b6228af981e

SHA512
ef8411fd321c0e363c2e5742312cc566e616d4b0a65eff4fb6f1b22fdbea3410e1d75b99e889939ff70ad4629c84cedc88f6794896428c5f0355143443fdc3a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\api-ms-win-crt-conio-l1-1-0.dll

Filesize
12KB

MD5
fa770bcd70208a479bde8086d02c22da

SHA1
28ee5f3ce3732a55ca60aee781212f117c6f3b26

SHA256
e677497c1baefffb33a17d22a99b76b7fa7ae7a0c84e12fda27d9be5c3d104cf

SHA512
f8d81e350cebdba5afb579a072bad7986691e9f3d4c9febca8756b807301782ee6eb5ba16b045cfa29b6e4f4696e0554c718d36d4e64431f46d1e4b1f42dc2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\api-ms-win-crt-convert-l1-1-0.dll

Filesize
15KB

MD5
4ec4790281017e616af632da1dc624e1

SHA1
342b15c5d3e34ab4ac0b9904b95d0d5b074447b7

SHA256
5cf5bbb861608131b5f560cbf34a3292c80886b7c75357acc779e0bf98e16639

SHA512
80c4e20d37eff29c7577b2d0ed67539a9c2c228edb48ab05d72648a6ed38f5ff537715c130342beb0e3ef16eb11179b9b484303354a026bda3a86d5414d24e69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\api-ms-win-crt-environment-l1-1-0.dll

Filesize
11KB

MD5
7a859e91fdcf78a584ac93aa85371bc9

SHA1
1fa9d9cad7cc26808e697373c1f5f32aaf59d6b7

SHA256
b7ee468f5b6c650dada7db3ad9e115a0e97135b3df095c3220dfd22ba277b607

SHA512
a368f21eca765afca86e03d59cf953500770f4a5bff8b86b2ac53f1b5174c627e061ce9a1f781dc56506774e0d0b09725e9698d4dc2d3a59e93da7ef3d900887

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
13KB

MD5
972544ade7e32bfdeb28b39bc734cdee

SHA1
87816f4afabbdec0ec2cfeb417748398505c5aa9

SHA256
7102f8d9d0f3f689129d7fe071b234077fba4dd3687071d1e2aeaa137b123f86

SHA512
5e1131b405e0c7a255b1c51073aff99e2d5c0d28fd3e55cabc04d463758a575a954008ea1ba5b4e2b345b49af448b93ad21dfc4a01573b3cb6e7256d9ecceef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\api-ms-win-crt-heap-l1-1-0.dll

Filesize
12KB

MD5
8906279245f7385b189a6b0b67df2d7c

SHA1
fcf03d9043a2daafe8e28dee0b130513677227e4

SHA256
f5183b8d7462c01031992267fe85680ab9c5b279bedc0b25ab219f7c2184766f

SHA512
67cac89ae58cc715976107f3bdf279b1e78945afd07e6f657e076d78e92ee1a98e3e7b8feae295af5ce35e00c804f3f53a890895badb1eed32377d85c21672b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\api-ms-win-crt-locale-l1-1-0.dll

Filesize
11KB

MD5
dd8176e132eedea3322443046ac35ca2

SHA1
d13587c7cc52b2c6fbcaa548c8ed2c771a260769

SHA256
2eb96422375f1a7b687115b132a4005d2e7d3d5dc091fb0eb22a6471e712848e

SHA512
77cb8c44c8cc8dd29997fba4424407579ac91176482db3cf7bc37e1f9f6aa4c4f5ba14862d2f3a9c05d1fdd7ca5a043b5f566bd0e9a9e1ed837da9c11803b253

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\api-ms-win-crt-math-l1-1-0.dll

Filesize
20KB

MD5
a6a3d6d11d623e16866f38185853facd

SHA1
fbeadd1e9016908ecce5753de1d435d6fcf3d0b5

SHA256
a768339f0b03674735404248a039ec8591fcba6ff61a3c6812414537badd23b0

SHA512
abbf32ceb35e5ec6c1562f9f3b2652b96b7dbd97bfc08d918f987c0ec0503e8390dd697476b2a2389f0172cd8cf16029fd2ec5f32a9ba3688bf2ebeefb081b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\api-ms-win-crt-process-l1-1-0.dll

Filesize
12KB

MD5
074b81a625fb68159431bb556d28fab5

SHA1
20f8ead66d548cfa861bc366bb1250ced165be24

SHA256
3af38920e767bd9ebc08f88eaf2d08c748a267c7ec60eab41c49b3f282a4cf65

SHA512
36388c3effa0d94cf626decaa1da427801cc5607a2106abdadf92252c6f6fd2ce5bf0802f5d0a4245a1ffdb4481464c99d60510cf95e83ebaf17bd3d6acbc3dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
f1a23c251fcbb7041496352ec9bcffbe

SHA1
be4a00642ec82465bc7b3d0cc07d4e8df72094e8

SHA256
d899c2f061952b3b97ab9cdbca2450290b0f005909ddd243ed0f4c511d32c198

SHA512
31f8c5cd3b6e153073e2e2edf0ca8072d0f787784f1611a57219349c1d57d6798a3adbd6942b0f16cef781634dd8691a5ec0b506df21b24cb70aee5523a03fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
17KB

MD5
55b2eb7f17f82b2096e94bca9d2db901

SHA1
44d85f1b1134ee7a609165e9c142188c0f0b17e0

SHA256
f9d3f380023a4c45e74170fe69b32bca506ee1e1fbe670d965d5b50c616da0cb

SHA512
0cf0770f5965a83f546253decfa967d8f85c340b5f6ea220d3caa14245f3cdb37c53bf8d3da6c35297b22a3fa88e7621202634f6b3649d7d9c166a221d3456a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
9b79965f06fd756a5efde11e8d373108

SHA1
3b9de8bf6b912f19f7742ad34a875cbe2b5ffa50

SHA256
1a916c0db285deb02c0b9df4d08dad5ea95700a6a812ea067bd637a91101a9f6

SHA512
7d4155c00d65c3554e90575178a80d20dc7c80d543c4b5c4c3f508f0811482515638fe513e291b82f958b4d7a63c9876be4e368557b07ff062961197ed4286fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\api-ms-win-crt-time-l1-1-0.dll

Filesize
13KB

MD5
1d48a3189a55b632798f0e859628b0fb

SHA1
61569a8e4f37adc353986d83efc90dc043cdc673

SHA256
b56bc94e8539603dd2f0fea2f25efd17966315067442507db4bffafcbc2955b0

SHA512
47f329102b703bfbb1ebaeb5203d1c8404a0c912019193c93d150a95bb0c5ba8dc101ac56d3283285f9f91239fc64a66a5357afe428a919b0be7194bada1f64f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\api-ms-win-crt-utility-l1-1-0.dll

Filesize
11KB

MD5
dbc27d384679916ba76316fb5e972ea6

SHA1
fb9f021f2220c852f6ff4ea94e8577368f0616a4

SHA256
dd14133adf5c534539298422f6c4b52739f80aca8c5a85ca8c966dea9964ceb1

SHA512
cc0d8c56749ccb9d007b6d3f5c4a8f1d4e368bb81446ebcd7cc7b40399bbd56d0acaba588ca172ecb7472a8cbddbd4c366ffa38094a832f6d7e343b813ba565e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\base_library.zip

Filesize
859KB

MD5
c5ba88a6ae2f9b694774e54a8cd14179

SHA1
e3f772a8a40f386ee4caef9bfd594d76a963fb06

SHA256
2ea71c6099e73f354e0a023351745d421028b14734cd378dbc91ed5c90bc7578

SHA512
3e8c0d3a51c79f1637bebcf23de7b3c2786a25be77372f9eaad2e95047bc5673990c91e8427d12bbad2adee6da72bb43a337735d14135480fe1d70cac733d9d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\libcrypto-1_1.dll

Filesize
3.3MB

MD5
6f4b8eb45a965372156086201207c81f

SHA1
8278f9539463f0a45009287f0516098cb7a15406

SHA256
976ce72efd0a8aeeb6e21ad441aa9138434314ea07f777432205947cdb149541

SHA512
2c5c54842aba9c82fb9e7594ae9e264ac3cbdc2cc1cd22263e9d77479b93636799d0f28235ac79937070e40b04a097c3ea3b7e0cd4376a95ed8ca90245b7891f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\libssl-1_1.dll

Filesize
686KB

MD5
8769adafca3a6fc6ef26f01fd31afa84

SHA1
38baef74bdd2e941ccd321f91bfd49dacc6a3cb6

SHA256
2aebb73530d21a2273692a5a3d57235b770daf1c35f60c74e01754a5dac05071

SHA512
fac22f1a2ffbfb4789bdeed476c8daf42547d40efe3e11b41fadbc4445bb7ca77675a31b5337df55fdeb4d2739e0fb2cbcac2feabfd4cd48201f8ae50a9bd90b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\python3.dll

Filesize
63KB

MD5
c17b7a4b853827f538576f4c3521c653

SHA1
6115047d02fbbad4ff32afb4ebd439f5d529485a

SHA256
d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68

SHA512
8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\python310.dll

Filesize
4.3MB

MD5
deaf0c0cc3369363b800d2e8e756a402

SHA1
3085778735dd8badad4e39df688139f4eed5f954

SHA256
156cf2b64dd0f4d9bdb346b654a11300d6e9e15a65ef69089923dafc1c71e33d

SHA512
5cac1d92af7ee18425b5ee8e7cd4e941a9ddffb4bc1c12bb8aeabeed09acec1ff0309abc41a2e0c8db101fee40724f8bfb27a78898128f8746c8fe01c1631989

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\select.pyd

Filesize
28KB

MD5
c119811a40667dca93dfe6faa418f47a

SHA1
113e792b7dcec4366fc273e80b1fc404c309074c

SHA256
8f27cd8c5071cb740a2191b3c599e99595b121f461988166f07d9f841e7116b7

SHA512
107257dbd8cf2607e4a1c7bef928a6f61ebdfc21be1c4bdc3a649567e067e9bb7ea40c0ac8844d2cedd08682447b963148b52f85adb1837f243df57af94c04b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\ucrtbase.dll

Filesize
1011KB

MD5
849959a003fa63c5a42ae87929fcd18b

SHA1
d1b80b3265e31a2b5d8d7da6183146bbd5fb791b

SHA256
6238cbfe9f57c142b75e153c399c478d492252fda8cb40ee539c2dcb0f2eb232

SHA512
64958dabdb94d21b59254c2f074db5d51e914ddbc8437452115dff369b0c134e50462c3fdbbc14b6fa809a6ee19ab2fb83d654061601cc175cddcb7d74778e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35042\unicodedata.pyd

Filesize
1.1MB

MD5
4c8af8a30813e9380f5f54309325d6b8

SHA1
169a80d8923fb28f89bc26ebf89ffe37f8545c88

SHA256
4b6e3ba734c15ec789b5d7469a5097bd082bdfd8e55e636ded0d097cf6511e05

SHA512
ea127779901b10953a2bf9233e20a4fab2fba6f97d7baf40c1b314b7cd03549e0f4d2fb9bad0fbc23736e21eb391a418d79a51d64402245c1cd8899e4d765c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
23.8MB

MD5
2cbf11b1ecdaf5ef1e9ef84e20cb757c

SHA1
2afa73505f93fe2de3cc4df6d82d679662449c1b

SHA256
c20ac153bb61e1820f1a2ea68cf280586f1f8a35528aaa951d6ea46e93453839

SHA512
c18e90f544d071412900330f12ef9072558501efe21dc67ed70e83624be5a468858d9f14932ed2094ccb39b7c4f72f0440a55603bb95197dce91f7dd688b41c8

Download Submit
C:\Users\Default\Desktop\@[email protected]

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
memory/1548-182-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/4572-1595-0x0000000073F30000-0x000000007414C000-memory.dmp

Filesize
2.1MB

Download
memory/4572-1594-0x00000000742B0000-0x0000000074332000-memory.dmp

Filesize
520KB

Download
memory/4572-1597-0x0000000074260000-0x0000000074282000-memory.dmp

Filesize
136KB

Download
memory/4572-1596-0x0000000074150000-0x00000000741D2000-memory.dmp

Filesize
520KB

Download
memory/4572-1609-0x00000000742B0000-0x0000000074332000-memory.dmp

Filesize
520KB

Download
memory/4572-1614-0x0000000073F30000-0x000000007414C000-memory.dmp

Filesize
2.1MB

Download
memory/4572-1613-0x0000000074150000-0x00000000741D2000-memory.dmp

Filesize
520KB

Download
memory/4572-1612-0x00000000741E0000-0x0000000074257000-memory.dmp

Filesize
476KB

Download
memory/4572-1611-0x0000000074260000-0x0000000074282000-memory.dmp

Filesize
136KB

Download
memory/4572-1610-0x0000000074290000-0x00000000742AC000-memory.dmp

Filesize
112KB

Download
memory/4572-1608-0x0000000000A40000-0x0000000000D3E000-memory.dmp

Filesize
3.0MB

Download
memory/4572-1598-0x0000000000A40000-0x0000000000D3E000-memory.dmp

Filesize
3.0MB

Download
memory/4572-1636-0x0000000000A40000-0x0000000000D3E000-memory.dmp

Filesize
3.0MB

Download
memory/4572-1642-0x0000000073F30000-0x000000007414C000-memory.dmp

Filesize
2.1MB

Download
memory/4572-1643-0x0000000000A40000-0x0000000000D3E000-memory.dmp

Filesize
3.0MB

Download
memory/4572-1654-0x0000000000A40000-0x0000000000D3E000-memory.dmp

Filesize
3.0MB

Download
memory/4572-1660-0x0000000073F30000-0x000000007414C000-memory.dmp

Filesize
2.1MB

Download
memory/4572-1699-0x0000000000A40000-0x0000000000D3E000-memory.dmp

Filesize
3.0MB

Download
memory/4572-1708-0x0000000000A40000-0x0000000000D3E000-memory.dmp

Filesize
3.0MB

Download
memory/4572-1719-0x0000000000A40000-0x0000000000D3E000-memory.dmp

Filesize
3.0MB

Download
memory/4572-1725-0x0000000073F30000-0x000000007414C000-memory.dmp

Filesize
2.1MB

Download
memory/4572-1726-0x0000000000A40000-0x0000000000D3E000-memory.dmp

Filesize
3.0MB

Download