xworm | b6a02bede9af95adb28ce056584dfed53a2d70a8bd7b76c919392359139d39f6

Analysis

max time kernel
129s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
01-08-2024 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aznuril.exe
Size

35.0MB
MD5

71a8a8297116bb9e6a527c82db38ae0c
SHA1

f42ad3f6636c5d987939033d9cb09b657fc2a76b
SHA256

b6a02bede9af95adb28ce056584dfed53a2d70a8bd7b76c919392359139d39f6
SHA512

f84b9b160f6cbb5b1ad7947c0ebac7cc7b24d379b3136f7ffa6becfe3bfedcda2a7008779b25334b1572a9e6f6854ec727f57b493d913cbf59a33a90e4200db9
SSDEEP

786432:vkudQtsmW+e5RU2j6+s7LWB75zuk2q9TqyMeLBSQryklN:vjdQt9W+eHU2qHWB75ikfNNBShWN

Score

10^/10

xworm discovery execution persistence pyinstaller rat trojan

Malware Config

Extracted

Family

xworm

heart-debian.gl.at.ply.gg:47573

Attributes

Install_directory
%AppData%
install_file
system32.exe
telegram
https://api.telegram.org/bot7458595634:AAEEmxZd7rBIYX3YZTRCO1t9uU7_yLyhcaw/sendMessage?chat_id=1473354298

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/memory/2448-268-0x00000000023D0000-0x00000000023DE000-memory.dmp	disable_win_def

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023466-3.dat	family_xworm
behavioral2/memory/2448-12-0x0000000000320000-0x000000000033A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2300	powershell.exe
5028	powershell.exe
3524	powershell.exe
3788	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\Control Panel\International\Geo\Nation	aznuril.exe
Key value queried	\REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\Control Panel\International\Geo\Nation	DXXPRIVATE.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32.lnk	DXXPRIVATE.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32.lnk	DXXPRIVATE.exe

Executes dropped EXE 5 IoCs

pid	Process
2448	DXXPRIVATE.exe
4448	DXX SOFTS PRIVATE.exe
2900	DXX SOFTS PRIVATE.exe
3476	system32.exe
4324	system32.exe

Loads dropped DLL 22 IoCs

pid	Process
2900	DXX SOFTS PRIVATE.exe
2900	DXX SOFTS PRIVATE.exe
2900	DXX SOFTS PRIVATE.exe
2900	DXX SOFTS PRIVATE.exe
2900	DXX SOFTS PRIVATE.exe
2900	DXX SOFTS PRIVATE.exe
2900	DXX SOFTS PRIVATE.exe
2900	DXX SOFTS PRIVATE.exe
2900	DXX SOFTS PRIVATE.exe
2900	DXX SOFTS PRIVATE.exe
2900	DXX SOFTS PRIVATE.exe
2900	DXX SOFTS PRIVATE.exe
2900	DXX SOFTS PRIVATE.exe
2900	DXX SOFTS PRIVATE.exe
2900	DXX SOFTS PRIVATE.exe
2900	DXX SOFTS PRIVATE.exe
2900	DXX SOFTS PRIVATE.exe
2900	DXX SOFTS PRIVATE.exe
2900	DXX SOFTS PRIVATE.exe
2900	DXX SOFTS PRIVATE.exe
2900	DXX SOFTS PRIVATE.exe
2900	DXX SOFTS PRIVATE.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system32 = "C:\\Users\\Admin\\AppData\\Roaming\\system32.exe"	DXXPRIVATE.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ip-api.com

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x000800000002347b-17.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aznuril.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4252	schtasks.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2300	powershell.exe
2300	powershell.exe
5028	powershell.exe
5028	powershell.exe
3524	powershell.exe
3524	powershell.exe
3788	powershell.exe
3788	powershell.exe
2448	DXXPRIVATE.exe
2448	DXXPRIVATE.exe
2448	DXXPRIVATE.exe
2448	DXXPRIVATE.exe
2448	DXXPRIVATE.exe
2448	DXXPRIVATE.exe
2448	DXXPRIVATE.exe
2448	DXXPRIVATE.exe
2448	DXXPRIVATE.exe
2448	DXXPRIVATE.exe
2448	DXXPRIVATE.exe
2448	DXXPRIVATE.exe
2448	DXXPRIVATE.exe
2448	DXXPRIVATE.exe
2448	DXXPRIVATE.exe
2448	DXXPRIVATE.exe
2448	DXXPRIVATE.exe
2448	DXXPRIVATE.exe
2448	DXXPRIVATE.exe
2448	DXXPRIVATE.exe
2448	DXXPRIVATE.exe
2448	DXXPRIVATE.exe
2448	DXXPRIVATE.exe
2448	DXXPRIVATE.exe
2448	DXXPRIVATE.exe
2448	DXXPRIVATE.exe
2448	DXXPRIVATE.exe
2448	DXXPRIVATE.exe
2448	DXXPRIVATE.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2448	DXXPRIVATE.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeDebugPrivilege	3524	powershell.exe
Token: SeDebugPrivilege	3788	powershell.exe
Token: SeDebugPrivilege	2448	DXXPRIVATE.exe
Token: SeDebugPrivilege	3476	system32.exe
Token: SeDebugPrivilege	4324	system32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2448	DXXPRIVATE.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 2448	4564	aznuril.exe	86
PID 4564 wrote to memory of 2448	4564	aznuril.exe	86
PID 4564 wrote to memory of 4448	4564	aznuril.exe	87
PID 4564 wrote to memory of 4448	4564	aznuril.exe	87
PID 2448 wrote to memory of 2300	2448	DXXPRIVATE.exe	90
PID 2448 wrote to memory of 2300	2448	DXXPRIVATE.exe	90
PID 4448 wrote to memory of 2900	4448	DXX SOFTS PRIVATE.exe	92
PID 4448 wrote to memory of 2900	4448	DXX SOFTS PRIVATE.exe	92
PID 2448 wrote to memory of 5028	2448	DXXPRIVATE.exe	93
PID 2448 wrote to memory of 5028	2448	DXXPRIVATE.exe	93
PID 2900 wrote to memory of 3580	2900	DXX SOFTS PRIVATE.exe	95
PID 2900 wrote to memory of 3580	2900	DXX SOFTS PRIVATE.exe	95
PID 2900 wrote to memory of 32	2900	DXX SOFTS PRIVATE.exe	96
PID 2900 wrote to memory of 32	2900	DXX SOFTS PRIVATE.exe	96
PID 2448 wrote to memory of 3524	2448	DXXPRIVATE.exe	97
PID 2448 wrote to memory of 3524	2448	DXXPRIVATE.exe	97
PID 2448 wrote to memory of 3788	2448	DXXPRIVATE.exe	99
PID 2448 wrote to memory of 3788	2448	DXXPRIVATE.exe	99
PID 2448 wrote to memory of 4252	2448	DXXPRIVATE.exe	102
PID 2448 wrote to memory of 4252	2448	DXXPRIVATE.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\aznuril.exe
"C:\Users\Admin\AppData\Local\Temp\aznuril.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Users\Admin\AppData\Local\Temp\DXXPRIVATE.exe
  "C:\Users\Admin\AppData\Local\Temp\DXXPRIVATE.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\DXXPRIVATE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2300
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DXXPRIVATE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\system32.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system32.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3788
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system32" /tr "C:\Users\Admin\AppData\Roaming\system32.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4252
- C:\Users\Admin\AppData\Local\Temp\DXX SOFTS PRIVATE.exe
  "C:\Users\Admin\AppData\Local\Temp\DXX SOFTS PRIVATE.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Users\Admin\AppData\Local\Temp\DXX SOFTS PRIVATE.exe
    "C:\Users\Admin\AppData\Local\Temp\DXX SOFTS PRIVATE.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:3580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c
      4⤵
      PID:32

C:\Users\Admin\AppData\Roaming\system32.exe
C:\Users\Admin\AppData\Roaming\system32.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3476

C:\Users\Admin\AppData\Roaming\system32.exe
C:\Users\Admin\AppData\Roaming\system32.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\system32.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9bc110200117a3752313ca2acaf8a9e1

SHA1
fda6b7da2e7b0175b391475ca78d1b4cf2147cd3

SHA256
c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb

SHA512
1f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXX SOFTS PRIVATE.exe

Filesize
34.9MB

MD5
75d32588eb6d63a219979c4d426f6b24

SHA1
7418f040c081e3a3fa941da7b2596c53eb14e13f

SHA256
25d1dad3e5662b215e5b05f51db5e24714fdd2b5db9c424d7e11677be0c32808

SHA512
c3d20730fa5e4e5558b535069ea45df0d30638e49a33dff83662efd895ea519836291581b85f4b21ce84d2aece344a462ecb03cfb497fab9912a83f4f82d43e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXXPRIVATE.exe

Filesize
77KB

MD5
0023d5028225136e000201652d675318

SHA1
2c0c6c975e263d88225916db67f4dff50c577380

SHA256
fc975db05fc20acc0c6bfefc517f9c54487857c0332877036408035a95677a68

SHA512
c842faccb9de56d38de1112799fb9bbead47fdbeaf70f1d0159dd0a6516b848040d33793163a1fbb6212fff8ad17925c67720c900c36b218cdd349a2dd08087f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\VCRUNTIME140_1.dll

Filesize
48KB

MD5
7e668ab8a78bd0118b94978d154c85bc

SHA1
dbac42a02a8d50639805174afd21d45f3c56e3a0

SHA256
e4b533a94e02c574780e4b333fcf0889f65ed00d39e32c0fbbda2116f185873f

SHA512
72bb41db17256141b06e2eaeb8fc65ad4abdb65e4b5f604c82b9e7e7f60050734137d602e0f853f1a38201515655b6982f2761ee0fa77c531aa58591c95f0032

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\_asyncio.pyd

Filesize
63KB

MD5
cee78dc603d57cb2117e03b2c0813d84

SHA1
095c98ca409e364b8755dc9cfd12e6791bf6e2b8

SHA256
6306be660d87ffb2271dd5d783ee32e735a792556e0b5bd672dc0b1c206fdadc

SHA512
7258560aa557e3e211bb9580add604b5191c769594e17800b2793239df45225a82ce440a6b9dcf3f2228ed84712912affe9bf0b70b16498489832df2dee33e7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\_bz2.pyd

Filesize
82KB

MD5
28ede9ce9484f078ac4e52592a8704c7

SHA1
bcf8d6fe9f42a68563b6ce964bdc615c119992d0

SHA256
403e76fe18515a5ea3227cf5f919aa2f32ac3233853c9fb71627f2251c554d09

SHA512
8c372f9f6c4d27f7ca9028c6034c17deb6e98cfef690733465c1b44bd212f363625d9c768f8e0bd4c781ddde34ee4316256203ed18fa709d120f56df3cca108b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\_ctypes.pyd

Filesize
120KB

MD5
22c4892caf560a3ee28cf7f210711f9e

SHA1
b30520fadd882b667ecef3b4e5c05dc92e08b95a

SHA256
e28d4e46e5d10b5fdcf0292f91e8fd767e33473116247cd5d577e4554d7a4c0c

SHA512
edb86b3694fff0b05318decf7fc42c20c348c1523892cce7b89cc9c5ab62925261d4dd72d9f46c9b2bda5ac1e6b53060b8701318b064a286e84f817813960b19

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\_lzma.pyd

Filesize
155KB

MD5
d386b7c4dcf589e026abfc7196cf1c4c

SHA1
c07ce47ce0e69d233c5bdd0bcac507057d04b2d4

SHA256
ad0440ca6998e18f5cc917d088af3fea2c0ff0febce2b5e2b6c0f1370f6e87b1

SHA512
78d79e2379761b054df1f9fd8c5b7de5c16b99af2d2de16a3d0ac5cb3f0bd522257579a49e91218b972a273db4981f046609fdcf2f31cf074724d544dac7d6c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\_overlapped.pyd

Filesize
49KB

MD5
d3be208dc5388225162b6f88ff1d4386

SHA1
8effdb606b6771d5fdf83145de0f289e8ad83b69

SHA256
ce48969ebebdc620f4313eba2a6b6cda568b663c09d5478fa93826d401abe674

SHA512
9e1c3b37e51616687eecf1f7b945003f6eb4291d8794fea5545b4a84c636007eb781c18f6436039df02a902223ac73efac9b2e44ddc8594db62feb9997475da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\_queue.pyd

Filesize
31KB

MD5
50842ce7fcb1950b672d8a31c892a5d1

SHA1
d84c69fa2110b860da71785d1dbe868bd1a8320f

SHA256
06c36ec0749d041e6957c3cd7d2d510628b6abe28cee8c9728412d9ce196a8a2

SHA512
c1e686c112b55ab0a5e639399bd6c1d7adfe6aedc847f07c708bee9f6f2876a1d8f41ede9d5e5a88ac8a9fbb9f1029a93a83d1126619874e33d09c5a5e45a50d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\_socket.pyd

Filesize
77KB

MD5
2c0ec225e35a0377ac1d0777631bffe4

SHA1
7e5d81a06ff8317af52284aedccac6ebace5c390

SHA256
301c47c4016dac27811f04f4d7232f24852ef7675e9a4500f0601703ed8f06af

SHA512
aea9d34d9e93622b01e702defd437d397f0e7642bc5f9829754d59860b345bbde2dd6d7fe21cc1d0397ff0a9db4ecfe7c38b649d33c5c6f0ead233cb201a73e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\_ssl.pyd

Filesize
172KB

MD5
66e78727c2da15fd2aac56571cd57147

SHA1
e93c9a5e61db000dee0d921f55f8507539d2df3d

SHA256
4727b60962efacfd742dca21341a884160cf9fcf499b9afa3d9fdbcc93fb75d0

SHA512
a6881f9f5827aceb51957aaed4c53b69fcf836f60b9fc66eeb2ed84aed08437a9f0b35ea038d4b1e3c539e350d9d343f8a6782b017b10a2a5157649abbca9f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\base_library.zip

Filesize
1.8MB

MD5
dd2dd5e0cda264e5264b4ba12bda6e83

SHA1
c4c392e0c8ceceac2869443d02de883504d483d0

SHA256
cdbc4ac70e94feba04f1522b914fbde89afa9f5006c8ae95fa18b4110571c3ed

SHA512
03f7080b90c6d459ace2ebe36f3aed350841f0244392f5207645abb6c227a8a0e4bd1cf260db347a0b1025acdf64f2047e01db192d12ca5af411f5441ec43f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\libcrypto-3.dll

Filesize
4.9MB

MD5
51e8a5281c2092e45d8c97fbdbf39560

SHA1
c499c810ed83aaadce3b267807e593ec6b121211

SHA256
2a234b5aa20c3faecf725bbb54fb33f3d94543f78fa7045408e905593e49960a

SHA512
98b91719b0975cb38d3b3c7b6f820d184ef1b64d38ad8515be0b8b07730e2272376b9e51631fe9efd9b8a1709fea214cf3f77b34eeb9fd282eb09e395120e7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\libssl-3.dll

Filesize
771KB

MD5
bfc834bb2310ddf01be9ad9cff7c2a41

SHA1
fb1d601b4fcb29ff1b13b0d2ed7119bd0472205c

SHA256
41ad1a04ca27a7959579e87fbbda87c93099616a64a0e66260c983381c5570d1

SHA512
6af473c7c0997f2847ebe7cee8ef67cd682dee41720d4f268964330b449ba71398fda8954524f9a97cc4cdf9893b8bdc7a1cf40e9e45a73f4f35a37f31c6a9c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\pyexpat.pyd

Filesize
194KB

MD5
6527063f18e8d49d04e2cc216c2f0b27

SHA1
917c349c62689f9b782a314ce4b2311b6b826606

SHA256
5604f629523125904909547a97f3cdb5dbfe33b39878bad77534de0c3c034387

SHA512
67c87d11683a0f4e1bc4083ff05edee423155f829051c3fa66cc4f2cfb98cf7374b3a06eb37095e19f5f2a6c8da83f0c0e3f7eb964694992b525f81b1b00f423

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\python3.DLL

Filesize
65KB

MD5
d8ba00c1d9fcc7c0abbffb5c214da647

SHA1
5fa9d5700b42a83bfcc125d1c45e0111b9d62035

SHA256
e45452efa356db874f2e5ff08c9cc0fe22528609e5d341f8fb67ba48885ab77d

SHA512
df1b714494856f618a742791eefbf470b2eee07b51d983256e4386ea7d48da5c7b1e896f222ea55a748c9413203886cde3a65ef9e7ea069014fa626f81d79cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\python311.dll

Filesize
5.5MB

MD5
65e381a0b1bc05f71c139b0c7a5b8eb2

SHA1
7c4a3adf21ebcee5405288fc81fc4be75019d472

SHA256
53a969094231b9032abe4148939ce08a3a4e4b30b0459fc7d90c89f65e8dcd4a

SHA512
4db465ef927dfb019ab6faec3a3538b0c3a8693ea3c2148fd16163bf31c03c899dfdf350c31457edf64e671e3cc3e46851f32f0f84b267535bebc4768ef53d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\pywin32_system32\pythoncom311.dll

Filesize
654KB

MD5
f98264f2dacfc8e299391ed1180ab493

SHA1
849551b6d9142bf983e816fef4c05e639d2c1018

SHA256
0fe49ec1143a0efe168809c9d48fe3e857e2ac39b19db3fd8718c56a4056696b

SHA512
6bb3dbd9f4d3e6b7bd294f3cb8b2ef4c29b9eff85c0cfd5e2d2465be909014a7b2ecd3dc06265b1b58196892bb04d3e6b0aa4b2ccbf3a716e0ff950eb28db11c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\pywin32_system32\pywintypes311.dll

Filesize
131KB

MD5
90b786dc6795d8ad0870e290349b5b52

SHA1
592c54e67cf5d2d884339e7a8d7a21e003e6482f

SHA256
89f2a5c6be1e70b3d895318fdd618506b8c0e9a63b6a1a4055dff4abdc89f18a

SHA512
c6e1dbf25d260c723a26c88ec027d40d47f5e28fc9eb2dbc72a88813a1d05c7f75616b31836b68b87df45c65eef6f3eaed2a9f9767f9e2f12c45f672c2116e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\select.pyd

Filesize
29KB

MD5
8472d39b9ee6051c961021d664c7447e

SHA1
b284e3566889359576d43e2e0e99d4acf068e4fb

SHA256
8a9a103bc417dede9f6946d9033487c410937e1761d93c358c1600b82f0a711f

SHA512
309f1ec491d9c39f4b319e7ce1abdedf11924301e4582d122e261e948705fb71a453fec34f63df9f9abe7f8cc2063a56cd2c2935418ab54be5596aadc2e90ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\win32\win32api.pyd

Filesize
130KB

MD5
1d6762b494dc9e60ca95f7238ae1fb14

SHA1
aa0397d96a0ed41b2f03352049dafe040d59ad5d

SHA256
fae5323e2119a8f678055f4244177b5806c7b6b171b1945168f685631b913664

SHA512
0b561f651161a34c37ff8d115f154c52202f573d049681f8cdd7bba2e966bb8203780c19ba824b4a693ef12ef1eeef6aeeef96eb369e4b6129f1deb6b26aaa00

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0fv5acg5.poz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2300-54-0x00000108A61B0000-0x00000108A61D2000-memory.dmp

Filesize
136KB

Download
memory/2448-49-0x00007FF9B2C50000-0x00007FF9B3711000-memory.dmp

Filesize
10.8MB

Download
memory/2448-12-0x0000000000320000-0x000000000033A000-memory.dmp

Filesize
104KB

Download
memory/2448-262-0x00007FF9B2C53000-0x00007FF9B2C55000-memory.dmp

Filesize
8KB

Download
memory/2448-263-0x00007FF9B2C50000-0x00007FF9B3711000-memory.dmp

Filesize
10.8MB

Download
memory/2448-268-0x00000000023D0000-0x00000000023DE000-memory.dmp

Filesize
56KB

Download
memory/2448-11-0x00007FF9B2C53000-0x00007FF9B2C55000-memory.dmp

Filesize
8KB

Download
memory/2448-271-0x000000001B430000-0x000000001B43A000-memory.dmp

Filesize
40KB

Download
memory/4564-20-0x0000000000400000-0x0000000002700000-memory.dmp

Filesize
35.0MB

Download