4ac656e49c04e50f3ddcf806d8564d444c922d95af39cebc446548ce437acc20

Analysis

max time kernel
139s
max time network
140s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
20/08/2024, 04:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

wolskill-windows-x64-setup.exe
Size

43.6MB
MD5

4bcbc8e08fcebac824cbee197af8a91a
SHA1

ff94273dbd17f0ae47f21c900a369c1b7b1c5491
SHA256

4ac656e49c04e50f3ddcf806d8564d444c922d95af39cebc446548ce437acc20
SHA512

f02c5d3fdb7719705590507fa4ce967381ccb864edfbb439de2030b2d936f0f5eb718763cdb4fcc40a87bd8ea0fd46e627939965855982fe73c44503b56b2925
SSDEEP

786432:sP9tH2cZBiUX9aa15OCWIx5PPmAXGHwdTAFtDE0hsq851XmpCUsP:s2aiK5OCW8H2wNAPijmpCUG

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 9 IoCs

pid	Process
536	wolskill.exe
4864	wolskill.exe
4720	wolskill.exe
4716	wolskill.exe
484	wolskill.exe
972	wolskill.exe
2488	wolskill.exe
604	wolskill.exe
4064	wolskill.exe

Loads dropped DLL 26 IoCs

pid	Process
2436	wolskill-windows-x64-setup.exe
2436	wolskill-windows-x64-setup.exe
2436	wolskill-windows-x64-setup.exe
2436	wolskill-windows-x64-setup.exe
2436	wolskill-windows-x64-setup.exe
2436	wolskill-windows-x64-setup.exe
2436	wolskill-windows-x64-setup.exe
2436	wolskill-windows-x64-setup.exe
2436	wolskill-windows-x64-setup.exe
536	wolskill.exe
536	wolskill.exe
4864	wolskill.exe
4720	wolskill.exe
4716	wolskill.exe
4864	wolskill.exe
4864	wolskill.exe
4864	wolskill.exe
484	wolskill.exe
484	wolskill.exe
972	wolskill.exe
2488	wolskill.exe
604	wolskill.exe
972	wolskill.exe
972	wolskill.exe
972	wolskill.exe
4064	wolskill.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Windows\CurrentVersion\Run\electron.app.wolskill = "C:\\Users\\Admin\\AppData\\Local\\Programs\\wolskill\\wolskill.exe"	wolskill.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Windows\CurrentVersion\Run\electron.app.wolskill = "C:\\Users\\Admin\\AppData\\Local\\Programs\\wolskill\\wolskill.exe"	wolskill.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wolskill-windows-x64-setup.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2436	wolskill-windows-x64-setup.exe
2436	wolskill-windows-x64-setup.exe
2436	wolskill-windows-x64-setup.exe
2436	wolskill-windows-x64-setup.exe
2436	wolskill-windows-x64-setup.exe
2436	wolskill-windows-x64-setup.exe
4720	wolskill.exe
4720	wolskill.exe
4716	wolskill.exe
4716	wolskill.exe
2488	wolskill.exe
2488	wolskill.exe
604	wolskill.exe
604	wolskill.exe
4064	wolskill.exe
4064	wolskill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2436	wolskill-windows-x64-setup.exe

Suspicious use of FindShellTrayWindow 24 IoCs

pid	Process
536	wolskill.exe
536	wolskill.exe
536	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
536	wolskill.exe
536	wolskill.exe
536	wolskill.exe
536	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe
484	wolskill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3124	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 4864	536	wolskill.exe	86
PID 536 wrote to memory of 4864	536	wolskill.exe	86
PID 536 wrote to memory of 4864	536	wolskill.exe	86
PID 536 wrote to memory of 4864	536	wolskill.exe	86
PID 536 wrote to memory of 4864	536	wolskill.exe	86
PID 536 wrote to memory of 4864	536	wolskill.exe	86
PID 536 wrote to memory of 4864	536	wolskill.exe	86
PID 536 wrote to memory of 4864	536	wolskill.exe	86
PID 536 wrote to memory of 4864	536	wolskill.exe	86
PID 536 wrote to memory of 4864	536	wolskill.exe	86
PID 536 wrote to memory of 4864	536	wolskill.exe	86
PID 536 wrote to memory of 4864	536	wolskill.exe	86
PID 536 wrote to memory of 4864	536	wolskill.exe	86
PID 536 wrote to memory of 4864	536	wolskill.exe	86
PID 536 wrote to memory of 4864	536	wolskill.exe	86
PID 536 wrote to memory of 4864	536	wolskill.exe	86
PID 536 wrote to memory of 4864	536	wolskill.exe	86
PID 536 wrote to memory of 4864	536	wolskill.exe	86
PID 536 wrote to memory of 4864	536	wolskill.exe	86
PID 536 wrote to memory of 4864	536	wolskill.exe	86
PID 536 wrote to memory of 4864	536	wolskill.exe	86
PID 536 wrote to memory of 4864	536	wolskill.exe	86
PID 536 wrote to memory of 4864	536	wolskill.exe	86
PID 536 wrote to memory of 4864	536	wolskill.exe	86
PID 536 wrote to memory of 4864	536	wolskill.exe	86
PID 536 wrote to memory of 4864	536	wolskill.exe	86
PID 536 wrote to memory of 4864	536	wolskill.exe	86
PID 536 wrote to memory of 4864	536	wolskill.exe	86
PID 536 wrote to memory of 4864	536	wolskill.exe	86
PID 536 wrote to memory of 4864	536	wolskill.exe	86
PID 536 wrote to memory of 4864	536	wolskill.exe	86
PID 536 wrote to memory of 4864	536	wolskill.exe	86
PID 536 wrote to memory of 4864	536	wolskill.exe	86
PID 536 wrote to memory of 4864	536	wolskill.exe	86
PID 536 wrote to memory of 4864	536	wolskill.exe	86
PID 536 wrote to memory of 4864	536	wolskill.exe	86
PID 536 wrote to memory of 4864	536	wolskill.exe	86
PID 536 wrote to memory of 4864	536	wolskill.exe	86
PID 536 wrote to memory of 4864	536	wolskill.exe	86
PID 536 wrote to memory of 4864	536	wolskill.exe	86
PID 536 wrote to memory of 4720	536	wolskill.exe	87
PID 536 wrote to memory of 4720	536	wolskill.exe	87
PID 536 wrote to memory of 4716	536	wolskill.exe	88
PID 536 wrote to memory of 4716	536	wolskill.exe	88
PID 484 wrote to memory of 972	484	wolskill.exe	91
PID 484 wrote to memory of 972	484	wolskill.exe	91
PID 484 wrote to memory of 972	484	wolskill.exe	91
PID 484 wrote to memory of 972	484	wolskill.exe	91
PID 484 wrote to memory of 972	484	wolskill.exe	91
PID 484 wrote to memory of 972	484	wolskill.exe	91
PID 484 wrote to memory of 972	484	wolskill.exe	91
PID 484 wrote to memory of 972	484	wolskill.exe	91
PID 484 wrote to memory of 972	484	wolskill.exe	91
PID 484 wrote to memory of 972	484	wolskill.exe	91
PID 484 wrote to memory of 972	484	wolskill.exe	91
PID 484 wrote to memory of 972	484	wolskill.exe	91
PID 484 wrote to memory of 972	484	wolskill.exe	91
PID 484 wrote to memory of 972	484	wolskill.exe	91
PID 484 wrote to memory of 972	484	wolskill.exe	91
PID 484 wrote to memory of 972	484	wolskill.exe	91
PID 484 wrote to memory of 972	484	wolskill.exe	91
PID 484 wrote to memory of 972	484	wolskill.exe	91
PID 484 wrote to memory of 972	484	wolskill.exe	91
PID 484 wrote to memory of 972	484	wolskill.exe	91

C:\Users\Admin\AppData\Local\Temp\wolskill-windows-x64-setup.exe
"C:\Users\Admin\AppData\Local\Temp\wolskill-windows-x64-setup.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Users\Admin\AppData\Local\Programs\wolskill\wolskill.exe
"C:\Users\Admin\AppData\Local\Programs\wolskill\wolskill.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:536
- C:\Users\Admin\AppData\Local\Programs\wolskill\wolskill.exe
  "C:\Users\Admin\AppData\Local\Programs\wolskill\wolskill.exe" --type=gpu-process --field-trial-handle=1664,2252085287868131491,848131796855282608,131072 --disable-features=SpareRendererForSitePerProcess --gpu-preferences=KAAAAAAAAADgAAAwAAAAAAAAYAAAAAAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=11271243097505831851 --mojo-platform-channel-handle=1672 --ignored=" --type=renderer " /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4864
- C:\Users\Admin\AppData\Local\Programs\wolskill\wolskill.exe
  "C:\Users\Admin\AppData\Local\Programs\wolskill\wolskill.exe" --type=utility --field-trial-handle=1664,2252085287868131491,848131796855282608,131072 --disable-features=SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --service-request-channel-token=16655189114289170564 --mojo-platform-channel-handle=2204 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:4720
- C:\Users\Admin\AppData\Local\Programs\wolskill\wolskill.exe
  "C:\Users\Admin\AppData\Local\Programs\wolskill\wolskill.exe" --type=renderer --field-trial-handle=1664,2252085287868131491,848131796855282608,131072 --disable-features=SpareRendererForSitePerProcess --lang=en-US --app-user-model-id=electron.app.wolskill --app-path="C:\Users\Admin\AppData\Local\Programs\wolskill\resources\app.asar" --node-integration --no-sandbox --no-zygote --preload="C:\Users\Admin\AppData\Local\Programs\wolskill\resources\app.asar\preload.js" --background-color=#fff --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --service-request-channel-token=7043614954464981749 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2244 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:4716
- C:\Users\Admin\AppData\Local\Programs\wolskill\wolskill.exe
  "C:\Users\Admin\AppData\Local\Programs\wolskill\wolskill.exe" --type=gpu-process --field-trial-handle=1664,2252085287868131491,848131796855282608,131072 --disable-features=SpareRendererForSitePerProcess --disable-gpu-sandbox --use-gl=disabled --gpu-preferences=KAAAAAAAAADoAAAwAAAAAAAAYAAAAAAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=11141790075595335573 --mojo-platform-channel-handle=2376 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:4064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1660

C:\Users\Admin\AppData\Local\Programs\wolskill\wolskill.exe
"C:\Users\Admin\AppData\Local\Programs\wolskill\wolskill.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:484
- C:\Users\Admin\AppData\Local\Programs\wolskill\wolskill.exe
  "C:\Users\Admin\AppData\Local\Programs\wolskill\wolskill.exe" --type=gpu-process --field-trial-handle=1652,15376051720817480614,4933735955032217089,131072 --disable-features=SpareRendererForSitePerProcess --gpu-preferences=KAAAAAAAAADgAAAwAAAAAAAAYAAAAAAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=7598835306349509711 --mojo-platform-channel-handle=1668 --ignored=" --type=renderer " /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:972
- C:\Users\Admin\AppData\Local\Programs\wolskill\wolskill.exe
  "C:\Users\Admin\AppData\Local\Programs\wolskill\wolskill.exe" --type=utility --field-trial-handle=1652,15376051720817480614,4933735955032217089,131072 --disable-features=SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --service-request-channel-token=4684459991285406520 --mojo-platform-channel-handle=2112 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2488
- C:\Users\Admin\AppData\Local\Programs\wolskill\wolskill.exe
  "C:\Users\Admin\AppData\Local\Programs\wolskill\wolskill.exe" --type=renderer --field-trial-handle=1652,15376051720817480614,4933735955032217089,131072 --disable-features=SpareRendererForSitePerProcess --lang=en-US --app-user-model-id=electron.app.wolskill --app-path="C:\Users\Admin\AppData\Local\Programs\wolskill\resources\app.asar" --node-integration --no-sandbox --no-zygote --preload="C:\Users\Admin\AppData\Local\Programs\wolskill\resources\app.asar\preload.js" --background-color=#fff --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --service-request-channel-token=8727617648364102921 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2264 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:604

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2748

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
e861e5ab5aae1361b48aadaf013045c3

SHA1
8d947ca1cd894fb9b93b9448d76c7e9866cce3a0

SHA256
86d389ae471ef1b814cbad37d63f813ca2504375a2a9834a6a61505885512833

SHA512
a69b662494e33e688d3f11984991e67bf1c5c1baf8a215f26096bcdb44af9d1efaac0c09e2c50dec579bb1dcbe54caf3919ba98aa9186a71f6406f587e18b367

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
39672f53ef15816c45ae7655b7ee082c

SHA1
3429cda9db9abc8054e29b3f5598320a5c83e549

SHA256
de403fd316e2fb539a7e35ac6d42ad13bffc239fa93e72e30e1544bab13eb983

SHA512
ef04b2a7d64056ebadb770f3118326f273ef27b18064cfb57b01aba7f4a0fdf7ece7aebe5b0deff7531501bbf3dc7b599dcffd8b5f4276b90406d9c6876aebe4

Download Submit
C:\Users\Admin\AppData\Local\Programs\wolskill\chrome_100_percent.pak

Filesize
173KB

MD5
c56bc01c88f2fd186ae22f10b1bd5900

SHA1
b000e68ccd919010eff8c2e114b7d1b6e702d997

SHA256
d8cbc2234f40b49437a5876bb008b6b43afdf92391dec3f0739be98e448ab671

SHA512
46f9158e0f06a4e415b95a7dabe88cc4f3eecc235cdaf9d744caf4de5e665ae91599e3c2feea0860e9f6eeb2eea45fe4e57542fae95ed9110d44624513de3aa0

Download Submit
C:\Users\Admin\AppData\Local\Programs\wolskill\chrome_200_percent.pak

Filesize
308KB

MD5
9662c1f572ef83f070d2354b0275ec60

SHA1
04ce905a95a1c3b8521a17ac9f57503e7aa3eac9

SHA256
55dd419a1cecca86665ba5e6184d6b58edf714d652e67c5220dd3b407d99afa8

SHA512
b1d34d58f5079b1db9764bce2787969113ac7cb1b83dbc3ebce8c9c287af372a639611ba11246a088243e2098dbd1d6ad51341eff2a57a995868bb0db94a3167

Download Submit
C:\Users\Admin\AppData\Local\Programs\wolskill\d3dcompiler_47.dll

Filesize
4.3MB

MD5
fea40e5b591127ae3b065389d058a445

SHA1
621fa52fb488271c25c10c646d67e7ce5f42d4f8

SHA256
4b074a3976399dc735484f5d43d04b519b7bdee8ac719d9ab8ed6bd4e6be0345

SHA512
d2412b701d89e2762c72dd99a48283d601dd4311e3731d690cc2ab6cced20994fa67bf3fea4920291fc407cd946e20bdc85836e6786766a1b98a86febaa0e3d9

Download Submit
C:\Users\Admin\AppData\Local\Programs\wolskill\ffmpeg.dll

Filesize
2.0MB

MD5
9e470c0b3c89a5897f3d5d903297c65c

SHA1
ec342ca979bf9e765ee8ff8bd55a3ce253477495

SHA256
f222d284e0a8206f10e5272ac87c006959379cd185c8c4152848e4e7a89b9ae3

SHA512
3f2778732d1add971b475a5a058cf727d410c396834946dbe0df1bcd9d3b64948f563b9f96e7200c2df0738eafe8393c0a60905baea54c59d5d1a717b52dc728

Download Submit
C:\Users\Admin\AppData\Local\Programs\wolskill\icudtl.dat

Filesize
9.9MB

MD5
9e8b247aa7a609e6632518ecd6634fc0

SHA1
cc43315bec76167be7dfbb7dd0b6d61974204d6c

SHA256
18acc07d9ca59b1e599343b022a9e602a0a0c152866f7e5dce1fedd2dbcd33a0

SHA512
7a9590f410c14886317d7cdae606b50b4a0355061e251aa3bcd3e0c614438298e839ff116553089116423e9bc98c131f35796478517d88a180a5a2d08ff7fa5f

Download Submit
C:\Users\Admin\AppData\Local\Programs\wolskill\libEGL.dll

Filesize
138KB

MD5
6fa9e5d7f0100612f31e4de68cdc3387

SHA1
bb1fba878b90bdd386778ae8ac4901f3d3870302

SHA256
d38da60cf89eda2696957dc77231f137475de4c4cc879f8d6ec37a767db3d3f7

SHA512
c7d4d45554ffffd5fab0259235ecea345d77a2b755c7f3c01534cd0289d2e7d4c18d68aa192d3b984ba2b55a609577986dcf9b20e11c30a42d6c84425098a108

Download Submit
C:\Users\Admin\AppData\Local\Programs\wolskill\libglesv2.dll

Filesize
7.4MB

MD5
0988ce390d3ff7542ec747425e2cf37b

SHA1
ebfab63a108a09f6ceeb1ec7c3373fe990d4347e

SHA256
8e5eff35f39cdcf525c04469431cebf24a038fc5d5e8bfd8ba82fa3a6dd2ee89

SHA512
240fb7ce78f5e6fca3a5d4cb5a629ec08a38a6b23f285b48a7b3ff2cce4924af240c53cf5f936ded00472c1a87c0b4db3efa25f68024a851b108a673c2453727

Download Submit
C:\Users\Admin\AppData\Local\Programs\wolskill\locales\en-US.pak

Filesize
71KB

MD5
ce30d32061b772148cbc966915291edc

SHA1
4c5edaed4f3ba6e10443f344e757c26f7ceb4ce9

SHA256
88a07be1329cfde3486dd0376de77e289468a750273970aeae6ad4468c0969f4

SHA512
720fa132a3362ea4f5ea10f30c4996378d1f196210cef13c38579dbacc1f11e55d6dfdaa3aa0a6a574670a962f6e2910a2d66a64a1e7e1d6466b20529f5652cd

Download Submit
C:\Users\Admin\AppData\Local\Programs\wolskill\natives_blob.bin

Filesize
80KB

MD5
1582ffe1b8cb37438bc22edee6cd0a90

SHA1
01af249f33b2e5ffba18ba8f7cd76f2ee0e5f425

SHA256
02586eeaf4ce40d1b34310d885e34fb63e8e9f155fcedbd796536735907cbe80

SHA512
8c66ba4ef15fea573c29f0f6977e290b8fd72f4c8833f31a9b0ef4285f5493e9b27daf3a02c352ed12eadce36cda933d9d97576bfa4dcbbcc04294e73ad9ebfc

Download Submit
C:\Users\Admin\AppData\Local\Programs\wolskill\resources.pak

Filesize
8.3MB

MD5
ece1281abfe1f39aecbd5250d5252403

SHA1
9f995daec49cdb2a3f60c93b3dbf53c6ca0941e4

SHA256
64725eee7be0c64d7d034e77ee0b4a229d59a0865539c3e70cc7a534a89b5182

SHA512
cd78a0125bb77c9dcea4616544117789bc2d5c75d48123ac50b1aaccfd14ab43955850c155b4dd875dc34fca813e9cc7030eda2ee7cc71e418f384f19686ffb4

Download Submit
C:\Users\Admin\AppData\Local\Programs\wolskill\resources\app.asar

Filesize
6.7MB

MD5
fda97f38d05cc2a844adb7d801b605c7

SHA1
6d40ad7c667aefbeea1537d1db81173c125583d5

SHA256
76e9839980a442637a46cef787f38960b4c622c244da90bd7474d5d445e0f7d1

SHA512
12a623139baf2085b9299040bc9b065a1e2d73bbeccc4e04bafe0242b271568163a25c55a3251842faf6f3fa4aaec043e7cd8a9cf6baad7e7d39847156a66c62

Download Submit
C:\Users\Admin\AppData\Local\Programs\wolskill\v8_context_snapshot.bin

Filesize
684KB

MD5
ade12ed60b340f474e242f66ba423711

SHA1
4d800cd71872e76e08a5a5650ff0169eb16f8ef6

SHA256
25b3a8326201f6940611c49eabecaff1648d31c27ff38dd192015b23e7dc75e0

SHA512
2cb2af6e0f873a36aba90307fba0b56a039f1ee29f317c70c5fc41634b19f6c0a807aa9293cbf7a83f470637921ddc96f79b4273300a61259447fce0624a097e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf4af771-c0a0-477f-b2d4-52c75943e844.tmp.node

Filesize
601KB

MD5
c4f523ff55e62556dc395fc97ea174cb

SHA1
eae1d781d191a13ffa0d887f5ef83444a6b66260

SHA256
9d6658db6518b86c2d78e8ff6097f3d717d51d908546c4a7bc8ab385c691ea94

SHA512
00d530522edde68e92da07059a96bea18f949d9c2dfb9cd59987c1376e4d2f660cf4af5ddf8ea5b2726958500ee4c0a1745365ec49171c960737d64c085ea085

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso9C41.tmp\SpiderBanner.dll

Filesize
9KB

MD5
17309e33b596ba3a5693b4d3e85cf8d7

SHA1
7d361836cf53df42021c7f2b148aec9458818c01

SHA256
996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93

SHA512
1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso9C41.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso9C41.tmp\System.dll

Filesize
11KB

MD5
75ed96254fbf894e42058062b4b4f0d1

SHA1
996503f1383b49021eb3427bc28d13b5bbd11977

SHA256
a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

SHA512
58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso9C41.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso9C41.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso9C41.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\AppData\Roaming\wolskill\Code Cache\js\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Roaming\wolskill\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
c1763f38d584931e293274db8fea06cd

SHA1
c9bd7048d019c5315f620fa3d4e2cefbb5002e75

SHA256
d67566d64ad2707c98585fb995e0ed3e4a645a6ca8986b48bfa430d2a5fc4ea8

SHA512
d2225f105608c39df60e30cd9d0ae6f8e6605db0b019765d7d1b39c78f304fbc4f4c20c3ae32cb9d3f6bc9583249280607e291b5961383b01b68bfdcb9d7eea3

Download Submit
C:\Users\Admin\AppData\Roaming\wolskill\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Roaming\wolskill\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Roaming\wolskill\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\wolskill\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Roaming\wolskill\GPUCache\index

Filesize
256KB

MD5
14da69ccaa729c7389b917faf7f602f5

SHA1
bae8fc91c4ec5c41806987122f67433066b3e223

SHA256
f2e1857679ddba2f8ff706f5c6cb15ecae6c33d0ce5f21902ca62332b837926b

SHA512
c97300f37ed8480e45e631880d57f30f3a7c1feb309d78ad240e053ae0c7248d1671c266275cd83066ce67f1c4c952c6ea1afc51a56481b7366d6d5c1b0adf70

Download Submit
C:\Users\Admin\AppData\Roaming\wolskill\Network Persistent State

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
memory/4864-211-0x00007FFEBF910000-0x00007FFEBF911000-memory.dmp

Filesize
4KB

Download