Overview

overview

10

Static

static

3

Maple.sfx.exe

windows10-2004-x64

10

Maple.sfx.exe

windows10-ltsc 2021-x64

10

Maple.sfx.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    600s
  • max time network
    597s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-12-2024 05:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Maple.sfx.exe

  • Size

    49.9MB

  • MD5

    14f12462e11fa31d767d0c5c595275d7

  • SHA1

    f1856059d89103e0f4945596fc676d9e7324b617

  • SHA256

    e249cfa785ad8d169e8d1df6694af48edf299ad2e261d6bd511dabe1d1612431

  • SHA512

    6a8ba912609f58c2dba80a56962529ccde435ec1564497fadc3b6a5e28c5c06cd054e725d0e42a891fdee6d378b041cb3d71890622a7d569cacfac3f452b7c1f

  • SSDEEP

    1572864:NKc6lOyrjq1zExjMkfCfYFvWExN+ZJupU485C/:NP6lOscE9Mkfnb1pUTC/

Score
10/10
njratumbralxwormdiscoveryevasionexecutionpersistenceprivilege_escalationratspywarestealertrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

testarosa.duckdns.org:7110

Mutex

5ZpeoOe6AtQfr6wU

Attributes
  • Install_directory

    %AppData%

  • install_file

    Ondrive.exe

aes.plain

Signatures

  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 2 IoCs
  • Njrat family
    njrat
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Umbral family
    umbral
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 20 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Maple.sfx.exe
    "C:\Users\Admin\AppData\Local\Temp\Maple.sfx.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2468
    • C:\Users\Admin\AppData\Roaming\loader.exe
      "C:\Users\Admin\AppData\Roaming\loader.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1120
      • C:\Users\Admin\AppData\Local\Temp\Server.exe
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4176
        • C:\Users\Admin\AppData\Roaming\Server.exe
          "C:\Users\Admin\AppData\Roaming\Server.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1228
          • C:\Users\Admin\AppData\Local\Temp\server.exe
            "C:\Users\Admin\AppData\Local\Temp\server.exe"
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:5088
            • C:\Windows\SysWOW64\netsh.exe
              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
              6⤵
              • Modifies Windows Firewall
              • Event Triggered Execution: Netsh Helper DLL
              • System Location Discovery: System Language Discovery
              PID:4896
        • C:\Users\Admin\AppData\Roaming\conhost.exe
          "C:\Users\Admin\AppData\Roaming\conhost.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1516
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:3580
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:3520
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Ondrive.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:4324
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Ondrive.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2968
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Ondrive" /tr "C:\Users\Admin\AppData\Roaming\Ondrive.exe"
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:1288
      • C:\Users\Admin\AppData\Local\Temp\Maple.exe
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1808
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1736
        • C:\Windows\SYSTEM32\attrib.exe
          "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
          4⤵
          • Views/modifies file attributes
          PID:3612
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:4456
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:4628
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:3784
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4916
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" os get Caption
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4652
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" computersystem get totalphysicalmemory
          4⤵
            PID:4840
            • C:\Windows\System32\Conhost.exe
              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              5⤵
                PID:4284
            • C:\Windows\System32\Wbem\wmic.exe
              "wmic.exe" csproduct get uuid
              4⤵
                PID:1448
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                4⤵
                • Command and Scripting Interpreter: PowerShell
                PID:4756
              • C:\Windows\System32\Wbem\wmic.exe
                "wmic" path win32_VideoController get name
                4⤵
                • Detects videocard installed
                PID:3784
              • C:\Windows\SYSTEM32\cmd.exe
                "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
                4⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                PID:4772
                • C:\Windows\system32\PING.EXE
                  ping localhost
                  5⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:4024
            • C:\Users\Admin\AppData\Local\Temp\loader.exe
              "C:\Users\Admin\AppData\Local\Temp\loader.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:5084
              • C:\Users\Admin\AppData\Local\Temp\onefile_5084_133787155869642077\loader.exe
                "C:\Users\Admin\AppData\Local\Temp\loader.exe"
                4⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:5008
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c "start maple.exe"
                  5⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1652
                  • C:\Users\Admin\AppData\Roaming\maple.exe
                    maple.exe
                    6⤵
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:2356
                    • C:\Users\Admin\AppData\Local\Temp\onefile_2356_133787155894069857\main.exe
                      maple.exe
                      7⤵
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Checks whether UAC is enabled
                      • Suspicious use of WriteProcessMemory
                      PID:4292
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /c
                        8⤵
                          PID:4284
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c "ver"
                          8⤵
                            PID:460
                          • C:\Windows\system32\cmd.exe
                            C:\Windows\system32\cmd.exe /c mode 100, 20
                            8⤵
                            • Suspicious use of WriteProcessMemory
                            PID:3688
                            • C:\Windows\system32\mode.com
                              mode 100, 20
                              9⤵
                                PID:2788
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\system32\cmd.exe /c cls
                              8⤵
                                PID:4996
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c cls
                                8⤵
                                  PID:1564
                  • C:\Users\Admin\AppData\Roaming\Ondrive.exe
                    C:\Users\Admin\AppData\Roaming\Ondrive.exe
                    1⤵
                    • Executes dropped EXE
                    PID:3856
                  • C:\Users\Admin\AppData\Roaming\Ondrive.exe
                    C:\Users\Admin\AppData\Roaming\Ondrive.exe
                    1⤵
                    • Executes dropped EXE
                    PID:1872
                  • C:\Users\Admin\AppData\Roaming\Ondrive.exe
                    C:\Users\Admin\AppData\Roaming\Ondrive.exe
                    1⤵
                    • Executes dropped EXE
                    PID:4784
                  • C:\Users\Admin\AppData\Roaming\Ondrive.exe
                    C:\Users\Admin\AppData\Roaming\Ondrive.exe
                    1⤵
                    • Executes dropped EXE
                    PID:1924
                  • C:\Users\Admin\AppData\Roaming\Ondrive.exe
                    C:\Users\Admin\AppData\Roaming\Ondrive.exe
                    1⤵
                    • Executes dropped EXE
                    PID:4972
                  • C:\Users\Admin\AppData\Roaming\Ondrive.exe
                    C:\Users\Admin\AppData\Roaming\Ondrive.exe
                    1⤵
                    • Executes dropped EXE
                    PID:2476
                  • C:\Users\Admin\AppData\Roaming\Ondrive.exe
                    C:\Users\Admin\AppData\Roaming\Ondrive.exe
                    1⤵
                    • Executes dropped EXE
                    PID:1616
                  • C:\Users\Admin\AppData\Roaming\Ondrive.exe
                    C:\Users\Admin\AppData\Roaming\Ondrive.exe
                    1⤵
                    • Executes dropped EXE
                    PID:5056
                  • C:\Users\Admin\AppData\Roaming\Ondrive.exe
                    C:\Users\Admin\AppData\Roaming\Ondrive.exe
                    1⤵
                    • Executes dropped EXE
                    PID:4300
                  • C:\Users\Admin\AppData\Roaming\Ondrive.exe
                    C:\Users\Admin\AppData\Roaming\Ondrive.exe
                    1⤵
                    • Executes dropped EXE
                    PID:4360

                  Network

                  MITRE ATT&CK Enterprise v15

                  Reconnaissance

                  Resource Development

                  Initial Access

                  Execution

                  Command and Scripting Interpreter

                  1
                  T1059

                  PowerShell

                  1
                  T1059.001

                  Scheduled Task/Job

                  1
                  T1053

                  Scheduled Task

                  1
                  T1053.005

                  Persistence

                  Boot or Logon Autostart Execution

                  1
                  T1547

                  Registry Run Keys / Startup Folder

                  1
                  T1547.001

                  Create or Modify System Process

                  1
                  T1543

                  Windows Service

                  1
                  T1543.003

                  Event Triggered Execution

                  1
                  T1546

                  Netsh Helper DLL

                  1
                  T1546.007

                  Scheduled Task/Job

                  1
                  T1053

                  Scheduled Task

                  1
                  T1053.005

                  Privilege Escalation

                  Boot or Logon Autostart Execution

                  1
                  T1547

                  Registry Run Keys / Startup Folder

                  1
                  T1547.001

                  Create or Modify System Process

                  1
                  T1543

                  Windows Service

                  1
                  T1543.003

                  Event Triggered Execution

                  1
                  T1546

                  Netsh Helper DLL

                  1
                  T1546.007

                  Scheduled Task/Job

                  1
                  T1053

                  Scheduled Task

                  1
                  T1053.005

                  Defense Evasion

                  Hide Artifacts

                  1
                  T1564

                  Hidden Files and Directories

                  1
                  T1564.001

                  Impair Defenses

                  1
                  T1562

                  Disable or Modify System Firewall

                  1
                  T1562.004

                  Modify Registry

                  1
                  T1112

                  Virtualization/Sandbox Evasion

                  1
                  T1497

                  Credential Access

                  Credentials from Password Stores

                  1
                  T1555

                  Credentials from Web Browsers

                  1
                  T1555.003

                  Unsecured Credentials

                  1
                  T1552

                  Credentials In Files

                  1
                  T1552.001

                  Discovery

                  Query Registry

                  4
                  T1012

                  Remote System Discovery

                  1
                  T1018

                  System Information Discovery

                  5
                  T1082

                  System Location Discovery

                  1
                  T1614

                  System Language Discovery

                  1
                  T1614.001

                  System Network Configuration Discovery

                  1
                  T1016

                  Internet Connection Discovery

                  1
                  T1016.001

                  Virtualization/Sandbox Evasion

                  1
                  T1497

                  Lateral Movement

                  Collection

                  Data from Local System

                  1
                  T1005

                  Command and Control

                  Web Service

                  1
                  T1102

                  Exfiltration

                  Impact

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                    Filesize

                    2KB

                    MD5

                    d85ba6ff808d9e5444a4b369f5bc2730

                    SHA1

                    31aa9d96590fff6981b315e0b391b575e4c0804a

                    SHA256

                    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                    SHA512

                    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    944B

                    MD5

                    3235c0b45a0ee14bd4e5213339b30705

                    SHA1

                    49ebee3177d8bf7d2b1ce8df3f28f3cc576364aa

                    SHA256

                    e407d81c185f5505e1f76e43cfe12076caf7fc7ffb35fd8df087c12c35125b9f

                    SHA512

                    2e3e467a766e7f05c81f661472bf8ce944f915cf829f70b4f988b65fc55165580fe37bb8683851e28b939313707c995849fefb1f402d57998412de96cfe0cd54

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    948B

                    MD5

                    28ef595a6cc9f47b8eccb22d4ed50d6c

                    SHA1

                    4335de707324b15eba79017938c3da2752d3eea5

                    SHA256

                    3abd14d4fe7b5697b2fa84993e7183f4fd2580be5b4e5150da15ddda5a9560b9

                    SHA512

                    687b7849faa62a4dabc240b573afa163f0cda9a80be61cebe28ef1461777744d73b465ac92d065093228068540846e79c899445057f5b906f9b9fa9868132208

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\Maple.exe
                    Filesize

                    227KB

                    MD5

                    550b445ad1a44d1f23f7155fae400db6

                    SHA1

                    cb006a53156285fdef3a0b33a4a08f534cd3bab7

                    SHA256

                    d223b3918e8bc3bab1d23fdc2e306be1c6587d3ab8f324fc377e37585387884e

                    SHA512

                    909f31f24672ffc5542ac42f344eb6020bcdfdfac9ac13d5672fe7ed22e686b06385d15709f1f83b576b1dade591ad40eb429ef076d07f4597235cd95a679fa5

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd
                    Filesize

                    76KB

                    MD5

                    8140bdc5803a4893509f0e39b67158ce

                    SHA1

                    653cc1c82ba6240b0186623724aec3287e9bc232

                    SHA256

                    39715ef8d043354f0ab15f62878530a38518fb6192bc48da6a098498e8d35769

                    SHA512

                    d0878fee92e555b15e9f01ce39cfdc3d6122b41ce00ec3a4a7f0f661619f83ec520dca41e35a1e15650fb34ad238974fe8019577c42ca460dde76e3891b0e826

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-8.dll
                    Filesize

                    34KB

                    MD5

                    32d36d2b0719db2b739af803c5e1c2f5

                    SHA1

                    023c4f1159a2a05420f68daf939b9ac2b04ab082

                    SHA256

                    128a583e821e52b595eb4b3dda17697d3ca456ee72945f7ecce48ededad0e93c

                    SHA512

                    a0a68cfc2f96cb1afd29db185c940e9838b6d097d2591b0a2e66830dd500e8b9538d170125a00ee8c22b8251181b73518b73de94beeedd421d3e888564a111c1

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\psutil\_psutil_windows.pyd
                    Filesize

                    76KB

                    MD5

                    ebefbc98d468560b222f2d2d30ebb95c

                    SHA1

                    ee267e3a6e5bed1a15055451efcccac327d2bc43

                    SHA256

                    67c17558b635d6027ddbb781ea4e79fc0618bbec7485bd6d84b0ebcd9ef6a478

                    SHA512

                    ab9f949adfe9475b0ba8c37fa14b0705923f79c8a10b81446abc448ad38d5d55516f729b570d641926610c99df834223567c1efde166e6a0f805c9e2a35556e3

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\ONEFIL~2\zstandard\backend_c.pyd
                    Filesize

                    512KB

                    MD5

                    4652c4087b148d08adefedf55719308b

                    SHA1

                    30e06026fea94e5777c529b479470809025ffbe2

                    SHA256

                    003f439c27a532d6f3443706ccefac6be4152bebc1aa8bdf1c4adfc095d33795

                    SHA512

                    d4972c51ffbce63d2888ddfead2f616166b6f21a0c186ccf97a41c447c1fac6e848f464e4acde05bea5b24c73c5a03b834731f8807a54ee46ca8619b1d0c465d

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\Server.exe
                    Filesize

                    71KB

                    MD5

                    f9b08bd21b40a938122b479095b7c70c

                    SHA1

                    eb925e3927b83c20d8d24bdab2e587c10d6ac8cd

                    SHA256

                    c96cde2e96021c266a202286d644ceb28543d6347e21006d72b29b8a72c505e8

                    SHA512

                    fcc5784936b7f85a550883c472b99b5edfa7e5c6fd3872fd806b81c2ce1f195ca34342b230a89456066885579fe55aea46d91074ac08af192fbd04ea158473ee

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oc1ofiaz.txw.ps1
                    Filesize

                    60B

                    MD5

                    d17fe0a3f47be24a6453e9ef58c94641

                    SHA1

                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                    SHA256

                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                    SHA512

                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\loader.exe
                    Filesize

                    5.3MB

                    MD5

                    e630d72436e3dc1be7763de7f75b7adf

                    SHA1

                    40e07b22ab8b69e6827f90e20aeac35757899a23

                    SHA256

                    59818142f41895d3cadf7bee0124b392af3473060f00b9548daa3a224223993e

                    SHA512

                    82f0be15e2736447fae7d9a313a8a81a2c6e6ca617539ff8bf3fa0d2fe93d96e68afea6964e96e9dd671ba4090ddbc8a759c9b68f10e24a7fb847fe2c9825a83

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\onefile_2356_133787155894069857\VCRUNTIME140.dll
                    Filesize

                    95KB

                    MD5

                    f34eb034aa4a9735218686590cba2e8b

                    SHA1

                    2bc20acdcb201676b77a66fa7ec6b53fa2644713

                    SHA256

                    9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

                    SHA512

                    d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\onefile_2356_133787155894069857\_brotli.pyd
                    Filesize

                    801KB

                    MD5

                    ee3d454883556a68920caaedefbc1f83

                    SHA1

                    45b4d62a6e7db022e52c6159eef17e9d58bec858

                    SHA256

                    791e7195d7df47a21466868f3d7386cff13f16c51fcd0350bf4028e96278dff1

                    SHA512

                    e404adf831076d27680cc38d3879af660a96afc8b8e22ffd01647248c601f3c6c4585d7d7dc6bbd187660595f6a48f504792106869d329aa1a0f3707d7f777c6

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\onefile_2356_133787155894069857\_ctypes.pyd
                    Filesize

                    120KB

                    MD5

                    1635a0c5a72df5ae64072cbb0065aebe

                    SHA1

                    c975865208b3369e71e3464bbcc87b65718b2b1f

                    SHA256

                    1ea3dd3df393fa9b27bf6595be4ac859064cd8ef9908a12378a6021bba1cb177

                    SHA512

                    6e34346ea8a0aacc29ccd480035da66e280830a7f3d220fd2f12d4cfa3e1c03955d58c0b95c2674aea698a36a1b674325d3588483505874c2ce018135320ff99

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\onefile_2356_133787155894069857\_hashlib.pyd
                    Filesize

                    63KB

                    MD5

                    d4674750c732f0db4c4dd6a83a9124fe

                    SHA1

                    fd8d76817abc847bb8359a7c268acada9d26bfd5

                    SHA256

                    caa4d2f8795e9a55e128409cc016e2cc5c694cb026d7058fc561e4dd131ed1c9

                    SHA512

                    97d57cfb80dd9dd822f2f30f836e13a52f771ee8485bc0fd29236882970f6bfbdfaac3f2e333bba5c25c20255e8c0f5ad82d8bc8a6b6e2f7a07ea94a9149c81e

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\onefile_2356_133787155894069857\_queue.pyd
                    Filesize

                    30KB

                    MD5

                    d8c1b81bbc125b6ad1f48a172181336e

                    SHA1

                    3ff1d8dcec04ce16e97e12263b9233fbf982340c

                    SHA256

                    925f05255f4aae0997dc4ec94d900fd15950fd840685d5b8aa755427c7422b14

                    SHA512

                    ccc9f0d3aca66729832f26be12f8e7021834bbee1f4a45da9451b1aa5c2e63126c0031d223af57cf71fad2c85860782a56d78d8339b35720194df139076e0772

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\onefile_2356_133787155894069857\_socket.pyd
                    Filesize

                    77KB

                    MD5

                    819166054fec07efcd1062f13c2147ee

                    SHA1

                    93868ebcd6e013fda9cd96d8065a1d70a66a2a26

                    SHA256

                    e6deb751039cd5424a139708475ce83f9c042d43e650765a716cb4a924b07e4f

                    SHA512

                    da3a440c94cb99b8af7d2bc8f8f0631ae9c112bd04badf200edbf7ea0c48d012843b4a9fb9f1e6d3a9674fd3d4eb6f0fa78fd1121fad1f01f3b981028538b666

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\onefile_2356_133787155894069857\_ssl.pyd
                    Filesize

                    156KB

                    MD5

                    7910fb2af40e81bee211182cffec0a06

                    SHA1

                    251482ed44840b3c75426dd8e3280059d2ca06c6

                    SHA256

                    d2a7999e234e33828888ad455baa6ab101d90323579abc1095b8c42f0f723b6f

                    SHA512

                    bfe6506feb27a592fe9cf1db7d567d0d07f148ef1a2c969f1e4f7f29740c6bb8ccf946131e65fe5aa8ede371686c272b0860bd4c0c223195aaa1a44f59301b27

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\onefile_2356_133787155894069857\libcrypto-1_1.dll
                    Filesize

                    3.3MB

                    MD5

                    9d7a0c99256c50afd5b0560ba2548930

                    SHA1

                    76bd9f13597a46f5283aa35c30b53c21976d0824

                    SHA256

                    9b7b4a0ad212095a8c2e35c71694d8a1764cd72a829e8e17c8afe3a55f147939

                    SHA512

                    cb39aa99b9d98c735fdacf1c5ed68a4d09d11f30262b91f6aa48c3f8520eff95e499400d0ce7e280ca7a90ff6d7141d2d893ef0b33a8803a1cadb28ba9a9e3e2

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\onefile_2356_133787155894069857\libffi-7.dll
                    Filesize

                    32KB

                    MD5

                    eef7981412be8ea459064d3090f4b3aa

                    SHA1

                    c60da4830ce27afc234b3c3014c583f7f0a5a925

                    SHA256

                    f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

                    SHA512

                    dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\onefile_2356_133787155894069857\libssl-1_1.dll
                    Filesize

                    688KB

                    MD5

                    bec0f86f9da765e2a02c9237259a7898

                    SHA1

                    3caa604c3fff88e71f489977e4293a488fb5671c

                    SHA256

                    d74ce01319ae6f54483a19375524aa39d9f5fd91f06cf7df238ca25e043130fd

                    SHA512

                    ffbc4e5ffdb49704e7aa6d74533e5af76bbe5db297713d8e59bd296143fe5f145fbb616b343eed3c48eceaccccc2431630470d8975a4a17c37eafcc12edd19f4

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\onefile_2356_133787155894069857\python310.dll
                    Filesize

                    4.3MB

                    MD5

                    63a1fa9259a35eaeac04174cecb90048

                    SHA1

                    0dc0c91bcd6f69b80dcdd7e4020365dd7853885a

                    SHA256

                    14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed

                    SHA512

                    896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\onefile_2356_133787155894069857\select.pyd
                    Filesize

                    29KB

                    MD5

                    a653f35d05d2f6debc5d34daddd3dfa1

                    SHA1

                    1a2ceec28ea44388f412420425665c3781af2435

                    SHA256

                    db85f2f94d4994283e1055057372594538ae11020389d966e45607413851d9e9

                    SHA512

                    5aede99c3be25b1a962261b183ae7a7fb92cb0cb866065dc9cd7bb5ff6f41cc8813d2cc9de54670a27b3ad07a33b833eaa95a5b46dad7763ca97dfa0c1ce54c9

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\onefile_5084_133787155869642077\_ctypes.pyd
                    Filesize

                    120KB

                    MD5

                    6a9ca97c039d9bbb7abf40b53c851198

                    SHA1

                    01bcbd134a76ccd4f3badb5f4056abedcff60734

                    SHA256

                    e662d2b35bb48c5f3432bde79c0d20313238af800968ba0faa6ea7e7e5ef4535

                    SHA512

                    dedf7f98afc0a94a248f12e4c4ca01b412da45b926da3f9c4cbc1d2cbb98c8899f43f5884b1bf1f0b941edaeef65612ea17438e67745962ff13761300910960d

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\onefile_5084_133787155869642077\loader.exe
                    Filesize

                    8.5MB

                    MD5

                    7e528c7d750373f489ed3983d28a5279

                    SHA1

                    805d666d7c3f98b0f2f21f8ded1ebc801bb87028

                    SHA256

                    7b025b56f3cec113e0569dfa37fa593f64d15c42116d321452500c03df105b8e

                    SHA512

                    40b4809678c6b17fcd389038464d32752058e60ed446d941698fee561641e740652bd305e2a6fe80cdd6171807fe6fbc22b99e4eaccd4c699acaca39b7328ca3

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\onefile_5084_133787155869642077\python3.dll
                    Filesize

                    64KB

                    MD5

                    34e49bb1dfddf6037f0001d9aefe7d61

                    SHA1

                    a25a39dca11cdc195c9ecd49e95657a3e4fe3215

                    SHA256

                    4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281

                    SHA512

                    edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\onefile_5084_133787155869642077\python311.dll
                    Filesize

                    5.5MB

                    MD5

                    9a24c8c35e4ac4b1597124c1dcbebe0f

                    SHA1

                    f59782a4923a30118b97e01a7f8db69b92d8382a

                    SHA256

                    a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

                    SHA512

                    9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\onefile_5084_133787155869642077\select.pyd
                    Filesize

                    28KB

                    MD5

                    97ee623f1217a7b4b7de5769b7b665d6

                    SHA1

                    95b918f3f4c057fb9c878c8cc5e502c0bd9e54c0

                    SHA256

                    0046eb32f873cde62cf29af02687b1dd43154e9fd10e0aa3d8353d3debb38790

                    SHA512

                    20edc7eae5c0709af5c792f04a8a633d416da5a38fc69bd0409afe40b7fb1afa526de6fe25d8543ece9ea44fd6baa04a9d316ac71212ae9638bdef768e661e0f

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\onefile_5084_133787155869642077\vcruntime140.dll
                    Filesize

                    96KB

                    MD5

                    f12681a472b9dd04a812e16096514974

                    SHA1

                    6fd102eb3e0b0e6eef08118d71f28702d1a9067c

                    SHA256

                    d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

                    SHA512

                    7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Server.exe
                    Filesize

                    23KB

                    MD5

                    32fe01ccb93b0233503d0aaaa451f7b2

                    SHA1

                    58e5a63142150e8fb175dbb4dedea2ce405d7db0

                    SHA256

                    6988ee719a54c93a89303dcff277c62ae4890274cc45f074bc7effde315fbf43

                    SHA512

                    76945f23a49d594e325d80ffc0570341044ac0b97bd889c92f90bc56d3cdff5c1b29178be4f157c8c1bb9ce7cc311765309f2e6f7b08b24e7acf983ea67635a6

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\conhost.exe
                    Filesize

                    37KB

                    MD5

                    b37dd1a1f0507baf993471ae1b7a314c

                    SHA1

                    9aff9d71492ffff8d51f8e8d67f5770755899882

                    SHA256

                    e58e8918a443c0061add029f8f211f6551a130202195cc2b9b529ea72553e0bc

                    SHA512

                    ac76d5b10540eb292341f30c7abfd81f03be65f6655c814aba6ac6a0ecf4f0f2c34c3b8e63ceef8c4579f98b7459e51b9fdd30d601c6d1930860ab7c154da460

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\loader.exe
                    Filesize

                    5.4MB

                    MD5

                    916f7dea6831485387d70b0891455e65

                    SHA1

                    176e995cc2584d7c9703b2beee0994dcc4be91d5

                    SHA256

                    c47e49026afb1d2c8708f1e36510ad862eb288c7ac48e9c4bebfbd051475fbc2

                    SHA512

                    ba5c40e6416a53c88f5b5d7e0ce346956ef6bd0aebed355df8070ebb71dda78125945fe1cdca87caa29a2b5d98c437bafd228396a516c91f764256e54556f0e4

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\maple.exe
                    Filesize

                    40.8MB

                    MD5

                    db7b4b030f0a44a2f51c957d949f8e1e

                    SHA1

                    7814eaffb9c68fb78f3f69380439aaf94d556828

                    SHA256

                    8f5f582788ce95ba51ca37dac8e45fff1674e0d36e4129731edded7e71a94c30

                    SHA512

                    be6f371423a0bee1b3d3f61640e1b6ca64290a4a864d4a1b3ad8ca6250650ca01d42b635f650138733b3817c491f64a8bc82622e7f1b565dc4cc8da37e43a63c

                    Download Submit

                  • memory/1120-20-0x00007FFB411C3000-0x00007FFB411C5000-memory.dmp

                    Filesize

                    8KB

                    Download

                  • memory/1120-56-0x00007FFB411C0000-0x00007FFB41C81000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/1120-21-0x0000000000600000-0x0000000000B60000-memory.dmp

                    Filesize

                    5.4MB

                    Download

                  • memory/1120-32-0x00007FFB411C0000-0x00007FFB41C81000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/1516-76-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1808-1196-0x00000213321A0000-0x0000021332216000-memory.dmp

                    Filesize

                    472KB

                    Download

                  • memory/1808-45-0x0000021317A50000-0x0000021317A90000-memory.dmp

                    Filesize

                    256KB

                    Download

                  • memory/1808-1198-0x0000021332120000-0x000002133213E000-memory.dmp

                    Filesize

                    120KB

                    Download

                  • memory/1808-1197-0x0000021332220000-0x0000021332270000-memory.dmp

                    Filesize

                    320KB

                    Download

                  • memory/1808-1296-0x0000021332170000-0x0000021332182000-memory.dmp

                    Filesize

                    72KB

                    Download

                  • memory/1808-1295-0x0000021332140000-0x000002133214A000-memory.dmp

                    Filesize

                    40KB

                    Download

                  • memory/4176-46-0x0000000000F20000-0x0000000000F38000-memory.dmp

                    Filesize

                    96KB

                    Download

                  • memory/4292-1280-0x000000005CFD0000-0x000000005D9AF000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/4292-1282-0x000000005CFD0000-0x000000005D9AF000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/4292-1281-0x000000005CFD0000-0x000000005D9AF000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/4292-1279-0x000000005CFD0000-0x000000005D9AF000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/4292-1278-0x000000005CFD0000-0x000000005D9AF000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/4292-1276-0x000000005CFD0000-0x000000005D9AF000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/4292-1277-0x000000005CFD0000-0x000000005D9AF000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/4292-1368-0x00007FFB350D0000-0x00007FFB3625F000-memory.dmp

                    Filesize

                    17.6MB

                    Download

                  • memory/4292-1369-0x00007FFB2D700000-0x00007FFB2F7B6000-memory.dmp

                    Filesize

                    32.7MB

                    Download

                  • memory/4456-160-0x000001C3A6770000-0x000001C3A6792000-memory.dmp

                    Filesize

                    136KB

                    Download