63bd5de0406b8b5db7c853bfbf3c1970519bc068d88902edee744e6b9a99ba61

Analysis

max time kernel
36s
max time network
40s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
19/03/2025, 00:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Wave.exe
Size

54.0MB
MD5

5f4c9f3fc681ac6be5be6681396545ab
SHA1

e3d67195899364eebfb27d7d8b050a25040466b9
SHA256

63bd5de0406b8b5db7c853bfbf3c1970519bc068d88902edee744e6b9a99ba61
SHA512

5b2065e212bbbd12420022b69ae77252cf80c5b44de24b32be6107a6252405084f174df65aab411df870f347a13d54f404aa25aedfab221c999d8fc73c4beaf7
SSDEEP

393216:59nqYllR13C29oiF0U1vFEgcfn52W3K+AbcsCSmggoKlQnAliXUxR0rHa93WhlUk:Dfl6e0OBG6ZC/Lwi8rj

Score

7^/10

defense_evasion discovery execution

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4804	7za.exe
5840	system.exe

Loads dropped DLL 64 IoCs

pid	Process
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe
5840	system.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
2	raw.githubusercontent.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to get system information.

execution

PowerShell

T1059.001

pid	Process
4168	powershell.exe
5328	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7za.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5164	WMIC.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2736	Wave.exe
2736	Wave.exe
5784	powershell.exe
5784	powershell.exe
5328	powershell.exe
5328	powershell.exe
4168	powershell.exe
4168	powershell.exe
5840	system.exe
5840	system.exe
5164	WMIC.exe
5164	WMIC.exe
5164	WMIC.exe
5164	WMIC.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5784	powershell.exe
Token: SeDebugPrivilege	5328	powershell.exe
Token: SeDebugPrivilege	4168	powershell.exe
Token: SeIncreaseQuotaPrivilege	4168	powershell.exe
Token: SeSecurityPrivilege	4168	powershell.exe
Token: SeTakeOwnershipPrivilege	4168	powershell.exe
Token: SeLoadDriverPrivilege	4168	powershell.exe
Token: SeSystemProfilePrivilege	4168	powershell.exe
Token: SeSystemtimePrivilege	4168	powershell.exe
Token: SeProfSingleProcessPrivilege	4168	powershell.exe
Token: SeIncBasePriorityPrivilege	4168	powershell.exe
Token: SeCreatePagefilePrivilege	4168	powershell.exe
Token: SeBackupPrivilege	4168	powershell.exe
Token: SeRestorePrivilege	4168	powershell.exe
Token: SeShutdownPrivilege	4168	powershell.exe
Token: SeDebugPrivilege	4168	powershell.exe
Token: SeSystemEnvironmentPrivilege	4168	powershell.exe
Token: SeRemoteShutdownPrivilege	4168	powershell.exe
Token: SeUndockPrivilege	4168	powershell.exe
Token: SeManageVolumePrivilege	4168	powershell.exe
Token: 33	4168	powershell.exe
Token: 34	4168	powershell.exe
Token: 35	4168	powershell.exe
Token: 36	4168	powershell.exe
Token: SeDebugPrivilege	5840	system.exe
Token: SeIncreaseQuotaPrivilege	5164	WMIC.exe
Token: SeSecurityPrivilege	5164	WMIC.exe
Token: SeTakeOwnershipPrivilege	5164	WMIC.exe
Token: SeLoadDriverPrivilege	5164	WMIC.exe
Token: SeSystemProfilePrivilege	5164	WMIC.exe
Token: SeSystemtimePrivilege	5164	WMIC.exe
Token: SeProfSingleProcessPrivilege	5164	WMIC.exe
Token: SeIncBasePriorityPrivilege	5164	WMIC.exe
Token: SeCreatePagefilePrivilege	5164	WMIC.exe
Token: SeBackupPrivilege	5164	WMIC.exe
Token: SeRestorePrivilege	5164	WMIC.exe
Token: SeShutdownPrivilege	5164	WMIC.exe
Token: SeDebugPrivilege	5164	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5164	WMIC.exe
Token: SeRemoteShutdownPrivilege	5164	WMIC.exe
Token: SeUndockPrivilege	5164	WMIC.exe
Token: SeManageVolumePrivilege	5164	WMIC.exe
Token: 33	5164	WMIC.exe
Token: 34	5164	WMIC.exe
Token: 35	5164	WMIC.exe
Token: 36	5164	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5164	WMIC.exe
Token: SeSecurityPrivilege	5164	WMIC.exe
Token: SeTakeOwnershipPrivilege	5164	WMIC.exe
Token: SeLoadDriverPrivilege	5164	WMIC.exe
Token: SeSystemProfilePrivilege	5164	WMIC.exe
Token: SeSystemtimePrivilege	5164	WMIC.exe
Token: SeProfSingleProcessPrivilege	5164	WMIC.exe
Token: SeIncBasePriorityPrivilege	5164	WMIC.exe
Token: SeCreatePagefilePrivilege	5164	WMIC.exe
Token: SeBackupPrivilege	5164	WMIC.exe
Token: SeRestorePrivilege	5164	WMIC.exe
Token: SeShutdownPrivilege	5164	WMIC.exe
Token: SeDebugPrivilege	5164	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5164	WMIC.exe
Token: SeRemoteShutdownPrivilege	5164	WMIC.exe
Token: SeUndockPrivilege	5164	WMIC.exe
Token: SeManageVolumePrivilege	5164	WMIC.exe
Token: 33	5164	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5840	system.exe
5840	system.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 5784	2736	Wave.exe	81
PID 2736 wrote to memory of 5784	2736	Wave.exe	81
PID 5784 wrote to memory of 5112	5784	powershell.exe	82
PID 5784 wrote to memory of 5112	5784	powershell.exe	82
PID 5112 wrote to memory of 5972	5112	csc.exe	83
PID 5112 wrote to memory of 5972	5112	csc.exe	83
PID 2736 wrote to memory of 5328	2736	Wave.exe	84
PID 2736 wrote to memory of 5328	2736	Wave.exe	84
PID 2736 wrote to memory of 4168	2736	Wave.exe	85
PID 2736 wrote to memory of 4168	2736	Wave.exe	85
PID 2736 wrote to memory of 852	2736	Wave.exe	87
PID 2736 wrote to memory of 852	2736	Wave.exe	87
PID 2736 wrote to memory of 4804	2736	Wave.exe	88
PID 2736 wrote to memory of 4804	2736	Wave.exe	88
PID 2736 wrote to memory of 4804	2736	Wave.exe	88
PID 2736 wrote to memory of 4808	2736	Wave.exe	90
PID 2736 wrote to memory of 4808	2736	Wave.exe	90
PID 4808 wrote to memory of 5840	4808	cmd.exe	91
PID 4808 wrote to memory of 5840	4808	cmd.exe	91
PID 5840 wrote to memory of 5100	5840	system.exe	92
PID 5840 wrote to memory of 5100	5840	system.exe	92
PID 5840 wrote to memory of 60	5840	system.exe	95
PID 5840 wrote to memory of 60	5840	system.exe	95
PID 60 wrote to memory of 5164	60	cmd.exe	97
PID 60 wrote to memory of 5164	60	cmd.exe	97

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
852	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -EncodedCommand CgBpAGYAIAAoAC0AbgBvAHQAIAAoAFsAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAFAAUwBUAHkAcABlAE4AYQBtAGUAXQAnAFcAaQBuADMAMgAnACkALgBUAHkAcABlACkAIAB7AAoAIAAgACAAIABBAGQAZAAtAFQAeQBwAGUAIABAACIACgAgACAAIAAgAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsACgAgACAAIAAgAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsACgAKACAAIAAgACAAcAB1AGIAbABpAGMAIABjAGwAYQBzAHMAIABXAGkAbgAzADIAIAB7AAoAIAAgACAAIAAgACAAIAAgAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0ACgAgACAAIAAgACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABHAGUAdABGAG8AcgBlAGcAcgBvAHUAbgBkAFcAaQBuAGQAbwB3ACgAKQA7AAoACgAgACAAIAAgACAAIAAgACAAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAKACAAIAAgACAAIAAgACAAIABbAHIAZQB0AHUAcgBuADoAIABNAGEAcgBzAGgAYQBsAEEAcwAoAFUAbgBtAGEAbgBhAGcAZQBkAFQAeQBwAGUALgBCAG8AbwBsACkAXQAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABiAG8AbwBsACAAUwBoAG8AdwBXAGkAbgBkAG8AdwAoAEkAbgB0AFAAdAByACAAaABXAG4AZAAsACAAaQBuAHQAIABuAEMAbQBkAFMAaABvAHcAKQA7AAoAIAAgACAAIAB9AAoAIgBAAAoAfQAKAGYAdQBuAGMAdABpAG8AbgAgAEcAZQB0AEEAYwB0AGkAdgBlAFcAaQBuAGQAbwB3AFQAaQB0AGwAZQAoACkAIAB7AAoAIAAgACAAIAAkAGgAVwBuAGQAIAA9ACAAWwBXAGkAbgAzADIAXQA6ADoARwBlAHQARgBvAHIAZQBnAHIAbwB1AG4AZABXAGkAbgBkAG8AdwAoACkACgAgACAAIAAgACQAcwBiACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACgAMgA1ADYAKQAKACAAIAAgACAAWwBXAGkAbgAzADIAXQA6ADoARwBlAHQAVwBpAG4AZABvAHcAVABlAHgAdAAoACQAaABXAG4AZAAsACAAJABzAGIALAAgACQAcwBiAC4AQwBhAHAAYQBjAGkAdAB5ACkAIAB8ACAATwB1AHQALQBOAHUAbABsAAoAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAcwBiAC4AVABvAFMAdAByAGkAbgBnACgAKQAKAH0ACgBmAHUAbgBjAHQAaQBvAG4AIABIAGkAZABlAEEAYwB0AGkAdgBlAFcAaQBuAGQAbwB3ACgAKQAgAHsACgAgACAAIAAgACQAaABXAG4AZAAgAD0AIABbAFcAaQBuADMAMgBdADoAOgBHAGUAdABGAG8AcgBlAGcAcgBvAHUAbgBkAFcAaQBuAGQAbwB3ACgAKQAKACAAIAAgACAAWwBXAGkAbgAzADIAXQA6ADoAUwBoAG8AdwBXAGkAbgBkAG8AdwAoACQAaABXAG4AZAAsACAAMAApAAoAfQAKACQAYwB1AHIAcgBlAG4AdABXAGkAbgBkAG8AdwBUAGkAdABsAGUAIAA9ACAARwBlAHQAQQBjAHQAaQB2AGUAVwBpAG4AZABvAHcAVABpAHQAbABlAAoASABpAGQAZQBBAGMAdABpAHYAZQBXAGkAbgBkAG8AdwAKAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5784
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gvedk3z4\gvedk3z4.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5112
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7A7F.tmp" "c:\Users\Admin\AppData\Local\Temp\gvedk3z4\CSC363FDFD3FC7D43D29438B49C4C6CA78B.TMP"
      4⤵
      PID:5972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -NoLogo -NonInteractive -Command "(Get-CimInstance -ClassName Win32_ComputerSystemProduct).UUID"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4168
- C:\Windows\SYSTEM32\attrib.exe
  "attrib" +h C:\WindowsGraphics
  2⤵
  - Views/modifies file attributes
  PID:852
- C:\WindowsGraphics\Downloading\7za.exe
  "C:\WindowsGraphics\Downloading\7za.exe" x C:\WindowsGraphics\Versions\Build-B7u4R5BSaf\bbv.7z -oC:\WindowsGraphics\Binds\Bind-DXLaLCptdJ -y -pgaul_0xudjUy6128xbv68hSu
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4804
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c C:\WindowsGraphics\Binds\Bind-DXLaLCptdJ\system.exe real
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\WindowsGraphics\Binds\Bind-DXLaLCptdJ\system.exe
    C:\WindowsGraphics\Binds\Bind-DXLaLCptdJ\system.exe real
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:5100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:60
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5164

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x308 0x4a8
1⤵
PID:5868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
ed30ca9187bf5593affb3dc9276309a6

SHA1
c63757897a6c43a44102b221fe8dc36355e99359

SHA256
81fc6cfe81caf86f84e1285cb854082ac5e127335b5946da154a73f7aa9c2122

SHA512
1df4f44b207bb30fecee119a2f7f7ab7a0a0aed4d58eeabbec5791d5a6d9443cccffa5479ad4da094e6b88c871720d2e4bcf14ebec45a587ee4ec5e572f37810

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a6d75813e5e87f0431291bd346f58c1d

SHA1
4e61259db14c379d78ecf1b2f9afb2b794333fe2

SHA256
23053c2befb3daf31c53193444c0c5d429fcc5fc1629ed4ad59e8f2d2e78ab9f

SHA512
b46eacafa8c5d70f77c3e1de03269c1d49db25977becd1b42e52eee8b75185a59de5c1a1bb01f34afe37c348194a41bea0340940179c328cd11a6885988c371d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7A7F.tmp

Filesize
1KB

MD5
52f87f4e70e1b388f7755219e23a7c1e

SHA1
cb8c79db61360b7378bc1fd6910d35474a044d3c

SHA256
633536460fd949d11c74599d84b9febcf4f7225ef272d73030cb275cb396b788

SHA512
b9830b33dd36b959188b79108d54a4c88e4bf705f6e7975c42e5f422f4061385fe2af85c31434e09bc4aa94c421c0d8cac1a93533218cd8e33f360d876ea0048

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vmw23x5r.jnl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gvedk3z4\gvedk3z4.dll

Filesize
3KB

MD5
3f4c4316481200c90e76dd6ff12d5365

SHA1
ee9d8a9cfd156639d7e064b73b31578586865a7c

SHA256
0b263d4c059c1ab35b81e164ee1462d80451944daeb72a5e8456b9618870f4a4

SHA512
c6ae335788b47cf3df3749c4a1d5e0d9c3dd0e16fa01e74fb0de0ff04e86ad5b7d55d500ea7b4fab26b9c9c9b7e2f3af3da2177d05e4134baa64c9fe042923e8

Download Submit
C:\WINDOW~1\Binds\BIND-D~1\Cryptodome\Cipher\_Salsa20.pyd

Filesize
13KB

MD5
2ce3043d6fbd62bcbe6948a1e6a789f0

SHA1
7a5e9bc5a96bd2ec677927fb014073e7cdb70f3b

SHA256
c5a4ac8202a0211163938b6306e3a678cc461ed8e283f4c4601748d2e50783a3

SHA512
8fca5216d65c66640541b31e21a7eb18f510c5c0d3420bff5581337875a6f68dd808f35d61a759a26aad9ae4f50aa1580e8d90e016d9acdc5aa2d04cfaad4377

Download Submit
C:\WINDOW~1\Binds\BIND-D~1\Cryptodome\Cipher\_raw_aes.pyd

Filesize
35KB

MD5
e306365bdc8d15b2f477e5af252d0b59

SHA1
e6461fd5079050d129cd47cd4f6afa7b632c4314

SHA256
2dcac73ea3240a008d115bac0ea4d7c65c8162676ab30bcaf7527c22b98b4929

SHA512
1b63a9adcf6a37f601b8e1bd6206ec369a618c81f1c3477301053219db1ddecc27b5aeb9e7ad7490c7e987ba196884d66e85bb5b7f4dad43bfff891310e11945

Download Submit
C:\WINDOW~1\Binds\BIND-D~1\Cryptodome\Cipher\_raw_aesni.pyd

Filesize
15KB

MD5
973f11de023c9337f35f9bb55c6154a6

SHA1
c02ff64d9fc5b8b8590488bbe9658593fc90ca47

SHA256
483758336267f8842f5432bb83300ea0fcb49c4e0b29962cbd7f27b1c3dfc56a

SHA512
8658ade868c9d942660361a60c5b4068238b418857bbbd4b1712de5a146300f435960a75c411e1737e590020644309c92a2dcfda69a2d6162a4135244a282871

Download Submit
C:\WINDOW~1\Binds\BIND-D~1\Cryptodome\Cipher\_raw_cbc.pyd

Filesize
12KB

MD5
8d17946e6b1936061203afe20cddb5b0

SHA1
589dac4d2864fdc0219b0de3973b2ee0023cd5ea

SHA256
bb9898057572f17131bb63d513c19901e29d2e29215f7a93d6d84fa537475f0b

SHA512
3354942781e4d36b84d83ab6959707d29f6e25d3614b15a228d63d084f6f2a280bfc9153f24ea0fef489fa7043e21eb67e4b6d3ad7d073fde37f6206462f5931

Download Submit
C:\WINDOW~1\Binds\BIND-D~1\Cryptodome\Cipher\_raw_cfb.pyd

Filesize
12KB

MD5
606e85b094ae6752e1099a176aa20f09

SHA1
35e9355ce75b57111d3793502636d5fcd78d34a4

SHA256
917fa3438b61cc207d73bd72cda6c42cd08656a2187fd9ca2860c67c12677238

SHA512
19de7b6c567e997825f2f08773c45a3562bc3980248de31738395cafa0306707a82f912a8b9b1dba440162443e1554e87ef5586776189b763576d9a7aca9e587

Download Submit
C:\WINDOW~1\Binds\BIND-D~1\Cryptodome\Cipher\_raw_ctr.pyd

Filesize
14KB

MD5
f3cfd044825e9c08ce37a8034e2ed786

SHA1
51637c5678aedf528adef8036c53513495fcbb44

SHA256
bcbe37f565b91a127e40634db8e7e1b8b1ce3e1344f3fa082496b93d75435b80

SHA512
fd9f8ae46a438138c31408ebf9129dd507a8fd6dc24f24eae2b2dd8bd90e8b78afb0aef82a314ca5566d4d1bb7d166642dd2e7d7ea8e484c0261f623b2c1c15b

Download Submit
C:\WINDOW~1\Binds\BIND-D~1\Cryptodome\Cipher\_raw_ecb.pyd

Filesize
10KB

MD5
4db0ac98329ae64cec9c28570af52968

SHA1
8f7d327c1049c27b0df6bc6c2017cc302ba99a10

SHA256
5a43e3809403668ed6c6f17a71828eb8cd0dcb64afc09b815a4b9f05c3661714

SHA512
515e0b972a644620c27b3c074aee62b8ba5aa679b0e1c936f616c5537a83c7ca762b7a6c7acc3279ab235d1d344db9423cdc1abf7c72775d4bbfb2cb24cbf6b9

Download Submit
C:\WINDOW~1\Binds\BIND-D~1\Cryptodome\Cipher\_raw_ocb.pyd

Filesize
17KB

MD5
ed75912a048ca3c2e0fe8e7307559347

SHA1
bb0998846468a91a5fb6d9725439c2f62e02cc21

SHA256
eb1085a28631fe3c8b3350b19dddc5c2eaf9b2cbf1c578fdfbf6b72fdf0b909c

SHA512
c04f62f57e0395ec731180f6ce9568a35c00be51ae172f2f6eee4d9d6726f5bdc41a55e8043d596e9724ccee00f861f349e3f787fc3c1b5adb47f8c194a23fb1

Download Submit
C:\WINDOW~1\Binds\BIND-D~1\Cryptodome\Cipher\_raw_ofb.pyd

Filesize
11KB

MD5
dae7f4dd6792fb84c91bd45d44ed6c96

SHA1
a88eb81d4d72adc4c7f7402338f9d5760957efc3

SHA256
01eb2117f0223f0447cd16b5ec79baf3430871da8ef461404ba13592d2e8a89c

SHA512
66e98ae82073abb24e9053203f41cebb4ac30a461fe2a62baa1190970e1be7567f495914e017ec94b6b911bab721e63a7ff2d1d85e29d5824ab3d9bc9fb9fce4

Download Submit
C:\WINDOW~1\Binds\BIND-D~1\Cryptodome\Hash\_BLAKE2s.pyd

Filesize
13KB

MD5
1dee6707a941e02202a47c58408ed538

SHA1
511387a5a611119ba81377931da5a8da5c429b78

SHA256
4e76a0be3e295571172cf1d06dbcc48f715357bb496d8567d9376667326fa5ef

SHA512
f29063d04151c9df75ca2c138fba5f9e4da551f0fdfa7a8a83390df0dcde064038ba87eec4c852a87d80cef0dc38306aed1121d06a6b337e4cc722e4057c432a

Download Submit
C:\WINDOW~1\Binds\BIND-D~1\Cryptodome\Hash\_SHA256.pyd

Filesize
21KB

MD5
15e2c2434668d1648d9147156b0a44c6

SHA1
bea635adfd889381cc324d2612606e409518261d

SHA256
ebee833d40ed09abccff1f415b4a4cb1ec6f8d84431067980b09a36450edb9f8

SHA512
197818202b07f97dc370f456a1f59a5210c8af7e8221d6e0bbf8a96e8190668dd29d353bffb0f833fc622b8f797558708446cdde7a062ecd8c66d67b87262445

Download Submit
C:\WINDOW~1\Binds\BIND-D~1\Cryptodome\Hash\_ghash_clmul.pyd

Filesize
12KB

MD5
26798493d96b2b2cb9601c0708595b84

SHA1
cec50f2d5d38e3410f1ffe1546a08be35847b198

SHA256
84e5f449d863e2801c93c84648ab18c078fe52d75ce4309632afc295081ab5e8

SHA512
3f8f3bb54cd0755cccd4cf6e8ed29c2d0f1c10baeb6a0e58d6db51f5a5a442d653114eb2ac8ee78833e26f71275602f0b3b0e06c333b22bb45c1d2e7a70f278c

Download Submit
C:\WINDOW~1\Binds\BIND-D~1\Cryptodome\Hash\_ghash_portable.pyd

Filesize
13KB

MD5
bea27cb11a8529d6ad11373531e5222f

SHA1
74b61da8fd39f03136b4fad7faa7e5a1ea7c1116

SHA256
1eb72bd49457080ce1432eb28e85134d7bd4344bccd9357839acbbfa9236b868

SHA512
49fec85d5853ddb352abc93be6cab3c42f2a3dbcdf32a90fe7fff6e5bf378514c594328c7845f892508c8301f8224f7a6a26f44458a6a9ebc59d99b7ccef8f4b

Download Submit
C:\WINDOW~1\Binds\BIND-D~1\Cryptodome\Protocol\_scrypt.pyd

Filesize
12KB

MD5
308c6e862a3554f1b5587d003f4b1bbf

SHA1
800955d3a24065766e5825c8324b7f48cd02f073

SHA256
671aad8b7fae31e076df50c947cd198369eea6379e6fa1b058596e528f5da561

SHA512
35b27a6320a8046f7e7bc42b9af8414b076f5334467576a0e83c6d7992ec3675f73cf0fc72ae6da402ff70dd16fcc0c29287ab27ad04bb346d5229d62deb54a5

Download Submit
C:\WINDOW~1\Binds\BIND-D~1\Cryptodome\Util\_cpuid_c.pyd

Filesize
10KB

MD5
690fc8d8423ee69c662f11cd6406cef1

SHA1
a0b78af3bc976c8aafa1fe80ef71f22d4bf7080b

SHA256
bd597e5853a3f2cad1d4e5743170a66383be18d215f8f83be2a473736ee28718

SHA512
b08dd641aef8c663174c4ad436915ffc4c4afb70b8a9719f535f1f99b7b29240a0c8951e19f3348c010dad3000b6b5173b1def077ec6d96bb8a3d3e9be339a40

Download Submit
C:\WINDOW~1\Binds\BIND-D~1\Cryptodome\Util\_strxor.pyd

Filesize
10KB

MD5
174b652c8e6c40c36c8ab06a20a34c01

SHA1
f3cb9321100dce3a8d79b0fc517cc58e05d26e41

SHA256
42af8d99fc975720585d25d767fc825d4922c088b6c2b13ee2de23e439523610

SHA512
9f0c444069e477a043c85f606bf1a3fb695773dbc16d1124a4b2d771ea0385b797552031433cb625d7dc9c8d490eb0ef8fa2c13aa628ebba58df6a0530913f32

Download Submit
C:\WINDOW~1\Binds\BIND-D~1\_cffi_backend.pyd

Filesize
174KB

MD5
2baaa98b744915339ae6c016b17c3763

SHA1
483c11673b73698f20ca2ff0748628c789b4dc68

SHA256
4f1ce205c2be986c9d38b951b6bcb6045eb363e06dacc069a41941f80be9068c

SHA512
2ae8df6e764c0813a4c9f7ac5a08e045b44daac551e8ff5f8aa83286be96aa0714d373b8d58e6d3aa4b821786a919505b74f118013d9fcd1ebc5a9e4876c2b5f

Download Submit
C:\WINDOW~1\Binds\BIND-D~1\_ctypes.pyd

Filesize
117KB

MD5
79f339753dc8954b8eb45fe70910937e

SHA1
3ad1bf9872dc779f32795988eb85c81fe47b3dd4

SHA256
35cdd122679041ebef264de5626b7805f3f66c8ae6cc451b8bc520be647fa007

SHA512
21e567e813180ed0480c4b21be3e2e67974d8d787e663275be054cee0a3f5161fc39034704dbd25f1412feb021d6a21b300a32d1747dee072820be81b9d9b753

Download Submit
C:\WINDOW~1\Binds\BIND-D~1\_socket.pyd

Filesize
72KB

MD5
5dd51579fa9b6a06336854889562bec0

SHA1
99c0ed0a15ed450279b01d95b75c162628c9be1d

SHA256
3669e56e99ae3a944fbe7845f0be05aea96a603717e883d56a27dc356f8c2f2c

SHA512
7aa6c6587890ae8c3f9a5e97ebde689243ac5b9abb9b1e887f29c53eef99a53e4b4ec100c03e1c043e2f0d330e7af444c3ca886c9a5e338c2ea42aaacae09f3e

Download Submit
C:\WINDOW~1\Binds\BIND-D~1\_ssl.pyd

Filesize
152KB

MD5
11c5008e0ba2caa8adf7452f0aaafd1e

SHA1
764b33b749e3da9e716b8a853b63b2f7711fcc7c

SHA256
bf63f44951f14c9d0c890415d013276498d6d59e53811bbe2fa16825710bea14

SHA512
fceb022d8694bce6504d6b64de4596e2b8252fc2427ee66300e37bcff297579cc7d32a8cb8f847408eaa716cb053e20d53e93fbd945e3f60d58214e6a969c9dd

Download Submit
C:\WINDOW~1\Binds\BIND-D~1\libcrypto-1_1.dll

Filesize
3.3MB

MD5
63c4f445b6998e63a1414f5765c18217

SHA1
8c1ac1b4290b122e62f706f7434517077974f40e

SHA256
664c3e52f914e351bb8a66ce2465ee0d40acab1d2a6b3167ae6acf6f1d1724d2

SHA512
aa7bdb3c5bc8aeefbad70d785f2468acbb88ef6e6cac175da765647030734453a2836f9658dc7ce33f6fff0de85cb701c825ef5c04018d79fa1953c8ef946afd

Download Submit
C:\WINDOW~1\Binds\BIND-D~1\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\WINDOW~1\Binds\BIND-D~1\select.pyd

Filesize
25KB

MD5
78d421a4e6b06b5561c45b9a5c6f86b1

SHA1
c70747d3f2d26a92a0fe0b353f1d1d01693929ac

SHA256
f1694ce82da997faa89a9d22d469bfc94abb0f2063a69ec9b953bc085c2cb823

SHA512
83e02963c9726a40cd4608b69b4cdf697e41c9eedfb2d48f3c02c91500e212e7e0ab03e6b3f70f42e16e734e572593f27b016b901c8aa75f674b6e0fbb735012

Download Submit
C:\WindowsGraphics\Binds\Bind-DXLaLCptdJ\Cryptodome\Hash\_SHA1.pyd

Filesize
17KB

MD5
2efa942a436ca17562fb49bb66acdcc4

SHA1
50b2841914e9a1237ac29c7a681f0951c03d59a4

SHA256
4810a6392848b3ff20d67a531a26daaf2e1f2fe37cf61c0245d24cb0fa00177d

SHA512
bad96c34d318b975330f720b422c758ddc91ae6ab34b873f9a68f060f52552939654ac7a78d49ea787d7f182e293c604f772bea9e027d0159a43c9f06957d392

Download Submit
C:\WindowsGraphics\Binds\Bind-DXLaLCptdJ\VCRUNTIME140.dll

Filesize
94KB

MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\WindowsGraphics\Binds\Bind-DXLaLCptdJ\python310.dll

Filesize
4.2MB

MD5
384349987b60775d6fc3a6d202c3e1bd

SHA1
701cb80c55f859ad4a31c53aa744a00d61e467e5

SHA256
f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8

SHA512
6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

Download Submit
C:\WindowsGraphics\Downloading\7za.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gvedk3z4\CSC363FDFD3FC7D43D29438B49C4C6CA78B.TMP

Filesize
652B

MD5
ff162514676d7d178e07f948814507b6

SHA1
41882890da38f2be2c9248dc67ea51ba54f88fe8

SHA256
a7b6626fd53e8ed05e5f1f26bedb9e723fd1388e47a152137287b0150da0d92a

SHA512
25fcf8f9d79ed8c548b3300cd1b40b539fb3dba14f4fc0e688b4d1235b7695ba0fc562371fadfd0c44e2f44e91f0445c157a12c8f55f20dd87f4b523405ba8f9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gvedk3z4\gvedk3z4.0.cs

Filesize
343B

MD5
c36def33cf3b17c9e92da3e1e7781022

SHA1
58ca5035b92f51d361e3b536bb1478285aabb3b2

SHA256
abbbedac28650c7d19e51f587149e89a44a01c925ea1a496f0f1bcf6288f98f1

SHA512
4285621a8df007a5f95f7582795035495dcd315b50776fadcf8d9d5755efacfd7e4da46260f2418ad5453a2704aaed565d9fb85ab5f83259dc7302852f38daf6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gvedk3z4\gvedk3z4.cmdline

Filesize
369B

MD5
09a090cc132ae8d728cd46fe51865f67

SHA1
2e0328746306beeee902cfb02310a273e6598cde

SHA256
91391ff59c0c27494cce0355abf33c5fe33258f1236c9b4da95c45c3e12bf787

SHA512
b7c2522e8acb26aa54013edfc1b8cd12ad4968d4d224252cc1cd6093fbddc8cd31783bec367e6f2df13889454482c65e08e4ca20cf76cc1d8c3d5e923fc93b73

Download Submit
memory/4168-55-0x000001D268920000-0x000001D26894A000-memory.dmp

Filesize
168KB

Download
memory/4168-56-0x000001D268920000-0x000001D268944000-memory.dmp

Filesize
144KB

Download
memory/5784-30-0x00007FFAA4DE0000-0x00007FFAA58A2000-memory.dmp

Filesize
10.8MB

Download
memory/5784-2-0x000002C3F4900000-0x000002C3F4922000-memory.dmp

Filesize
136KB

Download
memory/5784-12-0x00007FFAA4DE0000-0x00007FFAA58A2000-memory.dmp

Filesize
10.8MB

Download
memory/5784-13-0x00007FFAA4DE0000-0x00007FFAA58A2000-memory.dmp

Filesize
10.8MB

Download
memory/5784-1-0x00007FFAA4DE3000-0x00007FFAA4DE5000-memory.dmp

Filesize
8KB

Download
memory/5784-26-0x000002C3F4850000-0x000002C3F4858000-memory.dmp

Filesize
32KB

Download
memory/5840-2314-0x0000026B80000000-0x0000026B8489A000-memory.dmp

Filesize
72.6MB

Download