63bd5de0406b8b5db7c853bfbf3c1970519bc068d88902edee744e6b9a99ba61

Analysis

max time kernel
39s
max time network
41s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
19/03/2025, 00:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Wave.exe
Size

54.0MB
MD5

5f4c9f3fc681ac6be5be6681396545ab
SHA1

e3d67195899364eebfb27d7d8b050a25040466b9
SHA256

63bd5de0406b8b5db7c853bfbf3c1970519bc068d88902edee744e6b9a99ba61
SHA512

5b2065e212bbbd12420022b69ae77252cf80c5b44de24b32be6107a6252405084f174df65aab411df870f347a13d54f404aa25aedfab221c999d8fc73c4beaf7
SSDEEP

393216:59nqYllR13C29oiF0U1vFEgcfn52W3K+AbcsCSmggoKlQnAliXUxR0rHa93WhlUk:Dfl6e0OBG6ZC/Lwi8rj

Score

7^/10

defense_evasion discovery execution

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3532	7za.exe
4612	system.exe

Loads dropped DLL 64 IoCs

pid	Process
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe
4612	system.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
2	raw.githubusercontent.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3664	powershell.exe
4224	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7za.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4776	WMIC.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4244	Wave.exe
4244	Wave.exe
4452	powershell.exe
4452	powershell.exe
3664	powershell.exe
3664	powershell.exe
4224	powershell.exe
4224	powershell.exe
4612	system.exe
4612	system.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4452	powershell.exe
Token: SeDebugPrivilege	3664	powershell.exe
Token: SeDebugPrivilege	4224	powershell.exe
Token: SeIncreaseQuotaPrivilege	4224	powershell.exe
Token: SeSecurityPrivilege	4224	powershell.exe
Token: SeTakeOwnershipPrivilege	4224	powershell.exe
Token: SeLoadDriverPrivilege	4224	powershell.exe
Token: SeSystemProfilePrivilege	4224	powershell.exe
Token: SeSystemtimePrivilege	4224	powershell.exe
Token: SeProfSingleProcessPrivilege	4224	powershell.exe
Token: SeIncBasePriorityPrivilege	4224	powershell.exe
Token: SeCreatePagefilePrivilege	4224	powershell.exe
Token: SeBackupPrivilege	4224	powershell.exe
Token: SeRestorePrivilege	4224	powershell.exe
Token: SeShutdownPrivilege	4224	powershell.exe
Token: SeDebugPrivilege	4224	powershell.exe
Token: SeSystemEnvironmentPrivilege	4224	powershell.exe
Token: SeRemoteShutdownPrivilege	4224	powershell.exe
Token: SeUndockPrivilege	4224	powershell.exe
Token: SeManageVolumePrivilege	4224	powershell.exe
Token: 33	4224	powershell.exe
Token: 34	4224	powershell.exe
Token: 35	4224	powershell.exe
Token: 36	4224	powershell.exe
Token: SeDebugPrivilege	4612	system.exe
Token: SeIncreaseQuotaPrivilege	4776	WMIC.exe
Token: SeSecurityPrivilege	4776	WMIC.exe
Token: SeTakeOwnershipPrivilege	4776	WMIC.exe
Token: SeLoadDriverPrivilege	4776	WMIC.exe
Token: SeSystemProfilePrivilege	4776	WMIC.exe
Token: SeSystemtimePrivilege	4776	WMIC.exe
Token: SeProfSingleProcessPrivilege	4776	WMIC.exe
Token: SeIncBasePriorityPrivilege	4776	WMIC.exe
Token: SeCreatePagefilePrivilege	4776	WMIC.exe
Token: SeBackupPrivilege	4776	WMIC.exe
Token: SeRestorePrivilege	4776	WMIC.exe
Token: SeShutdownPrivilege	4776	WMIC.exe
Token: SeDebugPrivilege	4776	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4776	WMIC.exe
Token: SeRemoteShutdownPrivilege	4776	WMIC.exe
Token: SeUndockPrivilege	4776	WMIC.exe
Token: SeManageVolumePrivilege	4776	WMIC.exe
Token: 33	4776	WMIC.exe
Token: 34	4776	WMIC.exe
Token: 35	4776	WMIC.exe
Token: 36	4776	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4776	WMIC.exe
Token: SeSecurityPrivilege	4776	WMIC.exe
Token: SeTakeOwnershipPrivilege	4776	WMIC.exe
Token: SeLoadDriverPrivilege	4776	WMIC.exe
Token: SeSystemProfilePrivilege	4776	WMIC.exe
Token: SeSystemtimePrivilege	4776	WMIC.exe
Token: SeProfSingleProcessPrivilege	4776	WMIC.exe
Token: SeIncBasePriorityPrivilege	4776	WMIC.exe
Token: SeCreatePagefilePrivilege	4776	WMIC.exe
Token: SeBackupPrivilege	4776	WMIC.exe
Token: SeRestorePrivilege	4776	WMIC.exe
Token: SeShutdownPrivilege	4776	WMIC.exe
Token: SeDebugPrivilege	4776	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4776	WMIC.exe
Token: SeRemoteShutdownPrivilege	4776	WMIC.exe
Token: SeUndockPrivilege	4776	WMIC.exe
Token: SeManageVolumePrivilege	4776	WMIC.exe
Token: 33	4776	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4612	system.exe
4612	system.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 4452	4244	Wave.exe	82
PID 4244 wrote to memory of 4452	4244	Wave.exe	82
PID 4452 wrote to memory of 5060	4452	powershell.exe	84
PID 4452 wrote to memory of 5060	4452	powershell.exe	84
PID 5060 wrote to memory of 924	5060	csc.exe	85
PID 5060 wrote to memory of 924	5060	csc.exe	85
PID 4244 wrote to memory of 3664	4244	Wave.exe	86
PID 4244 wrote to memory of 3664	4244	Wave.exe	86
PID 4244 wrote to memory of 4224	4244	Wave.exe	87
PID 4244 wrote to memory of 4224	4244	Wave.exe	87
PID 4244 wrote to memory of 5064	4244	Wave.exe	89
PID 4244 wrote to memory of 5064	4244	Wave.exe	89
PID 4244 wrote to memory of 3532	4244	Wave.exe	90
PID 4244 wrote to memory of 3532	4244	Wave.exe	90
PID 4244 wrote to memory of 3532	4244	Wave.exe	90
PID 4244 wrote to memory of 4828	4244	Wave.exe	91
PID 4244 wrote to memory of 4828	4244	Wave.exe	91
PID 4828 wrote to memory of 4612	4828	cmd.exe	92
PID 4828 wrote to memory of 4612	4828	cmd.exe	92
PID 4612 wrote to memory of 1364	4612	system.exe	93
PID 4612 wrote to memory of 1364	4612	system.exe	93
PID 4612 wrote to memory of 2112	4612	system.exe	96
PID 4612 wrote to memory of 2112	4612	system.exe	96
PID 2112 wrote to memory of 4776	2112	cmd.exe	98
PID 2112 wrote to memory of 4776	2112	cmd.exe	98

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5064	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -EncodedCommand CgBpAGYAIAAoAC0AbgBvAHQAIAAoAFsAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAFAAUwBUAHkAcABlAE4AYQBtAGUAXQAnAFcAaQBuADMAMgAnACkALgBUAHkAcABlACkAIAB7AAoAIAAgACAAIABBAGQAZAAtAFQAeQBwAGUAIABAACIACgAgACAAIAAgAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsACgAgACAAIAAgAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsACgAKACAAIAAgACAAcAB1AGIAbABpAGMAIABjAGwAYQBzAHMAIABXAGkAbgAzADIAIAB7AAoAIAAgACAAIAAgACAAIAAgAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0ACgAgACAAIAAgACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABHAGUAdABGAG8AcgBlAGcAcgBvAHUAbgBkAFcAaQBuAGQAbwB3ACgAKQA7AAoACgAgACAAIAAgACAAIAAgACAAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAKACAAIAAgACAAIAAgACAAIABbAHIAZQB0AHUAcgBuADoAIABNAGEAcgBzAGgAYQBsAEEAcwAoAFUAbgBtAGEAbgBhAGcAZQBkAFQAeQBwAGUALgBCAG8AbwBsACkAXQAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABiAG8AbwBsACAAUwBoAG8AdwBXAGkAbgBkAG8AdwAoAEkAbgB0AFAAdAByACAAaABXAG4AZAAsACAAaQBuAHQAIABuAEMAbQBkAFMAaABvAHcAKQA7AAoAIAAgACAAIAB9AAoAIgBAAAoAfQAKAGYAdQBuAGMAdABpAG8AbgAgAEcAZQB0AEEAYwB0AGkAdgBlAFcAaQBuAGQAbwB3AFQAaQB0AGwAZQAoACkAIAB7AAoAIAAgACAAIAAkAGgAVwBuAGQAIAA9ACAAWwBXAGkAbgAzADIAXQA6ADoARwBlAHQARgBvAHIAZQBnAHIAbwB1AG4AZABXAGkAbgBkAG8AdwAoACkACgAgACAAIAAgACQAcwBiACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACgAMgA1ADYAKQAKACAAIAAgACAAWwBXAGkAbgAzADIAXQA6ADoARwBlAHQAVwBpAG4AZABvAHcAVABlAHgAdAAoACQAaABXAG4AZAAsACAAJABzAGIALAAgACQAcwBiAC4AQwBhAHAAYQBjAGkAdAB5ACkAIAB8ACAATwB1AHQALQBOAHUAbABsAAoAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAcwBiAC4AVABvAFMAdAByAGkAbgBnACgAKQAKAH0ACgBmAHUAbgBjAHQAaQBvAG4AIABIAGkAZABlAEEAYwB0AGkAdgBlAFcAaQBuAGQAbwB3ACgAKQAgAHsACgAgACAAIAAgACQAaABXAG4AZAAgAD0AIABbAFcAaQBuADMAMgBdADoAOgBHAGUAdABGAG8AcgBlAGcAcgBvAHUAbgBkAFcAaQBuAGQAbwB3ACgAKQAKACAAIAAgACAAWwBXAGkAbgAzADIAXQA6ADoAUwBoAG8AdwBXAGkAbgBkAG8AdwAoACQAaABXAG4AZAAsACAAMAApAAoAfQAKACQAYwB1AHIAcgBlAG4AdABXAGkAbgBkAG8AdwBUAGkAdABsAGUAIAA9ACAARwBlAHQAQQBjAHQAaQB2AGUAVwBpAG4AZABvAHcAVABpAHQAbABlAAoASABpAGQAZQBBAGMAdABpAHYAZQBXAGkAbgBkAG8AdwAKAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4452
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5mkgieow\5mkgieow.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5060
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB5C3.tmp" "c:\Users\Admin\AppData\Local\Temp\5mkgieow\CSC84F9CDB96FE9472B8CE38ACD55862CD.TMP"
      4⤵
      PID:924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -NoLogo -NonInteractive -Command "(Get-CimInstance -ClassName Win32_ComputerSystemProduct).UUID"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4224
- C:\Windows\SYSTEM32\attrib.exe
  "attrib" +h C:\WindowsGraphics
  2⤵
  - Views/modifies file attributes
  PID:5064
- C:\WindowsGraphics\Downloading\7za.exe
  "C:\WindowsGraphics\Downloading\7za.exe" x C:\WindowsGraphics\Versions\Build-bXBfLddrwc\bbv.7z -oC:\WindowsGraphics\Binds\Bind-YBg0ZBhNt5 -y -pgaul_0xudjUy6128xbv68hSu
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3532
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c C:\WindowsGraphics\Binds\Bind-YBg0ZBhNt5\system.exe real
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\WindowsGraphics\Binds\Bind-YBg0ZBhNt5\system.exe
    C:\WindowsGraphics\Binds\Bind-YBg0ZBhNt5\system.exe real
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4612
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:1364
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2112
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        Suspicious use of AdjustPrivilegeToken
        
        PID:4776

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004CC
1⤵
PID:1000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
5f4c933102a824f41e258078e34165a7

SHA1
d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

SHA256
d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

SHA512
a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a766b59cb8764029e0daa42ff2d21c3f

SHA1
9ca2e4735a93ab8ddf2d8e6928f1c570aa4ff80b

SHA256
92d5a76ed593d1450f8f5309d806ef2ec37be8839f1e0e20763e75180345feac

SHA512
e92fe19a450bc93cfcbaed70586d580470d239cd41997e0bdebdb45f1b6ba02604b4e839ab6ee40d5112ba683c647ecd10751183ab2f89226994e17680c52eae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
235a8eb126d835efb2e253459ab8b089

SHA1
293fbf68e6726a5a230c3a42624c01899e35a89f

SHA256
5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686

SHA512
a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\5mkgieow\5mkgieow.dll

Filesize
3KB

MD5
1ff211d6e7e431b26272d83445ecdc4a

SHA1
95a748da20d6dd9be01aab18669b2e7e635cdebf

SHA256
f3779e71dc0a8d7ffec6ccf799d46958b061286eb42ef72158b84f4cb0ff74b1

SHA512
2294120b9c91cd2bfd50d1b99089f452c57724a4504a69f018c2befdba89ef4514d096fd3fe681f2975d642182693b74d23759d06c7480ca6c75ea21ee1b342f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB5C3.tmp

Filesize
1KB

MD5
481f7cc07addc48aafcaa6784d6f41d4

SHA1
88b649cf9b526fb463f142672ae607fc33d31618

SHA256
e51744e4ae813d8d008fc9ecf54389e0ab160dceed3618041ecb457e9b28ecc2

SHA512
33bd12f346fc732c3dac22cd1f5c25a1ce34143249ee4fdc1483b020696c1c5bb3327a31de6d545cebfe12a7bc5b5423f2a88b4c7f666e66017a7c61c1245481

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2wx0pteu.vrw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\WINDOW~1\Binds\BIND-Y~1\Cryptodome\Cipher\_raw_ecb.pyd

Filesize
10KB

MD5
4db0ac98329ae64cec9c28570af52968

SHA1
8f7d327c1049c27b0df6bc6c2017cc302ba99a10

SHA256
5a43e3809403668ed6c6f17a71828eb8cd0dcb64afc09b815a4b9f05c3661714

SHA512
515e0b972a644620c27b3c074aee62b8ba5aa679b0e1c936f616c5537a83c7ca762b7a6c7acc3279ab235d1d344db9423cdc1abf7c72775d4bbfb2cb24cbf6b9

Download Submit
C:\WINDOW~1\Binds\BIND-Y~1\_ctypes.pyd

Filesize
117KB

MD5
79f339753dc8954b8eb45fe70910937e

SHA1
3ad1bf9872dc779f32795988eb85c81fe47b3dd4

SHA256
35cdd122679041ebef264de5626b7805f3f66c8ae6cc451b8bc520be647fa007

SHA512
21e567e813180ed0480c4b21be3e2e67974d8d787e663275be054cee0a3f5161fc39034704dbd25f1412feb021d6a21b300a32d1747dee072820be81b9d9b753

Download Submit
C:\WINDOW~1\Binds\BIND-Y~1\_ssl.pyd

Filesize
152KB

MD5
11c5008e0ba2caa8adf7452f0aaafd1e

SHA1
764b33b749e3da9e716b8a853b63b2f7711fcc7c

SHA256
bf63f44951f14c9d0c890415d013276498d6d59e53811bbe2fa16825710bea14

SHA512
fceb022d8694bce6504d6b64de4596e2b8252fc2427ee66300e37bcff297579cc7d32a8cb8f847408eaa716cb053e20d53e93fbd945e3f60d58214e6a969c9dd

Download Submit
C:\WINDOW~1\Binds\BIND-Y~1\libcrypto-1_1.dll

Filesize
3.3MB

MD5
63c4f445b6998e63a1414f5765c18217

SHA1
8c1ac1b4290b122e62f706f7434517077974f40e

SHA256
664c3e52f914e351bb8a66ce2465ee0d40acab1d2a6b3167ae6acf6f1d1724d2

SHA512
aa7bdb3c5bc8aeefbad70d785f2468acbb88ef6e6cac175da765647030734453a2836f9658dc7ce33f6fff0de85cb701c825ef5c04018d79fa1953c8ef946afd

Download Submit
C:\WINDOW~1\Binds\BIND-Y~1\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\WindowsGraphics\Binds\Bind-YBg0ZBhNt5\Cryptodome\Cipher\_Salsa20.pyd

Filesize
13KB

MD5
2ce3043d6fbd62bcbe6948a1e6a789f0

SHA1
7a5e9bc5a96bd2ec677927fb014073e7cdb70f3b

SHA256
c5a4ac8202a0211163938b6306e3a678cc461ed8e283f4c4601748d2e50783a3

SHA512
8fca5216d65c66640541b31e21a7eb18f510c5c0d3420bff5581337875a6f68dd808f35d61a759a26aad9ae4f50aa1580e8d90e016d9acdc5aa2d04cfaad4377

Download Submit
C:\WindowsGraphics\Binds\Bind-YBg0ZBhNt5\Cryptodome\Cipher\_raw_aes.pyd

Filesize
35KB

MD5
e306365bdc8d15b2f477e5af252d0b59

SHA1
e6461fd5079050d129cd47cd4f6afa7b632c4314

SHA256
2dcac73ea3240a008d115bac0ea4d7c65c8162676ab30bcaf7527c22b98b4929

SHA512
1b63a9adcf6a37f601b8e1bd6206ec369a618c81f1c3477301053219db1ddecc27b5aeb9e7ad7490c7e987ba196884d66e85bb5b7f4dad43bfff891310e11945

Download Submit
C:\WindowsGraphics\Binds\Bind-YBg0ZBhNt5\Cryptodome\Cipher\_raw_aesni.pyd

Filesize
15KB

MD5
973f11de023c9337f35f9bb55c6154a6

SHA1
c02ff64d9fc5b8b8590488bbe9658593fc90ca47

SHA256
483758336267f8842f5432bb83300ea0fcb49c4e0b29962cbd7f27b1c3dfc56a

SHA512
8658ade868c9d942660361a60c5b4068238b418857bbbd4b1712de5a146300f435960a75c411e1737e590020644309c92a2dcfda69a2d6162a4135244a282871

Download Submit
C:\WindowsGraphics\Binds\Bind-YBg0ZBhNt5\Cryptodome\Cipher\_raw_cbc.pyd

Filesize
12KB

MD5
8d17946e6b1936061203afe20cddb5b0

SHA1
589dac4d2864fdc0219b0de3973b2ee0023cd5ea

SHA256
bb9898057572f17131bb63d513c19901e29d2e29215f7a93d6d84fa537475f0b

SHA512
3354942781e4d36b84d83ab6959707d29f6e25d3614b15a228d63d084f6f2a280bfc9153f24ea0fef489fa7043e21eb67e4b6d3ad7d073fde37f6206462f5931

Download Submit
C:\WindowsGraphics\Binds\Bind-YBg0ZBhNt5\Cryptodome\Cipher\_raw_cfb.pyd

Filesize
12KB

MD5
606e85b094ae6752e1099a176aa20f09

SHA1
35e9355ce75b57111d3793502636d5fcd78d34a4

SHA256
917fa3438b61cc207d73bd72cda6c42cd08656a2187fd9ca2860c67c12677238

SHA512
19de7b6c567e997825f2f08773c45a3562bc3980248de31738395cafa0306707a82f912a8b9b1dba440162443e1554e87ef5586776189b763576d9a7aca9e587

Download Submit
C:\WindowsGraphics\Binds\Bind-YBg0ZBhNt5\Cryptodome\Cipher\_raw_ctr.pyd

Filesize
14KB

MD5
f3cfd044825e9c08ce37a8034e2ed786

SHA1
51637c5678aedf528adef8036c53513495fcbb44

SHA256
bcbe37f565b91a127e40634db8e7e1b8b1ce3e1344f3fa082496b93d75435b80

SHA512
fd9f8ae46a438138c31408ebf9129dd507a8fd6dc24f24eae2b2dd8bd90e8b78afb0aef82a314ca5566d4d1bb7d166642dd2e7d7ea8e484c0261f623b2c1c15b

Download Submit
C:\WindowsGraphics\Binds\Bind-YBg0ZBhNt5\Cryptodome\Cipher\_raw_ocb.pyd

Filesize
17KB

MD5
ed75912a048ca3c2e0fe8e7307559347

SHA1
bb0998846468a91a5fb6d9725439c2f62e02cc21

SHA256
eb1085a28631fe3c8b3350b19dddc5c2eaf9b2cbf1c578fdfbf6b72fdf0b909c

SHA512
c04f62f57e0395ec731180f6ce9568a35c00be51ae172f2f6eee4d9d6726f5bdc41a55e8043d596e9724ccee00f861f349e3f787fc3c1b5adb47f8c194a23fb1

Download Submit
C:\WindowsGraphics\Binds\Bind-YBg0ZBhNt5\Cryptodome\Cipher\_raw_ofb.pyd

Filesize
11KB

MD5
dae7f4dd6792fb84c91bd45d44ed6c96

SHA1
a88eb81d4d72adc4c7f7402338f9d5760957efc3

SHA256
01eb2117f0223f0447cd16b5ec79baf3430871da8ef461404ba13592d2e8a89c

SHA512
66e98ae82073abb24e9053203f41cebb4ac30a461fe2a62baa1190970e1be7567f495914e017ec94b6b911bab721e63a7ff2d1d85e29d5824ab3d9bc9fb9fce4

Download Submit
C:\WindowsGraphics\Binds\Bind-YBg0ZBhNt5\Cryptodome\Hash\_BLAKE2s.pyd

Filesize
13KB

MD5
1dee6707a941e02202a47c58408ed538

SHA1
511387a5a611119ba81377931da5a8da5c429b78

SHA256
4e76a0be3e295571172cf1d06dbcc48f715357bb496d8567d9376667326fa5ef

SHA512
f29063d04151c9df75ca2c138fba5f9e4da551f0fdfa7a8a83390df0dcde064038ba87eec4c852a87d80cef0dc38306aed1121d06a6b337e4cc722e4057c432a

Download Submit
C:\WindowsGraphics\Binds\Bind-YBg0ZBhNt5\Cryptodome\Hash\_SHA1.pyd

Filesize
17KB

MD5
2efa942a436ca17562fb49bb66acdcc4

SHA1
50b2841914e9a1237ac29c7a681f0951c03d59a4

SHA256
4810a6392848b3ff20d67a531a26daaf2e1f2fe37cf61c0245d24cb0fa00177d

SHA512
bad96c34d318b975330f720b422c758ddc91ae6ab34b873f9a68f060f52552939654ac7a78d49ea787d7f182e293c604f772bea9e027d0159a43c9f06957d392

Download Submit
C:\WindowsGraphics\Binds\Bind-YBg0ZBhNt5\Cryptodome\Hash\_SHA256.pyd

Filesize
21KB

MD5
15e2c2434668d1648d9147156b0a44c6

SHA1
bea635adfd889381cc324d2612606e409518261d

SHA256
ebee833d40ed09abccff1f415b4a4cb1ec6f8d84431067980b09a36450edb9f8

SHA512
197818202b07f97dc370f456a1f59a5210c8af7e8221d6e0bbf8a96e8190668dd29d353bffb0f833fc622b8f797558708446cdde7a062ecd8c66d67b87262445

Download Submit
C:\WindowsGraphics\Binds\Bind-YBg0ZBhNt5\Cryptodome\Hash\_ghash_clmul.pyd

Filesize
12KB

MD5
26798493d96b2b2cb9601c0708595b84

SHA1
cec50f2d5d38e3410f1ffe1546a08be35847b198

SHA256
84e5f449d863e2801c93c84648ab18c078fe52d75ce4309632afc295081ab5e8

SHA512
3f8f3bb54cd0755cccd4cf6e8ed29c2d0f1c10baeb6a0e58d6db51f5a5a442d653114eb2ac8ee78833e26f71275602f0b3b0e06c333b22bb45c1d2e7a70f278c

Download Submit
C:\WindowsGraphics\Binds\Bind-YBg0ZBhNt5\Cryptodome\Hash\_ghash_portable.pyd

Filesize
13KB

MD5
bea27cb11a8529d6ad11373531e5222f

SHA1
74b61da8fd39f03136b4fad7faa7e5a1ea7c1116

SHA256
1eb72bd49457080ce1432eb28e85134d7bd4344bccd9357839acbbfa9236b868

SHA512
49fec85d5853ddb352abc93be6cab3c42f2a3dbcdf32a90fe7fff6e5bf378514c594328c7845f892508c8301f8224f7a6a26f44458a6a9ebc59d99b7ccef8f4b

Download Submit
C:\WindowsGraphics\Binds\Bind-YBg0ZBhNt5\Cryptodome\Protocol\_scrypt.pyd

Filesize
12KB

MD5
308c6e862a3554f1b5587d003f4b1bbf

SHA1
800955d3a24065766e5825c8324b7f48cd02f073

SHA256
671aad8b7fae31e076df50c947cd198369eea6379e6fa1b058596e528f5da561

SHA512
35b27a6320a8046f7e7bc42b9af8414b076f5334467576a0e83c6d7992ec3675f73cf0fc72ae6da402ff70dd16fcc0c29287ab27ad04bb346d5229d62deb54a5

Download Submit
C:\WindowsGraphics\Binds\Bind-YBg0ZBhNt5\Cryptodome\Util\_cpuid_c.pyd

Filesize
10KB

MD5
690fc8d8423ee69c662f11cd6406cef1

SHA1
a0b78af3bc976c8aafa1fe80ef71f22d4bf7080b

SHA256
bd597e5853a3f2cad1d4e5743170a66383be18d215f8f83be2a473736ee28718

SHA512
b08dd641aef8c663174c4ad436915ffc4c4afb70b8a9719f535f1f99b7b29240a0c8951e19f3348c010dad3000b6b5173b1def077ec6d96bb8a3d3e9be339a40

Download Submit
C:\WindowsGraphics\Binds\Bind-YBg0ZBhNt5\Cryptodome\Util\_strxor.pyd

Filesize
10KB

MD5
174b652c8e6c40c36c8ab06a20a34c01

SHA1
f3cb9321100dce3a8d79b0fc517cc58e05d26e41

SHA256
42af8d99fc975720585d25d767fc825d4922c088b6c2b13ee2de23e439523610

SHA512
9f0c444069e477a043c85f606bf1a3fb695773dbc16d1124a4b2d771ea0385b797552031433cb625d7dc9c8d490eb0ef8fa2c13aa628ebba58df6a0530913f32

Download Submit
C:\WindowsGraphics\Binds\Bind-YBg0ZBhNt5\_cffi_backend.pyd

Filesize
174KB

MD5
2baaa98b744915339ae6c016b17c3763

SHA1
483c11673b73698f20ca2ff0748628c789b4dc68

SHA256
4f1ce205c2be986c9d38b951b6bcb6045eb363e06dacc069a41941f80be9068c

SHA512
2ae8df6e764c0813a4c9f7ac5a08e045b44daac551e8ff5f8aa83286be96aa0714d373b8d58e6d3aa4b821786a919505b74f118013d9fcd1ebc5a9e4876c2b5f

Download Submit
C:\WindowsGraphics\Binds\Bind-YBg0ZBhNt5\_socket.pyd

Filesize
72KB

MD5
5dd51579fa9b6a06336854889562bec0

SHA1
99c0ed0a15ed450279b01d95b75c162628c9be1d

SHA256
3669e56e99ae3a944fbe7845f0be05aea96a603717e883d56a27dc356f8c2f2c

SHA512
7aa6c6587890ae8c3f9a5e97ebde689243ac5b9abb9b1e887f29c53eef99a53e4b4ec100c03e1c043e2f0d330e7af444c3ca886c9a5e338c2ea42aaacae09f3e

Download Submit
C:\WindowsGraphics\Binds\Bind-YBg0ZBhNt5\python310.dll

Filesize
4.2MB

MD5
384349987b60775d6fc3a6d202c3e1bd

SHA1
701cb80c55f859ad4a31c53aa744a00d61e467e5

SHA256
f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8

SHA512
6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

Download Submit
C:\WindowsGraphics\Binds\Bind-YBg0ZBhNt5\select.pyd

Filesize
25KB

MD5
78d421a4e6b06b5561c45b9a5c6f86b1

SHA1
c70747d3f2d26a92a0fe0b353f1d1d01693929ac

SHA256
f1694ce82da997faa89a9d22d469bfc94abb0f2063a69ec9b953bc085c2cb823

SHA512
83e02963c9726a40cd4608b69b4cdf697e41c9eedfb2d48f3c02c91500e212e7e0ab03e6b3f70f42e16e734e572593f27b016b901c8aa75f674b6e0fbb735012

Download Submit
C:\WindowsGraphics\Binds\Bind-YBg0ZBhNt5\vcruntime140.dll

Filesize
94KB

MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\WindowsGraphics\Downloading\7za.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5mkgieow\5mkgieow.0.cs

Filesize
343B

MD5
c36def33cf3b17c9e92da3e1e7781022

SHA1
58ca5035b92f51d361e3b536bb1478285aabb3b2

SHA256
abbbedac28650c7d19e51f587149e89a44a01c925ea1a496f0f1bcf6288f98f1

SHA512
4285621a8df007a5f95f7582795035495dcd315b50776fadcf8d9d5755efacfd7e4da46260f2418ad5453a2704aaed565d9fb85ab5f83259dc7302852f38daf6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5mkgieow\5mkgieow.cmdline

Filesize
369B

MD5
4337d8db8ad6eb1eb7a036f52a16f24f

SHA1
bf948c5e8731ccb28f7f9a1727a2d0816099db5c

SHA256
6685f9af3887d1ae6ec88211d1e9d65c2df868e308adf876e47b7da7add622a6

SHA512
f671518b68e77256c95e7f66833e426fe08354ee866eeef7a67a165e84cca4906af746e2f81db7814cfb9e738d68da400045d958e394fe395e5432044b30e56a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5mkgieow\CSC84F9CDB96FE9472B8CE38ACD55862CD.TMP

Filesize
652B

MD5
fbfaa529a56f72d3f994dc35a623de4b

SHA1
08391d347c932ce5510f41029b9d7dab6b4c5b7a

SHA256
ba6637676d9a743b7fe07bf28b9b8183a8cb7eb6867705714fcb7354c48ae5c7

SHA512
fb689cee8004997c025472b23df95af957153b914b49bfe5cbcc745e6d842a3a360bcf2433554de40419844bbbd0759c1d2a33a524f315244076d3ec7b992217

Download Submit
memory/4224-52-0x00000226D1E00000-0x00000226D1E2A000-memory.dmp

Filesize
168KB

Download
memory/4224-53-0x00000226D1E00000-0x00000226D1E24000-memory.dmp

Filesize
144KB

Download
memory/4452-25-0x00000214F1D00000-0x00000214F1D08000-memory.dmp

Filesize
32KB

Download
memory/4452-29-0x00007FFE92EC0000-0x00007FFE93982000-memory.dmp

Filesize
10.8MB

Download
memory/4452-1-0x00007FFE92EC3000-0x00007FFE92EC5000-memory.dmp

Filesize
8KB

Download
memory/4452-12-0x00007FFE92EC0000-0x00007FFE93982000-memory.dmp

Filesize
10.8MB

Download
memory/4452-11-0x00007FFE92EC0000-0x00007FFE93982000-memory.dmp

Filesize
10.8MB

Download
memory/4452-10-0x00000214F1D20000-0x00000214F1D42000-memory.dmp

Filesize
136KB

Download
memory/4612-2311-0x000001AE99B20000-0x000001AE99BAB000-memory.dmp

Filesize
556KB

Download