9835cdcdeeff23e6dd9f5a76a6071d734a83dc66e7411ddf3c9ac803abd1a4af

Analysis

max time kernel
5s
max time network
31s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2023, 16:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bob_leponge.exe
Size

8.3MB
MD5

330472b720577832869cb242c0dc1731
SHA1

bfad071c3d377310b9d21c9e98b7caa0be619a1d
SHA256

9835cdcdeeff23e6dd9f5a76a6071d734a83dc66e7411ddf3c9ac803abd1a4af
SHA512

c7bc5cb287651a56f1aef252880bce77178b83087fd7fbb7d1bc4d8eea61928719c87e844dff48be4698cb5d8f94ae3273368fb68a58f1a222a03c58e990ff40
SSDEEP

196608:dXgafMj+16B6yYnlPzf+JiT4n3XWK2MvnwE9VyUyFfuF5nd:eafiBRYnlPSF3VVvnwjBuP

Score

7^/10

upx

Malware Config

Signatures

Loads dropped DLL 19 IoCs

pid	Process
1692	bob_leponge.exe
1692	bob_leponge.exe
1692	bob_leponge.exe
1692	bob_leponge.exe
1692	bob_leponge.exe
1692	bob_leponge.exe
1692	bob_leponge.exe
1692	bob_leponge.exe
1692	bob_leponge.exe
1692	bob_leponge.exe
1692	bob_leponge.exe
1692	bob_leponge.exe
1692	bob_leponge.exe
1692	bob_leponge.exe
1692	bob_leponge.exe
1692	bob_leponge.exe
1692	bob_leponge.exe
1692	bob_leponge.exe
1692	bob_leponge.exe

UPX packed file 48 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000023154-160.dat	upx
behavioral2/files/0x0006000000023154-161.dat	upx
behavioral2/files/0x000600000002314d-165.dat	upx
behavioral2/files/0x000600000002314d-166.dat	upx
behavioral2/memory/1692-167-0x00007FFC4B7C0000-0x00007FFC4BDAA000-memory.dmp	upx
behavioral2/files/0x0008000000023149-168.dat	upx
behavioral2/files/0x0008000000023149-169.dat	upx
behavioral2/files/0x000600000002314f-170.dat	upx
behavioral2/files/0x000600000002314f-171.dat	upx
behavioral2/files/0x0006000000023157-172.dat	upx
behavioral2/files/0x0006000000023157-173.dat	upx
behavioral2/files/0x0006000000023151-175.dat	upx
behavioral2/files/0x0006000000023151-174.dat	upx
behavioral2/files/0x0006000000023153-178.dat	upx
behavioral2/files/0x0006000000023152-176.dat	upx
behavioral2/files/0x0006000000023152-180.dat	upx
behavioral2/files/0x0006000000023152-179.dat	upx
behavioral2/files/0x0006000000023153-177.dat	upx
behavioral2/files/0x000600000002314c-181.dat	upx
behavioral2/files/0x000600000002314c-182.dat	upx
behavioral2/memory/1692-183-0x00007FFC5B6A0000-0x00007FFC5B6CD000-memory.dmp	upx
behavioral2/memory/1692-184-0x00007FFC53A20000-0x00007FFC53A39000-memory.dmp	upx
behavioral2/files/0x000600000002314e-185.dat	upx
behavioral2/files/0x000600000002314e-186.dat	upx
behavioral2/memory/1692-187-0x00007FFC524E0000-0x00007FFC524F9000-memory.dmp	upx
behavioral2/memory/1692-189-0x00007FFC5C290000-0x00007FFC5C29D000-memory.dmp	upx
behavioral2/files/0x0006000000023150-188.dat	upx
behavioral2/files/0x0006000000023150-191.dat	upx
behavioral2/memory/1692-190-0x00007FFC4D5E0000-0x00007FFC4D60E000-memory.dmp	upx
behavioral2/memory/1692-193-0x00007FFC4BDB0000-0x00007FFC4BE68000-memory.dmp	upx
behavioral2/files/0x0006000000023158-194.dat	upx
behavioral2/files/0x0006000000023158-192.dat	upx
behavioral2/memory/1692-195-0x00007FFC4B440000-0x00007FFC4B7B5000-memory.dmp	upx
behavioral2/files/0x00020000000225be-196.dat	upx
behavioral2/files/0x00020000000225be-197.dat	upx
behavioral2/memory/1692-199-0x00007FFC4CDF0000-0x00007FFC4CE04000-memory.dmp	upx
behavioral2/files/0x000600000002315a-200.dat	upx
behavioral2/files/0x000600000002315a-201.dat	upx
behavioral2/files/0x0006000000023156-202.dat	upx
behavioral2/files/0x0006000000023156-204.dat	upx
behavioral2/memory/1692-207-0x00007FFC5C040000-0x00007FFC5C04D000-memory.dmp	upx
behavioral2/memory/1692-208-0x00007FFC4B2B0000-0x00007FFC4B2D3000-memory.dmp	upx
behavioral2/memory/1692-209-0x00007FFC4B140000-0x00007FFC4B2AF000-memory.dmp	upx
behavioral2/memory/1692-210-0x00007FFC4AEE0000-0x00007FFC4B132000-memory.dmp	upx
behavioral2/memory/1692-211-0x00007FFC4AE90000-0x00007FFC4AEB9000-memory.dmp	upx
behavioral2/memory/1692-212-0x00007FFC4AE60000-0x00007FFC4AE8E000-memory.dmp	upx
behavioral2/files/0x0006000000023159-269.dat	upx
behavioral2/files/0x0006000000023159-270.dat	upx

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
4408	tasklist.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4388	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3864	powershell.exe
3864	powershell.exe
908	powershell.exe
4012	powershell.exe
908	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3864	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	4012	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3756 wrote to memory of 1692	3756	bob_leponge.exe	84
PID 3756 wrote to memory of 1692	3756	bob_leponge.exe	84
PID 1692 wrote to memory of 3840	1692	bob_leponge.exe	85
PID 1692 wrote to memory of 3840	1692	bob_leponge.exe	85
PID 1692 wrote to memory of 4600	1692	bob_leponge.exe	86
PID 1692 wrote to memory of 4600	1692	bob_leponge.exe	86
PID 4600 wrote to memory of 3864	4600	cmd.exe	89
PID 4600 wrote to memory of 3864	4600	cmd.exe	89
PID 3840 wrote to memory of 1512	3840	cmd.exe	90
PID 3840 wrote to memory of 1512	3840	cmd.exe	90
PID 1512 wrote to memory of 2376	1512	net.exe	91
PID 1512 wrote to memory of 2376	1512	net.exe	91
PID 1692 wrote to memory of 512	1692	bob_leponge.exe	93
PID 1692 wrote to memory of 512	1692	bob_leponge.exe	93
PID 1692 wrote to memory of 3892	1692	bob_leponge.exe	92
PID 1692 wrote to memory of 3892	1692	bob_leponge.exe	92
PID 512 wrote to memory of 908	512	cmd.exe	96
PID 512 wrote to memory of 908	512	cmd.exe	96
PID 3892 wrote to memory of 4012	3892	cmd.exe	97
PID 3892 wrote to memory of 4012	3892	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\bob_leponge.exe
"C:\Users\Admin\AppData\Local\Temp\bob_leponge.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3756
- C:\Users\Admin\AppData\Local\Temp\bob_leponge.exe
  "C:\Users\Admin\AppData\Local\Temp\bob_leponge.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "net session"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3840
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1512
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:2376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Unblock-File '.\bob_leponge.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4600
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Unblock-File '.\bob_leponge.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bob_leponge.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3892
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bob_leponge.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:512
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
    3⤵
    PID:4560
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
      4⤵
      PID:4684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2832
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:836
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /IM svchost.exe"
    3⤵
    PID:4104
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM svchost.exe
      4⤵
      Kills process with taskkill
      PID:4388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37562\PIL\_imaging.cp311-win_amd64.pyd

Filesize
732KB

MD5
e382184096e78544c3d9eb9df61d6200

SHA1
e928c6f4bfd58f743c903289c09166dfa1b3207f

SHA256
f89c546766e5e309b8b16240bd139b47956951507cf9b5382f7baee00606961e

SHA512
a96c7f6553cde4789c5209e6790880fa89069a466e155f121d1ed67d28c3ce7846e3efabcc089d512c8c24f3f3e0dee2fb9b9ae4d6883176b53e19e85f8bfa0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37562\PIL\_imaging.cp311-win_amd64.pyd

Filesize
732KB

MD5
e382184096e78544c3d9eb9df61d6200

SHA1
e928c6f4bfd58f743c903289c09166dfa1b3207f

SHA256
f89c546766e5e309b8b16240bd139b47956951507cf9b5382f7baee00606961e

SHA512
a96c7f6553cde4789c5209e6790880fa89069a466e155f121d1ed67d28c3ce7846e3efabcc089d512c8c24f3f3e0dee2fb9b9ae4d6883176b53e19e85f8bfa0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37562\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37562\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37562\VCRUNTIME140_1.dll

Filesize
48KB

MD5
bba9680bc310d8d25e97b12463196c92

SHA1
9a480c0cf9d377a4caedd4ea60e90fa79001f03a

SHA256
e0b66601cc28ecb171c3d4b7ac690c667f47da6b6183bff80604c84c00d265ab

SHA512
1575c786ac3324b17057255488da5f0bc13ad943ac9383656baf98db64d4ec6e453230de4cd26b535ce7e8b7d41a9f2d3f569a0eff5a84aeb1c2f9d6e3429739

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37562\VCRUNTIME140_1.dll

Filesize
48KB

MD5
bba9680bc310d8d25e97b12463196c92

SHA1
9a480c0cf9d377a4caedd4ea60e90fa79001f03a

SHA256
e0b66601cc28ecb171c3d4b7ac690c667f47da6b6183bff80604c84c00d265ab

SHA512
1575c786ac3324b17057255488da5f0bc13ad943ac9383656baf98db64d4ec6e453230de4cd26b535ce7e8b7d41a9f2d3f569a0eff5a84aeb1c2f9d6e3429739

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37562\VCRUNTIME140_1.dll

Filesize
48KB

MD5
bba9680bc310d8d25e97b12463196c92

SHA1
9a480c0cf9d377a4caedd4ea60e90fa79001f03a

SHA256
e0b66601cc28ecb171c3d4b7ac690c667f47da6b6183bff80604c84c00d265ab

SHA512
1575c786ac3324b17057255488da5f0bc13ad943ac9383656baf98db64d4ec6e453230de4cd26b535ce7e8b7d41a9f2d3f569a0eff5a84aeb1c2f9d6e3429739

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37562\_bz2.pyd

Filesize
48KB

MD5
b227a77a065cbdf53d89072b91ad5d36

SHA1
ca2b8fd5b8f84298fd147b3d8f850cd9d3b7678f

SHA256
fafee9f3f6a8f9dc1859f482a401c1301bc64632c5164db460f6dcfe010cf69d

SHA512
91f44f35360859fcc5f77a33fa9606c67ea353f97bac907078966afe7224d9197444ef3a79845ff3610cba9ba8703f39d83006a6795176f9a7d154a7ff7ae037

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37562\_bz2.pyd

Filesize
48KB

MD5
b227a77a065cbdf53d89072b91ad5d36

SHA1
ca2b8fd5b8f84298fd147b3d8f850cd9d3b7678f

SHA256
fafee9f3f6a8f9dc1859f482a401c1301bc64632c5164db460f6dcfe010cf69d

SHA512
91f44f35360859fcc5f77a33fa9606c67ea353f97bac907078966afe7224d9197444ef3a79845ff3610cba9ba8703f39d83006a6795176f9a7d154a7ff7ae037

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37562\_hashlib.pyd

Filesize
35KB

MD5
d6ede55082df871c677d0da68a49684f

SHA1
61b73740621d7ac9f677cdee1b776d14a7e9c2ff

SHA256
1aba7710685d8d86e182c5faeab604e71fcb3fff1b6ac905152cb4f1331f36fd

SHA512
337e880ae4859f72e86223785c628f40b84848ed6fa2a016031d16151fe655e1cd7008b4935cf5ad2c10decd25352eed04a0b9574289b0fd5ff3bc29b7550864

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37562\_hashlib.pyd

Filesize
35KB

MD5
d6ede55082df871c677d0da68a49684f

SHA1
61b73740621d7ac9f677cdee1b776d14a7e9c2ff

SHA256
1aba7710685d8d86e182c5faeab604e71fcb3fff1b6ac905152cb4f1331f36fd

SHA512
337e880ae4859f72e86223785c628f40b84848ed6fa2a016031d16151fe655e1cd7008b4935cf5ad2c10decd25352eed04a0b9574289b0fd5ff3bc29b7550864

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37562\_lzma.pyd

Filesize
85KB

MD5
b44fd0cc6537cf62cd93f26f0225b73f

SHA1
b851300f9436ca003b7738d511bd0d0a99f7bdfc

SHA256
134ead1985e01aa08fc0cf9429a3bdd2e8bd0ccd012a708bdb207452b81ee6ed

SHA512
8f3e79411790303dc0283846548ff33c541489dc6878902756b147d644afb6369e2721bc2ae913c6eb742346fcb0a7545df46ed6da8a13b15339e51e15117ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37562\_lzma.pyd

Filesize
85KB

MD5
b44fd0cc6537cf62cd93f26f0225b73f

SHA1
b851300f9436ca003b7738d511bd0d0a99f7bdfc

SHA256
134ead1985e01aa08fc0cf9429a3bdd2e8bd0ccd012a708bdb207452b81ee6ed

SHA512
8f3e79411790303dc0283846548ff33c541489dc6878902756b147d644afb6369e2721bc2ae913c6eb742346fcb0a7545df46ed6da8a13b15339e51e15117ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37562\_queue.pyd

Filesize
25KB

MD5
5a68de9bfe3b02de63dbb20656b16b53

SHA1
7eb26047fdd3307a82b406ea177b22ddbf1a14bc

SHA256
0f6f50993bdff1247a7cadf20934f214265dfb3712340326a2240767fe5e0fb7

SHA512
d6ed9a4208587c3482fe8652420773964ee9a2ae7e8de2aa0efba2b57eefd60a3bf7ddb6ab3de00797e963dc6c1a67ae426387cb14719900ccfb7cb0e8808215

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37562\_queue.pyd

Filesize
25KB

MD5
5a68de9bfe3b02de63dbb20656b16b53

SHA1
7eb26047fdd3307a82b406ea177b22ddbf1a14bc

SHA256
0f6f50993bdff1247a7cadf20934f214265dfb3712340326a2240767fe5e0fb7

SHA512
d6ed9a4208587c3482fe8652420773964ee9a2ae7e8de2aa0efba2b57eefd60a3bf7ddb6ab3de00797e963dc6c1a67ae426387cb14719900ccfb7cb0e8808215

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37562\_socket.pyd

Filesize
43KB

MD5
5fadaa05ce39e7bd808049556f6b95a5

SHA1
32b27e7c54bebbe8012126d3c0dd20f98689af88

SHA256
8cfe616dd8710ea5f2742f1306f64922826673c9a60e0b7b6f2552ac31088f9e

SHA512
1784faae9e641937afd73d7a7699ad1313b93353fb20a67965722ccc7a37aee34e3f053e6df35508c9e0a7ba6db48516ac475c3d1fac4dfe043beba3c0e6b59f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37562\_socket.pyd

Filesize
43KB

MD5
5fadaa05ce39e7bd808049556f6b95a5

SHA1
32b27e7c54bebbe8012126d3c0dd20f98689af88

SHA256
8cfe616dd8710ea5f2742f1306f64922826673c9a60e0b7b6f2552ac31088f9e

SHA512
1784faae9e641937afd73d7a7699ad1313b93353fb20a67965722ccc7a37aee34e3f053e6df35508c9e0a7ba6db48516ac475c3d1fac4dfe043beba3c0e6b59f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37562\_sqlite3.pyd

Filesize
56KB

MD5
bbe2a08a0e997eacc34735fc2c9df601

SHA1
0d0fcdb43a038ab9ef2dd46e00187a41e96c1489

SHA256
28add6e21b62ff80168e83efc537454f56ed55b8c758f4342cd36d51c89ae5df

SHA512
e799cefaca9b1908d78f61b0ba2a829c10318d0c1d9b031c73a71e3ed86c24c73f9bfa2a22e997f91b53c0e8aef972de5cc4698f26e1247530cd191bd57f4e1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37562\_sqlite3.pyd

Filesize
56KB

MD5
bbe2a08a0e997eacc34735fc2c9df601

SHA1
0d0fcdb43a038ab9ef2dd46e00187a41e96c1489

SHA256
28add6e21b62ff80168e83efc537454f56ed55b8c758f4342cd36d51c89ae5df

SHA512
e799cefaca9b1908d78f61b0ba2a829c10318d0c1d9b031c73a71e3ed86c24c73f9bfa2a22e997f91b53c0e8aef972de5cc4698f26e1247530cd191bd57f4e1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37562\_ssl.pyd

Filesize
62KB

MD5
6eab88efb66abaa42a3f6ec2f0ada718

SHA1
10f21dd91c309df77a5c1399fb059c8e70749fb4

SHA256
03d67916ef72469257a1e4f7c891a63769f1289d0104eb4f19508704f0200317

SHA512
14259bb728a75eae6ea93e2591f9e9aaa8677fe00f349210803db0e9fb42cfdb53e1d257bd9295905629b87c5741cd8409cb45a08129dd5838510670e13bbb53

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37562\_ssl.pyd

Filesize
62KB

MD5
6eab88efb66abaa42a3f6ec2f0ada718

SHA1
10f21dd91c309df77a5c1399fb059c8e70749fb4

SHA256
03d67916ef72469257a1e4f7c891a63769f1289d0104eb4f19508704f0200317

SHA512
14259bb728a75eae6ea93e2591f9e9aaa8677fe00f349210803db0e9fb42cfdb53e1d257bd9295905629b87c5741cd8409cb45a08129dd5838510670e13bbb53

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37562\base_library.zip

Filesize
1.7MB

MD5
7bcea208f62a447a79d34d8530f3608e

SHA1
08e4f3939060c35ec497b23edc54f3c130b18614

SHA256
924e3835d50dcdd523c00f1eae3e9f1ef0900bcf5137218b4ec4c6e00e5902c9

SHA512
86d3470a1d8cccd43d9b3e53abfe3bc7db5512a41d7ba57884dda437ee5ae43366693bba364b3436be0649e599376537d4e2e60b3f3c7c219cf4ab710d06b202

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37562\config.json

Filesize
321B

MD5
e7dcee9e2613fa7efddc88fca1e3098b

SHA1
90e45a5608e7170edfb3d93fe8f95f51f37fb4e0

SHA256
09919238e33a432152c79827ee73ec9c3cad3eb4db016ce6fef8d19dea7e44ab

SHA512
be47c0f830d5313a1ca63ac9eed90596d5a14090310e74683c7c7b0077fc734e4efb65d450cf2eac159debaf610e54d35409483de8f20bbf5337c9ee8959d809

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37562\libcrypto-1_1.dll

Filesize
1.1MB

MD5
14c89f5cf35732f5eae8c381935b53d8

SHA1
be143c04a004e86b439f495a01dbf4661566187e

SHA256
67a7ceab9a00047b3986855a438acf51faff86b6f13980fd282e5b312ae9e54e

SHA512
9a631dec362730273ddb4ed39dbe8adcc1bf87b53932dcb81e07fe4d5197fe56fa20c98a261cc950f4e4766ccfa8a9db93d6a975d10afbe1a0758b19ee879252

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37562\libcrypto-1_1.dll

Filesize
1.1MB

MD5
14c89f5cf35732f5eae8c381935b53d8

SHA1
be143c04a004e86b439f495a01dbf4661566187e

SHA256
67a7ceab9a00047b3986855a438acf51faff86b6f13980fd282e5b312ae9e54e

SHA512
9a631dec362730273ddb4ed39dbe8adcc1bf87b53932dcb81e07fe4d5197fe56fa20c98a261cc950f4e4766ccfa8a9db93d6a975d10afbe1a0758b19ee879252

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37562\libcrypto-1_1.dll

Filesize
1.1MB

MD5
14c89f5cf35732f5eae8c381935b53d8

SHA1
be143c04a004e86b439f495a01dbf4661566187e

SHA256
67a7ceab9a00047b3986855a438acf51faff86b6f13980fd282e5b312ae9e54e

SHA512
9a631dec362730273ddb4ed39dbe8adcc1bf87b53932dcb81e07fe4d5197fe56fa20c98a261cc950f4e4766ccfa8a9db93d6a975d10afbe1a0758b19ee879252

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37562\libssl-1_1.dll

Filesize
203KB

MD5
12ce2e61d0b52bec18225c1a7542d5a4

SHA1
9b34515971021d678ffc6087cc968c93a16895dc

SHA256
17096a9f8be7cb4bc65318c2b64643949720965fadaf7d128895ccdd7215c896

SHA512
e28eeeb8f51f82b596cb8dca5cc0d538b647487cce7304a32ed7730fff6b3968ffd6c6a00f57607c2ac12766286251004e8a8452ea299dca86336b5ed725be41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37562\libssl-1_1.dll

Filesize
203KB

MD5
12ce2e61d0b52bec18225c1a7542d5a4

SHA1
9b34515971021d678ffc6087cc968c93a16895dc

SHA256
17096a9f8be7cb4bc65318c2b64643949720965fadaf7d128895ccdd7215c896

SHA512
e28eeeb8f51f82b596cb8dca5cc0d538b647487cce7304a32ed7730fff6b3968ffd6c6a00f57607c2ac12766286251004e8a8452ea299dca86336b5ed725be41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37562\python311.dll

Filesize
1.6MB

MD5
53b1a9474ddc3a31adf72011dc8da780

SHA1
36f476d318acca6a12d3625b02cb14ab19534db7

SHA256
357e545f47b605682328566a8df692dc22e4ea2ab37686788c3416b3813addc7

SHA512
290c070eaf324476bfda676fc547ee42479a239b11192b654604862d53de1f1752a2f1b212dc15b3a22787a6469d6ec22ced98b7bb7d5f7c618602bbd12b7881

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37562\python311.dll

Filesize
1.6MB

MD5
53b1a9474ddc3a31adf72011dc8da780

SHA1
36f476d318acca6a12d3625b02cb14ab19534db7

SHA256
357e545f47b605682328566a8df692dc22e4ea2ab37686788c3416b3813addc7

SHA512
290c070eaf324476bfda676fc547ee42479a239b11192b654604862d53de1f1752a2f1b212dc15b3a22787a6469d6ec22ced98b7bb7d5f7c618602bbd12b7881

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37562\pywin32_system32\pywintypes311.dll

Filesize
62KB

MD5
bd26e7e8c402cfedfb28c04c401edd56

SHA1
de09348e6e53a2bd02d601e91ecd10d239f726f5

SHA256
48a59a866181df73ed1864c6e14354c95e5c31605c9e6b2dd5daa6595a95888f

SHA512
b567e532d31bee3345d856cdd275c3453f7ba8b0ca80324cf871ec06394890c0b735a3fa6b8515979d9ea66b6cfbc3bc336612da838b0cea4cb9e986538ae404

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37562\pywin32_system32\pywintypes311.dll

Filesize
62KB

MD5
bd26e7e8c402cfedfb28c04c401edd56

SHA1
de09348e6e53a2bd02d601e91ecd10d239f726f5

SHA256
48a59a866181df73ed1864c6e14354c95e5c31605c9e6b2dd5daa6595a95888f

SHA512
b567e532d31bee3345d856cdd275c3453f7ba8b0ca80324cf871ec06394890c0b735a3fa6b8515979d9ea66b6cfbc3bc336612da838b0cea4cb9e986538ae404

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37562\select.pyd

Filesize
25KB

MD5
4fb899c990d705b5d2f96947c1cdbc17

SHA1
0cfbf51732a5e55422d5a70b446e0208c6c852a6

SHA256
3fcd54d75627f5cdbe2398bb6bd7008d5b1041cc84aa9a40424f1caa290638a5

SHA512
718a832577447b93262ea2269a6fbeddea3daf17e0134e56fb72a71c4de42014c9cbcd46a54521b92c8ba161fcbe7a92ab4132b37d7dd804a70f3fb4814065ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37562\select.pyd

Filesize
25KB

MD5
4fb899c990d705b5d2f96947c1cdbc17

SHA1
0cfbf51732a5e55422d5a70b446e0208c6c852a6

SHA256
3fcd54d75627f5cdbe2398bb6bd7008d5b1041cc84aa9a40424f1caa290638a5

SHA512
718a832577447b93262ea2269a6fbeddea3daf17e0134e56fb72a71c4de42014c9cbcd46a54521b92c8ba161fcbe7a92ab4132b37d7dd804a70f3fb4814065ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37562\sqlite3.dll

Filesize
607KB

MD5
dd904ba8cbc5933ca8dcfd08724a4d23

SHA1
0b1acb031846e8eed30e3f508cdae4c25ee96fc4

SHA256
94ce8d7282fe94377edd09998ed23107b072c3562785116c4e79ce7391b3511e

SHA512
be665d19e4b4afa873689ad391dfb96101a27d513872fc63302d47ae0ee8e8631230f03ba9e01f06d6b6caf1b4243e65ad285e72b956481c88d475958b5ac83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37562\sqlite3.dll

Filesize
607KB

MD5
dd904ba8cbc5933ca8dcfd08724a4d23

SHA1
0b1acb031846e8eed30e3f508cdae4c25ee96fc4

SHA256
94ce8d7282fe94377edd09998ed23107b072c3562785116c4e79ce7391b3511e

SHA512
be665d19e4b4afa873689ad391dfb96101a27d513872fc63302d47ae0ee8e8631230f03ba9e01f06d6b6caf1b4243e65ad285e72b956481c88d475958b5ac83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37562\unicodedata.pyd

Filesize
295KB

MD5
b895bb4056e6f35014aa7c6807fe09c1

SHA1
528757e7173de08735da1737011b5d670c41976c

SHA256
2a544f5d327d76529c808fe40b6ba35433b569ad5216814e51f31804ec0cc1f6

SHA512
8c06697f2a5c5b055d6e936ba5a63163e3641e3d45b5ffffd32fe0a78ba3a743b36a2b7c2369a4e25cf733b54c0ac69285045d59d1ce4e129ca6e0bba63a93da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37562\unicodedata.pyd

Filesize
295KB

MD5
b895bb4056e6f35014aa7c6807fe09c1

SHA1
528757e7173de08735da1737011b5d670c41976c

SHA256
2a544f5d327d76529c808fe40b6ba35433b569ad5216814e51f31804ec0cc1f6

SHA512
8c06697f2a5c5b055d6e936ba5a63163e3641e3d45b5ffffd32fe0a78ba3a743b36a2b7c2369a4e25cf733b54c0ac69285045d59d1ce4e129ca6e0bba63a93da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37562\win32crypt.pyd

Filesize
51KB

MD5
5ea45424d1d96eac3ba530183154f5f5

SHA1
58b1ff6a5124091b68804e0962dc9f34fbcfd085

SHA256
48cf9148e04a9d083779707880f2f763429b4e13961796d4a9de6c5b74b86536

SHA512
c1474e76ce84682e9a8a4e35e932fbf8ba803751c3907e438dada735ac1dbd9dd35d9dad345f62cf348f156a16a11128f1dd1e43cb99cade0c51448842ee3dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37562\win32crypt.pyd

Filesize
51KB

MD5
5ea45424d1d96eac3ba530183154f5f5

SHA1
58b1ff6a5124091b68804e0962dc9f34fbcfd085

SHA256
48cf9148e04a9d083779707880f2f763429b4e13961796d4a9de6c5b74b86536

SHA512
c1474e76ce84682e9a8a4e35e932fbf8ba803751c3907e438dada735ac1dbd9dd35d9dad345f62cf348f156a16a11128f1dd1e43cb99cade0c51448842ee3dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bd4wavsi.fxf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/908-246-0x000001D7F3EA0000-0x000001D7F3EB0000-memory.dmp

Filesize
64KB

Download
memory/908-244-0x000001D7F3EA0000-0x000001D7F3EB0000-memory.dmp

Filesize
64KB

Download
memory/1692-207-0x00007FFC5C040000-0x00007FFC5C04D000-memory.dmp

Filesize
52KB

Download
memory/1692-183-0x00007FFC5B6A0000-0x00007FFC5B6CD000-memory.dmp

Filesize
180KB

Download
memory/1692-209-0x00007FFC4B140000-0x00007FFC4B2AF000-memory.dmp

Filesize
1.4MB

Download
memory/1692-210-0x00007FFC4AEE0000-0x00007FFC4B132000-memory.dmp

Filesize
2.3MB

Download
memory/1692-211-0x00007FFC4AE90000-0x00007FFC4AEB9000-memory.dmp

Filesize
164KB

Download
memory/1692-212-0x00007FFC4AE60000-0x00007FFC4AE8E000-memory.dmp

Filesize
184KB

Download
memory/1692-189-0x00007FFC5C290000-0x00007FFC5C29D000-memory.dmp

Filesize
52KB

Download
memory/1692-190-0x00007FFC4D5E0000-0x00007FFC4D60E000-memory.dmp

Filesize
184KB

Download
memory/1692-199-0x00007FFC4CDF0000-0x00007FFC4CE04000-memory.dmp

Filesize
80KB

Download
memory/1692-198-0x000002838A0C0000-0x000002838A435000-memory.dmp

Filesize
3.5MB

Download
memory/1692-193-0x00007FFC4BDB0000-0x00007FFC4BE68000-memory.dmp

Filesize
736KB

Download
memory/1692-167-0x00007FFC4B7C0000-0x00007FFC4BDAA000-memory.dmp

Filesize
5.9MB

Download
memory/1692-208-0x00007FFC4B2B0000-0x00007FFC4B2D3000-memory.dmp

Filesize
140KB

Download
memory/1692-195-0x00007FFC4B440000-0x00007FFC4B7B5000-memory.dmp

Filesize
3.5MB

Download
memory/1692-187-0x00007FFC524E0000-0x00007FFC524F9000-memory.dmp

Filesize
100KB

Download
memory/1692-184-0x00007FFC53A20000-0x00007FFC53A39000-memory.dmp

Filesize
100KB

Download
memory/3864-243-0x0000017DB25D0000-0x0000017DB25E0000-memory.dmp

Filesize
64KB

Download
memory/3864-242-0x0000017DB25D0000-0x0000017DB25E0000-memory.dmp

Filesize
64KB

Download
memory/3864-223-0x0000017DB2510000-0x0000017DB2532000-memory.dmp

Filesize
136KB

Download
memory/4012-245-0x000001D0D06D0000-0x000001D0D06E0000-memory.dmp

Filesize
64KB

Download
memory/4684-264-0x0000016261C00000-0x0000016261C10000-memory.dmp

Filesize
64KB

Download
memory/4684-266-0x0000016261C00000-0x0000016261C10000-memory.dmp

Filesize
64KB

Download
memory/4684-265-0x0000016261C00000-0x0000016261C10000-memory.dmp

Filesize
64KB

Download
memory/4684-267-0x0000016261C00000-0x0000016261C10000-memory.dmp

Filesize
64KB

Download