ec50cb208b4e464ee0d09204a6329fd4ce867dc02911e24b9c15930928fc4acd

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
22/04/2024, 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe
Size

15.4MB
MD5

fa5b700dd378b580e395dc71da2ca812
SHA1

84ea39494d25f7a724546a49abfe5b2eacfb8b6e
SHA256

ec50cb208b4e464ee0d09204a6329fd4ce867dc02911e24b9c15930928fc4acd
SHA512

6a4f645a816d19d9acd2892a19399f81797626069c7607f1227725ee9a089384662d685291e837c64f678c4550fa5eda04eec3ad80144125a1f2f93c0d394a96
SSDEEP

393216:Vl4DDxi9c5hlER35ShR4uw22WmfDZHZTtN3ZWAgiQx6w/:b4XxOEhkpQ2z7/tN34QO

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 39 IoCs

pid	Process
1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe
1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe
1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe
1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe
1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe
1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe
1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe
1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe
1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe
1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe
1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe
1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe
1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe
1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe
1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe
1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe
1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe
1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe
1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe
1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe
1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe
1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe
1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe
1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe
1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe
1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe
1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe
1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe
1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe
1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe
1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe
1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe
1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe
1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe
1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe
1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe
1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe
1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe
1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2388	schtasks.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1340	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1972	WMIC.exe
Token: SeSecurityPrivilege	1972	WMIC.exe
Token: SeTakeOwnershipPrivilege	1972	WMIC.exe
Token: SeLoadDriverPrivilege	1972	WMIC.exe
Token: SeSystemProfilePrivilege	1972	WMIC.exe
Token: SeSystemtimePrivilege	1972	WMIC.exe
Token: SeProfSingleProcessPrivilege	1972	WMIC.exe
Token: SeIncBasePriorityPrivilege	1972	WMIC.exe
Token: SeCreatePagefilePrivilege	1972	WMIC.exe
Token: SeBackupPrivilege	1972	WMIC.exe
Token: SeRestorePrivilege	1972	WMIC.exe
Token: SeShutdownPrivilege	1972	WMIC.exe
Token: SeDebugPrivilege	1972	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1972	WMIC.exe
Token: SeRemoteShutdownPrivilege	1972	WMIC.exe
Token: SeUndockPrivilege	1972	WMIC.exe
Token: SeManageVolumePrivilege	1972	WMIC.exe
Token: 33	1972	WMIC.exe
Token: 34	1972	WMIC.exe
Token: 35	1972	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1972	WMIC.exe
Token: SeSecurityPrivilege	1972	WMIC.exe
Token: SeTakeOwnershipPrivilege	1972	WMIC.exe
Token: SeLoadDriverPrivilege	1972	WMIC.exe
Token: SeSystemProfilePrivilege	1972	WMIC.exe
Token: SeSystemtimePrivilege	1972	WMIC.exe
Token: SeProfSingleProcessPrivilege	1972	WMIC.exe
Token: SeIncBasePriorityPrivilege	1972	WMIC.exe
Token: SeCreatePagefilePrivilege	1972	WMIC.exe
Token: SeBackupPrivilege	1972	WMIC.exe
Token: SeRestorePrivilege	1972	WMIC.exe
Token: SeShutdownPrivilege	1972	WMIC.exe
Token: SeDebugPrivilege	1972	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1972	WMIC.exe
Token: SeRemoteShutdownPrivilege	1972	WMIC.exe
Token: SeUndockPrivilege	1972	WMIC.exe
Token: SeManageVolumePrivilege	1972	WMIC.exe
Token: 33	1972	WMIC.exe
Token: 34	1972	WMIC.exe
Token: 35	1972	WMIC.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 1708	2084	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe	28
PID 2084 wrote to memory of 1708	2084	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe	28
PID 2084 wrote to memory of 1708	2084	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe	28
PID 1708 wrote to memory of 2268	1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe	29
PID 1708 wrote to memory of 2268	1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe	29
PID 1708 wrote to memory of 2268	1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe	29
PID 2268 wrote to memory of 1932	2268	cmd.exe	31
PID 2268 wrote to memory of 1932	2268	cmd.exe	31
PID 2268 wrote to memory of 1932	2268	cmd.exe	31
PID 2268 wrote to memory of 1340	2268	cmd.exe	32
PID 2268 wrote to memory of 1340	2268	cmd.exe	32
PID 2268 wrote to memory of 1340	2268	cmd.exe	32
PID 2268 wrote to memory of 2172	2268	cmd.exe	33
PID 2268 wrote to memory of 2172	2268	cmd.exe	33
PID 2268 wrote to memory of 2172	2268	cmd.exe	33
PID 1708 wrote to memory of 848	1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe	34
PID 1708 wrote to memory of 848	1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe	34
PID 1708 wrote to memory of 848	1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe	34
PID 848 wrote to memory of 1252	848	cmd.exe	36
PID 848 wrote to memory of 1252	848	cmd.exe	36
PID 848 wrote to memory of 1252	848	cmd.exe	36
PID 1708 wrote to memory of 1944	1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe	37
PID 1708 wrote to memory of 1944	1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe	37
PID 1708 wrote to memory of 1944	1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe	37
PID 1944 wrote to memory of 1972	1944	cmd.exe	39
PID 1944 wrote to memory of 1972	1944	cmd.exe	39
PID 1944 wrote to memory of 1972	1944	cmd.exe	39
PID 1708 wrote to memory of 2332	1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe	41
PID 1708 wrote to memory of 2332	1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe	41
PID 1708 wrote to memory of 2332	1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe	41
PID 1708 wrote to memory of 880	1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe	43
PID 1708 wrote to memory of 880	1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe	43
PID 1708 wrote to memory of 880	1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe	43
PID 880 wrote to memory of 2064	880	cmd.exe	45
PID 880 wrote to memory of 2064	880	cmd.exe	45
PID 880 wrote to memory of 2064	880	cmd.exe	45
PID 880 wrote to memory of 1348	880	cmd.exe	46
PID 880 wrote to memory of 1348	880	cmd.exe	46
PID 880 wrote to memory of 1348	880	cmd.exe	46
PID 1708 wrote to memory of 1004	1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe	47
PID 1708 wrote to memory of 1004	1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe	47
PID 1708 wrote to memory of 1004	1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe	47
PID 1708 wrote to memory of 1524	1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe	49
PID 1708 wrote to memory of 1524	1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe	49
PID 1708 wrote to memory of 1524	1708	2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe	49
PID 1004 wrote to memory of 2388	1004	cmd.exe	51
PID 1004 wrote to memory of 2388	1004	cmd.exe	51
PID 1004 wrote to memory of 2388	1004	cmd.exe	51

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-04-22_fa5b700dd378b580e395dc71da2ca812_ponmocup_ryuk.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "chcp 65001 && ipconfig | findstr /i "Default Gateway""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1932
  - - C:\Windows\system32\ipconfig.exe
      ipconfig
      4⤵
      Gathers network information
      PID:1340
  - - C:\Windows\system32\findstr.exe
      findstr /i "Default Gateway"
      4⤵
      PID:2172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "@chcp 65001 1>nul"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:848
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic BIOS get BIOSVersion"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic BIOS get BIOSVersion
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:2332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "@chcp 65001 && @schtasks.exe /query /tn "Updatter""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:880
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2064
  - - C:\Windows\system32\schtasks.exe
      schtasks.exe /query /tn "Updatter"
      4⤵
      PID:1348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc onlogon /rl highest /tn "Updatter" /tr "C:\System32\svzhost.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1004
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Updatter" /tr "C:\System32\svzhost.exe"
      4⤵
      Creates scheduled task(s)
      PID:2388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver.exe"
    3⤵
    PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI20842\Crypto\Cipher\_raw_ecb.cp38-win_amd64.pyd

Filesize
11KB

MD5
d4535f5b8683cd4b523d1f97232d3772

SHA1
1a6ce4eeb5acd1762f629478db14dfe8e361967f

SHA256
a8bd1b23f25393b26570a23f3083227dca1e2a6c4422581ff3e46cea3c4ac4ad

SHA512
447c9b1772f4a4f91961268e1b87c3576415f5257197db16336a3be8601dcfc8cd01dd1bb0676403633c58b8593aa9f558bbd53ccd994f5702df38c265358730

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20842\Crypto\Cipher\_raw_ofb.cp38-win_amd64.pyd

Filesize
12KB

MD5
b537c5216bd68311d50b10d62d02b9bb

SHA1
eb613bdabc18ee0f43afa4a13e684d0f8bc57817

SHA256
2b4fefd3688f5e92b1c3ef745d3463d44d9c071b9e2e190a7179191cd3b1e3a5

SHA512
1a3a8e9454646d7ac87f0acc34092da9c3873e4912ea8cb7c335d58a1bf7336d370dda9da13fdc6148ebfe93e3b75ceebc0684a5ee7b4ae24e8e2b5d053afe38

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20842\Crypto\Hash\_MD5.cp38-win_amd64.pyd

Filesize
16KB

MD5
7b4db40a5af596c7b685b1bff8c85a63

SHA1
bdc1ca3a817731ab89fcc0ff8f9ed540b8fe016d

SHA256
938aa6f71988f899c605dfe09a0882403af0564eb1937316bf50bda5b63659af

SHA512
8d995a342eecbb4278ea02ca84b0c5d3446b06952c1ce29e3d3eb1aa95c7b31cbd88976bd6bdb2c92c4e5e25103d392aa911a5f718cca3cb6e9e0c2d9e8695fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20842\TOOL.exe.manifest

Filesize
1KB

MD5
f36009384fb2b7df0ab4edb33d6d80c3

SHA1
56e0f6e7c6ccd4fad68616d70c2d4ad7829ca838

SHA256
47af5ba84be771d9e4ebc64563fa54cbe293330c0c83b4ca6e82052cd86913a7

SHA512
6f9959c929a2e63f4a2d730a244a84c66c36035b3e56f4c1d420717c193d91546d72c9e41c9a719e181b69dfbaed91d85a30e01ebf5d4ef78db6a3d386f37384

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20842\_bz2.pyd

Filesize
84KB

MD5
b89b6c064cd8241ae12addb7f376cab2

SHA1
29e86a1df404c442e14344042d39a98dd15425f7

SHA256
0563df6e938b836f817c49e0cf9828cc251b2092a84273152ea5a7c537c03beb

SHA512
f87b1c6d90cfb01316a17ad37f27287d5ef4ff3a0f7fd25303203ea7c7fa1ed12c1aef486dc9bbb8b4d527f37e771b950fa5142b2bac01f52afbfdbf7a77111d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20842\_lzma.pyd

Filesize
158KB

MD5
6e396653552d446c8114e98e5e195d09

SHA1
c1f760617f7f640d6f84074d6d5218d5a338a6ec

SHA256
5ddba137db772b61d4765c45b6156b2ee33a1771ddd52dd55b0ef592535785cf

SHA512
c4bf2c4c51350b9142da3faeadf72f94994e614f9e43e3c2a1675aa128c6e7f1212fd388a71124971648488bb718ca9b66452e5d0d0b840a0979df7146ed7ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20842\_queue.pyd

Filesize
27KB

MD5
1707a6aeeb0278ee445e86ee4354c86c

SHA1
50c30823b1dc995a03f5989c774d6541e5eaaef9

SHA256
dd8c39ff48de02f3f74256a61bf3d9d7e411c051dd4205ca51446b909458f0cd

SHA512
404b99b8c70de1d5e6a4f747df44f514a4b6480b6c30b468f35e9e0257fd75c1a480641bc88180f6eb50f0bd96bdcafb65bb25364c0757a6e601090ae5989838

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20842\_ssl.pyd

Filesize
150KB

MD5
fefbb91866778278460e16e44cfb8151

SHA1
53890f03a999078b70b921b104df198f2f481a7c

SHA256
8a10b301294a35bc3a96a59ca434a628753a13d26de7c7cb51d37cf96c3bdbb5

SHA512
449b5f0c089626db1824ebe405b97a67b073ea7ce22cee72aa3b2490136b3b6218e9f15d71da6fd32fba090255d3a0ba0e77a36c1f8b8bea45f6be95a91e388d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20842\base_library.zip

Filesize
768KB

MD5
25e7be8004f46166cfd2c4de68952a71

SHA1
3c13099423c1fce1f502dd4cba6e17d53d76c321

SHA256
a7b3d59901f28bb8c7d51a6b7faed7c8932db28898fc72b8140ed3f8fa45d9d8

SHA512
6565ea170902474e1ff08c97bcccb290f2475cc16e0f606db5f1c06d2cadfc985777862242575e9c788d17d629782dfa6e8e1e65a4f9dd8f1b83b2c0cd3e9496

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20842\certifi\cacert.pem

Filesize
275KB

MD5
c760591283d5a4a987ad646b35de3717

SHA1
5d10cbd25ac1c7ced5bfb3d6f185fa150f6ea134

SHA256
1a14f6e1fd11efff72e1863f8645f090eec1b616614460c210c3b7e3c13d4b5e

SHA512
c192ae381008eaf180782e6e40cd51834e0233e98942bd071768308e179f58f3530e6e883f245a2630c86923dbeb68b624c5ec2167040d749813fedc37a6d1e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20842\libcrypto-1_1.dll

Filesize
3.2MB

MD5
cc4cbf715966cdcad95a1e6c95592b3d

SHA1
d5873fea9c084bcc753d1c93b2d0716257bea7c3

SHA256
594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1

SHA512
3b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20842\python38.dll

Filesize
4.0MB

MD5
3cd1e87aeb3d0037d52c8e51030e1084

SHA1
49ecd5f6a55f26b0fb3aeb4929868b93cc4ec8af

SHA256
13f7c38dc27777a507d4b7f0bd95d9b359925f6f5bf8d0465fe91e0976b610c8

SHA512
497e48a379885fdd69a770012e31cd2a62536953e317bb28e3a50fdb177e202f8869ea58fc11802909cabb0552d8c8850537e9fb4ead7dd14a99f67283182340

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20842\select.pyd

Filesize
26KB

MD5
08b499ae297c5579ba05ea87c31aff5b

SHA1
4a1a9f1bf41c284e9c5a822f7d018f8edc461422

SHA256
940fb90fd78b5be4d72279dcf9c24a8b1fcf73999f39909980b12565a7921281

SHA512
ab26f4f80449aa9cc24e68344fc89aeb25d5ba5aae15aeed59a804216825818edfe31c7fda837a93a6db4068ccfb1cc7e99173a80bd9dda33bfb2d3b5937d7e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20842\sqlite3.dll

Filesize
1.4MB

MD5
ce480e119718e4ece416c7216aef7620

SHA1
f5ef2e1c2bc7f25221cc84461975b536b165fec2

SHA256
9c903beee9b402a167a0e1e66fcd80790840efc4d55753dcf06f1e742777e374

SHA512
2d57d162d8e9a0b35f21e06e0d62378c1c567540618c2635583d5f86cc99e1583924d0ee136c034631c3736e0fa3d8b7fcc3522757134758a3a647d36592d2e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20842\unicodedata.pyd

Filesize
1.0MB

MD5
84fb421643cab316ce623aa84395a950

SHA1
4fba083864b3811b8a09644d559186ecb347c387

SHA256
5578c3054f8846be86e686fb73b62b1f931d3ed1a7859b87925a96774371dba4

SHA512
a2132f93b0e4292dc9c32da2a6478769ec4f58be5c36ee2701e2a66154ea1dc2c0684fc7698e7c3ac04f5c1d366cb9633a9366e5a38b7ff7a964ff25ea266f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20842\win32api.pyd

Filesize
129KB

MD5
511367f74dd035502f2dc895b6a752e7

SHA1
40e319f0ace8cf7c6d7c1fb3041c7d3d9f9787eb

SHA256
202dd28e5d0451f2c672a4537116c70929ca6bbc5edd9115ed8a99f734f430ff

SHA512
7ee506c35c8b3a54f6cc1cf40abe6672a86780ada82024c519498c1d30a1a045ff79bd5a34116258503241880722da87a361f4dfea2729af7f812bc54d723d20

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20842\Crypto\Cipher\_raw_cbc.cp38-win_amd64.pyd

Filesize
13KB

MD5
03c703a8f4c2a1443cccc8316af8940c

SHA1
046d8c846d9393e472064aa1250826994a785577

SHA256
ca09e03d93f3a330a467afd7fb998ad81dfd75fa7a1c2e202d6898f229c269d4

SHA512
a65bf31452e984de1f951a3bca97c9dc27ac113e5fd4e0d29fa2b67e6c1b24d48ba6513d1e2ceaa7617e92305171e9675379a0e97980a3ceec209c49cd687329

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20842\Crypto\Cipher\_raw_cfb.cp38-win_amd64.pyd

Filesize
13KB

MD5
6f1d3ed33d7dfeae5642406d76ff2084

SHA1
014cfee7d754564928ed2df2fef933aeda915918

SHA256
f5918822781473d44f69030a9b32bcaeffa8671f1328c48085c9671f140d1273

SHA512
e55f57ef9411979ab164d5c3faca609856ddaa273ee817225ba77a12ddad02da464378ca0cbd98ddec708aeac96845ab8c718d35edc88b0ab06bb14ed53647ca

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20842\Crypto\Cipher\_raw_ctr.cp38-win_amd64.pyd

Filesize
14KB

MD5
c04554cf7f89e2d360ebcc39f85a2970

SHA1
42ac403bd2a854d7f6ac60a299594a9c4a793f35

SHA256
264ed03313efc36ef0794e3c716319e0aa4774c3d0a26c522dcfa7be1f46349f

SHA512
668928abb8510d36dcc2e9ff7cd10353c3cbc10af199ca4c909770921fdcbe4aeedc5dfb106c91cf480c86a2ab78e2da6278d859aae93cb72bc50de432411ed9

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20842\Crypto\Hash\_BLAKE2s.cp38-win_amd64.pyd

Filesize
15KB

MD5
2101eb8948ad5b50feeceb0865169d48

SHA1
fd55a3553d0c0416cd733ae732361685c0d23c59

SHA256
962a6e4baf1fe8579b815c059abd924563835fc2139fa16d4ba191c291d033ec

SHA512
122c8ba5df3d3c2b6ddb6de8415634c02c296285e629f780e1f9d9a4afaf1ef3bef0863f83748f2ad5847385e349b4d39c4c54ed7d4246f502603080c5b973e4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20842\Crypto\Hash\_SHA1.cp38-win_amd64.pyd

Filesize
19KB

MD5
abc7d549b8974a93e441b45b118a3f8e

SHA1
1b78c6022f03550ca48a67aa2b2edc0add3a5fd7

SHA256
059e3b26c6816c5f2e3a3d6fdfcc0298077221cd8ae8a17fc9fe6d67ef2bfc3a

SHA512
8ac63714eebbe6c4ff7da73ebe1e03be1aaee194d635df068108956bf009b872bad1357a5c41e5780d053903784c10797d417f90f941e362f3d3774e91bbb98e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20842\Crypto\Hash\_SHA256.cp38-win_amd64.pyd

Filesize
21KB

MD5
4c16bb062911f8d38d881022dba921dc

SHA1
fed09bcb06fa5bb604bfb81d4aecbd012548f5f9

SHA256
d72174d81ef9e6c8c9c2b2c9a0392e85195a1fde81757a8fa61e7561b8689f84

SHA512
2ca19b324011f1957f2182b6d57a687cff1805e94c27118452d7b579ea4dc9bdf2f409c03cb97b71e312593c41312bd278c25d52cac1cf0eecc72ce79ba0d08d

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20842\Crypto\Util\_strxor.cp38-win_amd64.pyd

Filesize
11KB

MD5
c718722a0c7e48a91b492b604ca15125

SHA1
6fa5b7da8366bfd7ae575452d389d01bfa25e6b4

SHA256
248962dbfabfd47f79df23f22754e6644404ccd10f152420a639de12215a615f

SHA512
953aa4827746ad544e799976724f657a56337407bebcc0c721b926caa74fae6bfc42acbd194c4220f3e0e4edc5e325674be3f0773859f9ed40ad943a359058dd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20842\VCRUNTIME140.dll

Filesize
99KB

MD5
8697c106593e93c11adc34faa483c4a0

SHA1
cd080c51a97aa288ce6394d6c029c06ccb783790

SHA256
ff43e813785ee948a937b642b03050bb4b1c6a5e23049646b891a66f65d4c833

SHA512
724bbed7ce6f7506e5d0b43399fb3861dda6457a2ad2fafe734f8921c9a4393b480cdd8a435dbdbd188b90236cb98583d5d005e24fa80b5a0622a6322e6f3987

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20842\_ctypes.pyd

Filesize
123KB

MD5
4d13a7b3ecc8c7dc96a0424c465d7251

SHA1
0c72f7259ac9108d956aede40b6fcdf3a3943cb5

SHA256
2995ef03e784c68649fa7898979cbb2c1737f691348fae15f325d9fc524df8ed

SHA512
68ff7c421007d63a970269089afb39c949d6cf9f4d56aff7e4e0b88d3c43cfaa352364c5326523386c00727cc36e64274a51b5dbb3a343b16201cf5fc264fec8

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20842\_hashlib.pyd

Filesize
45KB

MD5
496cde3c381c8e33186354631dfad0f1

SHA1
cbdb280ecb54469fd1987b9eff666d519e20249f

SHA256
f9548e3b71764ac99efb988e4daac249e300eb629c58d2a341b753299180c679

SHA512
f7245eb24f2b6d8bc22f876d6abb90e77db46bf0e5ab367f2e02e4ca936c898a5a14d843235adc5502f6d74715da0b93d86222e8dec592ae41ab59d56432bf4f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20842\_portaudio.cp38-win_amd64.pyd

Filesize
201KB

MD5
f7b8055f8d54b1ff8fe16bf86eee9d22

SHA1
8da2387d8e840d6eb34978a8343fee27d86ae100

SHA256
a35531c046271b4e0355e0d6d2844d886480b01220b71e4795263312f50beea6

SHA512
82cd75009b17719e477785040b6fa3372affdcea4b16ffb579a869f5353cb914b88ade612624f7c0d0d7e2b64edb3c92cc34c6a0306a5c2fd2829c67b3e2de0c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20842\_socket.pyd

Filesize
77KB

MD5
eb974aeda30d7478bb800bb4c5fbc0a2

SHA1
c5b7bc326bd003d42bcf620d657cac3f46f9d566

SHA256
1db7b4f6ae31c4d35ef874eb328f735c96a2457677a3119e9544ee2a79bc1016

SHA512
f9eea3636371ba508d563cf21541a21879ce50a5666e419ecfd74255c8decc3ae5e2ceb4a8f066ae519101dd71a116335a359e3343e8b2ff3884812099ae9b1b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20842\_sqlite3.pyd

Filesize
85KB

MD5
7f184284e7786226d3b1de5f02338a48

SHA1
b5b8d1a23780dabe32e994a6a7b348fc56f97c43

SHA256
17fb342ecdacb63160576dec824c9f627ed06a6ba58236110620afaeacb45bb5

SHA512
c3794f8e0eacaa98c756bc6f0ab7ee39ccdc228691298c9b5d14ed834ec06f408d86031bcd62cffb02e349706fee8763ca24d39b13cf7a8feefacc25aab9ed46

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20842\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20842\libssl-1_1.dll

Filesize
673KB

MD5
bc778f33480148efa5d62b2ec85aaa7d

SHA1
b1ec87cbd8bc4398c6ebb26549961c8aab53d855

SHA256
9d4cf1c03629f92662fc8d7e3f1094a7fc93cb41634994464b853df8036af843

SHA512
80c1dd9d0179e6cc5f33eb62d05576a350af78b5170bfdf2ecda16f1d8c3c2d0e991a5534a113361ae62079fb165fff2344efd1b43031f1a7bfda696552ee173

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20842\pythoncom38.dll

Filesize
558KB

MD5
4f8818b15e4f1237748eaa870d7a3e38

SHA1
1baeca046a4bb9031e30be99d2333d93562c3bd9

SHA256
063d249851f457c8d5684943bee1c81d1c7810ce7e06469faef19898c556c8b5

SHA512
c9a6e3a03b2124e22fd179b5dc50d6d09ab51ac6d41390845c48508c7175ad4cd08599ee6e564158be3a375c40d88088dba50ca9cbcf8dba1c2480612f0f4539

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20842\pywintypes38.dll

Filesize
138KB

MD5
306e8a0ca8c383a27ae00649cb1e5080

SHA1
25a4188ed099d45f092598c6ed119a41ef446672

SHA256
74565d7b4e01807eb146bf26cfeb7aa27029caca58fee7c394111cbd5fa95e2e

SHA512
3a61b826556c6cbbe56397cef9f0429bf366d453d6894327dcd6aeeaffb625b5fc82559a108b74612727100c5fff156ffa048d45fca149fe4437270e6293a763

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20842\win32gui.pyd

Filesize
224KB

MD5
1180f5ff22a6953310bb3fdf76830b9b

SHA1
0ff147907e7cdab11e164891dfe2257b70c384e0

SHA256
42ed7a66402ab771d9b072c46eb9db315e4a93728cac31a1eb62cdfed2e966cc

SHA512
546731456ca8d5c8488da0ab238f50b58546f172f98eb6bb51a9a4ef6664d5886020eec44cc713f310fbec18c7cd8bac7cef15d742f7646b7537766782db76ff

Download Submit
memory/1708-1058-0x0000000003A00000-0x0000000003A01000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads