1f29ce0eb6cd08fe49d8322cf4adce63e86d753e82e1ae9afdc438c6dbcef79e

Analysis

max time kernel
93s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15/09/2024, 00:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4fc650ca6f44d97bd03a1c2f1ef1c010N.exe
Size

8.0MB
MD5

4fc650ca6f44d97bd03a1c2f1ef1c010
SHA1

b1f53f84b79af747f04aac66b7fab7ab56f1dbf2
SHA256

1f29ce0eb6cd08fe49d8322cf4adce63e86d753e82e1ae9afdc438c6dbcef79e
SHA512

9acfcc7e0972f2b5d09aaacd68c77b58d2834777d011aab5f089e90f11c0f713d1e9ea0cd6a8b87df2f95a7e6c25c4d00c84f14cd10b2aed2979e932db72a39e
SSDEEP

98304:VHdOZoRoiGYXAQ/ol9z01ivu8ZNooA52QhF4hWEw11iYRrlykS1SRY3g6ZYPt5ou:iitGUAQ/fUvuTg/CB51Rw7Qrf2TE

Score

10^/10

discovery execution persistence pyinstaller

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://s3.amazonaws.com/cdn.hotglue.xyz/executables/nssm.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://s3.amazonaws.com/cdn.hotglue.xyz/executables/Sage50-HGConnector-v3.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://s3.amazonaws.com/cdn.hotglue.xyz/executables/Sage50-HGConnector-write-v29-v2.exe

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
9	4532	powershell.exe
19	4456	powershell.exe
41	944	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4fc650ca6f44d97bd03a1c2f1ef1c010N.exe = "C:\\Program Files\\hotglue\\4fc650ca6f44d97bd03a1c2f1ef1c010N.exe"	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4532	powershell.exe
4456	powershell.exe
944	powershell.exe

Downloads MZ/PE file

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\hotglue\nssm.exe	powershell.exe
File created	C:\Program Files\hotglue\4fc650ca6f44d97bd03a1c2f1ef1c010N.exe	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe
File created	C:\Program Files\hotglue\Sage50-HGConnector.exe	powershell.exe
File created	C:\Program Files\hotglue\Sage50-HGConnector-write.exe	powershell.exe
File created	C:\Program Files\hotglue\hotglue-sage-connector.log	Sage50-HGConnector.exe
File created	C:\Program Files\hotglue\config.yml	Sage50-HGConnector.exe
File opened for modification	C:\Program Files\hotglue\hotglue-sage-connector.log	Sage50-HGConnector.exe
File opened for modification	C:\Program Files\hotglue\launcher.log	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe

Executes dropped EXE 5 IoCs

pid	Process
3828	nssm.exe
2840	nssm.exe
2288	nssm.exe
2104	Sage50-HGConnector.exe
1532	Sage50-HGConnector.exe

Loads dropped DLL 46 IoCs

pid	Process
2876	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe
2876	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe
2876	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe
2876	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe
2876	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe
2876	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe
2876	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe
2876	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe
2876	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe
2876	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe
2876	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe
2876	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe
2876	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe
2876	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe
2876	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe
2876	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe
2876	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe
2876	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe
2876	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe
2876	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe
1532	Sage50-HGConnector.exe
1532	Sage50-HGConnector.exe
1532	Sage50-HGConnector.exe
1532	Sage50-HGConnector.exe
1532	Sage50-HGConnector.exe
1532	Sage50-HGConnector.exe
1532	Sage50-HGConnector.exe
1532	Sage50-HGConnector.exe
1532	Sage50-HGConnector.exe
1532	Sage50-HGConnector.exe
1532	Sage50-HGConnector.exe
1532	Sage50-HGConnector.exe
1532	Sage50-HGConnector.exe
1532	Sage50-HGConnector.exe
1532	Sage50-HGConnector.exe
1532	Sage50-HGConnector.exe
1532	Sage50-HGConnector.exe
1532	Sage50-HGConnector.exe
1532	Sage50-HGConnector.exe
1532	Sage50-HGConnector.exe
1532	Sage50-HGConnector.exe
1532	Sage50-HGConnector.exe
1532	Sage50-HGConnector.exe
1532	Sage50-HGConnector.exe
1532	Sage50-HGConnector.exe
1532	Sage50-HGConnector.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x0003000000022ab2-135.dat	pyinstaller

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sage50-HGConnector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sage50-HGConnector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4532	powershell.exe
4532	powershell.exe
4456	powershell.exe
4456	powershell.exe
944	powershell.exe
944	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2876	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe
Token: SeDebugPrivilege	4532	powershell.exe
Token: SeDebugPrivilege	4456	powershell.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	1532	Sage50-HGConnector.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 2876	4648	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe	85
PID 4648 wrote to memory of 2876	4648	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe	85
PID 4648 wrote to memory of 2876	4648	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe	85
PID 2876 wrote to memory of 1768	2876	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe	87
PID 2876 wrote to memory of 1768	2876	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe	87
PID 2876 wrote to memory of 1768	2876	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe	87
PID 1768 wrote to memory of 4532	1768	cmd.exe	89
PID 1768 wrote to memory of 4532	1768	cmd.exe	89
PID 1768 wrote to memory of 4532	1768	cmd.exe	89
PID 2876 wrote to memory of 4264	2876	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe	94
PID 2876 wrote to memory of 4264	2876	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe	94
PID 2876 wrote to memory of 4264	2876	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe	94
PID 4264 wrote to memory of 4456	4264	cmd.exe	96
PID 4264 wrote to memory of 4456	4264	cmd.exe	96
PID 4264 wrote to memory of 4456	4264	cmd.exe	96
PID 2876 wrote to memory of 3828	2876	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe	102
PID 2876 wrote to memory of 3828	2876	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe	102
PID 2876 wrote to memory of 2840	2876	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe	104
PID 2876 wrote to memory of 2840	2876	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe	104
PID 2876 wrote to memory of 2288	2876	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe	106
PID 2876 wrote to memory of 2288	2876	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe	106
PID 2876 wrote to memory of 2104	2876	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe	108
PID 2876 wrote to memory of 2104	2876	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe	108
PID 2876 wrote to memory of 2104	2876	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe	108
PID 2876 wrote to memory of 980	2876	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe	109
PID 2876 wrote to memory of 980	2876	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe	109
PID 2876 wrote to memory of 980	2876	4fc650ca6f44d97bd03a1c2f1ef1c010N.exe	109
PID 980 wrote to memory of 944	980	cmd.exe	111
PID 980 wrote to memory of 944	980	cmd.exe	111
PID 980 wrote to memory of 944	980	cmd.exe	111
PID 2104 wrote to memory of 1532	2104	Sage50-HGConnector.exe	112
PID 2104 wrote to memory of 1532	2104	Sage50-HGConnector.exe	112
PID 2104 wrote to memory of 1532	2104	Sage50-HGConnector.exe	112

C:\Users\Admin\AppData\Local\Temp\4fc650ca6f44d97bd03a1c2f1ef1c010N.exe
"C:\Users\Admin\AppData\Local\Temp\4fc650ca6f44d97bd03a1c2f1ef1c010N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Users\Admin\AppData\Local\Temp\4fc650ca6f44d97bd03a1c2f1ef1c010N.exe
  "C:\Users\Admin\AppData\Local\Temp\4fc650ca6f44d97bd03a1c2f1ef1c010N.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://s3.amazonaws.com/cdn.hotglue.xyz/executables/nssm.exe', 'C:/Program Files\hotglue\nssm.exe')""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://s3.amazonaws.com/cdn.hotglue.xyz/executables/nssm.exe', 'C:/Program Files\hotglue\nssm.exe')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://s3.amazonaws.com/cdn.hotglue.xyz/executables/Sage50-HGConnector-v3.exe', 'C:/Program Files\hotglue\Sage50-HGConnector.exe')""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4264
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://s3.amazonaws.com/cdn.hotglue.xyz/executables/Sage50-HGConnector-v3.exe', 'C:/Program Files\hotglue\Sage50-HGConnector.exe')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4456
- - C:\Program Files\hotglue\nssm.exe
    "C:/Program Files\hotglue/nssm.exe" remove sage50read confirm
    3⤵
    - Executes dropped EXE
    PID:3828
- - C:\Program Files\hotglue\nssm.exe
    "C:/Program Files\hotglue/nssm.exe" install sage50read "C:/Program Files\hotglue\Sage50-HGConnector.exe"
    3⤵
    - Executes dropped EXE
    PID:2840
- - C:\Program Files\hotglue\nssm.exe
    "C:/Program Files\hotglue/nssm.exe" set sage50read AppDirectory "C:/Program Files\hotglue"
    3⤵
    - Executes dropped EXE
    PID:2288
- - C:\Program Files\hotglue\Sage50-HGConnector.exe
    "C:/Program Files\hotglue\Sage50-HGConnector.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2104
  - - C:\Program Files\hotglue\Sage50-HGConnector.exe
      "C:/Program Files\hotglue\Sage50-HGConnector.exe"
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://s3.amazonaws.com/cdn.hotglue.xyz/executables/Sage50-HGConnector-write-v29-v2.exe', 'C:/Program Files\hotglue\Sage50-HGConnector-write.exe')""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:980
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://s3.amazonaws.com/cdn.hotglue.xyz/executables/Sage50-HGConnector-write-v29-v2.exe', 'C:/Program Files\hotglue\Sage50-HGConnector-write.exe')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\hotglue\Sage50-HGConnector.exe

Filesize
14.9MB

MD5
4384133770ff071b93a768c6b1034923

SHA1
f39e94e570863b1e83a37c711e8d5f73a83aff2d

SHA256
885301df8e50e1b499614e0fa1315db385358e870c57c69c7abb2980967802e9

SHA512
3154cde1ea63f633d0fa90c6af02839eca89bbb13746b673ce19ca57241ef93554e43a163bfad84df41ad85c06bddde893238ac6196352732f8c6757f45b8940

Download Submit
C:\Program Files\hotglue\launcher.log

Filesize
616B

MD5
39bae6fd8fd87cf9049092e2b0cd1e27

SHA1
31c033bbe6b19af7cd2e397090d6e49a40a05501

SHA256
406b7b39748d7fd8341d20c5e737528813507ea542830422e71849e833a11d8c

SHA512
b426cc003a6b7bd02fa265d69e9882f7edad93990128cace87cb7282c969bf4f6de996fabd61316c5c2fe8b3fb95481d466cee1cb0ada068f9b183d8b9e192ed

Download Submit
C:\Program Files\hotglue\nssm.exe

Filesize
333KB

MD5
ea40c346f47c41bbfe3ff1a4cd4a3ad9

SHA1
b8d12e84ac58c5148f498854111729fe4a6a16f2

SHA256
8b2e7331b1019905044e8b0207516daa953a041c6468de26f14eed10e360cbf4

SHA512
f75b605d98a3643fb68c9585a4589598256c6f74fa3a0e0b37e7891584fda0ba3658ad3a9d51073c67c5ed994fbdfa22e9fd2185b7efe91d5d0a917838cd365e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
abd185b4db385a0f34dccf0bf8df7ab2

SHA1
a0eb61490f16674410bc1d5ecc11e2381c07ec35

SHA256
1dbfae522e505b3cfd1bef1bf632ef7bde13643061339560f1ffd13309c74c63

SHA512
cc15ddf6552448b7b33830248a816c07969608ee592e8a0df75711352b54ec2a6ceb83b9e0df89dbc1c8002637f9b104b825f578f85c69a133dedaacfd46ceb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
d3b6daa67acb45757a65bf8ce613410a

SHA1
42b6efaf9a851af70213f01ea88273d92a95fabe

SHA256
06380bd8594fdf814fbc7b61426c3b37b0b80bcab33db0a5aae540843f77c0a4

SHA512
9d412bcc748a4f7039dcb83dd28d0286d65549d43a7de903b8d16287f8f7979b3c832dd460be0da03065fd8a54f5a15d24a9d0d6488512bc9c7b6f01d9844fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21042\base_library.zip

Filesize
1.0MB

MD5
af3cc011e4c932dcb75f5dc6d5ca4625

SHA1
3ae85170d13b4b0f97f353937bf77a0f6411356e

SHA256
ce118506f32a8e2a7723a52c708f49b5067c37e89a7987fbac076e50450abb91

SHA512
c3b17e359dd0117c064cb3a3d245fc67b9c7a8e80a9c4b7ab4a04d3e560b10daeaebfba036b76daf70858633d4c59a492a415a5372e3a85a2fb8f7bb20970a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21042\pytz\zoneinfo\Africa\Conakry

Filesize
148B

MD5
09a9397080948b96d97819d636775e33

SHA1
5cc9b028b5bd2222200e20091a18868ea62c4f18

SHA256
d2efac4e5f23d88c95d72c1db42807170f52f43dd98a205af5a92a91b9f2d997

SHA512
2eccf2515599ed261e96da3fbcfbab0b6a2dfc86a1d87e3814091709f0bfe2f600c3044c8555ed027978a8ae9045666ee639a8c249f48d665d8e5c60f0597799

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21042\pytz\zoneinfo\Africa\Djibouti

Filesize
265B

MD5
86dcc322e421bc8bdd14925e9d61cd6c

SHA1
289d1fb5a419107bc1d23a84a9e06ad3f9ee8403

SHA256
c89b2e253a8926a6cecf7eff34e4bfcdb7fe24daff22d84718c30deec0ea4968

SHA512
d32771be8629fb3186723c8971f06c3803d31389438b29bf6baa958b3f9db9a38971019583ba272c7a8f5eb4a633dfc467bfcb6f76faa8e290bad4fd7366bb2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21042\pytz\zoneinfo\Africa\Kigali

Filesize
149B

MD5
b77fb20b4917d76b65c3450a7117023c

SHA1
b99f3115100292d9884a22ed9aef9a9c43b31ccd

SHA256
93f19e9551d58868ae5820752d2c93a486124c364463dc9c9489d0458f8bc682

SHA512
a088c2a4c7d72717257c3125c7c2aca28463d68306ea452afaad75b8a0f9e5730a8d9c430d14668809717a672dc63c4816762acb046b339da662da421a6d65df

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21042\pytz\zoneinfo\Africa\Lagos

Filesize
235B

MD5
8244c4cc8508425b6612fa24df71e603

SHA1
30ba925b4670235915dddfa1dd824dd9d7295eac

SHA256
cffeb0282ccbd7fba0e493ff8677a1e5a6dd5197885042e437f95a773f844846

SHA512
560c7581dcb2c800eae779005e41406beaf15d24efc763304e3111b9bb6074fe0ba59c48b5a2c5511245551b94418bbc35934d9bd46313fcc6e383323056668c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21042\pytz\zoneinfo\America\Curacao

Filesize
246B

MD5
adf95d436701b9774205f9315ec6e4a4

SHA1
fcf8be5296496a5dd3a7a97ed331b0bb5c861450

SHA256
8491e557ff801a8306516b8ca5946ff5f2e6821af31477eb47d7d191cc5a6497

SHA512
f8fceff3c346224d693315af1ab12433eb046415200abaa6cdd65fd0ad40673fdddf67b83563d351e4aa520565881a4226fb37d578d3ba88a135e596ebb9b348

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21042\pytz\zoneinfo\America\Toronto

Filesize
3KB

MD5
44a2dd3cb61b90aa4201c38e571a15ba

SHA1
73f6ad91b2c748957bdaec149db3b1b6b0d8ac86

SHA256
820392cdb1e499f82ef704d0ccfd0c50ab2b28c6e0bdeb80793861d5e165d5ad

SHA512
11ddb971c65c2f4ecc690ef685163f2972c089660f4778997964d89113a403030927edbb2ed397b81cf61bde9276add6a43ee8ee92dfa69a6d102b035fe9f01d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21042\pytz\zoneinfo\Etc\Greenwich

Filesize
114B

MD5
9cd2aef183c064f630dfcf6018551374

SHA1
2a8483df5c2809f1dfe0c595102c474874338379

SHA256
6d9f378883c079f86c0387a5547a92c449869d806e07de10084ab04f0249018d

SHA512
dafa0cb9d0a8e0ff75a19be499751ad85372aafa856ff06dd68ecf2b1c5578bb98a040becaecf0aed2c3e4ff7372ff200fe7614334756d19fe79dd61c01d4e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21042\pytz\zoneinfo\Europe\London

Filesize
3KB

MD5
a40006ee580ef0a4b6a7b925fee2e11f

SHA1
1beba7108ea93c7111dabc9d7f4e4bfdea383992

SHA256
c85495070dca42687df6a1c3ee780a27cbcb82f1844750ea6f642833a44d29b4

SHA512
316ecacc34136294ce11dcb6d0f292570ad0515f799fd59fbff5e7121799860b1347d802b6439a291f029573a3715e043009e2c1d5275f38957be9e04f92e62e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21042\pytz\zoneinfo\Europe\Oslo

Filesize
2KB

MD5
7db6c3e5031eaf69e6d1e5583ab2e870

SHA1
918341ad71f9d3acd28997326e42d5b00fba41e0

SHA256
5ee475f71a0fc1a32faeb849f8c39c6e7aa66d6d41ec742b97b3a7436b3b0701

SHA512
688eaa6d3001192addaa49d4e15f57aa59f3dd9dc511c063aa2687f36ffd28ffef01d937547926be6477bba8352a8006e8295ee77690be935f76d977c3ea12fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21042\pytz\zoneinfo\Europe\Skopje

Filesize
1KB

MD5
6213fc0a706f93af6ff6a831fecbc095

SHA1
961a2223fd1573ab344930109fbd905336175c5f

SHA256
3a95adb06156044fd2fa662841c0268c2b5af47c1b19000d9d299563d387093a

SHA512
8149de3fd09f8e0f5a388f546ffe8823bdcda662d3e285b5cebc92738f0c6548ccb6ed2a5d086fd738cb3edc8e9e1f81c5e2e48edb0571e7ea7f131675b99327

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21042\pytz\zoneinfo\PRC

Filesize
561B

MD5
09dd479d2f22832ce98c27c4db7ab97c

SHA1
79360e38e040eaa15b6e880296c1d1531f537b6f

SHA256
64ffc2e43a94435a043c040d1d3af7e92d031adc78e7737af1861baa4eeef3e6

SHA512
f88ae25f3f04c7d5d5f98aafecc03cc7e4e56f1cd4c8deba6afd043f0fb7fe67b4d50e4df5493e77c6b34ba183e019442e736a13f784ba8c2847c06fd74ff200

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21042\pytz\zoneinfo\Pacific\Wallis

Filesize
152B

MD5
5bdd7374e21e3df324a5b3d178179715

SHA1
244ed7d52bc39d915e1f860727ecfe3f4b1ae121

SHA256
53268a8a6b11f0b8e02fc67683ae48d074efaf7b4c66e036c1478107afd9a7d7

SHA512
9c76f39e8795c50e6c5b384a7ff1f308a1c5173f42f810759b36cdeae7d33d1dac4934efeed580c59d988c152e2d7f8d9b8eb2073ab1fc15e4b9c10900c7b383

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21042\pytz\zoneinfo\Pacific\Yap

Filesize
172B

MD5
ec972f59902432836f93737f75c5116f

SHA1
331542d6faf6ab15ffd364d57fbaa62629b52b94

SHA256
9c1dfa1c15994dd8774e53f40cb14dcf529143468721f1dba7b2c2e14ae9f5f0

SHA512
e8e8c8f6d096c352d1244280254e4c6ecf93f7c2ff69ecc6fa4363a6be8a2daf6cfcd7f0d96bc2669268ced5565532fa06be348a139b0742ccccb83953c6324d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21042\pytz\zoneinfo\UCT

Filesize
114B

MD5
38bb24ba4d742dd6f50c1cba29cd966a

SHA1
d0b8991654116e9395714102c41d858c1454b3bd

SHA256
8b85846791ab2c8a5463c83a5be3c043e2570d7448434d41398969ed47e3e6f2

SHA512
194867d0cf66c2de4969dbfeb58c775964ecb2132acdc1b000b5ef0998cefde4a2979ffc04ec8b7dcb430e43326a79d9cedb28ecea184345aa7d742eaf9234ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\VCRUNTIME140.dll

Filesize
88KB

MD5
a0df29af5f6135b735dee359c0871ecf

SHA1
f7ebb9a9fd00e1ac95537158fae1167b06f490bd

SHA256
35afadbacc9a30341c1a5ee2117e69583e5044cea0bfab636dccbdcc281a8786

SHA512
fdc7a62d0b187829708ec544de52b4037da613e01a7591a2abc55f95c4719ee04f9c51d31f01edb7161b5edc3cd85004c3a55d375116baa76fb44553df592b3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\_bz2.pyd

Filesize
77KB

MD5
9c8bd2f2b0746bccd6e3abd3e4ef87ba

SHA1
de737486b5d4c015db2d155174a0e361372b3ad6

SHA256
e46d5f7d2887bdffc28c8487250135de6e652072024c53444076e554a607035d

SHA512
a93a438c35bd623329b3b9b870ce3379f16a2a158afef2530e58ad2ceb3ff9b7bee17c64da34e00e38ea4bb79ca0d5570164dae0176804743f0b8c73ee5895e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\_ctypes.pyd

Filesize
103KB

MD5
9151b64e3606d4cf696aa99691dedaa0

SHA1
ec18cd3bbc25cc601a35708b87a6bee2ed460248

SHA256
61db1362647f10526f30d52358939a81a792d2a5bce6827a4dc1cf06f1c232a5

SHA512
3bf5457ff867955e9e9feef949bb8adbbf65bec29012161dab4dd5137115ec111862d8258ddec87a9bbad496397a82aa3120bed9edbde7ec657a92cbbdd3b18a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\_hashlib.pyd

Filesize
46KB

MD5
6bec1f4a550544d5b5a49556baf3275a

SHA1
2aff089c030cd8c97ef301637cc9f5328b2fabc7

SHA256
94f52b29f66dff2c1e7933e3ad36099919278b906487a1c649ff4a811d957a9c

SHA512
27f458b50abc75960b30461a6d9e4403dff8c0c83f42dc29917b995ce0b4855c14518c0d31f900ceb6de22a539400fe0eccc28c2ea56f3df7639777fbed06a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\_lzma.pyd

Filesize
144KB

MD5
ae807263afdfdd9638171eb7c34c0a6c

SHA1
52c78cdabec513c673a5e6a6f8f60ceab360aa98

SHA256
e059dbc865f0244ae41cbb0085d6e3b52933fce3f2272f91109b518aa38d2dbc

SHA512
f9620eb3d371ac1e6ad86636ab498036eb6ec8f9253968cc8eac853f89ba440cd8c2e10cd7320293491410ceefe290d159645e28bc6ef3573e3e208ff58571c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\_queue.pyd

Filesize
26KB

MD5
e73e169ee8fd20e552ba439a795c9797

SHA1
49277723fb2eaf61eafcaa51f9e0984e4f713439

SHA256
baebbd0607698dc02312405772f24e72316047af0f59780281825d7605364825

SHA512
828f19a7a7858796b19cc2ed832af3c0574714d3b4dd9041254be1d0990f9b136fe35d89e2711174754753f0409b208e2280311d49838ae1097fbaec130bf7cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\_socket.pyd

Filesize
67KB

MD5
317b41a31a85e70a00a8282ae196832a

SHA1
2b919bfbdba3e2155f31af54ab58d07fb42158d1

SHA256
c53764abb71a7c3fe6c58e04230ca9862949d52895aeca5aa3fc54741f44a3ce

SHA512
5a6aba76700acba5b6bc63be82e4b6f72a19d00674559d62c7a01fd3e50fd7bfb53134cb337804f681e0b7391d4b954851a48825f2e58b2bf98904fd738aea28

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\_ssl.pyd

Filesize
136KB

MD5
ca2ec65bfa4034ac9bc287476a94e548

SHA1
72437ae6b806139577462e5126762661b5c4196d

SHA256
c2db98702fec772e4edcb66ff4a50311aa79c07f177dd6744d0918becde703bc

SHA512
55258faf394d64badd93c8a51302f348a73b130be2dcab812de5afa19fec74992b907c239194ce976bea18fd6956fb6f305e55ece1426c129885b2454ba49435

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\base_library.zip

Filesize
1.0MB

MD5
35f47c57d93ed1da390d203eb36d769a

SHA1
d632350c6adc73e134a50ba06db37e124800b234

SHA256
57a5108a5227ddf057f2405cf2f192705b4e52e4b6388d82a20a16a7f7003128

SHA512
fe38011f637f8daa9585ffd2f7570397cc091d877d670e38938b6f31f8305de909ab8f1650052a29f7c1ec15334800a8e07d52619d015497620fab5241a40e7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\certifi\cacert.pem

Filesize
268KB

MD5
59a15f9a93dcdaa5bfca246b84fa936a

SHA1
7f295ea74fc7ed0af0e92be08071fb0b76c8509e

SHA256
2c11c3ce08ffc40d390319c72bc10d4f908e9c634494d65ed2cbc550731fd524

SHA512
746157a0fcedc67120c2a194a759fa8d8e1f84837e740f379566f260e41aa96b8d4ea18e967e3d1aa1d65d5de30453446d8a8c37c636c08c6a3741387483a7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\libcrypto-1_1.dll

Filesize
2.2MB

MD5
90311ea0cc27e27d2998969c57eba038

SHA1
4653f1261fb7b16bc64c72833cfb93f0662d6f6d

SHA256
239d518dd67d8c2bbf6aeaded86ed464865e914db6bf3b115973d525ebd7d367

SHA512
6e2f839fb8d7aaab0b51778670da104c36355e22991eae930d2eaecabab45b40fda5e2317f1c928a803146855ac5553e4e464a65213696311c206bec926775d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\libffi-7.dll

Filesize
28KB

MD5
bc20614744ebf4c2b8acd28d1fe54174

SHA1
665c0acc404e13a69800fae94efd69a41bdda901

SHA256
0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57

SHA512
0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\libssl-1_1.dll

Filesize
536KB

MD5
0eb0295658ac5ce82b2d96d330d2866e

SHA1
68894ff86e0b443502e3ba9ce06bfb1660d19204

SHA256
52224881670ced6419a3e68731e5e3d0b1d224d5816619dccf6161f91ec78021

SHA512
347b7b5d7b9b1c88ea642f92257f955c0202ae16d6764f82d9923c96c151f1e944abf968f1e5728bde0dae382026b5279e4bcbe24c347134a1fbe1cb0b2e090f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\psutil\_psutil_windows.pyd

Filesize
62KB

MD5
b92e780fe4c49760b87da1f8ff08d6df

SHA1
bcea9df27dcaf4a26cf579a1c18bc84322624d69

SHA256
17ee098231485b258cf4ea2593e7112e0e5e178d379aa48059b1d8095121f400

SHA512
92ae06f9bb81514863f497a2201eeb88bcb9df7f50b3dc21632045ea873d793feb90eb5dbb4e2103cd14110bc67cc6d2f5a7d5b3a40ede6a08665aad1672803f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\python3.dll

Filesize
62KB

MD5
e70fa6a8ee52483775f6efb1f2eb870e

SHA1
694df83dcacfd6e364d48332dcf5144d1583f5f6

SHA256
927855f09cf77a03b701308bc68938e23b5739304a0012106f71a210e4be108e

SHA512
0c9a33e5d8235f2c599f52f23fd78859b1a2c49dc80300990f3ab64f88b5f80b32da5f20a3beff701d906e33c8af24e7bad8d30c3b1104ee1d57c6429b45910a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\python310.dll

Filesize
3.9MB

MD5
ec970131c8d8d66aeed8b50aa59e9e79

SHA1
3ca30a8e8afd8531ffbf97b8723f15bda9c13314

SHA256
6d97125e77feb8eeb642619a61e3fe80f76f1bac85bec450d6f1bbdaaf0c003f

SHA512
37d108c87b70a10bc00be0ad5988252e2bff86d0a4c597104d202da252bfc057413067ede5e7096809b4d53a55c1d9baab6bf8d01112947cf781df9b6c290db9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\pywin32_system32\pywintypes310.dll

Filesize
108KB

MD5
270725fb2869bf85588ec5829c5e7ee1

SHA1
a195e7224db74da35b25018e0fffc9f22d5a4c34

SHA256
f0d46a388b61fc0ba4d926124cdcf6ce5adda625404be056637158691563a778

SHA512
b78f75a149b0a24b8ef2957f73c9651efae87fa3c1cd7170a198186dd5cebe8ff5fcee2820306138dc2d0ecbe266ee49b0349333f26e9d12afb661e4702ff17a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\select.pyd

Filesize
25KB

MD5
f22a751c280856f7b090aa81ed66ef16

SHA1
ae79b7f1df52be5194956bc2fae9d009dc6d863e

SHA256
c86c45e0e3ed617d7769f4a53730c17f60efeef8defc9731f9464a953dc4bb05

SHA512
d48813342b53e8d9ef566fdee679928b5309f0c29dac88a056331a34203da7a90a39840e5f62f6fdd43e81701e4b6e30e9abbc5e7540c16cb843610e6655dcfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\unicodedata.pyd

Filesize
1.1MB

MD5
1edf5d81f4e4007c3c7796c10bba2980

SHA1
875d67317839de057833b8cc587a30bb4bf34337

SHA256
030ce1de2303f5e5e2460584930bae486bae5ed3598786d54050f9e0f217c5be

SHA512
16eaf2d286d3893fea215f53c7b2ce1e68988cfe614f647c949a782869c017dafe45ba7e00cda547e0f804ce4a56a1b25612871236d575bf7fc549461d860164

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\win32file.pyd

Filesize
120KB

MD5
bd3227f7581e585ffdc41feb26caf9b4

SHA1
cac1a0f15b87ab5ced4ae80a76892b3e1de80e50

SHA256
c4cabcdb2f130d49eff8220cfa7beb1a97e9381fe09b19806260134ae5e66a01

SHA512
3fedbad56917659129d3ac8bc684aa3d0abdab0275455e182fc75a3572870625469b1a7c863c2fa53a4de3b8dbc3f56a59e6d68f95044c3fce2d2b5ca89d962b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\win32security.pyd

Filesize
111KB

MD5
eadba08cb84bd26b7bfe364e7a45789c

SHA1
0d937ad88efbbfb2324e0f75995be726d43a94d1

SHA256
746fe418746dc619eeffb164785cbc7b591d6ca00284d6097facc015f0fb8175

SHA512
2b9d934e2ac456a22ea65aa287bb359ea993a2684aa91d744c4988bc5da76384d4c34123b96ecf60e56c4383ab794e4028182bc608cc244c8586aa1b87bd3d93

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5dkb4nw2.dex.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/944-657-0x0000000005540000-0x0000000005894000-memory.dmp

Filesize
3.3MB

Download
memory/944-750-0x0000000005C10000-0x0000000005C5C000-memory.dmp

Filesize
304KB

Download
memory/4456-127-0x0000000006B90000-0x0000000006BDC000-memory.dmp

Filesize
304KB

Download
memory/4456-125-0x00000000064D0000-0x0000000006824000-memory.dmp

Filesize
3.3MB

Download
memory/4532-98-0x0000000006390000-0x00000000063AE000-memory.dmp

Filesize
120KB

Download
memory/4532-83-0x00007FF94BAB0000-0x00007FF94BCA5000-memory.dmp

Filesize
2.0MB

Download
memory/4532-82-0x0000000002D80000-0x0000000002DB6000-memory.dmp

Filesize
216KB

Download
memory/4532-81-0x00007FF94BAB0000-0x00007FF94BCA5000-memory.dmp

Filesize
2.0MB

Download
memory/4532-84-0x0000000005440000-0x0000000005A68000-memory.dmp

Filesize
6.2MB

Download
memory/4532-85-0x0000000005370000-0x0000000005392000-memory.dmp

Filesize
136KB

Download
memory/4532-86-0x0000000005A70000-0x0000000005AD6000-memory.dmp

Filesize
408KB

Download
memory/4532-87-0x0000000005AE0000-0x0000000005B46000-memory.dmp

Filesize
408KB

Download
memory/4532-97-0x0000000005D70000-0x00000000060C4000-memory.dmp

Filesize
3.3MB

Download
memory/4532-105-0x00007FF94BAB0000-0x00007FF94BCA5000-memory.dmp

Filesize
2.0MB

Download
memory/4532-99-0x00000000066F0000-0x000000000673C000-memory.dmp

Filesize
304KB

Download
memory/4532-100-0x0000000007B70000-0x00000000081EA000-memory.dmp

Filesize
6.5MB

Download
memory/4532-101-0x00000000068A0000-0x00000000068BA000-memory.dmp

Filesize
104KB

Download