Analysis Overview
SHA256
a0716b835b01a9873d6db1f42bcbfed80b98e30ef35d28299943317be11e8358
Threat Level: Known bad
The file Gtad Robux.exe was found to be: Known bad.
Malicious Activity Summary
A stealer written in Python and packaged with Pyinstaller
Blankgrabber family
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Detects Pyinstaller
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Enumerates processes with tasklist
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-01 09:26
Signatures
A stealer written in Python and packaged with Pyinstaller
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Blankgrabber family
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 09:25
Reported
2024-06-01 09:38
Platform
win10-20240404-en
Max time kernel
88s
Max time network
83s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
Loads dropped DLL
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\system32\mspaint.exe | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\Gtad Robux.exe | "C:\Users\Admin\AppData\Local\Temp\Gtad Robux.exe" |
| C:\Users\Admin\AppData\Local\Temp\Gtad Robux.exe | "C:\Users\Admin\AppData\Local\Temp\Gtad Robux.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Gtad Robux.exe'" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Gtad Robux.exe' |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "start bound.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend |
| C:\Windows\SysWOW64\tasklist.exe | tasklist /FO LIST |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe' |
| C:\Users\Admin\AppData\Local\Temp\bound.exe | bound.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" |
| C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic csproduct get uuid |
| C:\Users\Admin\AppData\Local\Temp\bound.exe | bound.exe |
| C:\Windows\system32\mspaint.exe | "C:\Windows\system32\mspaint.exe" |
| \??\c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | blank-tn2ov.in | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI49202\python310.dll
| MD5 | 934f7575ca8310462b184ec35fa910aa |
| SHA1 | dec2ca44143f7ae4bc12aa482487bca1c18a7a98 |
| SHA256 | 63a625f652ec13115d14bcc85a076e6ced62691e3d57e3a9c08c7506878761af |
| SHA512 | b3d1f627859624f7ec4169e7008793d17391d3b56555b66ed3ea9efa614483e49081601e4b543d3d15ace14d1749bf2866cd93169af564fa6a5b73ee13ff1539 |
C:\Users\Admin\AppData\Local\Temp\_MEI49202\VCRUNTIME140.dll
| MD5 | afa8fb684eded0d4ca6aa03aebea446f |
| SHA1 | 98bbb8543d4b3fbecebb952037adb0f9869a63a5 |
| SHA256 | 44de8d0dc9994bff357344c44f12e8bfff8150442f7ca313298b98e6c23a588e |
| SHA512 | 6669eec07269002c881467d4f4af82e5510928ea32ce79a7b1f51a71ba9567e8d99605c5bc86f940a7b70231d70638aeb2f6c2397ef197bd4c28f5e9fad40312 |
C:\Users\Admin\AppData\Local\Temp\_MEI49202\base_library.zip
| MD5 | 5e0227944397e9075e254fe03249e61a |
| SHA1 | 01c3ab9740c31ed29a09b29f1ea3a0fcc6b3b08b |
| SHA256 | 94085e85495cc0fdf278071bb80b230f8d1cfcac87189fe0a85581b77e876d95 |
| SHA512 | 1acbc098a89602c5d851f9421dc616f15b2026a78f78e7215c121fefb5a815a6ce89914ecdbd4330e04158b008d34b295b2cf1e3666d7878e5bebd4dcd76ceb3 |
C:\Users\Admin\AppData\Local\Temp\_MEI49202\_ctypes.pyd
| MD5 | 4cc177b6bc8e54290bf211b0e910c87e |
| SHA1 | a4445f42721e6d3e36ad82730ceb78e0e5d5b275 |
| SHA256 | d823f14f3e7a0beff0897d70127ec8b5ba49ee8655d4ec271331194d29eb8640 |
| SHA512 | f847225a9d706a7d9ac0caa13b4be8661f80d454d9f74328f8b17397e4a71e342cc84fc64fd0d613db174a0e01ca434cd754e52d0d2048f77543d8adfb917569 |
C:\Users\Admin\AppData\Local\Temp\_MEI49202\libffi-7.dll
| MD5 | bc20614744ebf4c2b8acd28d1fe54174 |
| SHA1 | 665c0acc404e13a69800fae94efd69a41bdda901 |
| SHA256 | 0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57 |
| SHA512 | 0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b |
C:\Users\Admin\AppData\Local\Temp\_MEI49202\blank.aes
| MD5 | 99bf43c610fca1ad5d0435d9165d42fb |
| SHA1 | 2fc4ab44def7d69dd3285b48d7940505d7f6a07a |
| SHA256 | 7d7a744719cf88f51b34c6f1fb63b1732a2ce42f43450b838ac785af6ecda5b0 |
| SHA512 | ae27967e3a6414e52688598c069c34c5536f5d638adc03a60e0758a9afa6f2624c8f0dfe9690232d9597bbd83f42d38dce4fc89c06b839754fa4152601359962 |
C:\Users\Admin\AppData\Local\Temp\_MEI49202\rar.exe
| MD5 | 9c223575ae5b9544bc3d69ac6364f75e |
| SHA1 | 8a1cb5ee02c742e937febc57609ac312247ba386 |
| SHA256 | 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213 |
| SHA512 | 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09 |
C:\Users\Admin\AppData\Local\Temp\_MEI49202\rarreg.key
| MD5 | 4531984cad7dacf24c086830068c4abe |
| SHA1 | fa7c8c46677af01a83cf652ef30ba39b2aae14c3 |
| SHA256 | 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211 |
| SHA512 | 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122 |
C:\Users\Admin\AppData\Local\Temp\_MEI49202\libssl-1_1.dll
| MD5 | 8471e73a5594c8fbbb3a8b3df4fb7372 |
| SHA1 | 488772cb5bbb50f14a4a9546051edef4ae75dd20 |
| SHA256 | 380bb2c4ce42dd1ef77c33086cf95aa4fe50290a30849a3e77a18900141af793 |
| SHA512 | 24025b8f0cc076a6656eba288f5850847c75f8581c9c3e36273350db475050deee903d034ad130d56d1dede20c0d33b56b567c2ef72eb518f76d887f9254b11b |
C:\Users\Admin\AppData\Local\Temp\_MEI49202\unicodedata.pyd
| MD5 | 0d9e0bffac07835866f869856ff15e80 |
| SHA1 | b1c191b3e622436ff481efa0a1876ed8f3ae460f |
| SHA256 | 62380943a167c7acd7556c42df4f2cd592d269811d74215e48ad7088163f24c5 |
| SHA512 | 519e4798953f3b1d4144b5264ae8641e945f6a9136980c7f11e9fe41019cec35aaf71e9f49ee4147ddcbd9064c0de54a016a4ff9230df98fce1d58128ac4ab86 |
C:\Users\Admin\AppData\Local\Temp\_MEI49202\_bz2.pyd
| MD5 | 72d50e0665ac1765ea38534a332ce8a4 |
| SHA1 | 055bbc256a5ecafb14f7a63e3124e0a8e2590a62 |
| SHA256 | 90f1cdc5248c10e591385fbe76cb18bcaa171f8eac0a0d96d2bf738bf5c74c0a |
| SHA512 | 2a739936066b2b1ef99612c086d64e2c395cfbac651bc007078f8b1924845481a6ed381580f167af054f4c80f58479f9f12be22303e43d28f5f1b5f26d5e6670 |
C:\Users\Admin\AppData\Local\Temp\_MEI49202\sqlite3.dll
| MD5 | 03535b9dad84a5e2a869a587d8035bd4 |
| SHA1 | 6419e59741b9bcc3d84f7fea58e9148f44b5570f |
| SHA256 | c69728c71863c40c397799376ea95c52c57afd7c998e8b4aa676930eb4526abb |
| SHA512 | fb39576bc879ba16e83811410dfeeaa27b56062dfac10062c7351f7e4ce3550177a898b81d87b1cd3a285271beedb29d3b67c32329d104ba049ce7f8cbc6e672 |
C:\Users\Admin\AppData\Local\Temp\_MEI49202\select.pyd
| MD5 | 2c1fcd150cca37a6c6edaa534dc9d887 |
| SHA1 | 948eaf776c8a56149a8872feb50c8fc16d0a243c |
| SHA256 | 585c8325b7eadc42d508577186868d096eb4272e35f6b91c1eed781f57f40a66 |
| SHA512 | d2d963850a1f700196eaf2419af62cddf86db47ca2fd254e71a07f056fc719fd7338756e021a5ccdd2d57e9f3f0102384c692abdf7d4057a4c90cbefcc739a8d |
C:\Users\Admin\AppData\Local\Temp\_MEI49202\libcrypto-1_1.dll
| MD5 | 31c2130f39942ac41f99c77273969cd7 |
| SHA1 | 540edcfcfa75d0769c94877b451f5d0133b1826c |
| SHA256 | dd55258272eeb8f2b91a85082887463d0596e992614213730000b2dbc164bcad |
| SHA512 | cb4e0b90ea86076bd5c904b46f6389d0fd4afffe0bd3a903c7ff0338c542797063870498e674f86d58764cdbb73b444d1df4b4aa64f69f99b224e86ddaf74bb5 |
C:\Users\Admin\AppData\Local\Temp\_MEI49202\bound.blank
| MD5 | 682e2c57175581b8e6b95eac22b938cf |
| SHA1 | 15f34a04e81e9c677621dec77762634b38472245 |
| SHA256 | 01a0369b99f2c1038e72afd80a6d79452bd8b94b7dc678d80be78f8f6393d5fa |
| SHA512 | 992fbc770589b457f7173a8a3c8e2bf45f72822a1eaea0eb3f0d66ebe159868d9b334684de7691bfad999329bbb4706ed2d9e201f8ec4826ff65c9bb1463eab9 |
C:\Users\Admin\AppData\Local\Temp\_MEI49202\_decimal.pyd
| MD5 | 36025e9d9afa1b181335cffb07adafdc |
| SHA1 | 3af9726ecb6b16aadbe6405ec2c828e39a75161c |
| SHA256 | a08d00cf489e55d15e32fe3438ec72722e16459e79ec77ce0090b5c01b7c633e |
| SHA512 | ca1873a6193e35c7393a292475d74ca43a141d2a8c4fc3f09756544aecb2ad73334d78316a63b584610d29eef43c0009619c0699fb56cc6735005c80bb9ef134 |
C:\Users\Admin\AppData\Local\Temp\_MEI49202\_hashlib.pyd
| MD5 | 4314887edc666e92cf2fc202f7526949 |
| SHA1 | 1d7dffe99547b0f3eb0cac41d9dc39633a7aed9a |
| SHA256 | 63eb8e2c3362221453cbf3ccce59be0d32b5a6ba5a56acfc2c9409e6b0d1c14b |
| SHA512 | cb8fadbcb1b9eb51f9bff0c34de13db3d75fbd21e55b5b1dad7e1d2720b5f115134c145a1250270bd47c105fa62051040628fe3d44936af6dc56ba46a7794134 |
C:\Users\Admin\AppData\Local\Temp\_MEI49202\_lzma.pyd
| MD5 | c132ba1c7d8e958be2e099003695bfcd |
| SHA1 | 029b4e4b4ad5123474e4680a6b80678bc58e341f |
| SHA256 | ae6cdc8cc21177717d82246633d1b38902dc8e35a84d4a6cd8ea1c09619ff771 |
| SHA512 | 70afa4401a3d86b4b7761f95ce2c218232d782a98e4de7a4c0cfee8683633266579f37e9abe1be1def4dbb64cea978c6feafdeea5c23d5611344d06a57ed7f7d |
C:\Users\Admin\AppData\Local\Temp\_MEI49202\_queue.pyd
| MD5 | 0ee3265aa08e199a46e725783c6681ce |
| SHA1 | c0435c711a45bd128ef99703ae3ba89896898d1e |
| SHA256 | d4f2dfb15939d639e15713916e4c0755635f278086ed7d3d994ebdb493778f59 |
| SHA512 | 8dffb3fe347a15c4e75cc0a82c5dcc2c53f68c6789a9cde863cf1a9d1690b54b4b0f8f878f1b5f59ab3f8df13d2ba0892284ca17a508ac2b86ad9de0b6f1c2bb |
C:\Users\Admin\AppData\Local\Temp\_MEI49202\_socket.pyd
| MD5 | 87040cae57e97bed41987184d828a741 |
| SHA1 | e754e4a05f1cdd1d20328092e30c279deb9606c9 |
| SHA256 | 34a8dcc36321976d2b73a9ecdf3eddba9643f2972b429e1acac22959cba41000 |
| SHA512 | a6c37c74dd8b3bb852d06bf84a83a3d7c72481b927b27ffcaa5d1179b463d579292b2a6723b49905462419a5c83e1a917a4166bd10661c3ec198268620304b5f |
C:\Users\Admin\AppData\Local\Temp\_MEI49202\_sqlite3.pyd
| MD5 | 064baef1101bdbe1306459f9270d030f |
| SHA1 | 00534ad450629e65e4347aec71b4417aaf302e7c |
| SHA256 | c79fe582d64b74ea9ca90e9ceafca9c35c7872e5726b774dd1b0acc3d2ebe1c7 |
| SHA512 | 9f95bff833633f8c1eb3b36adf2a1bb7469f8f71bc6f74349b53f09697199536226b1ff979382dbc9d90496a9e74ebcf087a9c8352ae4efca96e686dcc8985f1 |
C:\Users\Admin\AppData\Local\Temp\_MEI49202\_ssl.pyd
| MD5 | 7f589dfe7461c08cdf6b51774e53352a |
| SHA1 | a6bd4ca0988cc7884c51ea9f5162f64b629c2e48 |
| SHA256 | a5542a7e6162214882dc8a1c804b349f07526a1679691343118f2bc698fde0be |
| SHA512 | 3f7d491b67375a958950cff260840c36de96d1112dbd0299e15148720590d53d11dc8ec492a22133c427b580f07ae3a2a937c013c760c5fe93faabc4f8b9eba6 |
memory/64-76-0x0000000000C40000-0x0000000000C76000-memory.dmp
memory/4540-78-0x0000000007090000-0x00000000076B8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bound.exe
| MD5 | ea90e8033ff0744627b8fa880d79f127 |
| SHA1 | 459b0cd536af15c80d77fc4c833f3a4e57798744 |
| SHA256 | c6ca26ee22c273aa3c500194f647d287990682e1f7fa816cbd338bdb11d56ac5 |
| SHA512 | 6e473ef4f959e5e002d5fc8e8d83e0509b2865492dea0aaf41de6828ea338097d7cb166be9e67b05b5edddd9191d9f0abb0a5094dd348c2c2d67e6db3483dec8 |
memory/64-160-0x0000000006BC0000-0x0000000006BE2000-memory.dmp
memory/372-270-0x0000000007650000-0x00000000076B6000-memory.dmp
memory/372-269-0x00000000075D0000-0x0000000007636000-memory.dmp
memory/372-368-0x00000000076C0000-0x0000000007A10000-memory.dmp
memory/64-566-0x00000000078F0000-0x000000000793B000-memory.dmp
memory/64-525-0x0000000007880000-0x000000000789C000-memory.dmp
memory/64-842-0x0000000007BF0000-0x0000000007C66000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_toq5cmzu.ubs.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Temp\_MEI28282\python312.dll
| MD5 | 3c388ce47c0d9117d2a50b3fa5ac981d |
| SHA1 | 038484ff7460d03d1d36c23f0de4874cbaea2c48 |
| SHA256 | c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb |
| SHA512 | e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35 |
C:\Users\Admin\AppData\Local\Temp\_MEI28282\VCRUNTIME140.dll
| MD5 | be8dbe2dc77ebe7f88f910c61aec691a |
| SHA1 | a19f08bb2b1c1de5bb61daf9f2304531321e0e40 |
| SHA256 | 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83 |
| SHA512 | 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655 |
C:\Users\Admin\AppData\Local\Temp\_MEI28282\base_library.zip
| MD5 | 8dad91add129dca41dd17a332a64d593 |
| SHA1 | 70a4ec5a17ed63caf2407bd76dc116aca7765c0d |
| SHA256 | 8de4f013bfecb9431aabaa97bb084fb7de127b365b9478d6f7610959bf0d2783 |
| SHA512 | 2163414bc01fc30d47d1de763a8332afe96ea7b296665b1a0840d5197b7e56f4963938e69de35cd2bf89158e5e2240a1650d00d86634ac2a5e2ad825455a2d50 |
C:\Users\Admin\AppData\Local\Temp\_MEI28282\_tkinter.pyd
| MD5 | 1df0201667b4718637318dbcdc74a574 |
| SHA1 | fd44a9b3c525beffbca62c6abe4ba581b9233db2 |
| SHA256 | 70439ee9a05583d1c4575dce3343b2a1884700d9e0264c3ada9701829483a076 |
| SHA512 | 530431e880f2bc193fae53b6c051bc5f62be08d8ca9294f47f18bb3390dcc0914e8e53d953eee2fcf8e1efbe17d98eb60b3583bccc7e3da5e21ca4dc45adfaf4 |
C:\Users\Admin\AppData\Local\Temp\_MEI28282\_socket.pyd
| MD5 | dc06f8d5508be059eae9e29d5ba7e9ec |
| SHA1 | d666c88979075d3b0c6fd3be7c595e83e0cb4e82 |
| SHA256 | 7daff6aa3851a913ed97995702a5dfb8a27cb7cf00fb496597be777228d7564a |
| SHA512 | 57eb36bc1e9be20c85c34b0a535b2349cb13405d60e752016e23603c4648939f1150e4dbebc01ec7b43eb1a6947c182ccb8a806e7e72167ad2e9d98d1fd94ab3 |
C:\Users\Admin\AppData\Local\Temp\_MEI28282\_lzma.pyd
| MD5 | 05e8b2c429aff98b3ae6adc842fb56a3 |
| SHA1 | 834ddbced68db4fe17c283ab63b2faa2e4163824 |
| SHA256 | a6e2a5bb7a33ad9054f178786a031a46ea560faeef1fb96259331500aae9154c |
| SHA512 | badeb99795b89bc7c1f0c36becc7a0b2ce99ecfd6f6bb493bda24b8e57e6712e23f4c509c96a28bc05200910beddc9f1536416bbc922331cae698e813cbb50b3 |
C:\Users\Admin\AppData\Local\Temp\_MEI28282\_hashlib.pyd
| MD5 | eedb6d834d96a3dffffb1f65b5f7e5be |
| SHA1 | ed6735cfdd0d1ec21c7568a9923eb377e54b308d |
| SHA256 | 79c4cde23397b9a35b54a3c2298b3c7a844454f4387cb0693f15e4facd227dd2 |
| SHA512 | 527bd7bb2f4031416762595f4ce24cbc6254a50eaf2cc160b930950c4f2b3f5e245a486972148c535f8cd80c78ec6fa8c9a062085d60db8f23d4b21e8ae4c0ad |
C:\Users\Admin\AppData\Local\Temp\_MEI28282\_decimal.pyd
| MD5 | 3055edf761508190b576e9bf904003aa |
| SHA1 | f0dc8d882b5cd7955cc6dfc8f9834f70a83c7890 |
| SHA256 | e4104e47399d3f635a14d649f61250e9fd37f7e65c81ffe11f099923f8532577 |
| SHA512 | 87538fe20bd2c1150a8fefd0478ffd32e2a9c59d22290464bf5dfb917f6ac7ec874f8b1c70d643a4dc3dd32cbe17e7ea40c0be3ea9dd07039d94ab316f752248 |
C:\Users\Admin\AppData\Local\Temp\_MEI28282\_bz2.pyd
| MD5 | 223fd6748cae86e8c2d5618085c768ac |
| SHA1 | dcb589f2265728fe97156814cbe6ff3303cd05d3 |
| SHA256 | f81dc49eac5ecc528e628175add2ff6bda695a93ea76671d7187155aa6326abb |
| SHA512 | 9c22c178417b82e68f71e5b7fe7c0c0a77184ee12bd0dc049373eace7fa66c89458164d124a9167ae760ff9d384b78ca91001e5c151a51ad80c824066b8ecce6 |
C:\Users\Admin\AppData\Local\Temp\_MEI28282\unicodedata.pyd
| MD5 | 16be9a6f941f1a2cb6b5fca766309b2c |
| SHA1 | 17b23ae0e6a11d5b8159c748073e36a936f3316a |
| SHA256 | 10ffd5207eeff5a836b330b237d766365d746c30e01abf0fd01f78548d1f1b04 |
| SHA512 | 64b7ecc58ae7cf128f03a0d5d5428aaa0d4ad4ae7e7d19be0ea819bbbf99503836bfe4946df8ee3ab8a92331fdd002ab9a9de5146af3e86fef789ce46810796b |
C:\Users\Admin\AppData\Local\Temp\_MEI28282\tk86t.dll
| MD5 | 9fb68a0252e2b6cd99fd0cb6708c1606 |
| SHA1 | 60ab372e8473fad0f03801b6719bf5cccfc2592e |
| SHA256 | c6ffe2238134478d8cb1c695d57e794516f3790e211ff519f551e335230de7de |
| SHA512 | f5de1b1a9dc2d71ae27dfaa7b01e079e4970319b6424b44c47f86360faf0b976ed49dab6ee9f811e766a2684b647711e567cbaa6660f53ba82d724441c4ddd06 |
C:\Users\Admin\AppData\Local\Temp\_MEI28282\tcl86t.dll
| MD5 | 21dc82dd9cc445f92e0172d961162222 |
| SHA1 | 73bc20b509e1545b16324480d9620ae25364ebf1 |
| SHA256 | c2966941f116fab99f48ab9617196b43a5ee2fd94a8c70761bda56cb334daa03 |
| SHA512 | 3051a9d723fb7fc11f228e9f27bd2644ac5a0a95e7992d60c757240577b92fc31fa373987b338e6bc5707317d20089df4b48d1b188225ff370ad2a68d5ff7ba6 |
C:\Users\Admin\AppData\Local\Temp\_MEI28282\select.pyd
| MD5 | 92b440ca45447ec33e884752e4c65b07 |
| SHA1 | 5477e21bb511cc33c988140521a4f8c11a427bcc |
| SHA256 | 680df34fb908c49410ac5f68a8c05d92858acd111e62d1194d15bdce520bd6c3 |
| SHA512 | 40e60e1d1445592c5e8eb352a4052db28b1739a29e16b884b0ba15917b058e66196988214ce473ba158704837b101a13195d5e48cb1dc2f07262dfecfe8d8191 |
C:\Users\Admin\AppData\Local\Temp\_MEI28282\libcrypto-3.dll
| MD5 | e547cf6d296a88f5b1c352c116df7c0c |
| SHA1 | cafa14e0367f7c13ad140fd556f10f320a039783 |
| SHA256 | 05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de |
| SHA512 | 9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d |
C:\Users\Admin\AppData\Local\Temp\_MEI28282\zlib1.dll
| MD5 | 297e845dd893e549146ae6826101e64f |
| SHA1 | 6c52876ea6efb2bc8d630761752df8c0a79542f1 |
| SHA256 | 837efb838cb91428c8c0dfb65d5af1e69823ff1594780eb8c8e9d78f7c4b2fc1 |
| SHA512 | f6efef5e34ba13f1dfddacfea15f385de91d310d73a6894cabb79c2186accc186c80cef7405658d91517c3c10c66e1acb93e8ad2450d4346f1aa85661b6074c3 |
C:\Users\Admin\AppData\Local\Temp\_MEI28282\tcl\encoding\cp1252.enc
| MD5 | e9117326c06fee02c478027cb625c7d8 |
| SHA1 | 2ed4092d573289925a5b71625cf43cc82b901daf |
| SHA256 | 741859cf238c3a63bbb20ec6ed51e46451372bb221cfff438297d261d0561c2e |
| SHA512 | d0a39bc41adc32f2f20b1a0ebad33bf48dfa6ed5cc1d8f92700cdd431db6c794c09d9f08bb5709b394acf54116c3a1e060e2abcc6b503e1501f8364d3eebcd52 |
memory/64-1101-0x0000000071DE0000-0x0000000071E2B000-memory.dmp
memory/372-1100-0x0000000071DE0000-0x0000000071E2B000-memory.dmp
memory/372-1099-0x0000000009060000-0x0000000009093000-memory.dmp
memory/64-1104-0x0000000008A20000-0x0000000008A3E000-memory.dmp
memory/64-1113-0x0000000008D90000-0x0000000008E35000-memory.dmp
memory/4540-1114-0x0000000071DE0000-0x0000000071E2B000-memory.dmp
memory/64-1119-0x0000000008F70000-0x0000000009004000-memory.dmp
memory/372-1660-0x0000000009330000-0x000000000934A000-memory.dmp
memory/372-1705-0x0000000009310000-0x0000000009318000-memory.dmp
memory/1560-1753-0x00007FFA4C0B0000-0x00007FFA4C0DA000-memory.dmp
memory/1560-1759-0x00007FFA4C0B0000-0x00007FFA4C0DA000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 09:25
Reported
2024-06-01 09:36
Platform
win10-20240404-en