Analysis Overview
SHA256
dba66a3b6da35a30734871b840747dcc9d1e704a717349e92d79b9a5e0bcd595
Threat Level: Shows suspicious behavior
The file Roblox-Cookie-Logger-main.zip was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
UPX packed file
Reads user/profile data of web browsers
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Unsigned PE
Detects Pyinstaller
Enumerates physical storage devices
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies registry key
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-10 18:12
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 18:12
Reported
2024-05-10 18:15
Platform
win7-20240419-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Roblox-Cookie-Logger-main\Arctic.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Roblox-Cookie-Logger-main\Arctic.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 108 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\Roblox-Cookie-Logger-main\Arctic.exe | C:\Users\Admin\AppData\Local\Temp\Roblox-Cookie-Logger-main\Arctic.exe |
| PID 108 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\Roblox-Cookie-Logger-main\Arctic.exe | C:\Users\Admin\AppData\Local\Temp\Roblox-Cookie-Logger-main\Arctic.exe |
| PID 108 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\Roblox-Cookie-Logger-main\Arctic.exe | C:\Users\Admin\AppData\Local\Temp\Roblox-Cookie-Logger-main\Arctic.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Roblox-Cookie-Logger-main\Arctic.exe
"C:\Users\Admin\AppData\Local\Temp\Roblox-Cookie-Logger-main\Arctic.exe"
C:\Users\Admin\AppData\Local\Temp\Roblox-Cookie-Logger-main\Arctic.exe
"C:\Users\Admin\AppData\Local\Temp\Roblox-Cookie-Logger-main\Arctic.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI1082\python39.dll
| MD5 | c938648ffb242bc402358c7a4f1ffb9c |
| SHA1 | bdd3f674702c4715669ddf062f94b8218dec46d5 |
| SHA256 | 8bb31916d8495625a7e280763e10346852b7bb76729a8c850929b015f4ef3378 |
| SHA512 | 89ab5a7c8f2ae836e83f80c3d1111f5ebd691d75aeefe9fef6f863d4ba8c71ef3b47d2bfc8cbe0a223dfd49ac01ca623d9859e6f26797bb757b3a6cdd6464df5 |
memory/2740-125-0x000007FEF6120000-0x000007FEF65AF000-memory.dmp
memory/2740-126-0x000007FEF6120000-0x000007FEF65AF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 18:12
Reported
2024-05-10 18:15
Platform
win10v2004-20240426-en
Max time kernel
138s
Max time network
108s
Command Line
Signatures
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\empyrean = "C:\\Users\\Admin\\AppData\\Roaming\\empyrean\\run.bat" | C:\Windows\system32\reg.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Roblox-Cookie-Logger-main\Arctic.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Roblox-Cookie-Logger-main\Arctic.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Roblox-Cookie-Logger-main\Arctic.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Roblox-Cookie-Logger-main\Arctic.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Roblox-Cookie-Logger-main\Arctic.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Roblox-Cookie-Logger-main\Arctic.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Roblox-Cookie-Logger-main\Arctic.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Roblox-Cookie-Logger-main\Arctic.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Roblox-Cookie-Logger-main\Arctic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Roblox-Cookie-Logger-main\Arctic.exe
"C:\Users\Admin\AppData\Local\Temp\Roblox-Cookie-Logger-main\Arctic.exe"
C:\Users\Admin\AppData\Local\Temp\Roblox-Cookie-Logger-main\Arctic.exe
"C:\Users\Admin\AppData\Local\Temp\Roblox-Cookie-Logger-main\Arctic.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f"
C:\Windows\system32\reg.exe
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f"
C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| BE | 2.17.196.96:443 | www.bing.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 96.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.137.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| BE | 2.17.196.96:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI26162\python39.dll
| MD5 | c938648ffb242bc402358c7a4f1ffb9c |
| SHA1 | bdd3f674702c4715669ddf062f94b8218dec46d5 |
| SHA256 | 8bb31916d8495625a7e280763e10346852b7bb76729a8c850929b015f4ef3378 |
| SHA512 | 89ab5a7c8f2ae836e83f80c3d1111f5ebd691d75aeefe9fef6f863d4ba8c71ef3b47d2bfc8cbe0a223dfd49ac01ca623d9859e6f26797bb757b3a6cdd6464df5 |
C:\Users\Admin\AppData\Local\Temp\_MEI26162\VCRUNTIME140.dll
| MD5 | a87575e7cf8967e481241f13940ee4f7 |
| SHA1 | 879098b8a353a39e16c79e6479195d43ce98629e |
| SHA256 | ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e |
| SHA512 | e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0 |
memory/3040-127-0x00007FFB075C0000-0x00007FFB07A4F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI26162\tinyaes.cp39-win_amd64.pyd
| MD5 | 30156b741d136294f692cea4f80e5014 |
| SHA1 | 8c057b5a0fdaffc26db3febcf04463f65a4a89ee |
| SHA256 | 49d4dff20f47ad831d7aff9215b95a283f56f1bc3fb2ca24c48418ad8f92ad4f |
| SHA512 | 31014c8b702bbe9e347c341b4b157cd7ecda44694b577d48b638219e99357440b9e80eaac9a73aca0c1a53ca4c27502644ab9a660c21010d7b53eab1d9c7885a |
C:\Users\Admin\AppData\Local\Temp\_MEI26162\base_library.zip
| MD5 | 7e05b20d5ccc9ec98fefb5266eea8c0d |
| SHA1 | d3301b48ad8b5caf0a191092fb44e7052811c448 |
| SHA256 | 321e76698a876b3869f00efecfcf1971a73eb8473d6e0b4757717825e4a70fac |
| SHA512 | e196dccd0f4166cae3eb4b5a84fb7d4fd8c1530d5e13306f01d2ce702f92b273f4376d25adc2ec9b1b037b3a57182f239e59c3450565414f9b4b5727f9af8f28 |
C:\Users\Admin\AppData\Local\Temp\_MEI26162\python3.DLL
| MD5 | 2ddd2ee635db86575c416f075c41ac8c |
| SHA1 | 99d03f524823059066995181ba21be29d90f2488 |
| SHA256 | be0b573bc6f005235354c246e1f9f626793687f50ad632feb2e767398f414fe3 |
| SHA512 | b84d4b3ca1298897cfafe195394ec6fdb51ed42ce0ca9ea0ab60dc2a8c31b2c865c4cc4fe0df3ffe1c813d21ca6013661e0cb83a91614472c7f6e3a7c78c1f06 |
C:\Users\Admin\AppData\Local\Temp\_MEI26162\libffi-7.dll
| MD5 | b5150b41ca910f212a1dd236832eb472 |
| SHA1 | a17809732c562524b185953ffe60dfa91ba3ce7d |
| SHA256 | 1a106569ac0ad3152f3816ff361aa227371d0d85425b357632776ac48d92ea8a |
| SHA512 | 9e82b0caa3d72bb4a7ad7d66ebfb10edb778749e89280bca67c766e72dc794e99aab2bc2980d64282a384699929ce6cc996462a73584898d2df67a57bff2a9c6 |
C:\Users\Admin\AppData\Local\Temp\_MEI26162\_ctypes.pyd
| MD5 | cace7ff57cac9775efb56be376e101d2 |
| SHA1 | 80d26652fdf9788dffebfb0d2d3165b9db178b7c |
| SHA256 | e9010fcdcab116c429775030b8f3879a04399e73e5bd71d68c0ed8acb33f21d6 |
| SHA512 | 92888b13e5f4dbe41451d7924a8a28f07a1a5f6641c6318fdb508276bc389d136ece7ef18cb0e14f0a14069cfb8ab028d9a86e1f6e4fe27c2d389270d7c55110 |
memory/3040-139-0x00007FFB1C690000-0x00007FFB1C69F000-memory.dmp
memory/3040-138-0x00007FFB1B380000-0x00007FFB1B3A6000-memory.dmp
memory/3040-134-0x00007FFB1C5C0000-0x00007FFB1C5D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI26162\_socket.pyd
| MD5 | fa7771e74fa6fcc27d53565be05a65f7 |
| SHA1 | 753c420b10fef436fc2607d286469a5370c29b6a |
| SHA256 | 72099dd9990c125e6b2cc1a3a6d7958edc7316c485bd3789da9a865a5b3f3956 |
| SHA512 | 018594b0190b856dadf858c18f728022970e5e6eac9f047658a7472d04030cb6a983fe3ca90949a3e281e1051bdc43c6630d9d7f1c59b15a6fc9477468c7be79 |
C:\Users\Admin\AppData\Local\Temp\_MEI26162\select.pyd
| MD5 | aa76a96abf4d4431c5c28c7aecc3543d |
| SHA1 | e4160ff3ee21e08f4408df4e052859aa5a6f54ef |
| SHA256 | 42217cf3a9e2849f10f4c7e303edff315952d581db18fb604e855dc71845c4e5 |
| SHA512 | e9f9f31001872f634cb44d0f9ed85966974ae8e7f639fe285e9d2395b3f46cc26085a505ab9625e0b431350f4394d2f4f7c8ef4d60d7192e294ef7800a2aafaf |
memory/3040-145-0x00007FFB1B370000-0x00007FFB1B37E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI26162\_bz2.pyd
| MD5 | ffc729a1a725e73008d19e0ead356666 |
| SHA1 | 33daabaad6a57db0ad4ebfbd753f1b0af913dcd1 |
| SHA256 | 2e798ad2ea8e4058a6da7cca0f7111f52c2d880092449244e2f9d960a7a235af |
| SHA512 | 89cd6dd2081d2a2c395b32ca548093234941af8b6b4db86e4ee2680c71a6d3b1234e056fe48387559d8f9ec97cb0062a3e7c478f8c6f4f7c4d885a1b3b63d6ae |
memory/3040-149-0x00007FFB16AC0000-0x00007FFB16ADC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI26162\_lzma.pyd
| MD5 | d81ad781c5bdc6e9f50de364d322dc24 |
| SHA1 | 6b20b64a679e57e66b667b6616a4fac2fa0a1106 |
| SHA256 | 0efbee39cd16ef121e2c04e78ee42770d4905d0cf262bda1d6d2fe2c8656a494 |
| SHA512 | 5876bc3e2176c8d8fcbbb91cd7e7d3ff8e4dfcd7190391cf204b730b64122cbe5d6a35fe6399904837d30d12e321a604c21d120081da070bdc89dfb113c7cc64 |
C:\Users\Admin\AppData\Local\Temp\_MEI26162\pyexpat.pyd
| MD5 | de178625c6f731e51d10bc6694ca161a |
| SHA1 | a43bf2c25c0246138b36af516242958371325d8e |
| SHA256 | 82909bbf92179b79619565a9013adb96f549089ee80d25005aeb4d9cb5fd062b |
| SHA512 | 3e4a4512e2e3d2d82f959cda2b024c7f06095eb2999f98fcd1ad9d378f52187f11e861637e3e31f84486d41f0a25b2885030621fe07e5fa53d646e9999e7c855 |
C:\Users\Admin\AppData\Local\Temp\_MEI26162\win32api.pyd
| MD5 | 1ece4a98d438ea8028cbc9e82853f680 |
| SHA1 | 496860f93d814013b3c86bba7fc593e56870db44 |
| SHA256 | 1d1eef92c404309918cb951836ae7099145c4c7c4ddf84ce19a8cd4b9dde1c03 |
| SHA512 | 253b1920f9992ebefb3eb0e80eb9fe599509b017a4b7f3f3fbb00ca30ae48113a8d009ce3398bd60e5f957cba55c0d54fa810c96033fdfbb351fef8f2db78326 |
memory/3040-158-0x00007FFB16950000-0x00007FFB1697A000-memory.dmp
memory/3040-157-0x00007FFB16980000-0x00007FFB169B7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI26162\pywintypes39.dll
| MD5 | 01f97001f49506cbcab51e0931563dfc |
| SHA1 | 5cb6711126c9222743bcedc2cc1154f024c6a406 |
| SHA256 | b3a79b8e5dee8641173e2b4f70981dd12cc6d740a82eac7f05c8dc17af239341 |
| SHA512 | dc963b5a80b39f39cc3082e379dcf200dd130ee1420e317578bcdb271ae17bfbaf94120b643a20eb19569af151a21ab0876934369920e891458f3267990eeac3 |
C:\Users\Admin\AppData\Local\Temp\_MEI26162\pythoncom39.dll
| MD5 | 46581e0c56de54a0f3df51e2a6796ad1 |
| SHA1 | d8bcb21ab92ae3d5838237d15280380a0157abd9 |
| SHA256 | df2e479149d90827723d4829485c50879fe2878c6d7fb6a4b0315082cc1534e3 |
| SHA512 | ccccb5e5c5df39c35f3b226d3a168b1b3342c7f4b3f99311dec6cc4553e59f5b49bf11e02c4e993a0c3acb6fdf693bcd1d4db1fbcfb2f77ea5dde8a5e3922ba3 |
memory/3040-161-0x00007FFB16920000-0x00007FFB16950000-memory.dmp
memory/3040-163-0x00007FFB167B0000-0x00007FFB1686C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI26162\sqlite3.dll
| MD5 | a97a44f9486197f8afc3379206eef7f8 |
| SHA1 | 5af5242c94730e811bbaeb2b003b3b064d0903ae |
| SHA256 | 15cf99c8d458384957dce22867c71a60f564780a62b0a0a182535454343e5c71 |
| SHA512 | 994f0583e789ef776c064661d054bf4d68727aa90e3268de15e57a643de29839512794a294fdf2166c27ca965f2d62b1807ca9988b99f5984e37db5b8b679ac3 |
C:\Users\Admin\AppData\Local\Temp\_MEI26162\_sqlite3.pyd
| MD5 | d8ec8740a7739023636ea60a13b6b973 |
| SHA1 | b39fcb857dd47da50f0deebf03ccb29ff82e2e2c |
| SHA256 | 98b60fc1a194b859f2fc9a148c7a29e7d684cde6024d0ba91de029030781538d |
| SHA512 | e5c5c9e6bb6a6ccb471f2a8a3c69547feaaee12dc81773e7ebd0562d9002a4b3e969e652734dccd01ef87a5fec17a1898515a78d05728e9ec9888c1a1a2b1112 |
C:\Users\Admin\AppData\Local\Temp\_MEI26162\_cffi_backend.cp39-win_amd64.pyd
| MD5 | 0e178a407b2b6d0b0291f952e064034f |
| SHA1 | e5a1e485075068c7ddc05ed9bd9e59773ae44164 |
| SHA256 | fa472ede1ed7a73ba13fb63bb14ec5b32b8445070ef8b2f12a5509a25c7d487d |
| SHA512 | 03f0bb1374aaf623f2f39caf86fd84026566f5bd56a807cfdd3c2c218f0bc83d926ff1f5bc2713051e9e9d95255d44568226d422c48e9bb0bd41864e95813945 |
memory/3040-172-0x00007FFB06E60000-0x00007FFB06FDF000-memory.dmp
memory/3040-171-0x00007FFB16AA0000-0x00007FFB16ABD000-memory.dmp
memory/3040-175-0x00007FFB166B0000-0x00007FFB166E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI26162\Crypto\Cipher\_raw_ecb.pyd
| MD5 | 7b33e1b222189dbcc24500a2ed7c1474 |
| SHA1 | f861eaa8a495eaf5a947f70a015addce814da56b |
| SHA256 | 974b1278a0bab19b066a4a18c6418e558a485cbdbd8de08a5c7f8bcee1f01620 |
| SHA512 | 96ab13a21c13ef0b0a11eeb3553fbf30f2c4afda3bbc5fd3fe574427b6786cd8d35daeb20af8f2289a49319ddb96282610cc99eb2e4e5e275d3da83250d9175e |
C:\Users\Admin\AppData\Local\Temp\_MEI26162\Crypto\Cipher\_raw_cbc.pyd
| MD5 | dca619ab054f52dd5721c51b6a74b895 |
| SHA1 | 1b44dafff1ea8780629684e3b4fc8b7255e92db9 |
| SHA256 | acf1d16f3ad979ce6591c5758de2f4faf748a4a38d184ff86062fb35716ca339 |
| SHA512 | ee76e56f4962a917eedbef1ac5d0f0886db9583b9eb38d961e853a322cc12dbbb39e9ab449a70a08901533bc795c65bd9d959ac6f84725cbf736d1e276e334bf |
C:\Users\Admin\AppData\Local\Temp\_MEI26162\Crypto\Cipher\_raw_cfb.pyd
| MD5 | cf32c2629ecfcb077b91787fd52248c0 |
| SHA1 | 9f3d01a49f47df99ab0542b0d9d6292e40e5df89 |
| SHA256 | fea87430ecf6d7b6b87a7e592e9e9333ee5de3d34968a058e23db46ff8d70328 |
| SHA512 | 857e19958dd0c3def2be273da04cb5ed3496dbd6d639887fe94a46578ada20edcee127681d998c111ef6228d453d915a87c98aea50ec1b8f2fd10f4382f8a724 |
C:\Users\Admin\AppData\Local\Temp\_MEI26162\Crypto\Cipher\_raw_ctr.pyd
| MD5 | e5a0eee1568b172ead6b7a1883c25f6a |
| SHA1 | b73d9b3cec2878d95819487616813658ccbbd4f5 |
| SHA256 | cfce1c8fa046535cd0f62a8639445e4b3e1d9c4af5c96cc67257c0e39bd2dd44 |
| SHA512 | 19d7bc5917cf31fe317acde2f66ee8955d1f6d5d07fdc6a4d7da41c75853eab40b6af785feb3b1d470c637577a64e650c5ca4e905e536a39deaa9dc28df4510a |
C:\Users\Admin\AppData\Local\Temp\_MEI26162\Crypto\Hash\_BLAKE2s.pyd
| MD5 | 5905e263b145a794c362d3d120670492 |
| SHA1 | c2e5d3624b021ebf7a61ecd34a20aade802e1127 |
| SHA256 | 611c49223c54f1316bc92d5cfd598c37077663efd11d98f0830e3796038938bc |
| SHA512 | 40bdee938028d1c8427fe6480aa98d3f55047444058d35b757f8fa082247be8879528438847efc872727dd10f44d21c0a050fa8165e208edff482b12d5a97e06 |
C:\Users\Admin\AppData\Local\Temp\_MEI26162\Crypto\Hash\_SHA256.pyd
| MD5 | 3d82da53cd6fdef9af9d37fb41ab3a80 |
| SHA1 | 6fb84f782e3a2d197f77c05a4557deb610f8dc31 |
| SHA256 | 3fe74f1bff5ee00df8492488035a91ef8a9b5639932f778d384daee0ac00e91b |
| SHA512 | ca4706446022cfa06b58c0e05c28d007405f555774f6b7d2dbaaaf18cdef53c629c6f1d4970ef626bff5ece85b8389386566c395ed2ee8b1e2d310b45ee3f1dc |
C:\Users\Admin\AppData\Local\Temp\_MEI26162\Crypto\Hash\_ghash_portable.pyd
| MD5 | 4f60e65da888c0a3f8bfce9fa48487d2 |
| SHA1 | 4ba1ede63e390bcdad06933f5ef6b8a2fee96a80 |
| SHA256 | 7731b0df740cd8b1dc36d464ed7a47fee6f8a1f88ed4213039ee9ab2d8955dce |
| SHA512 | f1725c57062e2bc1e45545dd96fc151ab0ffd6d714e2d1794e26b40d7e5eb6032da60078e536b2c0187a49bcfdc7b29a6caa112646966866eaf983f5fe4608e6 |
C:\Users\Admin\AppData\Local\Temp\_MEI26162\Crypto\Hash\_ghash_clmul.pyd
| MD5 | 5af171e314a90fefed23d841f626686e |
| SHA1 | 54a39c657d8c4d4dc7dd6e0f80a012482681ee54 |
| SHA256 | 0d2a0cee2efeba596974b2b14283f2e536b9c0b5e6bcd2c5e17cc2ea1fa9b856 |
| SHA512 | d32a5d25342c7b6e145f481b2ac150c5598761aeda9f7dfcaad139c187cb5d52e5fd01da0ec3d6c1524924376c66269253df32cced2cd6f5682ca9708849b58a |
C:\Users\Admin\AppData\Local\Temp\_MEI26162\Crypto\Util\_cpuid_c.pyd
| MD5 | 326d2ec8f51cc47905a7e14d87451da0 |
| SHA1 | 6279c6b8b72b97538b5013965bcafb47800cb973 |
| SHA256 | 12d3ae38023d63ff5ea7b6ac6f26ef1f67aedef94503a991f2cda084ec6152a1 |
| SHA512 | 40f2d96ee5de6b0e7aca3f2ede7dd3f94ad0910a0d4ffaf8ab9b2a0f39c0e4fc37caf153f4d410f307400ebf47649ee237b54aea7ec00da18280c5c604fee207 |
C:\Users\Admin\AppData\Local\Temp\_MEI26162\Crypto\Protocol\_scrypt.pyd
| MD5 | fcfb7c1d954c2dd90fc3e706cb760421 |
| SHA1 | efba79868ba6be6a374970a8a1d52bd87387012c |
| SHA256 | 5f31f9765099a6a3c577b11e065ef9891c5c36dd029a54e5d24558007ba4f15b |
| SHA512 | 34ba0c9cbdc50682823301d7af9cd8a9d3c29fdbed04add0be60123620a21eecefc519970df3ce77ca942a8ec25fb306785da98455c10871b1cc7601bbfcd21f |
C:\Users\Admin\AppData\Local\Temp\_MEI26162\Crypto\Cipher\_Salsa20.pyd
| MD5 | 379cb154645f88ebdf0af8fa07a62ab6 |
| SHA1 | 2d9172f4c97eae87c9501980554acb49704646a6 |
| SHA256 | 0418ccbd95db8f96e043c9972de10350f864951a25137f77b6e4c22a7b3d3315 |
| SHA512 | 428a8fbdd53611b76a3427b5732e8a71affe24e03901d8b2c11de8182afeb3baf3877bf42edbd4c81ca5cb4bd5652e40a47ca970247a37ee0fdf1ae2b0b1a4be |
memory/3040-209-0x00007FFB165D0000-0x00007FFB165E1000-memory.dmp
memory/3040-226-0x0000019462290000-0x0000019462607000-memory.dmp
memory/3040-225-0x00007FFB06A20000-0x00007FFB06D97000-memory.dmp
memory/3040-224-0x00007FFB06DA0000-0x00007FFB06E57000-memory.dmp
memory/3040-223-0x00007FFB15B60000-0x00007FFB15B8D000-memory.dmp
memory/3040-230-0x00007FFB15B20000-0x00007FFB15B32000-memory.dmp
memory/3040-231-0x00007FFB15B00000-0x00007FFB15B14000-memory.dmp
memory/3040-229-0x00007FFB16B20000-0x00007FFB16B3A000-memory.dmp
memory/3040-232-0x00007FFB15A50000-0x00007FFB15A66000-memory.dmp
memory/3040-228-0x00007FFB15B40000-0x00007FFB15B56000-memory.dmp
memory/3040-235-0x00007FFB159E0000-0x00007FFB159FC000-memory.dmp
memory/3040-234-0x00007FFB072E0000-0x00007FFB073F8000-memory.dmp
memory/3040-233-0x00007FFB16950000-0x00007FFB1697A000-memory.dmp
memory/3040-227-0x00007FFB1B380000-0x00007FFB1B3A6000-memory.dmp
memory/3040-222-0x00007FFB15B90000-0x00007FFB15BA1000-memory.dmp
memory/3040-221-0x00007FFB16200000-0x00007FFB16215000-memory.dmp
memory/3040-220-0x00007FFB16220000-0x00007FFB16231000-memory.dmp
memory/3040-219-0x00007FFB16240000-0x00007FFB1624E000-memory.dmp
memory/3040-218-0x00007FFB16250000-0x00007FFB1625E000-memory.dmp
memory/3040-217-0x00007FFB16260000-0x00007FFB1626F000-memory.dmp
memory/3040-216-0x00007FFB16300000-0x00007FFB1630E000-memory.dmp
memory/3040-215-0x00007FFB16310000-0x00007FFB1631F000-memory.dmp
memory/3040-214-0x00007FFB16320000-0x00007FFB16330000-memory.dmp
memory/3040-213-0x00007FFB16330000-0x00007FFB16342000-memory.dmp
memory/3040-212-0x00007FFB165A0000-0x00007FFB165B0000-memory.dmp
memory/3040-211-0x00007FFB165B0000-0x00007FFB165C0000-memory.dmp
memory/3040-210-0x00007FFB165C0000-0x00007FFB165CF000-memory.dmp
memory/3040-208-0x00007FFB165F0000-0x00007FFB165FE000-memory.dmp
memory/3040-207-0x00007FFB16900000-0x00007FFB1690F000-memory.dmp
memory/3040-206-0x00007FFB16910000-0x00007FFB1691E000-memory.dmp
memory/3040-205-0x00007FFB182F0000-0x00007FFB182FF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI26162\Crypto\Hash\_MD5.pyd
| MD5 | c14d46cb478e3e115f75218d1ee20689 |
| SHA1 | 7199ccd6451717f4746e2a043c525f6a0013b523 |
| SHA256 | 0e5cb860210e2592e5bcdba048b64bff973e152ae3e8b37dab1bebd34f959b8b |
| SHA512 | 4e10305b9c0b7e665630f4c15ceaf21206f8b4de906f2022fd581415ec2a47d7593c0499012e58bf9719374d752060699711fece59beae6bd19e27fded436a0a |
C:\Users\Admin\AppData\Local\Temp\_MEI26162\Crypto\Hash\_SHA1.pyd
| MD5 | cbc56b7321ac2330aa1b44794049e023 |
| SHA1 | 3235e1c8a3b462192e8ec3e4ad98da30a80c57db |
| SHA256 | 57ca95d67546ae5a39d0ae707a75cdf0ac4226e4bd069261875c4a26429e351e |
| SHA512 | 81cb4254b8be9f324dbdd7af8584790c6204aa647e72d75eefc9e08e74538817372d093d18cebaf5d468a588b998b04499d1a4024df1185f9fd3c9d597592b96 |
C:\Users\Admin\AppData\Local\Temp\_MEI26162\Crypto\Util\_strxor.pyd
| MD5 | 2f95abc7edb97577c46118af28b3aef6 |
| SHA1 | 3c39f9852fef49f570293eb898c8a6de3582c458 |
| SHA256 | e21b65565bd68cf2ac82b7f7e629c51361bbff7c5fb2a666daea038c9ebcf5eb |
| SHA512 | 59f1fbd9270b0ac992a4ebb26e7b4d4cc21ce3e3d4de30f0e831864dcc28cdd4d8d8bffce556c16bcd06339109c8b3e2f6af8c24609633398554fd07913140ae |
C:\Users\Admin\AppData\Local\Temp\_MEI26162\Crypto\Cipher\_raw_ofb.pyd
| MD5 | a66fd121f1d2f4145b232ad7d61d4a51 |
| SHA1 | d22d9c098d96f9fad5154dbdd6aa809503a5f1c3 |
| SHA256 | 5f89c248f38ccabd90da592090102add6844ec3e4959657bb1fd39b0f9c2a3b8 |
| SHA512 | 48be88e746fb440fd7ec4a663d66f308d33f1dfb2a0498ef11cf1d798ed5e730c122128e5780828021ff7620a5fb92a0da49d588ff76437a92163a9729f03a2f |
memory/3040-174-0x00007FFB075C0000-0x00007FFB07A4F000-memory.dmp
memory/3040-154-0x00007FFB169C0000-0x00007FFB169EE000-memory.dmp
memory/3040-144-0x00007FFB16B20000-0x00007FFB16B3A000-memory.dmp
memory/3040-237-0x00007FFB0D4C0000-0x00007FFB0D4D3000-memory.dmp
memory/3040-236-0x00007FFB167B0000-0x00007FFB1686C000-memory.dmp
memory/3040-247-0x00007FFB0F4E0000-0x00007FFB0F4ED000-memory.dmp
memory/3040-246-0x00007FFB15AF0000-0x00007FFB15AFE000-memory.dmp
memory/3040-248-0x00007FFB0CDC0000-0x00007FFB0CDD6000-memory.dmp
memory/3040-245-0x00007FFB15B40000-0x00007FFB15B56000-memory.dmp
memory/3040-244-0x0000019462290000-0x0000019462607000-memory.dmp
memory/3040-243-0x00007FFB06DA0000-0x00007FFB06E57000-memory.dmp
memory/3040-242-0x00007FFB15B60000-0x00007FFB15B8D000-memory.dmp
memory/3040-241-0x00007FFB06A20000-0x00007FFB06D97000-memory.dmp
memory/3040-240-0x00007FFB166B0000-0x00007FFB166E8000-memory.dmp
memory/3040-239-0x00007FFB0CDE0000-0x00007FFB0CE1F000-memory.dmp
memory/3040-238-0x00007FFB0D4A0000-0x00007FFB0D4B5000-memory.dmp
memory/3040-249-0x00007FFB06FF0000-0x00007FFB0701A000-memory.dmp
memory/3040-251-0x00007FFB0D490000-0x00007FFB0D49D000-memory.dmp
memory/3040-250-0x00007FFB06A00000-0x00007FFB06A18000-memory.dmp
memory/3040-254-0x00007FFB06680000-0x00007FFB069A4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\empyrean-vault\google-chromeGoogle-Chrome-Vault.db
| MD5 | 73bd1e15afb04648c24593e8ba13e983 |
| SHA1 | 4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91 |
| SHA256 | aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b |
| SHA512 | 6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7 |
C:\Users\Admin\AppData\Local\Temp\empyrean-vault\microsoft-edgeMicrosoft-Edge-Vault.db
| MD5 | 9618e15b04a4ddb39ed6c496575f6f95 |
| SHA1 | 1c28f8750e5555776b3c80b187c5d15a443a7412 |
| SHA256 | a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab |
| SHA512 | f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26 |
memory/3040-295-0x00007FFB0D4C0000-0x00007FFB0D4D3000-memory.dmp
memory/3040-296-0x00007FFB0CDE0000-0x00007FFB0CE1F000-memory.dmp
memory/3040-308-0x00007FFB167B0000-0x00007FFB1686C000-memory.dmp
memory/3040-328-0x00007FFB16200000-0x00007FFB16215000-memory.dmp
memory/3040-327-0x00007FFB16220000-0x00007FFB16231000-memory.dmp
memory/3040-326-0x00007FFB16240000-0x00007FFB1624E000-memory.dmp
memory/3040-325-0x00007FFB16250000-0x00007FFB1625E000-memory.dmp
memory/3040-324-0x00007FFB16260000-0x00007FFB1626F000-memory.dmp
memory/3040-323-0x00007FFB16300000-0x00007FFB1630E000-memory.dmp
memory/3040-322-0x00007FFB16310000-0x00007FFB1631F000-memory.dmp
memory/3040-321-0x00007FFB16320000-0x00007FFB16330000-memory.dmp
memory/3040-320-0x00007FFB16330000-0x00007FFB16342000-memory.dmp
memory/3040-319-0x00007FFB165A0000-0x00007FFB165B0000-memory.dmp
memory/3040-318-0x00007FFB165B0000-0x00007FFB165C0000-memory.dmp
memory/3040-317-0x00007FFB165C0000-0x00007FFB165CF000-memory.dmp
memory/3040-316-0x00007FFB165D0000-0x00007FFB165E1000-memory.dmp
memory/3040-315-0x00007FFB165F0000-0x00007FFB165FE000-memory.dmp
memory/3040-314-0x00007FFB16900000-0x00007FFB1690F000-memory.dmp
memory/3040-313-0x00007FFB16910000-0x00007FFB1691E000-memory.dmp
memory/3040-312-0x00007FFB182F0000-0x00007FFB182FF000-memory.dmp
memory/3040-310-0x00007FFB06E60000-0x00007FFB06FDF000-memory.dmp
memory/3040-309-0x00007FFB16AA0000-0x00007FFB16ABD000-memory.dmp
memory/3040-307-0x00007FFB16920000-0x00007FFB16950000-memory.dmp
memory/3040-299-0x00007FFB1B380000-0x00007FFB1B3A6000-memory.dmp
memory/3040-297-0x00007FFB075C0000-0x00007FFB07A4F000-memory.dmp
memory/3040-363-0x00007FFB06A00000-0x00007FFB06A18000-memory.dmp
memory/3040-398-0x00007FFB15B60000-0x00007FFB15B8D000-memory.dmp
memory/3040-410-0x00007FFB06E60000-0x00007FFB06FDF000-memory.dmp
memory/3040-411-0x00007FFB06A20000-0x00007FFB06D97000-memory.dmp
memory/3040-409-0x00007FFB15AF0000-0x00007FFB15AFE000-memory.dmp
memory/3040-408-0x00007FFB0D4C0000-0x00007FFB0D4D3000-memory.dmp
memory/3040-407-0x00007FFB0D490000-0x00007FFB0D49D000-memory.dmp
memory/3040-406-0x00007FFB159E0000-0x00007FFB159FC000-memory.dmp
memory/3040-405-0x00007FFB15A50000-0x00007FFB15A66000-memory.dmp
memory/3040-404-0x00007FFB15B00000-0x00007FFB15B14000-memory.dmp
memory/3040-403-0x00007FFB15B40000-0x00007FFB15B56000-memory.dmp
memory/3040-402-0x00007FFB15B20000-0x00007FFB15B32000-memory.dmp
memory/3040-401-0x00007FFB0F4E0000-0x00007FFB0F4ED000-memory.dmp
memory/3040-400-0x00007FFB0D4A0000-0x00007FFB0D4B5000-memory.dmp
memory/3040-399-0x00007FFB06DA0000-0x00007FFB06E57000-memory.dmp
memory/3040-397-0x00007FFB166B0000-0x00007FFB166E8000-memory.dmp
memory/3040-396-0x00007FFB0CDE0000-0x00007FFB0CE1F000-memory.dmp
memory/3040-395-0x00007FFB16AA0000-0x00007FFB16ABD000-memory.dmp
memory/3040-394-0x00007FFB167B0000-0x00007FFB1686C000-memory.dmp
memory/3040-393-0x00007FFB16920000-0x00007FFB16950000-memory.dmp
memory/3040-392-0x00007FFB16980000-0x00007FFB169B7000-memory.dmp
memory/3040-391-0x00007FFB16950000-0x00007FFB1697A000-memory.dmp
memory/3040-390-0x00007FFB169C0000-0x00007FFB169EE000-memory.dmp
memory/3040-389-0x00007FFB16AC0000-0x00007FFB16ADC000-memory.dmp
memory/3040-388-0x00007FFB1B370000-0x00007FFB1B37E000-memory.dmp
memory/3040-387-0x00007FFB16B20000-0x00007FFB16B3A000-memory.dmp
memory/3040-386-0x00007FFB1C690000-0x00007FFB1C69F000-memory.dmp
memory/3040-385-0x00007FFB1B380000-0x00007FFB1B3A6000-memory.dmp
memory/3040-384-0x00007FFB1C5C0000-0x00007FFB1C5D1000-memory.dmp
memory/3040-383-0x00007FFB075C0000-0x00007FFB07A4F000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-10 18:12
Reported
2024-05-10 18:15
Platform
win7-20240221-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pyc_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.pyc | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.pyc\ = "pyc_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pyc_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pyc_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pyc_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pyc_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2980 wrote to memory of 2500 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2980 wrote to memory of 2500 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2980 wrote to memory of 2500 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2500 wrote to memory of 2460 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2500 wrote to memory of 2460 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2500 wrote to memory of 2460 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2500 wrote to memory of 2460 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\main.pyc
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\main.pyc"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | fac60725d35d130ed40da487c5c1619e |
| SHA1 | e427713fca348659ae1c6d7398a88cad605edb88 |
| SHA256 | 05be4326614791dc725f6a57851ecd018ea8a1111182a83b873e0d77f17f61b5 |
| SHA512 | 6a1f909e2d14b74ba60b1792bbeefa7341658d60f7ee59c482f83df7948662a17ba669f3c9150d17d11f113b4cc9caec93cc2f915a5c7b906be6673ff6bcfebf |
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-10 18:12
Reported
2024-05-10 18:15
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.196.96:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 2.17.196.96:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 96.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.143.182.52.in-addr.arpa | udp |