Malware Analysis Report

2024-10-24 21:47

Sample ID 240517-yg9wgsfh25
Target FrenniFazclaireAlpha-0.3.1-pc.zip
SHA256 73b06276c6ffc3658374d06065619590a1b9fd7a0c77fa1ce03e7fcb97b3ee8a
Tags antivm
Score 4/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral3, behavioral6, behavioral19, behavioral30, behavioral1, behavioral10, behavioral22, behavioral25, behavioral4, behavioral21, behavioral9, behavioral14, behavioral15, behavioral17, behavioral20, behavioral24, behavioral26, behavioral27, behavioral29, behavioral8, behavioral13, behavioral16, behavioral28, behavioral2, behavioral12, behavioral18, behavioral23, behavioral31, behavioral32, behavioral5, behavioral7, behavioral11 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 4/10

SHA256 73b06276c6ffc3658374d06065619590a1b9fd7a0c77fa1ce03e7fcb97b3ee8a

Threat Level: Likely benign

The file FrenniFazclaireAlpha-0.3.1-pc.zip was found to be: Likely benign.

Malicious Activity Summary

antivm

Changes its process name

Checks CPU configuration

Reads CPU attributes

Enumerates physical storage devices

Writes file to tmp directory

Unsigned PE

Enumerates kernel/hardware configuration

Reads runtime system information

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-17 19:48

Signatures

Unsigned PE


Analysis: behavioral3

Detonation Overview

Submitted

2024-05-17 19:46

Reported

2024-05-17 19:54

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

0s

Max time network

132s

Command Line

[/tmp/FrenniFazclaireAlpha-0.3.1-pc/lib/py3-linux-x86_64/python]

Signatures

N/A

Processes

/tmp/FrenniFazclaireAlpha-0.3.1-pc/lib/py3-linux-x86_64/python

[/tmp/FrenniFazclaireAlpha-0.3.1-pc/lib/py3-linux-x86_64/python]

Network

Country Destination Domain Proto
US 151.101.193.91:443 tcp
GB 185.125.188.61:443 tcp
GB 185.125.188.61:443 tcp
US 151.101.193.91:443 tcp
GB 89.187.167.7:443 tcp
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-17 19:46

Reported

2024-05-17 19:53

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

0s

Max time network

131s

Command Line

[/tmp/FrenniFazclaireAlpha-0.3.1-pc/lib/py3-linux-x86_64/zsyncmake]

Signatures

N/A

Processes

/tmp/FrenniFazclaireAlpha-0.3.1-pc/lib/py3-linux-x86_64/zsyncmake

[/tmp/FrenniFazclaireAlpha-0.3.1-pc/lib/py3-linux-x86_64/zsyncmake]

Network

Country Destination Domain Proto
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.1.91:443 tcp
US 151.101.1.91:443 tcp
N/A 224.0.0.251:5353 udp
GB 89.187.167.3:443 tcp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-17 19:46

Reported

2024-05-17 19:54

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

162s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\nvdrs.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\nvdrs.dll,#1

Network


Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-05-17 19:46

Reported

2024-05-17 19:53

Platform

win7-20231129-en

Max time kernel

120s

Max time network

133s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\python3.9\__future__.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.pyc C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.pyc\ = "pyc_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\python3.9\__future__.pyc

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\python3.9\__future__.pyc

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\python3.9\__future__.pyc"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 51f6ebc89f3b697663371b8a2f1ad5df
SHA1 1bb7cf2cad37fd9d3f1f9a2d05296112cc062ba2
SHA256 68ca6ebcdf9366188255efe84cb51609caf7be114119fcf0b14e73c29e89a7c6
SHA512 a7365a0b1c812ac2b6da75509958753efcd8064ea826bc8cf93fb6ad68c18ce6d7efa31b82a010654a837ecbf2388adb2c31eeebe2cc8ee7a07000bf1967cb59

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 19:46

Reported

2024-05-17 19:54

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

149s

Max time network

68s

Command Line

[/tmp/FrenniFazclaireAlpha-0.3.1-pc/lib/py3-linux-x86_64/FrenniFazclaireAlpha]

Signatures

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself SDLHotplugALSA N/A N/A
Changes the process name, possibly in an attempt to hide itself SDLTimer N/A N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /tmp/FrenniFazclaireAlpha-0.3.1-pc/lib/py3-linux-x86_64/FrenniFazclaireAlpha N/A

Reads CPU attributes

Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /tmp/FrenniFazclaireAlpha-0.3.1-pc/lib/py3-linux-x86_64/FrenniFazclaireAlpha N/A

Enumerates kernel/hardware configuration


Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/self/fd /tmp/FrenniFazclaireAlpha-0.3.1-pc/lib/py3-linux-x86_64/FrenniFazclaireAlpha N/A
File opened for reading /proc/sys/vm/overcommit_memory /tmp/FrenniFazclaireAlpha-0.3.1-pc/lib/py3-linux-x86_64/FrenniFazclaireAlpha N/A

Writes file to tmp directory


Processes

/tmp/FrenniFazclaireAlpha-0.3.1-pc/lib/py3-linux-x86_64/FrenniFazclaireAlpha

[/tmp/FrenniFazclaireAlpha-0.3.1-pc/lib/py3-linux-x86_64/FrenniFazclaireAlpha]

/usr/local/sbin/uname

[uname -p]

/usr/local/bin/uname

[uname -p]

/usr/sbin/uname

[uname -p]

/usr/bin/uname

[uname -p]

/sbin/uname

[uname -p]

/bin/uname

[uname -p]

/usr/bin/dbus-launch

[dbus-launch --autolaunch 11c67417355f45d397f6be11f62e85a6 --binary-syntax --close-stderr]

Network

Country Destination Domain Proto
US 151.101.193.91:443 tcp
N/A 224.0.0.251:5353 udp
GB 185.125.188.62:443 tcp
GB 185.125.188.61:443 tcp
US 151.101.193.91:443 tcp
GB 195.181.164.19:443 tcp

Files

/tmp/vm9jx_su

MD5 3f1d1d8d87177d3d8d897d7e421f84d6
SHA1 dd082d742a5cb751290f1db2bd519c286aa86d95
SHA256 f02285fb90ed8c81531fe78cf4e2abb68a62be73ee7d317623e2c3e3aefdfff2
SHA512 2ae2b3936f31756332ca7a4b877d18f3fcc50e41e9472b5cd45a70bea82e29a0fa956ee6a9ee0e02f23d9db56b41d19cb51d88aac06e9c923a820a21023752a9

/tmp/FrenniFazclaireAlpha-0.3.1-pc/log.txt

MD5 dab8291eb56153cf2f58121b6c977155
SHA1 7452b337f81ef4eb1b01c301754bce23f7c7792a
SHA256 6f7244af11f266715b9153325cf8532110ba644b1ea9171f0dc43057b87f102f
SHA512 e128f8858d23cf8246e53cfe66566bd1ab57c7ff6bbff630cbe44c4607c02ee7e9ee1dc8292c21ba6b643de8f1f945a67c96e49d9cfd7fb841f9d9cbbc3b89fb

/root/.renpy/tokens/security_keys.txt

MD5 a2bb9f111f66e41670450d766643b8d2
SHA1 108c2ec50de6f1334b6023e5d145771a813ee4aa
SHA256 82cb1252fa1466b51bc090c687e05689cb1dfb15408157acc8c255f1cc0ccbc0
SHA512 a864b46f0ce8b9eb314f956765fc343f640ce017d07cb1f70909aceb851e5d917f76817630dca1ff392a656b738c533c8ce3d9ad673fa38d57b6233603c3f62c

/root/.renpy/FrenniFazclaire-1683369202/text.txt

MD5 f4020e91252aafd4b18d8acd17f883db
SHA1 748d77dbb8bdb0dd330c099e7fde82da053fb1ff
SHA256 314ad142957febe390cc7223b4deb1d1b21c187f84f6e7257a23fe46c27fcae3
SHA512 301ddd0e34cbd842dae99a2cc4ccbfeb6ee8b3def39c214a719fa9edc26d7142749bbe6e992d26353dc167febbab0dbc05476b68a86ad93cab5f299f0aaf916d

/root/.renpy/tokens/upgraded.txt

MD5 bfde9e02eec23c1dc00bd76e4e8a8355
SHA1 933760b994ed5d327e89633bd55a7989c7d63636
SHA256 bf5945fe4e5b1a2786b7791eacc28f583121bf76fffd1bc9ce22e3241bc6e356
SHA512 2ce7ea1bf09c82155f6cff6f617d0514970cb9c59c6966a46eed766797d8e8d5e086e3319c498e9c19cfb6470b2bcb659436e90dbdd4dbdd66d199ae1a50ff77

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-17 19:46

Reported

2024-05-17 19:54

Platform

win7-20240508-en

Max time kernel

119s

Max time network

138s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\libGLESv2.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2400 wrote to memory of 1952 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe
PID 2400 wrote to memory of 1952 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe
PID 2400 wrote to memory of 1952 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\libGLESv2.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2400 -s 88

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-17 19:46

Reported

2024-05-17 19:54

Platform

win7-20240508-en

Max time kernel

122s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\pythonw.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\pythonw.exe

"C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\pythonw.exe"

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-17 19:46

Reported

2024-05-17 19:54

Platform

win10v2004-20240426-en

Max time kernel

140s

Max time network

159s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\say.vbs"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\say.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-17 19:46

Reported

2024-05-17 19:53

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

0s

Max time network

131s

Command Line

[/tmp/FrenniFazclaireAlpha-0.3.1-pc/lib/py3-linux-x86_64/pythonw]

Signatures

N/A

Processes

/tmp/FrenniFazclaireAlpha-0.3.1-pc/lib/py3-linux-x86_64/pythonw

[/tmp/FrenniFazclaireAlpha-0.3.1-pc/lib/py3-linux-x86_64/pythonw]

Network

Country Destination Domain Proto
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.193.91:443 tcp
US 151.101.193.91:443 tcp
GB 89.187.167.3:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
GB 89.187.167.3:443 1527653184.rsc.cdn77.org tcp
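
Most rows in the Windows network tables of this report are the sandbox reverse-resolving the IPs it saw (a query to 8.8.8.8:53 for an in-addr.arpa name) or the win10 image talking to Bing on its own, while the Ubuntu runs, like the table above, show bare TLS endpoints with no name attached. The Python below is an added example, not part of the report: it parses the whitespace-separated rows (the Domain column is simply absent on bare-IP rows, so columns are assigned by position), tags each row, and lists what is left for review. The two tables are copied from behavioral25 (win10) and from the behavioral4 table above. The allow-list of background hostnames and the mDNS rule are this example's assumptions about these sandbox images; the report makes no such claim, and it says nothing about what the remaining endpoints are.

```python
"""Split this report's flattened Network tables into sandbox background noise
and endpoints worth review. Added example, not part of the report; the tables
are copied from behavioral25 (win10) and behavioral4 (ubuntu1804). The noise
rules are this example's assumptions about the sandbox images, not the report's."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

WIN10_ROWS = """
Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
"""
UBUNTU_ROWS = """
Country Destination Domain Proto
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.193.91:443 tcp
US 151.101.193.91:443 tcp
GB 89.187.167.3:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
GB 89.187.167.3:443 1527653184.rsc.cdn77.org tcp
"""


@dataclass(frozen=True)
class Flow:
    country: str
    dest: str    # ip:port
    domain: str  # "" when the row has no Domain column
    proto: str


_DEST = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}:\d+")


def parse_network_table(text: str) -> list[Flow]:
    """Whitespace-separated: country, ip:port, optional domain, proto."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) not in (3, 4) or not _DEST.fullmatch(parts[1]):
            continue  # header or blank line
        flows.append(Flow(parts[0], parts[1], parts[2] if len(parts) == 4 else "", parts[-1]))
    return flows


# Assumption: names the win10 image contacts by itself (search box, Edge, Chrome).
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net", "chromewebstore.googleapis.com")


def classify(flow: Flow) -> str:
    if flow.domain.endswith(".in-addr.arpa"):
        return "ptr-lookup"    # sandbox reverse-resolving IPs it observed
    if flow.dest == "224.0.0.251:5353":
        return "mdns"          # link-local multicast, never leaves the VM
    if flow.domain.endswith(BACKGROUND_SUFFIXES):
        return "os-background"
    return "review"


def summarize(text: str) -> dict[str, int]:
    """Row count per class, to see how much of a table is noise before reading it."""
    return dict(Counter(classify(f) for f in parse_network_table(text)))


def review_set(text: str) -> list[tuple[str, str]]:
    """Distinct endpoints left after noise removal, first-seen order. DNS rows are
    keyed by the name queried; bare IPs and named endpoints stay separate because
    the report never ties a bare IP to a name."""
    seen, out = set(), []
    for f in parse_network_table(text):
        if classify(f) != "review":
            continue
        ip, port = f.dest.rsplit(":", 1)
        key = (f.domain, "dns") if port == "53" and f.domain else (f.domain or ip, port)
        if key not in seen:
            seen.add(key)
            out.append(key)
    return out
```

summarize() on the behavioral25 table returns only ptr-lookup and os-background rows, so nothing remains to review there; on the table above it leaves five distinct endpoints (three bare IPs, one DNS lookup and one named TLS connection). Extend BACKGROUND_SUFFIXES for your own sandbox image and re-run; a hostname that disappears from review_set() only because it was added there has not been explained.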

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-17 19:46

Reported

2024-05-17 19:55

Platform

win10v2004-20240226-en

Max time kernel

154s

Max time network

240s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\python.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\python.exe

"C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\python.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
GB 142.250.187.234:443 tcp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 198.32.209.4.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-17 19:46

Reported

2024-05-17 19:54

Platform

win10v2004-20240508-en

Max time kernel

134s

Max time network

163s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\libEGL.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-17 19:46

Reported

2024-05-17 19:54

Platform

win7-20231129-en

Max time kernel

118s

Max time network

132s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\librenpython.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\librenpython.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-17 19:46

Reported

2024-05-17 19:54

Platform

win10v2004-20240508-en

Max time kernel

136s

Max time network

162s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\librenpython.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\librenpython.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-17 19:46

Reported

2024-05-17 19:54

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

163s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\libwinpthread-1.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\libwinpthread-1.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-17 19:46

Reported

2024-05-17 19:54

Platform

win7-20240221-en

Max time kernel

12s

Max time network

44s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\python.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\python.exe

"C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\python.exe"

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-17 19:46

Reported

2024-05-17 19:54

Platform

win7-20240221-en

Max time kernel

119s

Max time network

135s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\say.vbs"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\say.vbs"

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-17 19:46

Reported

2024-05-17 19:54

Platform

win7-20240220-en

Max time kernel

122s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\zsync.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\zsync.exe

"C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\zsync.exe"

Network

N/A

Files

memory/1740-0-0x0000000000400000-0x000000000041C000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-17 19:46

Reported

2024-05-17 19:54

Platform

win10v2004-20240426-en

Max time kernel

130s

Max time network

169s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\zsync.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\zsync.exe

"C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\zsync.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/2540-0-0x0000000000400000-0x000000000041C000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-05-17 19:46

Reported

2024-05-17 19:54

Platform

win10v2004-20240508-en

Max time kernel

140s

Max time network

168s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\zsyncmake.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\zsyncmake.exe

"C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\zsyncmake.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/2708-0-0x0000000000400000-0x000000000041C000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-17 19:46

Reported

2024-05-17 19:54

Platform

win7-20240221-en

Max time kernel

118s

Max time network

135s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\libEGL.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-17 19:46

Reported

2024-05-17 19:54

Platform

win10v2004-20240426-en

Max time kernel

145s

Max time network

164s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\libpython3.9.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\libpython3.9.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
NL 23.62.61.97:443 www.bing.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-17 19:46

Reported

2024-05-17 19:53

Platform

win7-20240508-en

Max time kernel

121s

Max time network

137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\libwinpthread-1.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\libwinpthread-1.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-17 19:46

Reported

2024-05-17 19:54

Platform

win7-20240508-en

Max time kernel

142s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\zsyncmake.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\zsyncmake.exe

"C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\zsyncmake.exe"

Network

N/A

Files

memory/2072-0-0x0000000000400000-0x000000000041C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-17 19:46

Reported

2024-05-17 19:53

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

0s

Max time network

134s

Command Line

[/tmp/FrenniFazclaireAlpha-0.3.1-pc/lib/py3-linux-x86_64/librenpython.so]

Signatures

N/A

Processes

/tmp/FrenniFazclaireAlpha-0.3.1-pc/lib/py3-linux-x86_64/librenpython.so

[/tmp/FrenniFazclaireAlpha-0.3.1-pc/lib/py3-linux-x86_64/librenpython.so]

Network

Country Destination Domain Proto
US 151.101.193.91:443 tcp
GB 89.187.167.9:443 tcp
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.193.91:443 tcp
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-17 19:46

Reported

2024-05-17 19:54

Platform

win7-20240221-en

Max time kernel

120s

Max time network

136s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\libpython3.9.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1244 wrote to memory of 1260 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe
PID 1244 wrote to memory of 1260 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe
PID 1244 wrote to memory of 1260 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\libpython3.9.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1244 -s 128
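
In behavioral10 and in this analysis the only signature is "Suspicious use of WriteProcessMemory", with rundll32.exe writing into WerFault.exe, and in both runs the WerFault command line carries -p followed by the PID of that same rundll32 (2400 and 1244). WerFault.exe started with -p <pid> is the Windows Error Reporting handler for a process that has just crashed, and it is the faulting process itself that launches it, so the recorded write is the child-process setup of that hand-off rather than injection into a live target. The Python below is an added example, not part of the report: it parses the signature rows together with the WerFault command lines and downgrades only those writes whose target is a WerFault instance reporting on the writer. The rows and command lines are copied from behavioral10 and behavioral12; CONSTRUCTED_ROW is made up to exercise the other branch, and the WER rule itself is background knowledge, not something the report states.

```python
"""Tell a Windows Error Reporting crash hand-off apart from a cross-process write
worth review in this report's 'Suspicious use of WriteProcessMemory' rows.
Added example, not part of the report. Signature rows and command lines are
copied from behavioral10 and behavioral12; CONSTRUCTED_ROW is made up here."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Columns: Description | Indicator | Process | Target (image paths here have no spaces).
_EVENT = re.compile(r"^PID (\d+) wrote to memory of (\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")
# WerFault.exe ... -p <pid>: the faulting process named by -p launched this instance.
_WERFAULT_PID = re.compile(r"WerFault\.exe\b.*?\s-p\s+(\d+)", re.IGNORECASE)

BEHAVIORAL10_SIGNATURE = r"""
PID 2400 wrote to memory of 1952 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2400 wrote to memory of 1952 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2400 wrote to memory of 1952 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
"""
BEHAVIORAL10_CMDLINES = [
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\libGLESv2.dll,#1",
    r"C:\Windows\system32\WerFault.exe -u -p 2400 -s 88",
]
BEHAVIORAL12_SIGNATURE = r"""
PID 1244 wrote to memory of 1260 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 1244 wrote to memory of 1260 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 1244 wrote to memory of 1260 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
"""
BEHAVIORAL12_CMDLINES = [
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\libpython3.9.dll,#1",
    r"C:\Windows\system32\WerFault.exe -u -p 1244 -s 128",
]
# Constructed, not from the report: a write into something other than WerFault.
CONSTRUCTED_ROW = r"PID 1000 wrote to memory of 2000 N/A C:\Users\Admin\a.exe C:\Windows\explorer.exe"


@dataclass(frozen=True)
class WriteEvent:
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str


def parse_write_events(text: str) -> list[WriteEvent]:
    events = []
    for line in text.splitlines():
        m = _EVENT.match(line.strip())
        if m:  # m[3] is the Indicator column, N/A for this signature
            events.append(WriteEvent(int(m[1]), int(m[2]), m[4], m[5]))
    return events


def werfault_pids(cmdlines: list[str]) -> set[int]:
    """PIDs that some WerFault.exe instance in the process list is reporting on."""
    pids = set()
    for cmdline in cmdlines:
        m = _WERFAULT_PID.search(cmdline)
        if m:
            pids.add(int(m[1]))
    return pids


def classify(event: WriteEvent, reported: set[int]) -> str:
    target = event.dst_image.rsplit("\\", 1)[-1].lower()
    if target != "werfault.exe":
        return "cross-process-write"  # keep for review
    if event.src_pid in reported:
        return "wer-crash-handoff"    # the writer is the crashed process WerFault reports on
    return "werfault-unmatched"       # WerFault target but no -p for this writer: keep


def triage(signature_text: str, cmdlines: list[str]) -> list[tuple[WriteEvent, str]]:
    reported = werfault_pids(cmdlines)
    return [(e, classify(e, reported)) for e in parse_write_events(signature_text)]
```

Only the matched pair is downgraded: a WerFault target whose -p names a different process, or a WerFault with no command line in the process list at all, stays flagged, and so does any write into a process that is not WerFault.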

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-17 19:46

Reported

2024-05-17 19:54

Platform

win7-20240221-en

Max time kernel

21s

Max time network

21s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\nvdrs.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\nvdrs.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-17 19:46

Reported

2024-05-17 19:53

Platform

win10v2004-20240426-en

Max time kernel

141s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\pythonw.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\pythonw.exe

"C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\pythonw.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-05-17 19:46

Reported

2024-05-17 19:54

Platform

win10v2004-20240508-en

Max time kernel

134s

Max time network

161s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\python3.9\__future__.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\python3.9\__future__.pyc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-05-17 19:46

Reported

2024-05-17 19:54

Platform

win7-20240419-en

Max time kernel

118s

Max time network

134s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\python3.9\_bootlocale.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pyc_auto_file\ | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.pyc | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.pyc\ = "pyc_auto_file" | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pyc_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pyc_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pyc_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pyc_auto_file | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\python3.9\_bootlocale.pyc

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\python3.9\_bootlocale.pyc

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\python3.9\_bootlocale.pyc"
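
The "Modifies registry class" rows of this analysis create a pyc_auto_file ProgID under the user's Classes hive, point .pyc at it, and store an AcroRd32.exe command under shell\Read\command, and every row was written by the rundll32 shell32.dll,OpenAs_RunDLL process in the list above, which is the Windows "Open With" dialog. The Python below is an added example, not part of the report: it parses those rows (the Indicator column holds the key and, on Set value rows, a C-escaped string value), rebuilds the extension to ProgID to verb to command chain, and shows what opening a .pyc on that image would now launch. ROWS is copied from the table in this analysis; the sample path handed to expand_command() is constructed. Reading the association as the dialog's choice rather than the sample's own doing is this example's interpretation; the report only lists the rows and the writing process.

```python
"""Rebuild the file association described by behavioral32's registry rows and
resolve what opening a .pyc would launch. Added example, not part of the report.
ROWS is copied from the report; the target path used with expand_command() is
constructed here."""
from __future__ import annotations

import re

ROWS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pyc_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.pyc C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.pyc\ = "pyc_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pyc_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pyc_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pyc_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pyc_auto_file C:\Windows\system32\rundll32.exe N/A
"""

# Set value (type) <key> [= "<C-escaped value>"] <process> <target>; keys have no spaces here.
_SET = re.compile(r'^Set value \((\w+)\) (\S+)(?: = "(.*)")? (\S+) (\S+)$')
# Key created <key, may contain spaces> <process> <target>
_CREATE = re.compile(r"^Key created (.+?) (\S+) (\S+)$")
_CLASSES = re.compile(r"_classes\\", re.IGNORECASE)


def _normalize(key: str) -> str:
    """Drop the per-user ...\_Classes\ prefix and the trailing backslash."""
    parts = _CLASSES.split(key, maxsplit=1)
    return (parts[1] if len(parts) == 2 else key).rstrip("\\")


def _unescape(value: str) -> str:
    """The report prints string values C-escaped: \\\" -> \" and \\\\ -> \\."""
    return re.sub(r'\\(["\\])', r"\1", value)


def parse_registry_rows(text: str) -> list[tuple[str, str, str | None, str]]:
    """(kind, normalized key, default value or None, writing process) per row."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m:
            rows.append(("set", _normalize(m[2]), None if m[3] is None else _unescape(m[3]), m[4]))
            continue
        m = _CREATE.match(line)
        if m:
            rows.append(("create", _normalize(m[1]), None, m[2]))
    return rows


def key_values(rows) -> dict[str, str | None]:
    """key -> default value; a bare 'Key created' never overwrites a value already seen."""
    entries: dict[str, str | None] = {}
    for _, key, value, _ in rows:
        if value is not None or key not in entries:
            entries[key] = value
    return entries


def resolve_open_verbs(entries: dict[str, str | None], ext: str) -> dict[str, str]:
    """ext -> ProgID (default value of the extension key) -> shell\<verb>\command."""
    progid = next((v for k, v in entries.items() if k.lower() == ext.lower() and v), None)
    if not progid:
        return {}
    prefix = f"{progid}\\shell\\".lower()
    suffix = "\\command"
    return {key[len(prefix):-len(suffix)]: value
            for key, value in entries.items()
            if value and key.lower().startswith(prefix) and key.lower().endswith(suffix)}


def split_command(cmd: str) -> tuple[str, str]:
    """Executable and argument string of a shell command value."""
    m = re.match(r'^"([^"]+)"\s*(.*)$', cmd) or re.match(r"^(\S+)\s*(.*)$", cmd)
    return m[1], m[2]


def expand_command(cmd: str, target: str) -> str:
    """What the shell would run for this target (%1 is the opened file)."""
    return cmd.replace("%1", target)


def writers(rows) -> set[str]:
    return {process for _, _, _, process in rows}
```

writers() names the process behind each change. A handler picked through OpenAs_RunDLL is the dialog's doing; the same .pyc and pyc_auto_file keys written by the package's own executable would instead be a change to file handling worth following up.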

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 f0247acdb4dc254bdb332dfbe1e97a1d
SHA1 5427b14141aaa1ec952b4cd7c8d9103290200a39
SHA256 0511a1032d68ab50b8ca08298e205ee4be966a200688a93d124162eb9b3dd1e8
SHA512 e5ffcaa27aa6fb6b2f241897562d15eb4caceba81bf3a4a0ecc4980410b2598748d2a1234d3c3455ccb84104d2b63b485f3c31be39d905b20306526ff91780a0

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-17 19:46

Reported

2024-05-17 19:54

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

0s

Max time network

132s

Command Line

[/tmp/FrenniFazclaireAlpha-0.3.1-pc/lib/py3-linux-x86_64/zsync]

Signatures

N/A

Processes

/tmp/FrenniFazclaireAlpha-0.3.1-pc/lib/py3-linux-x86_64/zsync

[/tmp/FrenniFazclaireAlpha-0.3.1-pc/lib/py3-linux-x86_64/zsync]

Network

Country Destination Domain Proto
US 151.101.1.91:443 tcp
GB 185.125.188.61:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.1.91:443 tcp
GB 89.187.167.7:443 tcp
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-17 19:46

Reported

2024-05-17 19:55

Platform

win10v2004-20240226-en

Max time kernel

90s

Max time network

219s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\d3dcompiler_47.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\d3dcompiler_47.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.187.202:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 202.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-17 19:46

Reported

2024-05-17 19:54

Platform

win10v2004-20240508-en

Max time kernel

136s

Max time network

165s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\libGLESv2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FrenniFazclaireAlpha-0.3.1-pc\lib\py3-windows-x86_64\libGLESv2.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 163.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A