Analysis Overview
SHA256
ca20b7876b3490e497f4448bc03166ddaa41ebae02aac80ab49ae315eed59229
Threat Level: Shows suspicious behavior
The file MagicDorks.exe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Suspicious use of NtSetInformationThreadHideFromDebugger
Detects Pyinstaller
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-25 20:35
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-25 20:35
Reported
2024-05-25 20:42
Platform
win7-20231129-en
Max time kernel
383s
Max time network
363s
Command Line
Signatures
Loads dropped DLL
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MagicDorks.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2848 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\MagicDorks.exe | C:\Users\Admin\AppData\Local\Temp\MagicDorks.exe |
| PID 2848 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\MagicDorks.exe | C:\Users\Admin\AppData\Local\Temp\MagicDorks.exe |
| PID 2848 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\MagicDorks.exe | C:\Users\Admin\AppData\Local\Temp\MagicDorks.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\MagicDorks.exe
"C:\Users\Admin\AppData\Local\Temp\MagicDorks.exe"
C:\Users\Admin\AppData\Local\Temp\MagicDorks.exe
"C:\Users\Admin\AppData\Local\Temp\MagicDorks.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\_MEI28482\python38.dll
C:\Users\Admin\AppData\Local\Temp\_MEI28482\MagicDorks.exe.manifest
C:\Users\Admin\AppData\Local\Temp\_MEI28482\VCRUNTIME140.dll
C:\Users\Admin\AppData\Local\Temp\_MEI28482\base_library.zip
C:\Users\Admin\AppData\Local\Temp\_MEI28482\_ctypes.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI28482\python3.DLL
C:\Users\Admin\AppData\Local\Temp\_MEI28482\libffi-7.dll
C:\Users\Admin\AppData\Local\Temp\_MEI28482\_socket.pyd
\Users\Admin\AppData\Local\Temp\_MEI28482\select.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI28482\libcrypto-1_1.dll
\Users\Admin\AppData\Local\Temp\_MEI28482\_ssl.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI28482\libssl-1_1.dll
\Users\Admin\AppData\Local\Temp\_MEI28482\_pytransform.dll
C:\Users\Admin\AppData\Local\Temp\_MEI28482\license.lic
\Users\Admin\AppData\Local\Temp\_MEI28482\_tkinter.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI28482\tcl86t.dll
C:\Users\Admin\AppData\Local\Temp\_MEI28482\tk86t.dll
C:\Users\Admin\AppData\Local\Temp\_MEI28482\tcl\encoding\cp1252.enc
C:\Users\Admin\AppData\Local\Temp\_MEI28482\_queue.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI28482\_hashlib.pyd
\Users\Admin\AppData\Local\Temp\_MEI28482\_bz2.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI28482\pytransform.key
C:\Users\Admin\AppData\Local\Temp\_MEI28482\_lzma.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI28482\certifi\cacert.pem
C:\Users\Admin\AppData\Local\Temp\_MEI28482\unicodedata.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI28482\_asyncio.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI28482\_overlapped.pyd
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-25 20:35
Reported
2024-05-25 20:43
Platform
win10v2004-20240508-en
Max time kernel
442s
Max time network
432s
Command Line
Signatures
Loads dropped DLL
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MagicDorks.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 780 wrote to memory of 5008 | N/A | C:\Users\Admin\AppData\Local\Temp\MagicDorks.exe | C:\Users\Admin\AppData\Local\Temp\MagicDorks.exe |
| PID 780 wrote to memory of 5008 | N/A | C:\Users\Admin\AppData\Local\Temp\MagicDorks.exe | C:\Users\Admin\AppData\Local\Temp\MagicDorks.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\MagicDorks.exe
"C:\Users\Admin\AppData\Local\Temp\MagicDorks.exe"
C:\Users\Admin\AppData\Local\Temp\MagicDorks.exe
"C:\Users\Admin\AppData\Local\Temp\MagicDorks.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4080,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=3772 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4608,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4072 /prefetch:8
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI7802\python38.dll
C:\Users\Admin\AppData\Local\Temp\_MEI7802\MagicDorks.exe.manifest
C:\Users\Admin\AppData\Local\Temp\_MEI7802\base_library.zip
C:\Users\Admin\AppData\Local\Temp\_MEI7802\VCRUNTIME140.dll
C:\Users\Admin\AppData\Local\Temp\_MEI7802\_socket.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI7802\libcrypto-1_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI7802\tk86t.dll
C:\Users\Admin\AppData\Local\Temp\_MEI7802\unicodedata.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI7802\_overlapped.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI7802\_asyncio.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI7802\certifi\cacert.pem
C:\Users\Admin\AppData\Local\Temp\_MEI7802\_lzma.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI7802\_bz2.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI7802\_hashlib.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI7802\_queue.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI7802\tcl\encoding\cp1252.enc
C:\Users\Admin\AppData\Local\Temp\_MEI7802\tcl86t.dll
C:\Users\Admin\AppData\Local\Temp\_MEI7802\_tkinter.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI7802\license.lic
C:\Users\Admin\AppData\Local\Temp\_MEI7802\pytransform.key
C:\Users\Admin\AppData\Local\Temp\_MEI7802\_pytransform.dll
C:\Users\Admin\AppData\Local\Temp\_MEI7802\libssl-1_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI7802\_ssl.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI7802\select.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI7802\libffi-7.dll
C:\Users\Admin\AppData\Local\Temp\_MEI7802\_ctypes.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI7802\python3.dll
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-25 20:35
Reported
2024-05-25 20:38
Platform
win7-20240508-en
Max time kernel
121s
Max time network
127s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\pyc_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.pyc\ = "pyc_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\pyc_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\pyc_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.pyc | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\pyc_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\pyc_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2132 wrote to memory of 2232 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2132 wrote to memory of 2232 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2132 wrote to memory of 2232 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2232 wrote to memory of 2640 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2232 wrote to memory of 2640 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2232 wrote to memory of 2640 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2232 wrote to memory of 2640 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\MagicDorks.pyc
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\MagicDorks.pyc
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\MagicDorks.pyc"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-25 20:35
Reported
2024-05-25 20:38
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\MagicDorks.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network