Malware Analysis Report

2024-10-10 11:09

Sample ID 240614-qcfg3ssamd
Target ugene-50.0-win-x86-64.exe
SHA256 a2792b8d2290310062cfa14c52036192f8359af62ee7ff3be63e86ddbf637d75
Tags discovery
Score 4/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1, behavioral5, behavioral6, behavioral11, behavioral13, behavioral14, behavioral21, behavioral4, behavioral9, behavioral17, behavioral25, behavioral26, behavioral7, behavioral10, behavioral19, behavioral23, behavioral20, behavioral29, behavioral32, behavioral8, behavioral18, behavioral30, behavioral3, behavioral15, behavioral16, behavioral22, behavioral28, behavioral31, behavioral2, behavioral12, behavioral24, behavioral27 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 4/10

SHA256

a2792b8d2290310062cfa14c52036192f8359af62ee7ff3be63e86ddbf637d75

Threat Level: Likely benign

The file ugene-50.0-win-x86-64.exe was found to be: Likely benign.

Malicious Activity Summary

discovery

Checks installed software on the system

Loads dropped DLL

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

NSIS installer

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 13:11

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

NSIS installer

installer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 13:06

Reported

2024-06-14 13:18

Platform

win7-20231129-en

Max time kernel

311s

Max time network

316s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe"

Signatures

Checks installed software on the system

discovery

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\CPAN\Nox.pm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\pods\perlmodinstall.pod | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\python3\Lib\site-packages\pip\_vendor\distro\__init__.py | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\data\weight_matrix\pam410.txt | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\mfold\gs\gs10.02.0\Resource\Init\gs_dscp.ps | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\Encode.pm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\DateTime\Locale\en_SB.pod | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\DateTime\TimeZone\Pacific\Funafuti.pm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\unicore\lib\Gc\M.pl | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\python3\Lib\tomllib\_types.py | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\data\position_weight_matrix\JASPAR\insects\MA0251.1.pfm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\data\position_weight_matrix\UniPROBE\GR09\Rds2.pwm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\Config\Tiny.pm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\Moose\Exception\MetaclassIsARoleNotASubclassOfGivenMetaclass.pm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\python3\Lib\multiprocessing\queues.py | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\mfold\mfold-3.6\bin\reformat-seq.sh | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\ExtUtils\ParseXS\Eval.pm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\Locale\Codes\Country.pod | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\data\position_weight_matrix\UniPROBE\GR09\Yox1.pwm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\Moose\Meta\Method\Accessor\Native\String\substr.pm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\auto\share\dist\DateTime-Locale\vi-VN.pl | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\python3\Lib\subprocess.py | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\python3\Lib\site-packages\pip\_vendor\platformdirs\unix.py | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\DateTime\Locale\si.pod | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\auto\ActivePerl\DocTools\.packlist | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\auto\share\dist\DateTime-Locale\en-CY.pl | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\DateTime\Locale\de_LI.pod | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\Moose\Exception\OverloadRequiresAMetaMethod.pm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\PPIx\Regexp\Structure\CharClass.pm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\SQL\Eval.pm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\auto\share\dist\DateTime-Locale\qu.pl | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\fastqc\uk\ac\babraham\FastQC\FastQCConfig.class | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\bignum.pm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\DateTime\Locale\bo_CN.pod | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\unicore\lib\Perl\_PerlFol.pl | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\data\position_weight_matrix\JASPAR\fungi\MA0408.1.pfm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\python3\DLLs\pyd.ico | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\python3\Lib\encodings\utf_16_le.py | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\auto\share\dist\DateTime-Locale\es-CU.pl | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\data\position_weight_matrix\JASPAR\fungi\MA0409.1.pfm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\mfold\gs\gs10.02.0\Resource\CMap\CNS2-V | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\DateTime\TimeZone\Europe\Vienna.pm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\CORE\perlhost.h | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\Devel\NYTProf.pm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\auto\share\dist\DateTime-Locale\fr-MQ.pl | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\unicore\lib\Age\V50.pl | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\python3\Lib\lib2to3\fixer_util.py | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\data\position_weight_matrix\UniPROBE\Cell08\Lmx1b_3433.2.pwm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\fastqc\uk\ac\babraham\FastQC\Help\HelpDialog.class | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\mfold\gs\gs10.02.0\lib\bjc610a2.upp | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\python3\Lib\site-packages\pip\_internal\resolution\resolvelib\factory.py | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\python3\Lib\site-packages\pip\_vendor\pyproject_hooks\_in_process\__init__.py | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\python3\include\internal\pycore_symtable.h | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\mfold\gs\gs10.02.0\Resource\Font\NimbusSans-BoldItalic | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\auto\share\dist\DateTime-Locale\sv-AX.pl | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\unicore\lib\Nt\Nu.pl | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\Term\ReadLine\Perl.pm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\Test\Builder\Formatter.pm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\Unicode\Collate\Locale\as.pl | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\auto\share\dist\DateTime-Locale\os-RU.pl | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\data\weight_matrix\pam240.txt | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\plugins\remote_blast.plugin | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\mfold\msys64\usr\bin\msys-2.0.dll | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\CPAN\Distroprefs.pm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A

Enumerates physical storage devices

NSIS installer

installer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Swiss-Prot file\shell\open | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.gen | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSF multiple sequence file\shell | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSF multiple sequence file\shell\open\command | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.newick\ = "NEWICK tree file" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Unipro UGENE project file\shell | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.gbk | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Protein Data Bank file | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.sam | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.genbank | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BAM genome assembly\shell\open\command | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BAM genome assembly\shell\open | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FASTQ file\ = "FASTQ file" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FASTA short reads file | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Clustal alignment file\shell\open\command | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NEWICK tree file\shell\open\command\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe \"%1\"" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ugenedb | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\UGENE Database\shell | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\UGENE Database | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\UGENE Query Language\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\UGENE Query Language\shell\open\command\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe \"%1\"" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FASTA sequence file\ = "FASTA sequence file" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Genbank plain text file\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.msf | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NEWICK tree file\shell\open\command | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stockholm alignment file\DefaultIcon\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe,1" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\UGENE Workflow Language\shell\open\command | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Clustal alignment file | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSF multiple sequence file\shell\open | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.fsa\ = "FASTA sequence file" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SAM genome assembly | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ABIF file\shell\ = "open" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BAM genome assembly\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\UGENE Workflow Language\shell\open | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GFF format\shell | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GFF format\shell\open\command | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NEWICK tree file\shell | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FASTA short reads file\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GFF format\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.newick | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stockholm alignment file\shell\ = "open" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ABIF file\ = "ABIF file" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Swiss-Prot file\shell | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FASTQ file\shell\open\command\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe \"%1\"" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.gff\ = "GFF format" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SAM genome assembly\shell\ = "open" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\EMBL file\DefaultIcon\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe,1" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Swiss-Prot file\ = "Swiss-Prot file" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mpfa | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BAM genome assembly\shell\ = "open" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Protein Data Bank file\ = "Protein Data Bank file" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Protein Data Bank file\shell\ = "open" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FASTA short reads file\shell\ = "open" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Unipro UGENE project file\ = "Unipro UGENE project file" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ABIF file\shell\open\command\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe \"%1\"" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.abi | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.fa\ = "FASTA sequence file" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Genbank plain text file\shell | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\UGENE Database\shell\ = "open" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.uql | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\EMBL file\shell\open\command | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Swiss-Prot file | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\UGENE Database\shell\open\command\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe \"%1\"" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.srfasta\ = "FASTA short reads file" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe

"C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsi3084.tmp\System.dll

MD5 fbe295e5a1acfbd0a6271898f885fe6a
SHA1 d6d205922e61635472efb13c2bb92c9ac6cb96da
SHA256 a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
SHA512 2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

\Users\Admin\AppData\Local\Temp\nsi3084.tmp\LangDLL.dll

MD5 de3558ce305e32f742ff25b697407fec
SHA1 d55c50c546001421647f2e91780c324dbb8d6ebb
SHA256 98160b4ebb4870f64b13a45f5384b693614ae5ca1b5243edf461ca0b5a6d479a
SHA512 7081654001cba9263e6fb8d5b8570ba29a3de89621f52524aa7941ba9e6dfd963e5ef7b073f193b9df70300af04d7f72f93d0241d8c70ccdbecfd9092e166cac

\Users\Admin\AppData\Local\Temp\nsi3084.tmp\nsDialogs.dll

MD5 ab101f38562c8545a641e95172c354b4
SHA1 ec47ac5449f6ee4b14f6dd7ddde841a3e723e567
SHA256 3cdf3e24c87666ed5c582b8b028c01ee6ac16d5a9b8d8d684ae67605376786ea
SHA512 72d4b6dc439f40b7d68b03353a748fc3ad7ed10b0401741c5030705d9b1adef856406075e9ce4f1a08e4345a16e1c759f636c38ad92a57ef369867a9533b7037

C:\Program Files\Unipro UGENE\plugins\biostruct3d_view.license

MD5 ffa10f40b98be2c2bc9608f56827ed23
SHA1 dc8f2e570bf431427dbc3bab9d4d551b53a60208
SHA256 189b1af95d661151e054cea10c91b3d754e4de4d3fecfb074c1fb29476f7167b
SHA512 1420da3215ed30afcf413935e20404cabe0723822c728ea29dcb9699533355ef1bee17660facdb55655241c2db30a7314d8ad6a4a3f72576b2721f522d487aa9

C:\Program Files\Unipro UGENE\tools\blast\makeblastdb.exe.manifest

MD5 7cb71b006fcdcf8ade80e31fd5ab8060
SHA1 655380fb2cca01b0ca707f748fc7dcf006732518
SHA256 be8918559280a2e74748bf8f6238b568ed7cbf75183b2180a6a8a979a1ebf243
SHA512 ce095bb84dbf2e72304471f97e80799185fab42b843f95bd84df4b97764786687807f057dc4434287c8982937329e664f7de476445ff6e2cbf298d7a44b48d55

C:\Program Files\Unipro UGENE\tools\mfold\mfold-3.6\share\mfold\sint6.dg

MD5 897316929176464ebc9ad085f31e7284
SHA1 09d2af8dd22201dd8d48e5dcfcaed281ff9422c7
SHA256 9a271f2a916b0b6ee6cecb2426f0b3206ef074578be55d9bc94f6f3fe3ab86aa
SHA512 a546d1300f49037a465ecec8bc1ebd07d57015a5ff1abfa1c94da9b30576933fb68e3898ff764d4de6e6741da822a7c93adc6e845806a266a63aa14c8bb09ebb

C:\Program Files\Unipro UGENE\tools\python3\Lib\site-packages\pip-23.2.1.dist-info\top_level.txt

MD5 365c9bfeb7d89244f2ce01c1de44cb85
SHA1 d7a03141d5d6b1e88b6b59ef08b6681df212c599
SHA256 ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508
SHA512 d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

C:\Program Files\Unipro UGENE\tools\trimmomatic\LICENSE

MD5 d32239bcb673463ab874e80d47fae504
SHA1 8624bcdae55baeef00cd11d5dfcfa60f68710a02
SHA256 8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903
SHA512 7633623b66b5e686bb94dd96a7cdb5a7e5ee00e87004fab416a5610d59c62badaf512a2e26e34e2455b7ed6b76690d2cd47464836d7d85d78b51d50f7e933d5c

C:\Program Files\Unipro UGENE\tools\perl5\lib\Unicode\Collate\Locale\nb.pl

MD5 66ed114afca8e09fa9af4c7011abaa0e
SHA1 93c34030bb195a3b9334230de8a7970adfa9ef72
SHA256 a8ca3f8067a7215ec8f168a2bffe0846d1024a9138626f88e048dbb5b112c93f
SHA512 90762b4df5ae25ee36bd3571437301179de15454c8ebdf5758acb86fe391cd17af4fe5fd05e1bc6be5a52e8b1a8b0986c43f86dd0ace5479083daaa7564918ab

C:\Program Files\Unipro UGENE\tools\mfold\mfold-3.6\bin\myps2img.bash

MD5 e3056941bd15507718d2d4b9e808c7d0
SHA1 de9ff3fc12304d4060e2a1d40b98e6b73cf03eef
SHA256 63f155ef26f370f8e7fde423288028f355798e0923f242831d5c2c56f8ce2374
SHA512 ee85f34ca427f2413e73e93e0a41004ba2a7e072b21efedf891fafa3857c4ef7aec48c77b340f5d66619fad2a87cac2599f52deb984ce2cb59665f1a275dbe84

C:\Program Files\Unipro UGENE\tools\java\lib\images\cursors\invalid32x32.gif

MD5 1e9d8f133a442da6b0c74d49bc84a341
SHA1 259edc45b4569427e8319895a444f4295d54348f
SHA256 1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b
SHA512 63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

\Program Files\Unipro UGENE\ugeneui.exe

MD5 e507b1eb783b3d0c66b87bee96720b0a
SHA1 3718357ba806e220056bc08f2186e33c2f646653
SHA256 9175593c40d4190821d325d5f9dc7274c83db687c0280eb253be4b858ef5ebb1
SHA512 d7856b3d813669cfaa52ad1fb39a6302764e1d0969d10103087401b07b41bf97df2f5bb2798bd022ef1ce886c892d887218851fcf7ab1a2ce7d961f0fc777eac

\Program Files\Unipro UGENE\Uninst.exe

MD5 17baabed1288e8c0f8e3ff152804aa89
SHA1 13cbfab9cf10e041cb4d4450b2b51800abaacc33
SHA256 5befc3ef39d7b4603122d5adc8600f63ae3333f1c8f1807addab4f5464e3f439
SHA512 e3246b060be76bbc8bf9b06f4da88aa6b06c017a103fc2a7f2f9d92dbf07371a4a41da2d927e4702d26bed73e89f6723c41a11593cc587a70202fe4b867f721a

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-14 13:06

Reported

2024-06-14 13:16

Platform

win7-20231129-en

Max time kernel

117s

Max time network

138s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\textwrap.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.py | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.py\ = "py_auto_file" | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\ | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\textwrap.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\textwrap.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\textwrap.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 eba08a9f723d26f21110697af9b7f4a4
SHA1 e898260adedf086c20579ba62110b689c78721f6
SHA256 1c00891f68858d44d321288704ac5df12c0488e08b2e0c9b0286d312867a0fa9
SHA512 1db924b7b568dc7c3a0f3088749540356c7e37326974d821439d994eb2b36e0d962a564420946f824c4b09a2c221fc35060c2aeb8cc01e32d389470b395a2f8a

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-14 13:06

Reported

2024-06-14 13:16

Platform

win10v2004-20240508-en

Max time kernel

56s

Max time network

101s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\textwrap.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\textwrap.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 52.111.227.14:443 tcp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-14 13:06

Reported

2024-06-14 13:16

Platform

win7-20240611-en

Max time kernel

122s

Max time network

140s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\timeit.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\.py C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\py_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\py_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\py_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\py_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\py_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\.py\ = "py_auto_file" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\timeit.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\timeit.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\timeit.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 a6acac9a853434ee728dfd269cd74d31
SHA1 716eb04a2f13e32ec7b7b3c3a597356e2a6de350
SHA256 54b22168520e5ca744420fb9d0acf9ecb76744513808e78a33ab62dc02ee9791
SHA512 8b3122b6dcbab4fed76d2cc2aca8904d48b027543fcbe081164d2055585243d91e18f7ef2f68ae178eda0b641198bb4da96b12b86227b273c38c21b4d8f96e49

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-14 13:06

Reported

2024-06-14 13:16

Platform

win7-20240508-en

Max time kernel

120s

Max time network

145s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\token.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\py_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\py_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\py_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.py C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\py_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\py_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.py\ = "py_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\token.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\token.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\token.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 5295fe925798b0093f8c1053a7cdf36d
SHA1 a341f4ddf7f3fd764704888d48c7d407361ab3a5
SHA256 280927437efdbd90f2150cac70146ee23322b339dd65c38b839e9d0104fa2c36
SHA512 82cfed9a9c6a2106192cd4d2df9499cc0426b6fa3fa82aafd93cc0e88e50aaa5111970fb7fc559b5ef4470f6d27a5bd2862b20d003e126f681e6095b61fd8c34

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-14 13:06

Reported

2024-06-14 13:16

Platform

win10v2004-20240508-en

Max time kernel

38s

Max time network

64s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\token.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\token.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-14 13:06

Reported

2024-06-14 13:16

Platform

win7-20240221-en

Max time kernel

121s

Max time network

140s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\traceback.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.py\ = "py_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.py C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\shell C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\traceback.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\traceback.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\traceback.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 cf72bc35ccc7d243a172d05be7db529f
SHA1 0f9995082bce4e043f6ede0503d6cb9fbcd60316
SHA256 995af3c640b43e4b998d5c1b23cd770f9b4612bec807b54db546ef72a209e1d0
SHA512 ba817da7429726b7e2ceb6d5d3509faae85952c90b5176944c862a51b50343c77536d1eb373b4869087a69d6bd9ab876ff6d7d567108d4e233cf95253bc9d97a

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-14 13:06

Reported

2024-06-14 13:17

Platform

win10v2004-20240508-en

Max time kernel

121s

Max time network

159s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\tempfile.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\tempfile.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-14 13:06

Reported

2024-06-14 13:17

Platform

win7-20240508-en

Max time kernel

122s

Max time network

147s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\threading.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.py C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.py\ = "py_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file\shell C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\threading.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\threading.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\threading.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 4e3be7806860809d4f1afde960bd7dc7
SHA1 335247d4ca4d1503688a6c1f093897a1be734ee3
SHA256 e0cd3e9445dd2af4ff7d8cd7723b2421717f9b007e6b706217b85733f1f43fc2
SHA512 f57e679b446149b27830572724f4907af43daf4ca9dd920811c80b963694f2f501a592354114aec99323ca3b8ed531a69ec446f297e5ca3c9d65d73fe95f1ac5

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-14 13:06

Reported

2024-06-14 13:16

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

0s

Max time network

132s

Command Line

[/tmp/tools/python3/Lib/trace.py]

Signatures

N/A

Processes

/tmp/tools/python3/Lib/trace.py

[/tmp/tools/python3/Lib/trace.py]

/usr/local/sbin/python3

[python3 /tmp/tools/python3/Lib/trace.py]

/usr/local/bin/python3

[python3 /tmp/tools/python3/Lib/trace.py]

/usr/sbin/python3

[python3 /tmp/tools/python3/Lib/trace.py]

/usr/bin/python3

[python3 /tmp/tools/python3/Lib/trace.py]

/sbin/python3

[python3 /tmp/tools/python3/Lib/trace.py]

/bin/python3

[python3 /tmp/tools/python3/Lib/trace.py]

/snap/bin/python3

[python3 /tmp/tools/python3/Lib/trace.py]

Network


Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-14 13:06

Reported

2024-06-14 13:16

Platform

win7-20231129-en

Max time kernel

117s

Max time network

137s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\tty.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.py\ = "py_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.py C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\tty.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\tty.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\tty.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 357dc5acd8c2d30b982e23fcae4fa56f
SHA1 7e2771770c899fb3b13af15907806ca1ddd6ff51
SHA256 cd61e264b2e3377d3438cb84f8caaa0f02ec4e42fa16094b463a07df38ad2037
SHA512 a3633bffe5565085420a8d1ab43dd69fd08e77d4664742318b1e1f2a155ff6e9b4dc5ea748a18464ae3b310209e5a0c71b054d386f6d197c037232d5ef71046d

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-14 13:06

Reported

2024-06-14 13:17

Platform

win10v2004-20240611-en

Max time kernel

125s

Max time network

167s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\tty.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\tty.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network


Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-14 13:06

Reported

2024-06-14 13:16

Platform

win7-20240220-en

Max time kernel

122s

Max time network

142s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\this.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\py_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.py\ = "py_auto_file" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\py_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.py C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\py_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\py_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\py_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\this.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\this.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\this.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 cfde5975dd78ad516536107a835915ff
SHA1 88e6bcbbc06d8abe75bd46ed624c8a0a8a41a0e7
SHA256 c979dd144fb581ae9bcd17a9a90e585dd3cabfa1cb3751de87f8f7332b7d6c1c
SHA512 8a0ea1f68bd1b0c1d07b81af2dc7e69e679407a91b3b0fd82b96cfb246fd03c90f5c35e1af16e819368dca204965982a62ae5e6c83f700f14b646f60a5fdcd6d

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-14 13:06

Reported

2024-06-14 13:17

Platform

win10v2004-20240611-en

Max time kernel

130s

Max time network

162s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\threading.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\threading.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network


Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-14 13:06

Reported

2024-06-14 13:17

Platform

debian9-mipsbe-20240611-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-14 13:06

Reported

2024-06-14 13:16

Platform

win7-20240508-en

Max time kernel

120s

Max time network

139s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\tracemalloc.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.py C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.py\ = "py_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\tracemalloc.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\tracemalloc.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\tracemalloc.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 00d8eeac8adffc2ae02aaac2c3e08733
SHA1 cb88dd0c50779dd65eef112e5b0ea8faf9b26e7f
SHA256 574d3e13b851a94a665dc68c9043e820d14c315785c42b9103f3ba82be79f776
SHA512 3ff0fe6574b7669ffa5517dfdc0a6793caa0d8164b73bf7150700ffe883250baa7926fd8eb8f22e5b27e520170e43af46e8dc3aeb80021a5238c524d724ec879

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-14 13:06

Reported

2024-06-14 13:18

Platform

debian9-mipsel-20240611-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-14 13:06

Reported

2024-06-14 13:16

Platform

win7-20240611-en

Max time kernel

121s

Max time network

139s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\types.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\py_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\.py\ = "py_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\py_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\py_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\py_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\.py C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\py_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\types.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\types.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\types.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 24b080cd357d6ea01d5564b5fe3216de
SHA1 cb19cd13b4f616e7fcf476a2217cd9ef546ab6e9
SHA256 8b781a57ca9df77d56fcbb571ef2c662c4beecb89a6a85e1935e3436ba27eef7
SHA512 4ce648b2c4d7cf8b8469f690997928bb683b4b7fa4c13f37c07d3fbb954d39ba004b8782beb88194c1aced26a918d5822c26be2222889c2aa6e5d49795f5048c

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-14 13:06

Reported

2024-06-14 13:16

Platform

win10v2004-20240508-en

Max time kernel

123s

Max time network

154s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\typing.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\typing.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-14 13:06

Reported

2024-06-14 13:16

Platform

win10v2004-20240611-en

Max time kernel

131s

Max time network

160s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\this.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\this.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 177.23.48.23.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-14 13:06

Reported

2024-06-14 13:22

Platform

debian9-armhf-20240611-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-14 13:06

Reported

2024-06-14 13:16

Platform

win10v2004-20240508-en

Max time kernel

41s

Max time network

64s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\types.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\types.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-14 13:06

Reported

2024-06-14 13:16

Platform

win7-20240221-en

Max time kernel

117s

Max time network

142s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\tempfile.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.py C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.py\ = "py_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\shell C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\tempfile.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\tempfile.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\tempfile.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 275d15eeed248fd6e3a7e96ef8dca506
SHA1 9aca1d1eff93d707aa57fc32333a2be2e30c4ff3
SHA256 a08e77678d0256ca2d7c883ab03de123e1c745c8aedf44a451b520e3c667e353
SHA512 6c49ca7ed6b079b77deab515939b1a80050730d0d5b7466c2400b911e097dd353e520e20145e80c994bb16a68a6edb26b48d362c1b48a6aba564a6cd28c8505e

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-14 13:06

Reported

2024-06-14 13:16

Platform

win7-20240611-en

Max time kernel

120s

Max time network

138s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\tokenize.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\py_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\.py\ = "py_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\py_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\py_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\py_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\.py C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\py_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\tokenize.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\tokenize.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\tokenize.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 dfba557f64e46e976ae964654b495202
SHA1 10c030d2e2cac3d90a4fbad4a5f591754014b96c
SHA256 2208a4afc7468ec268234edde53410be4cbaa61d3232b59965193db5cc743cd2
SHA512 c9995406a160c8d1c2fe112d905a595975656ab2e2e6c8f3de52d5f72549312d3afc6571cd6cf4b4f1fb45836deac934b3376825c7791095086dd9277022afb0

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-14 13:06

Reported

2024-06-14 13:16

Platform

win10v2004-20240508-en

Max time kernel

40s

Max time network

64s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\tokenize.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\tokenize.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-14 13:06

Reported

2024-06-14 13:16

Platform

win10v2004-20240508-en

Max time kernel

41s

Max time network

64s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\traceback.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\traceback.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-14 13:06

Reported

2024-06-14 13:16

Platform

win10v2004-20240508-en

Max time kernel

39s

Max time network

66s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\turtle.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\turtle.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-14 13:06

Reported

2024-06-14 13:16

Platform

win7-20240508-en

Max time kernel

119s

Max time network

138s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\typing.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\py_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\py_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\py_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\py_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.py C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.py\ = "py_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\py_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\typing.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\typing.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\typing.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 9b1f5affa34e5707cb366667d3074c39
SHA1 5b1a4f6b15bcce3ebab3f91d5fba0358da4bb7ca
SHA256 0de57e4472ee8a1cc824f6908c6ca4c9857614a6b2cbeef29c4beb0d1b6f7c01
SHA512 813d968711922d2d57a7855ad6864072eae33567a615ef347112f74528c0cab943f777d938ee60f78dca986b8aa297630792a91b878bff344478a2ff094098dd

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 13:06

Reported

2024-06-14 13:16

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe"

Signatures

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Unipro UGENE\tools\mfold\gs\gs10.02.0\lib\stc800ih.upp C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\perl5\lib\CPAN\FTP\netrc.pm C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\perl5\lib\DateTime\Locale\en_UM.pod C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\perl5\lib\DateTime\Locale\sw_UG.pod C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\data\sitecon_models\prokaryotic\MODE.sitecon.gz C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\data\workflow_samples\NGS\tuxedo\tuxedo_no_novel_transcr_paired.uwl C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\perl5\lib\URI\news.pm C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\perl5\lib\pods\perlos390.pod C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\perl5\lib\Params\ValidatePP.pm C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\perl5\lib\Test2\Compare\Object.pm C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\data\sitecon_models\eukaryotic\NF1.sitecon.gz C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\plugins\biostruct3d_view.plugin C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\mfold\gs\gs10.02.0\lib\lpgs.bat C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\perl5\lib\Locale\Codes\LangVar_Retired.pm C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\perl5\lib\auto\share\dist\DateTime-Locale\kab.pl C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\perl5\lib\unicore\lib\Sc\Limb.pl C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\data\position_weight_matrix\JASPAR\fungi\MA0326.1.pfm C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\data\position_weight_matrix\UniPROBE\Cell08\Pbx1_3203.1.pwm C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\blast\msvcp140.dll C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\perl5\lib\auto\share\dist\DateTime-Locale\pa-Guru.pl C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\perl5\bin\dateparse.bat C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\perl5\bin\lwp-dump.bat C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\perl5\lib\DateTime\TimeZone\Africa\Accra.pm C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\perl5\lib\Unicode\Collate\Locale\is.pl C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\data\position_weight_matrix\JASPAR\fungi\MA0418.1.pfm C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\mfold\gs\gs10.02.0\lib\gsnd.bat C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\perl5\lib\DateTime\Locale\it.pod C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\perl5\lib\auto\share\dist\DateTime-Locale\en-MT.pl C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\python3\Lib\encodings\mbcs.py C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\python3\Lib\multiprocessing\dummy\connection.py C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\mfold\msys64\usr\bin\msys-pcre-1.dll C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\perl5\lib\CPAN\API\HOWTO.pod C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\perl5\lib\B\Hooks\EndOfScope\XS.pm C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\perl5\lib\ExtUtils\MANIFEST.SKIP C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\python3\Lib\xml\sax\__init__.py C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\fastqc\uk\ac\babraham\FastQC\Modules\AdapterContent.class C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\mfold\gs\gs10.02.0\Resource\Init\gs_agl.ps C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\perl5\lib\DateTime\Locale\kab_DZ.pod C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\perl5\lib\ExtUtils\Command\MM.pm C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\perl5\lib\Moose\Manual\Attributes.pod C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\perl5\lib\Moose\Meta\Role\Method\Conflicting.pm C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\perl5\lib\Test2\EventFacet\Amnesty.pm C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\perl5\lib\URI\mms.pm C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\mfold\gs\gs10.02.0\lib\landscap.ps C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\perl5\lib\DateTime\Locale\fr_MC.pod C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\python3\Lib\mimetypes.py C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\perl5\lib\unicore\lib\Sc\Telu.pl C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\python3\Lib\_compat_pickle.py C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\perl5\lib\DateTime\Locale\fi.pod C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\perl5\lib\DateTime\TimeZone\America\Hermosillo.pm C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\perl5\lib\auto\share\dist\DateTime-Locale\fr-BE.pl C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\perl5\lib\auto\share\dist\DateTime-Locale\hr-HR.pl C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\fastqc\Configuration\adapter_list.txt C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\mafft\usr\bin\cut.exe C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\perl5\lib\auto\share\dist\DateTime-Locale\rn.pl C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\perl5\lib\unicore\lib\Nv\1000.pl C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\python3\Lib\site-packages\dnaio\_conversions.h C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\python3\Lib\site-packages\pip\_vendor\packaging\__about__.py C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\perl5\lib\DateTime\Locale\FromData.pm C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\perl5\lib\DateTime\Locale\so_SO.pod C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\data\position_weight_matrix\JASPAR\fungi\MA0320.1.pfm C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\perl5\lib\unicore\lib\Nv\6.pl C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\python3\Lib\configparser.py C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
File created C:\Program Files\Unipro UGENE\tools\python3\Lib\site-packages\pip\_internal\resolution\resolvelib\factory.py C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FASTQ file\DefaultIcon C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.msf C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FASTA short reads file\shell\open\command\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe \"%1\"" C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.em\ = "EMBL file" C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ugenedb C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\UGENE Workflow Language\DefaultIcon C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\UGENE Workflow Language\shell\open\command C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Protein Data Bank file\ = "Protein Data Bank file" C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.seq C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\UGENE Query Language\shell\ = "open" C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Clustal alignment file\DefaultIcon C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSF multiple sequence file\DefaultIcon C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FASTA short reads file\DefaultIcon\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe,1" C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FASTA sequence file C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Genbank plain text file\DefaultIcon C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.msf\ = "MSF multiple sequence file" C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SAM genome assembly\DefaultIcon\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe,1" C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BAM genome assembly\DefaultIcon C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Unipro UGENE project file\shell\open\command\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe \"%1\"" C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FASTQ file\shell\ = "open" C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.gb\ = "Genbank plain text file" C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.srfasta C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sto C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ABIF file\DefaultIcon C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EMBL file\shell\open C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Genbank plain text file C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.gen C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.uprj C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FASTA short reads file\shell\ = "open" C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Clustal alignment file\shell\open\command\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe \"%1\"" C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FASTQ file\shell\open C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSF multiple sequence file\shell C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SAM genome assembly\shell\open\command C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.em C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GFF format C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.srfa C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Genbank plain text file\shell\open\command C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Genbank plain text file\ = "Genbank plain text file" C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.gff C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Unipro UGENE project file\shell C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Swiss-Prot file\DefaultIcon\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe,1" C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.fna C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSF multiple sequence file\DefaultIcon\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe,1" C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.abif C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.genbank C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Swiss-Prot file\DefaultIcon C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Swiss-Prot file\shell\open\command\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe \"%1\"" C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSF multiple sequence file C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\UGENE Database\DefaultIcon C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\UGENE Workflow Language C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Unipro UGENE project file\DefaultIcon\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe,0" C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pdb\ = "Protein Data Bank file" C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.uql\ = "UGENE Query Language" C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.uwl C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EMBL file\shell\ = "open" C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Clustal alignment file\DefaultIcon\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe,1" C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.gen\ = "Genbank plain text file" C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.genbank\ = "Genbank plain text file" C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSF multiple sequence file\ = "MSF multiple sequence file" C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Unipro UGENE project file\shell\open\command C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EMBL file\DefaultIcon C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\UGENE Workflow Language\DefaultIcon\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe,1" C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Clustal alignment file\shell C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Clustal alignment file\ = "Clustal alignment file" C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe

"C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nse76D8.tmp\System.dll

MD5 fbe295e5a1acfbd0a6271898f885fe6a
SHA1 d6d205922e61635472efb13c2bb92c9ac6cb96da
SHA256 a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
SHA512 2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

C:\Users\Admin\AppData\Local\Temp\nse76D8.tmp\LangDLL.dll

MD5 de3558ce305e32f742ff25b697407fec
SHA1 d55c50c546001421647f2e91780c324dbb8d6ebb
SHA256 98160b4ebb4870f64b13a45f5384b693614ae5ca1b5243edf461ca0b5a6d479a
SHA512 7081654001cba9263e6fb8d5b8570ba29a3de89621f52524aa7941ba9e6dfd963e5ef7b073f193b9df70300af04d7f72f93d0241d8c70ccdbecfd9092e166cac

C:\Users\Admin\AppData\Local\Temp\nse76D8.tmp\nsDialogs.dll

MD5 ab101f38562c8545a641e95172c354b4
SHA1 ec47ac5449f6ee4b14f6dd7ddde841a3e723e567
SHA256 3cdf3e24c87666ed5c582b8b028c01ee6ac16d5a9b8d8d684ae67605376786ea
SHA512 72d4b6dc439f40b7d68b03353a748fc3ad7ed10b0401741c5030705d9b1adef856406075e9ce4f1a08e4345a16e1c759f636c38ad92a57ef369867a9533b7037

C:\Program Files\Unipro UGENE\plugins\biostruct3d_view.license

MD5 ffa10f40b98be2c2bc9608f56827ed23
SHA1 dc8f2e570bf431427dbc3bab9d4d551b53a60208
SHA256 189b1af95d661151e054cea10c91b3d754e4de4d3fecfb074c1fb29476f7167b
SHA512 1420da3215ed30afcf413935e20404cabe0723822c728ea29dcb9699533355ef1bee17660facdb55655241c2db30a7314d8ad6a4a3f72576b2721f522d487aa9

C:\Program Files\Unipro UGENE\tools\blast\makeblastdb.exe.manifest

MD5 7cb71b006fcdcf8ade80e31fd5ab8060
SHA1 655380fb2cca01b0ca707f748fc7dcf006732518
SHA256 be8918559280a2e74748bf8f6238b568ed7cbf75183b2180a6a8a979a1ebf243
SHA512 ce095bb84dbf2e72304471f97e80799185fab42b843f95bd84df4b97764786687807f057dc4434287c8982937329e664f7de476445ff6e2cbf298d7a44b48d55

C:\Program Files\Unipro UGENE\tools\mfold\mfold-3.6\share\mfold\sint6.dg

MD5 897316929176464ebc9ad085f31e7284
SHA1 09d2af8dd22201dd8d48e5dcfcaed281ff9422c7
SHA256 9a271f2a916b0b6ee6cecb2426f0b3206ef074578be55d9bc94f6f3fe3ab86aa
SHA512 a546d1300f49037a465ecec8bc1ebd07d57015a5ff1abfa1c94da9b30576933fb68e3898ff764d4de6e6741da822a7c93adc6e845806a266a63aa14c8bb09ebb

C:\Program Files\Unipro UGENE\tools\python3\Lib\site-packages\pip-23.2.1.dist-info\top_level.txt

MD5 365c9bfeb7d89244f2ce01c1de44cb85
SHA1 d7a03141d5d6b1e88b6b59ef08b6681df212c599
SHA256 ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508
SHA512 d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

C:\Program Files\Unipro UGENE\tools\trimmomatic\LICENSE

MD5 d32239bcb673463ab874e80d47fae504
SHA1 8624bcdae55baeef00cd11d5dfcfa60f68710a02
SHA256 8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903
SHA512 7633623b66b5e686bb94dd96a7cdb5a7e5ee00e87004fab416a5610d59c62badaf512a2e26e34e2455b7ed6b76690d2cd47464836d7d85d78b51d50f7e933d5c

C:\Program Files\Unipro UGENE\tools\perl5\lib\Unicode\Collate\Locale\nb.pl

MD5 66ed114afca8e09fa9af4c7011abaa0e
SHA1 93c34030bb195a3b9334230de8a7970adfa9ef72
SHA256 a8ca3f8067a7215ec8f168a2bffe0846d1024a9138626f88e048dbb5b112c93f
SHA512 90762b4df5ae25ee36bd3571437301179de15454c8ebdf5758acb86fe391cd17af4fe5fd05e1bc6be5a52e8b1a8b0986c43f86dd0ace5479083daaa7564918ab

C:\Program Files\Unipro UGENE\tools\mfold\mfold-3.6\bin\myps2img.bash

MD5 e3056941bd15507718d2d4b9e808c7d0
SHA1 de9ff3fc12304d4060e2a1d40b98e6b73cf03eef
SHA256 63f155ef26f370f8e7fde423288028f355798e0923f242831d5c2c56f8ce2374
SHA512 ee85f34ca427f2413e73e93e0a41004ba2a7e072b21efedf891fafa3857c4ef7aec48c77b340f5d66619fad2a87cac2599f52deb984ce2cb59665f1a275dbe84

C:\Program Files\Unipro UGENE\tools\java\lib\images\cursors\invalid32x32.gif

MD5 1e9d8f133a442da6b0c74d49bc84a341
SHA1 259edc45b4569427e8319895a444f4295d54348f
SHA256 1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b
SHA512 63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

C:\Program Files\Unipro UGENE\ugeneui.exe

MD5 e507b1eb783b3d0c66b87bee96720b0a
SHA1 3718357ba806e220056bc08f2186e33c2f646653
SHA256 9175593c40d4190821d325d5f9dc7274c83db687c0280eb253be4b858ef5ebb1
SHA512 d7856b3d813669cfaa52ad1fb39a6302764e1d0969d10103087401b07b41bf97df2f5bb2798bd022ef1ce886c892d887218851fcf7ab1a2ce7d961f0fc777eac

C:\Users\Admin\AppData\Local\Temp\nse76D8.tmp\modern-wizard.bmp

MD5 59ed2684c564aa9dcb6859342a97b960
SHA1 d7ca551a1340e2a31106171ead92631e79983949
SHA256 d238273737a291fb4129e33415cb66131756782428b86fe13894d8bf1b4abb7c
SHA512 c41433f1baf5b1826496ab9146be1b9e45e1f6208a74b54120cf421fee51900409fbc92e978d9213d4c0dcd0e937c390f782e787d8d7032fae62e1d957a3e9f6

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-14 13:06

Reported

2024-06-14 13:17

Platform

win10v2004-20240611-en

Max time kernel

118s

Max time network

166s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\timeit.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\timeit.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-14 13:06

Reported

2024-06-14 13:18

Platform

win10v2004-20240226-en

Max time kernel

93s

Max time network

219s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\tracemalloc.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\tracemalloc.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
GB 96.16.110.114:80 N/A tcp
US 8.8.8.8:53 125.162.192.69.in-addr.arpa udp
GB 142.250.187.234:443 N/A tcp
US 13.107.246.64:443 N/A tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 28.77.24.184.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 49.192.11.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-14 13:06

Reported

2024-06-14 13:16

Platform

win7-20240221-en

Max time kernel

102s

Max time network

28s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\turtle.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.py\ = "py_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.py C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
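The "Modifies registry class" rows in this report (the HKLM file-type registrations the installer writes at the top of this section, and the per-user py_auto_file association that the Open With dialog wrote via rundll32.exe in behavioral27) are flattened into one line each, with backslashes and quotes escaped inside the value column. The helper below is an added example, not part of the report or of the sandbox's tooling: it parses rows of that shape, rebuilds the ProgID to extension and to shell-verb handler mapping, records whether the change landed in HKLM or in a per-user Classes hive, and flags any handler executable that resolves into a user-writable location. The sample rows are copied from this page except for one row marked CONSTRUCTED, which is invented solely so the check has something to flag; the user-writable prefix list is an assumption, not a Windows definition.

```python
import re
from collections import defaultdict

# Sample input: rows copied from the "Modifies registry class" tables of this
# report, plus ONE made-up row (tagged CONSTRUCTED) that points a handler at a
# user-writable directory so the check below has something to flag.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Genbank plain text file\ = "Genbank plain text file" C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.gff C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Swiss-Prot file\DefaultIcon\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe,1" C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Swiss-Prot file\shell\open\command\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe \"%1\"" C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.gen\ = "Genbank plain text file" C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.genbank\ = "Genbank plain text file" C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.py\ = "py_auto_file" C:\Windows\system32\rundll32.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A',
    # CONSTRUCTED: not from the report. A handler under the user profile.
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\evil_file\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\x.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A',
]

# Columns: Description, Indicator (path, optionally ' = "value"'), Process, Target.
# The indicator is matched lazily; the process column is the first token after a
# space that looks like a drive path ending in .exe, which never occurs inside
# the escaped value strings (there the drive letter follows a quote, not a space).
ROW_RE = re.compile(
    r'^(?P<desc>Key created|Set value \([a-z]+\)) '
    r'(?P<indicator>\\REGISTRY\\.+?) '
    r'(?P<process>[A-Za-z]:\\.+?\.exe) '
    r'(?P<target>\S+)$')
IND_RE = re.compile(r'^(?P<path>\\REGISTRY\\.+?)(?: = "(?P<value>.*)")?$')
# \REGISTRY\MACHINE\SOFTWARE\Classes\... (HKLM) or \REGISTRY\USER\<SID>_Classes\... (HKCU)
CLASSES_RE = re.compile(
    r'^\\REGISTRY\\(?P<hive>MACHINE\\SOFTWARE\\|USER\\[^\\]+_)CLASSES\\(?P<rest>.*)$',
    re.IGNORECASE)
# Assumed list of locations an unprivileged user can write to (not exhaustive).
USER_WRITABLE_RE = re.compile(r'^[A-Za-z]:\\(Users|ProgramData|Windows\\Temp)\\', re.IGNORECASE)


def parse_row(row):
    """Split one flattened 'Modifies registry class' row into its columns, or None."""
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    ind = IND_RE.match(m.group('indicator'))
    value = ind.group('value')
    if value is not None:
        value = re.sub(r'\\(.)', r'\1', value)  # undo the report's \\ and \" escaping
    return {'desc': m.group('desc'), 'path': ind.group('path'),
            'value': value, 'process': m.group('process')}


def classes_parts(path):
    """Return (hive, [key components]) for a path under a Classes root, else None."""
    m = CLASSES_RE.match(path)
    if not m:
        return None
    hive = 'HKLM' if m.group('hive').upper().startswith('MACHINE') else 'HKCU'
    return hive, [p for p in m.group('rest').split('\\') if p]


def summarize(rows):
    """Rebuild ProgID -> {hive, name, extensions, icon, commands{verb: cmd}}."""
    progids = defaultdict(lambda: {'hive': None, 'name': None, 'extensions': [],
                                   'icon': None, 'commands': {}})
    ext_to_progid = {}
    for row in rows:
        rec = parse_row(row)
        cls = classes_parts(rec['path']) if rec else None
        if not cls or not cls[1]:
            continue
        hive, parts = cls
        head, sub = parts[0], [p.lower() for p in parts[1:]]
        if head.startswith('.'):                      # extension key -> ProgID
            if rec['value'] is not None and not sub:
                ext_to_progid[head.lower()] = rec['value']
            continue
        entry = progids[head]
        entry['hive'] = hive
        if not sub and rec['value'] is not None:      # (Default) = friendly name
            entry['name'] = rec['value']
        elif sub == ['defaulticon'] and rec['value'] is not None:
            entry['icon'] = rec['value']
        elif len(sub) == 3 and sub[0] == 'shell' and sub[2] == 'command' and rec['value'] is not None:
            entry['commands'][parts[2]] = rec['value']  # verb keeps its original case
    for ext, progid in ext_to_progid.items():
        progids[progid]['extensions'].append(ext)
    return dict(progids)


def handler_exe(command):
    """Executable part of a shell\\<verb>\\command string (quoted or unquoted)."""
    m = re.match(r'^"([^"]+)"', command) or re.match(r'^(.+?\.exe)', command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def findings(summary):
    """(hive, ProgID, verb, exe) for every handler that lives in a user-writable path."""
    return [(e['hive'], progid, verb, handler_exe(cmd))
            for progid, e in summary.items()
            for verb, cmd in e['commands'].items()
            if USER_WRITABLE_RE.match(handler_exe(cmd))]


if __name__ == '__main__':
    s = summarize(SAMPLE_ROWS)
    for progid, e in s.items():
        print(progid, e['hive'], e['extensions'], e['commands'])
    print('flagged:', findings(s))
```

Two points the output makes visible: the installer's associations sit in HKLM and point into Program Files, while the py_auto_file entry was written by rundll32.exe into the sandbox user's own Classes hive after the Open With prompt, not by the sample. A per-user Classes entry takes precedence over the HKLM one for the same extension and needs no elevation, so in a real triage the hive column is worth checking before the handler path.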

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\turtle.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\turtle.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\turtle.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 a4787a587aed13ee9969da54457bfaf8
SHA1 c09f02f0651ae9d86a9d9e25fb72494f07f41a31
SHA256 f6f80273e2f6a6e8768beda6f15e07d0c073baf06f926210bb57fb53cb8dff49
SHA512 4a4be619843563d274eca0ec641fc614b054ef8676915d6ef4ad4671068f96d3e3b182f8926de35e03b181cb2da1f3ec8dea567832482bf0b3c9950c19a6a46c