Analysis Overview
SHA256
a2792b8d2290310062cfa14c52036192f8359af62ee7ff3be63e86ddbf637d75
Threat Level: Likely benign
The file ugene-50.0-win-x86-64.exe was found to be: Likely benign.
Malicious Activity Summary
Checks installed software on the system
Loads dropped DLL
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
NSIS installer
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-14 13:11
Signatures
Unsigned PE
NSIS installer
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 13:06
Reported
2024-06-14 13:18
Platform
win7-20231129-en
Max time kernel
311s
Max time network
316s
Command Line
Signatures
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\CPAN\Nox.pm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\pods\perlmodinstall.pod | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\python3\Lib\site-packages\pip\_vendor\distro\__init__.py | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\data\weight_matrix\pam410.txt | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\mfold\gs\gs10.02.0\Resource\Init\gs_dscp.ps | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\Encode.pm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\DateTime\Locale\en_SB.pod | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\DateTime\TimeZone\Pacific\Funafuti.pm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\unicore\lib\Gc\M.pl | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\python3\Lib\tomllib\_types.py | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\data\position_weight_matrix\JASPAR\insects\MA0251.1.pfm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\data\position_weight_matrix\UniPROBE\GR09\Rds2.pwm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\Config\Tiny.pm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\Moose\Exception\MetaclassIsARoleNotASubclassOfGivenMetaclass.pm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\python3\Lib\multiprocessing\queues.py | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\mfold\mfold-3.6\bin\reformat-seq.sh | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\ExtUtils\ParseXS\Eval.pm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\Locale\Codes\Country.pod | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\data\position_weight_matrix\UniPROBE\GR09\Yox1.pwm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\Moose\Meta\Method\Accessor\Native\String\substr.pm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\auto\share\dist\DateTime-Locale\vi-VN.pl | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\python3\Lib\subprocess.py | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\python3\Lib\site-packages\pip\_vendor\platformdirs\unix.py | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\DateTime\Locale\si.pod | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\auto\ActivePerl\DocTools\.packlist | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\auto\share\dist\DateTime-Locale\en-CY.pl | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\DateTime\Locale\de_LI.pod | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\Moose\Exception\OverloadRequiresAMetaMethod.pm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\PPIx\Regexp\Structure\CharClass.pm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\SQL\Eval.pm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\auto\share\dist\DateTime-Locale\qu.pl | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\fastqc\uk\ac\babraham\FastQC\FastQCConfig.class | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\bignum.pm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\DateTime\Locale\bo_CN.pod | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\unicore\lib\Perl\_PerlFol.pl | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\data\position_weight_matrix\JASPAR\fungi\MA0408.1.pfm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\python3\DLLs\pyd.ico | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\python3\Lib\encodings\utf_16_le.py | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\auto\share\dist\DateTime-Locale\es-CU.pl | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\data\position_weight_matrix\JASPAR\fungi\MA0409.1.pfm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\mfold\gs\gs10.02.0\Resource\CMap\CNS2-V | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\DateTime\TimeZone\Europe\Vienna.pm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\CORE\perlhost.h | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\Devel\NYTProf.pm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\auto\share\dist\DateTime-Locale\fr-MQ.pl | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\unicore\lib\Age\V50.pl | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\python3\Lib\lib2to3\fixer_util.py | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\data\position_weight_matrix\UniPROBE\Cell08\Lmx1b_3433.2.pwm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\fastqc\uk\ac\babraham\FastQC\Help\HelpDialog.class | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\mfold\gs\gs10.02.0\lib\bjc610a2.upp | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\python3\Lib\site-packages\pip\_internal\resolution\resolvelib\factory.py | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\python3\Lib\site-packages\pip\_vendor\pyproject_hooks\_in_process\__init__.py | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\python3\include\internal\pycore_symtable.h | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\mfold\gs\gs10.02.0\Resource\Font\NimbusSans-BoldItalic | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\auto\share\dist\DateTime-Locale\sv-AX.pl | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\unicore\lib\Nt\Nu.pl | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\Term\ReadLine\Perl.pm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\Test\Builder\Formatter.pm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\Unicode\Collate\Locale\as.pl | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\auto\share\dist\DateTime-Locale\os-RU.pl | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\data\weight_matrix\pam240.txt | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\plugins\remote_blast.plugin | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\mfold\msys64\usr\bin\msys-2.0.dll | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\CPAN\Distroprefs.pm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
Enumerates physical storage devices
NSIS installer
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Swiss-Prot file\shell\open | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.gen | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSF multiple sequence file\shell | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSF multiple sequence file\shell\open\command | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.newick\ = "NEWICK tree file" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Unipro UGENE project file\shell | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.gbk | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Protein Data Bank file | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.sam | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.genbank | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BAM genome assembly\shell\open\command | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BAM genome assembly\shell\open | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FASTQ file\ = "FASTQ file" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FASTA short reads file | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Clustal alignment file\shell\open\command | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NEWICK tree file\shell\open\command\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe \"%1\"" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ugenedb | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\UGENE Database\shell | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\UGENE Database | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\UGENE Query Language\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\UGENE Query Language\shell\open\command\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe \"%1\"" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FASTA sequence file\ = "FASTA sequence file" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Genbank plain text file\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.msf | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NEWICK tree file\shell\open\command | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stockholm alignment file\DefaultIcon\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe,1" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\UGENE Workflow Language\shell\open\command | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Clustal alignment file | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSF multiple sequence file\shell\open | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.fsa\ = "FASTA sequence file" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SAM genome assembly | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ABIF file\shell\ = "open" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BAM genome assembly\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\UGENE Workflow Language\shell\open | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GFF format\shell | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GFF format\shell\open\command | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NEWICK tree file\shell | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FASTA short reads file\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GFF format\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.newick | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stockholm alignment file\shell\ = "open" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ABIF file\ = "ABIF file" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Swiss-Prot file\shell | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FASTQ file\shell\open\command\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe \"%1\"" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.gff\ = "GFF format" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SAM genome assembly\shell\ = "open" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\EMBL file\DefaultIcon\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe,1" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Swiss-Prot file\ = "Swiss-Prot file" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mpfa | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BAM genome assembly\shell\ = "open" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Protein Data Bank file\ = "Protein Data Bank file" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Protein Data Bank file\shell\ = "open" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FASTA short reads file\shell\ = "open" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Unipro UGENE project file\ = "Unipro UGENE project file" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ABIF file\shell\open\command\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe \"%1\"" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.abi | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.fa\ = "FASTA sequence file" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Genbank plain text file\shell | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\UGENE Database\shell\ = "open" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.uql | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\EMBL file\shell\open\command | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Swiss-Prot file | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\UGENE Database\shell\open\command\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe \"%1\"" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.srfasta\ = "FASTA short reads file" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
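The rows above are the installer registering a ProgID per UGENE file type (Swiss-Prot, GenBank, FASTQ, NEWICK and so on), each with a `shell\open\command` that points at `ugeneui.exe` and a `DefaultIcon` on the same binary; the per-user `py_auto_file` rows in behavioral5 further down are the same mechanism driven by the Open With dialog. The check an analyst wants on a table like this is whether every registered handler resolves to an executable the sample itself dropped. The script below is an added example for this page, not code from the sandbox vendor or from UGENE: it parses rows in the report's own table format (a handful copied verbatim from behavioral1 and behavioral5 serve as sample input), extracts each `Classes\<ProgID>\shell\<verb>\command` value, resolves the executable the way CreateProcess resolves an unquoted command line, and compares it with the executables listed in this report's Files section. The helper names and the `DROPPED_EXES` set are mine; the set's contents come from the Files list.

```python
r"""Audit the shell verb handlers recorded under "Modifies registry class".

Added example for this report page; not sandbox-vendor or UGENE code. It
parses rows in the report's own table format, pulls out every
Classes\<ProgID>\shell\<verb>\command value, and checks that the handler is an
executable the sample itself dropped (the Files section lists ugeneui.exe and
Uninst.exe). A handler that the sample did not drop is a file-association
change pointing at a foreign binary and is worth a second look.
"""
import re
from pathlib import PureWindowsPath

# Rows copied verbatim from this report: four from the behavioral1 table
# (HKLM) and the py_auto_file row from behavioral5 (per-user hive).
SAMPLE_ROWS = r"""
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NEWICK tree file\shell\open\command\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe \"%1\"" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stockholm alignment file\DefaultIcon\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe,1" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.fa\ = "FASTA sequence file" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.gbk | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
"""

# Executables the installer wrote, taken from the Files section of behavioral1.
DROPPED_EXES = {
    r"C:\Program Files\Unipro UGENE\ugeneui.exe",
    r"C:\Program Files\Unipro UGENE\Uninst.exe",
}

# ...\Classes\<ProgID>\shell\<verb>\command (the per-user hive spells it _CLASSES)
COMMAND_KEY = re.compile(
    r"classes\\(?P<progid>[^\\]+)\\shell\\(?P<verb>[^\\]+)\\command\\?$", re.IGNORECASE)


def parse_rows(table_text):
    """Yield (description, indicator, process) for each four-cell table row."""
    for line in table_text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line[1:-1].split("|")]
        if len(cells) == 4 and cells[0] != "Description":
            yield cells[0], cells[1], cells[2]


def split_indicator(indicator):
    r"""Split 'key\ = "value"' into (key, value); value is None for key-only rows.
    The report prints values with C-style escapes (\\ and \"), so undo one level."""
    m = re.match(r'^(?P<key>.*?) = "(?P<val>.*)"$', indicator)
    if not m:
        return indicator.rstrip("\\"), None
    return m.group("key").rstrip("\\"), re.sub(r"\\(.)", r"\1", m.group("val"))


def handler_exe(command):
    r"""Return (executable, quoted) for a shell verb command line.
    An unquoted path containing spaces is resolved prefix by prefix, the order
    CreateProcess documents for an unquoted lpCommandLine: C:\Program, then
    C:\Program Files\Unipro, and so on until a token ending in .exe is found."""
    if command.startswith('"'):
        return command[1:command.index('"', 1)], True
    tokens = command.split(" ")
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if candidate.lower().endswith(".exe"):
            return candidate, False
    return tokens[0], False


def norm(path):
    """Case-insensitive path key for comparison."""
    return str(PureWindowsPath(path)).lower()


def audit(table_text, dropped_exes=DROPPED_EXES):
    r"""One finding per registered verb command. 'dropped' is False when the
    handler is not a file the sample wrote. 'hive' matters because the
    per-user hive (HKCU\Software\Classes) takes precedence over HKLM for that user."""
    known = {norm(p) for p in dropped_exes}
    findings = []
    for desc, indicator, process in parse_rows(table_text):
        if desc != "Set value (str)":
            continue
        key, value = split_indicator(indicator)
        m = COMMAND_KEY.search(key)
        if not m or value is None:
            continue
        exe, quoted = handler_exe(value)
        findings.append({
            "hive": "HKLM" if key.upper().startswith(r"\REGISTRY\MACHINE") else "HKU",
            "progid": m.group("progid"),
            "verb": m.group("verb"),
            "exe": exe,
            "quoted": quoted,
            "dropped": norm(exe) in known,
            "writer": process,
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_ROWS):
        flag = "ok" if f["dropped"] else "FOREIGN HANDLER"
        if not f["quoted"]:
            flag += ", unquoted path"
        print(f"{f['hive']} {f['progid']!r} {f['verb']}: {f['exe']}  [{flag}]")
```

Run as a script it prints one line per handler. The NEWICK command comes back as dropped-by-sample, with `quoted` False because the report records the value as `C:\\Program Files\\Unipro UGENE\\ugeneui.exe \"%1\"` with no quotes around the executable path; the `py_auto_file` row is flagged as a handler the sample did not drop, which for this report is the sandbox's own Open With selection of Adobe Reader rather than installer behaviour. `DefaultIcon` and extension-to-ProgID rows are parsed but not audited, since they do not name a command.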
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe
"C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\nsi3084.tmp\System.dll
| MD5 | fbe295e5a1acfbd0a6271898f885fe6a |
| SHA1 | d6d205922e61635472efb13c2bb92c9ac6cb96da |
| SHA256 | a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1 |
| SHA512 | 2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06 |
\Users\Admin\AppData\Local\Temp\nsi3084.tmp\LangDLL.dll
| MD5 | de3558ce305e32f742ff25b697407fec |
| SHA1 | d55c50c546001421647f2e91780c324dbb8d6ebb |
| SHA256 | 98160b4ebb4870f64b13a45f5384b693614ae5ca1b5243edf461ca0b5a6d479a |
| SHA512 | 7081654001cba9263e6fb8d5b8570ba29a3de89621f52524aa7941ba9e6dfd963e5ef7b073f193b9df70300af04d7f72f93d0241d8c70ccdbecfd9092e166cac |
\Users\Admin\AppData\Local\Temp\nsi3084.tmp\nsDialogs.dll
| MD5 | ab101f38562c8545a641e95172c354b4 |
| SHA1 | ec47ac5449f6ee4b14f6dd7ddde841a3e723e567 |
| SHA256 | 3cdf3e24c87666ed5c582b8b028c01ee6ac16d5a9b8d8d684ae67605376786ea |
| SHA512 | 72d4b6dc439f40b7d68b03353a748fc3ad7ed10b0401741c5030705d9b1adef856406075e9ce4f1a08e4345a16e1c759f636c38ad92a57ef369867a9533b7037 |
C:\Program Files\Unipro UGENE\plugins\biostruct3d_view.license
| MD5 | ffa10f40b98be2c2bc9608f56827ed23 |
| SHA1 | dc8f2e570bf431427dbc3bab9d4d551b53a60208 |
| SHA256 | 189b1af95d661151e054cea10c91b3d754e4de4d3fecfb074c1fb29476f7167b |
| SHA512 | 1420da3215ed30afcf413935e20404cabe0723822c728ea29dcb9699533355ef1bee17660facdb55655241c2db30a7314d8ad6a4a3f72576b2721f522d487aa9 |
C:\Program Files\Unipro UGENE\tools\blast\makeblastdb.exe.manifest
| MD5 | 7cb71b006fcdcf8ade80e31fd5ab8060 |
| SHA1 | 655380fb2cca01b0ca707f748fc7dcf006732518 |
| SHA256 | be8918559280a2e74748bf8f6238b568ed7cbf75183b2180a6a8a979a1ebf243 |
| SHA512 | ce095bb84dbf2e72304471f97e80799185fab42b843f95bd84df4b97764786687807f057dc4434287c8982937329e664f7de476445ff6e2cbf298d7a44b48d55 |
C:\Program Files\Unipro UGENE\tools\mfold\mfold-3.6\share\mfold\sint6.dg
| MD5 | 897316929176464ebc9ad085f31e7284 |
| SHA1 | 09d2af8dd22201dd8d48e5dcfcaed281ff9422c7 |
| SHA256 | 9a271f2a916b0b6ee6cecb2426f0b3206ef074578be55d9bc94f6f3fe3ab86aa |
| SHA512 | a546d1300f49037a465ecec8bc1ebd07d57015a5ff1abfa1c94da9b30576933fb68e3898ff764d4de6e6741da822a7c93adc6e845806a266a63aa14c8bb09ebb |
C:\Program Files\Unipro UGENE\tools\python3\Lib\site-packages\pip-23.2.1.dist-info\top_level.txt
| MD5 | 365c9bfeb7d89244f2ce01c1de44cb85 |
| SHA1 | d7a03141d5d6b1e88b6b59ef08b6681df212c599 |
| SHA256 | ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508 |
| SHA512 | d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1 |
C:\Program Files\Unipro UGENE\tools\trimmomatic\LICENSE
| MD5 | d32239bcb673463ab874e80d47fae504 |
| SHA1 | 8624bcdae55baeef00cd11d5dfcfa60f68710a02 |
| SHA256 | 8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903 |
| SHA512 | 7633623b66b5e686bb94dd96a7cdb5a7e5ee00e87004fab416a5610d59c62badaf512a2e26e34e2455b7ed6b76690d2cd47464836d7d85d78b51d50f7e933d5c |
C:\Program Files\Unipro UGENE\tools\perl5\lib\Unicode\Collate\Locale\nb.pl
| MD5 | 66ed114afca8e09fa9af4c7011abaa0e |
| SHA1 | 93c34030bb195a3b9334230de8a7970adfa9ef72 |
| SHA256 | a8ca3f8067a7215ec8f168a2bffe0846d1024a9138626f88e048dbb5b112c93f |
| SHA512 | 90762b4df5ae25ee36bd3571437301179de15454c8ebdf5758acb86fe391cd17af4fe5fd05e1bc6be5a52e8b1a8b0986c43f86dd0ace5479083daaa7564918ab |
C:\Program Files\Unipro UGENE\tools\mfold\mfold-3.6\bin\myps2img.bash
| MD5 | e3056941bd15507718d2d4b9e808c7d0 |
| SHA1 | de9ff3fc12304d4060e2a1d40b98e6b73cf03eef |
| SHA256 | 63f155ef26f370f8e7fde423288028f355798e0923f242831d5c2c56f8ce2374 |
| SHA512 | ee85f34ca427f2413e73e93e0a41004ba2a7e072b21efedf891fafa3857c4ef7aec48c77b340f5d66619fad2a87cac2599f52deb984ce2cb59665f1a275dbe84 |
C:\Program Files\Unipro UGENE\tools\java\lib\images\cursors\invalid32x32.gif
| MD5 | 1e9d8f133a442da6b0c74d49bc84a341 |
| SHA1 | 259edc45b4569427e8319895a444f4295d54348f |
| SHA256 | 1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b |
| SHA512 | 63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37 |
\Program Files\Unipro UGENE\ugeneui.exe
| MD5 | e507b1eb783b3d0c66b87bee96720b0a |
| SHA1 | 3718357ba806e220056bc08f2186e33c2f646653 |
| SHA256 | 9175593c40d4190821d325d5f9dc7274c83db687c0280eb253be4b858ef5ebb1 |
| SHA512 | d7856b3d813669cfaa52ad1fb39a6302764e1d0969d10103087401b07b41bf97df2f5bb2798bd022ef1ce886c892d887218851fcf7ab1a2ce7d961f0fc777eac |
\Program Files\Unipro UGENE\Uninst.exe
| MD5 | 17baabed1288e8c0f8e3ff152804aa89 |
| SHA1 | 13cbfab9cf10e041cb4d4450b2b51800abaacc33 |
| SHA256 | 5befc3ef39d7b4603122d5adc8600f63ae3333f1c8f1807addab4f5464e3f439 |
| SHA512 | e3246b060be76bbc8bf9b06f4da88aa6b06c017a103fc2a7f2f9d92dbf07371a4a41da2d927e4702d26bed73e89f6723c41a11593cc587a70202fe4b867f721a |
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-14 13:06
Reported
2024-06-14 13:16
Platform
win7-20231129-en
Max time kernel
117s
Max time network
138s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.py | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.py\ = "py_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2960 wrote to memory of 2624 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2960 wrote to memory of 2624 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2960 wrote to memory of 2624 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2624 wrote to memory of 2104 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2624 wrote to memory of 2104 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2624 wrote to memory of 2104 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2624 wrote to memory of 2104 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\textwrap.py
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\textwrap.py
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\textwrap.py"
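Read together with the Processes list, the three identical `2960 -> 2624` rows and four `2624 -> 2104` rows line up with `cmd.exe` launching `rundll32.exe shell32.dll,OpenAs_RunDLL` for the dropped `textwrap.py`, and that Open With dialog in turn launching `AcroRd32.exe`; the installer's own process never appears as a writer or a target. The script below is an added example for this page, not sandbox-vendor or UGENE code: it parses rows in this table's format, collapses the duplicates into per-edge write counts, rebuilds the writer-to-target tree, and reports the two things an analyst wants from this signature, namely whether the sample binary is in the tree at all and whether any process is written to by more than one writer (a write into a process the writer did not start is the shape that actually looks like injection). The behavioral5 rows are copied from the table above; the second input set is constructed by me to show the positive case and is not from this report.

```python
r"""Rebuild the process tree behind a "Suspicious use of WriteProcessMemory" table.

Added example for this report page; not sandbox-vendor or UGENE code. Each row
names the writing PID and the target PID. Repeated identical rows from a
parent into a child it has just launched are what process creation looks like
to this signature; a write into a process the writer did not start is the
case worth chasing. The tree makes both visible at a glance.
"""
import re
from collections import Counter, defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe"

# Rows copied verbatim from the behavioral5 table above.
WPM_ROWS = r"""
| PID 2960 wrote to memory of 2624 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2960 wrote to memory of 2624 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2960 wrote to memory of 2624 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2624 wrote to memory of 2104 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2624 wrote to memory of 2104 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2624 wrote to memory of 2104 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2624 wrote to memory of 2104 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
"""

# Constructed rows, NOT from this report: the sample writing into a notepad.exe
# that explorer.exe started, which is the shape a real injection would have.
CONSTRUCTED_ROWS = r"""
| PID 1300 wrote to memory of 1400 | N/A | C:\Windows\explorer.exe | C:\Windows\system32\notepad.exe |
| PID 1100 wrote to memory of 1400 | N/A | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | C:\Windows\system32\notepad.exe |
"""

# | PID <src> wrote to memory of <dst> | <indicator> | <src image> | <dst image> |
ROW = re.compile(
    r"^\|\s*PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s*\|[^|]*\|"
    r"\s*(?P<src_path>[^|]+?)\s*\|\s*(?P<dst_path>[^|]+?)\s*\|$")


def parse_wpm(table_text):
    """Collapse the rows into (writer, target) -> count plus a PID -> image map."""
    edges, image = Counter(), {}
    for line in table_text.splitlines():
        m = ROW.match(line.strip())
        if m:
            src, dst = int(m["src"]), int(m["dst"])
            edges[(src, dst)] += 1
            image[src], image[dst] = m["src_path"], m["dst_path"]
    return edges, image


def process_tree(edges):
    """children: writer -> targets; writers: target -> writers; roots: never written to."""
    children, writers = defaultdict(list), defaultdict(set)
    for src, dst in edges:
        children[src].append(dst)
        writers[dst].add(src)
    roots = sorted(pid for pid in children if pid not in writers)
    return children, writers, roots


def chains(children, roots, image):
    """Every root-to-leaf path, expressed as image paths."""
    out = []

    def walk(pid, path):
        path = path + [image[pid]]
        if not children.get(pid):
            out.append(path)
        for child in children.get(pid, []):
            walk(child, path)

    for root in roots:
        walk(root, [])
    return out


def assess(table_text, sample_image=SAMPLE):
    """Summarise a WPM table: write counts, the tree, and the two red flags."""
    edges, image = parse_wpm(table_text)
    children, writers, roots = process_tree(edges)
    return {
        "write_counts": dict(edges),
        "chains": chains(children, roots, image),
        # in behavioral5 the sample is neither a writer nor a target
        "sample_in_tree": any(p.lower() == sample_image.lower() for p in image.values()),
        # a target with several writers: at least one of them is not its creator
        "multi_writer_targets": {pid: sorted(ws) for pid, ws in writers.items() if len(ws) > 1},
    }


if __name__ == "__main__":
    for label, rows in (("behavioral5", WPM_ROWS), ("constructed", CONSTRUCTED_ROWS)):
        result = assess(rows)
        print(label, "sample in tree:", result["sample_in_tree"],
              "multi-writer targets:", result["multi_writer_targets"])
        for chain in result["chains"]:
            print("  " + " -> ".join(chain))
```

For the behavioral5 rows the output is a single chain, `cmd.exe -> rundll32.exe -> AcroRd32.exe`, with no multi-writer target and the sample absent, which is what the Processes list above already implies; the constructed set produces a notepad.exe written by both its parent and the sample, the case that should send an analyst back to the memory dump.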
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | eba08a9f723d26f21110697af9b7f4a4 |
| SHA1 | e898260adedf086c20579ba62110b689c78721f6 |
| SHA256 | 1c00891f68858d44d321288704ac5df12c0488e08b2e0c9b0286d312867a0fa9 |
| SHA512 | 1db924b7b568dc7c3a0f3088749540356c7e37326974d821439d994eb2b36e0d962a564420946f824c4b09a2c221fc35060c2aeb8cc01e32d389470b395a2f8a |
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-14 13:06
Reported
2024-06-14 13:16
Platform
win10v2004-20240508-en
Max time kernel
56s
Max time network
101s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\textwrap.py
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 52.111.227.14:443 | N/A | tcp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-14 13:06
Reported
2024-06-14 13:16
Platform
win7-20240611-en
Max time kernel
122s
Max time network
140s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\.py | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\py_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\py_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\py_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\py_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\py_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\.py\ = "py_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2176 wrote to memory of 2724 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2176 wrote to memory of 2724 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2176 wrote to memory of 2724 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2724 wrote to memory of 2732 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2724 wrote to memory of 2732 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2724 wrote to memory of 2732 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2724 wrote to memory of 2732 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\timeit.py
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\timeit.py
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\timeit.py"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | a6acac9a853434ee728dfd269cd74d31 |
| SHA1 | 716eb04a2f13e32ec7b7b3c3a597356e2a6de350 |
| SHA256 | 54b22168520e5ca744420fb9d0acf9ecb76744513808e78a33ab62dc02ee9791 |
| SHA512 | 8b3122b6dcbab4fed76d2cc2aca8904d48b027543fcbe081164d2055585243d91e18f7ef2f68ae178eda0b641198bb4da96b12b86227b273c38c21b4d8f96e49 |
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-14 13:06
Reported
2024-06-14 13:16
Platform
win7-20240508-en
Max time kernel
120s
Max time network
145s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\py_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\py_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\py_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.py | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\py_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\py_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.py\ = "py_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2928 wrote to memory of 2644 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2928 wrote to memory of 2644 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2928 wrote to memory of 2644 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2644 wrote to memory of 2520 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2644 wrote to memory of 2520 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2644 wrote to memory of 2520 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2644 wrote to memory of 2520 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\token.py
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\token.py
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\token.py"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 5295fe925798b0093f8c1053a7cdf36d |
| SHA1 | a341f4ddf7f3fd764704888d48c7d407361ab3a5 |
| SHA256 | 280927437efdbd90f2150cac70146ee23322b339dd65c38b839e9d0104fa2c36 |
| SHA512 | 82cfed9a9c6a2106192cd4d2df9499cc0426b6fa3fa82aafd93cc0e88e50aaa5111970fb7fc559b5ef4470f6d27a5bd2862b20d003e126f681e6095b61fd8c34 |
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-14 13:06
Reported
2024-06-14 13:16
Platform
win10v2004-20240508-en
Max time kernel
38s
Max time network
64s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\token.py
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-06-14 13:06
Reported
2024-06-14 13:16
Platform
win7-20240221-en
Max time kernel
121s
Max time network
140s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.py\ = "py_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.py | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2472 wrote to memory of 2828 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2472 wrote to memory of 2828 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2472 wrote to memory of 2828 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2828 wrote to memory of 2696 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2828 wrote to memory of 2696 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2828 wrote to memory of 2696 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2828 wrote to memory of 2696 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\traceback.py
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\traceback.py
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\traceback.py"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | cf72bc35ccc7d243a172d05be7db529f |
| SHA1 | 0f9995082bce4e043f6ede0503d6cb9fbcd60316 |
| SHA256 | 995af3c640b43e4b998d5c1b23cd770f9b4612bec807b54db546ef72a209e1d0 |
| SHA512 | ba817da7429726b7e2ceb6d5d3509faae85952c90b5176944c862a51b50343c77536d1eb373b4869087a69d6bd9ab876ff6d7d567108d4e233cf95253bc9d97a |
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-14 13:06
Reported
2024-06-14 13:17
Platform
win10v2004-20240508-en
Max time kernel
121s
Max time network
159s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\tempfile.py
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-14 13:06
Reported
2024-06-14 13:17
Platform
win7-20240508-en
Max time kernel
122s
Max time network
147s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.py | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.py\ = "py_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2968 wrote to memory of 2736 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2968 wrote to memory of 2736 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2968 wrote to memory of 2736 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2736 wrote to memory of 2628 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2736 wrote to memory of 2628 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2736 wrote to memory of 2628 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2736 wrote to memory of 2628 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\threading.py
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\threading.py
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\threading.py"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 4e3be7806860809d4f1afde960bd7dc7 |
| SHA1 | 335247d4ca4d1503688a6c1f093897a1be734ee3 |
| SHA256 | e0cd3e9445dd2af4ff7d8cd7723b2421717f9b007e6b706217b85733f1f43fc2 |
| SHA512 | f57e679b446149b27830572724f4907af43daf4ca9dd920811c80b963694f2f501a592354114aec99323ca3b8ed531a69ec446f297e5ca3c9d65d73fe95f1ac5 |
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-14 13:06
Reported
2024-06-14 13:16
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
0s
Max time network
132s
Command Line
Signatures
Processes
/tmp/tools/python3/Lib/trace.py
[/tmp/tools/python3/Lib/trace.py]
/usr/local/sbin/python3
[python3 /tmp/tools/python3/Lib/trace.py]
/usr/local/bin/python3
[python3 /tmp/tools/python3/Lib/trace.py]
/usr/sbin/python3
[python3 /tmp/tools/python3/Lib/trace.py]
/usr/bin/python3
[python3 /tmp/tools/python3/Lib/trace.py]
/sbin/python3
[python3 /tmp/tools/python3/Lib/trace.py]
/bin/python3
[python3 /tmp/tools/python3/Lib/trace.py]
/snap/bin/python3
[python3 /tmp/tools/python3/Lib/trace.py]
Network
| Country | Destination | Domain | Proto |
| US | 151.101.129.91:443 | N/A | tcp |
| GB | 185.125.188.61:443 | N/A | tcp |
| GB | 185.125.188.61:443 | N/A | tcp |
| US | 151.101.129.91:443 | N/A | tcp |
| GB | 195.181.164.19:443 | N/A | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-06-14 13:06
Reported
2024-06-14 13:16
Platform
win7-20231129-en
Max time kernel
117s
Max time network
137s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.py\ = "py_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.py | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 936 wrote to memory of 2592 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 936 wrote to memory of 2592 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 936 wrote to memory of 2592 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2592 wrote to memory of 2696 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2592 wrote to memory of 2696 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2592 wrote to memory of 2696 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2592 wrote to memory of 2696 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\tty.py
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\tty.py
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\tty.py"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 357dc5acd8c2d30b982e23fcae4fa56f |
| SHA1 | 7e2771770c899fb3b13af15907806ca1ddd6ff51 |
| SHA256 | cd61e264b2e3377d3438cb84f8caaa0f02ec4e42fa16094b463a07df38ad2037 |
| SHA512 | a3633bffe5565085420a8d1ab43dd69fd08e77d4664742318b1e1f2a155ff6e9b4dc5ea748a18464ae3b310209e5a0c71b054d386f6d197c037232d5ef71046d |
Analysis: behavioral26
Detonation Overview
Submitted
2024-06-14 13:06
Reported
2024-06-14 13:17
Platform
win10v2004-20240611-en
Max time kernel
125s
Max time network
167s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\tty.py
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.208:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.23.48.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-14 13:06
Reported
2024-06-14 13:16
Platform
win7-20240220-en
Max time kernel
122s
Max time network
142s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\py_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.py\ = "py_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\py_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.py | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\py_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\py_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\py_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2580 wrote to memory of 2708 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2580 wrote to memory of 2708 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2580 wrote to memory of 2708 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2708 wrote to memory of 2704 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2708 wrote to memory of 2704 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2708 wrote to memory of 2704 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2708 wrote to memory of 2704 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\this.py
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\this.py
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\this.py"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | cfde5975dd78ad516536107a835915ff |
| SHA1 | 88e6bcbbc06d8abe75bd46ed624c8a0a8a41a0e7 |
| SHA256 | c979dd144fb581ae9bcd17a9a90e585dd3cabfa1cb3751de87f8f7332b7d6c1c |
| SHA512 | 8a0ea1f68bd1b0c1d07b81af2dc7e69e679407a91b3b0fd82b96cfb246fd03c90f5c35e1af16e819368dca204965982a62ae5e6c83f700f14b646f60a5fdcd6d |
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-14 13:06
Reported
2024-06-14 13:17
Platform
win10v2004-20240611-en
Max time kernel
130s
Max time network
162s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\threading.py
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.107.17.2.in-addr.arpa | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-14 13:06
Reported
2024-06-14 13:17
Platform
debian9-mipsbe-20240611-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-06-14 13:06
Reported
2024-06-14 13:16
Platform
win7-20240508-en
Max time kernel
120s
Max time network
139s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.py | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.py\ = "py_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1208 wrote to memory of 2712 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1208 wrote to memory of 2712 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1208 wrote to memory of 2712 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2712 wrote to memory of 2764 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2712 wrote to memory of 2764 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2712 wrote to memory of 2764 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2712 wrote to memory of 2764 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\tracemalloc.py
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\tracemalloc.py
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\tracemalloc.py"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 00d8eeac8adffc2ae02aaac2c3e08733 |
| SHA1 | cb88dd0c50779dd65eef112e5b0ea8faf9b26e7f |
| SHA256 | 574d3e13b851a94a665dc68c9043e820d14c315785c42b9103f3ba82be79f776 |
| SHA512 | 3ff0fe6574b7669ffa5517dfdc0a6793caa0d8164b73bf7150700ffe883250baa7926fd8eb8f22e5b27e520170e43af46e8dc3aeb80021a5238c524d724ec879 |
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-14 13:06
Reported
2024-06-14 13:18
Platform
debian9-mipsel-20240611-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-06-14 13:06
Reported
2024-06-14 13:16
Platform
win7-20240611-en
Max time kernel
121s
Max time network
139s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\py_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\.py\ = "py_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\py_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\py_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\py_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\.py | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\py_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2212 wrote to memory of 2684 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2212 wrote to memory of 2684 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2212 wrote to memory of 2684 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2684 wrote to memory of 2664 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2684 wrote to memory of 2664 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2684 wrote to memory of 2664 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2684 wrote to memory of 2664 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\types.py
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\types.py
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\types.py"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 24b080cd357d6ea01d5564b5fe3216de |
| SHA1 | cb19cd13b4f616e7fcf476a2217cd9ef546ab6e9 |
| SHA256 | 8b781a57ca9df77d56fcbb571ef2c662c4beecb89a6a85e1935e3436ba27eef7 |
| SHA512 | 4ce648b2c4d7cf8b8469f690997928bb683b4b7fa4c13f37c07d3fbb954d39ba004b8782beb88194c1aced26a918d5822c26be2222889c2aa6e5d49795f5048c |
Analysis: behavioral32
Detonation Overview
Submitted
2024-06-14 13:06
Reported
2024-06-14 13:16
Platform
win10v2004-20240508-en
Max time kernel
123s
Max time network
154s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\typing.py
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-14 13:06
Reported
2024-06-14 13:16
Platform
win10v2004-20240611-en
Max time kernel
131s
Max time network
160s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\this.py
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.23.48.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-14 13:06
Reported
2024-06-14 13:22
Platform
debian9-armhf-20240611-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-06-14 13:06
Reported
2024-06-14 13:16
Platform
win10v2004-20240508-en
Max time kernel
41s
Max time network
64s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\types.py
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-14 13:06
Reported
2024-06-14 13:16
Platform
win7-20240221-en
Max time kernel
117s
Max time network
142s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.py | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.py\ = "py_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3068 wrote to memory of 2724 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 3068 wrote to memory of 2724 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 3068 wrote to memory of 2724 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2724 wrote to memory of 2428 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2724 wrote to memory of 2428 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2724 wrote to memory of 2428 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2724 wrote to memory of 2428 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\tempfile.py
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\tempfile.py
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\tempfile.py"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 275d15eeed248fd6e3a7e96ef8dca506 |
| SHA1 | 9aca1d1eff93d707aa57fc32333a2be2e30c4ff3 |
| SHA256 | a08e77678d0256ca2d7c883ab03de123e1c745c8aedf44a451b520e3c667e353 |
| SHA512 | 6c49ca7ed6b079b77deab515939b1a80050730d0d5b7466c2400b911e097dd353e520e20145e80c994bb16a68a6edb26b48d362c1b48a6aba564a6cd28c8505e |
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-14 13:06
Reported
2024-06-14 13:16
Platform
win7-20240611-en
Max time kernel
120s
Max time network
138s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\py_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\.py\ = "py_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\py_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\py_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\py_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\.py | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\py_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1832 wrote to memory of 3040 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1832 wrote to memory of 3040 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1832 wrote to memory of 3040 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 3040 wrote to memory of 2776 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 3040 wrote to memory of 2776 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 3040 wrote to memory of 2776 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 3040 wrote to memory of 2776 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\tokenize.py
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\tokenize.py
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\tokenize.py"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | dfba557f64e46e976ae964654b495202 |
| SHA1 | 10c030d2e2cac3d90a4fbad4a5f591754014b96c |
| SHA256 | 2208a4afc7468ec268234edde53410be4cbaa61d3232b59965193db5cc743cd2 |
| SHA512 | c9995406a160c8d1c2fe112d905a595975656ab2e2e6c8f3de52d5f72549312d3afc6571cd6cf4b4f1fb45836deac934b3376825c7791095086dd9277022afb0 |
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-14 13:06
Reported
2024-06-14 13:16
Platform
win10v2004-20240508-en
Max time kernel
40s
Max time network
64s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\tokenize.py
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-06-14 13:06
Reported
2024-06-14 13:16
Platform
win10v2004-20240508-en
Max time kernel
41s
Max time network
64s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\traceback.py
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-06-14 13:06
Reported
2024-06-14 13:16
Platform
win10v2004-20240508-en
Max time kernel
39s
Max time network
66s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\turtle.py
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-06-14 13:06
Reported
2024-06-14 13:16
Platform
win7-20240508-en
Max time kernel
119s
Max time network
138s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\py_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\py_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\py_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\py_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.py | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.py\ = "py_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\py_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1856 wrote to memory of 2708 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1856 wrote to memory of 2708 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1856 wrote to memory of 2708 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2708 wrote to memory of 2960 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2708 wrote to memory of 2960 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2708 wrote to memory of 2960 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2708 wrote to memory of 2960 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\typing.py
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\typing.py
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\typing.py"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 9b1f5affa34e5707cb366667d3074c39 |
| SHA1 | 5b1a4f6b15bcce3ebab3f91d5fba0358da4bb7ca |
| SHA256 | 0de57e4472ee8a1cc824f6908c6ca4c9857614a6b2cbeef29c4beb0d1b6f7c01 |
| SHA512 | 813d968711922d2d57a7855ad6864072eae33567a615ef347112f74528c0cab943f777d938ee60f78dca986b8aa297630792a91b878bff344478a2ff094098dd |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 13:06
Reported
2024-06-14 13:16
Platform
win10v2004-20240508-en
Max time kernel
143s
Max time network
156s
Command Line
Signatures
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\auto\share\dist\DateTime-Locale\rn.pl | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\unicore\lib\Nv\1000.pl | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\python3\Lib\site-packages\dnaio\_conversions.h | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\python3\Lib\site-packages\pip\_vendor\packaging\__about__.py | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\DateTime\Locale\FromData.pm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\DateTime\Locale\so_SO.pod | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\data\position_weight_matrix\JASPAR\fungi\MA0320.1.pfm | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\perl5\lib\unicore\lib\Nv\6.pl | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\python3\Lib\configparser.py | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| File created | C:\Program Files\Unipro UGENE\tools\python3\Lib\site-packages\pip\_internal\resolution\resolvelib\factory.py | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FASTQ file\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.msf | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FASTA short reads file\shell\open\command\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe \"%1\"" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.em\ = "EMBL file" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ugenedb | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\UGENE Workflow Language\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\UGENE Workflow Language\shell\open\command | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Protein Data Bank file\ = "Protein Data Bank file" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.seq | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\UGENE Query Language\shell\ = "open" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Clustal alignment file\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSF multiple sequence file\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FASTA short reads file\DefaultIcon\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe,1" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FASTA sequence file | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Genbank plain text file\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.msf\ = "MSF multiple sequence file" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SAM genome assembly\DefaultIcon\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe,1" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BAM genome assembly\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Unipro UGENE project file\shell\open\command\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe \"%1\"" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FASTQ file\shell\ = "open" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.gb\ = "Genbank plain text file" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.srfasta | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.sto | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ABIF file\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\EMBL file\shell\open | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Genbank plain text file | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.gen | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.uprj | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FASTA short reads file\shell\ = "open" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Clustal alignment file\shell\open\command\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe \"%1\"" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FASTQ file\shell\open | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSF multiple sequence file\shell | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SAM genome assembly\shell\open\command | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.em | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GFF format | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.srfa | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Genbank plain text file\shell\open\command | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Genbank plain text file\ = "Genbank plain text file" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.gff | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Unipro UGENE project file\shell | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Swiss-Prot file\DefaultIcon\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe,1" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.fna | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSF multiple sequence file\DefaultIcon\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe,1" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.abif | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.genbank | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Swiss-Prot file\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Swiss-Prot file\shell\open\command\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe \"%1\"" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSF multiple sequence file | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\UGENE Database\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\UGENE Workflow Language | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Unipro UGENE project file\DefaultIcon\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe,0" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.pdb\ = "Protein Data Bank file" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.uql\ = "UGENE Query Language" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.uwl | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\EMBL file\shell\ = "open" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Clustal alignment file\DefaultIcon\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe,1" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.gen\ = "Genbank plain text file" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.genbank\ = "Genbank plain text file" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSF multiple sequence file\ = "MSF multiple sequence file" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Unipro UGENE project file\shell\open\command | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\EMBL file\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\UGENE Workflow Language\DefaultIcon\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe,1" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Clustal alignment file\shell | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Clustal alignment file\ = "Clustal alignment file" | C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe | N/A |
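The rows above are the installer registering UGENE's own document types: an extension key (`.msf`, `.gb`, ...), a ProgID ("MSF multiple sequence file"), a `DefaultIcon`, and a `shell\open\command` that points at `ugeneui.exe`. The check worth running on any such table is that every `shell\open\command` resolves to a binary inside the install directory, and whether that path is quoted (the commands shown here are unquoted and contain spaces). The following Python is an added example, not code from the sandbox or from UGENE. Its input is a handful of rows copied from the table plus two constructed rows (`.aln` and `Evil file`) that exercise the extension join and the negative case; `INSTALL_DIR` is an assumption about the trusted install root.

```python
"""Audit the file associations an installer writes under HKLM\\SOFTWARE\\Classes.

Added example, not code from the sandbox or from UGENE. SAMPLE_ROWS holds
(Description, Indicator) cells copied from the 'Modifies registry class' table;
the two rows marked constructed are test data that are not in the report.
"""
import re

CLASSES_ROOT = r"\REGISTRY\MACHINE\SOFTWARE\Classes"
INSTALL_DIR = r"C:\Program Files\Unipro UGENE"  # assumption: the trusted install root

SAMPLE_ROWS = [
    ("Key created", r"\REGISTRY\MACHINE\SOFTWARE\Classes\.msf"),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\.msf\ = "MSF multiple sequence file"'),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\MSF multiple sequence file\DefaultIcon\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe,1"'),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\.gb\ = "Genbank plain text file"'),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\Clustal alignment file\shell\open\command\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe \"%1\""'),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\Swiss-Prot file\shell\open\command\ = "C:\\Program Files\\Unipro UGENE\\ugeneui.exe \"%1\""'),
    # Constructed (not in the report): an extension that joins to a ProgID above,
    # and a handler that lives outside the install directory.
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\.aln\ = "Clustal alignment file"'),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\Evil file\shell\open\command\ = "C:\\Users\\Public\\x.exe \"%1\""'),
]

# 'Set value (str)' indicators look like:  <key>\ = "<value>"  with backslashes
# and double quotes inside <value> escaped as \\ and \" respectively.
SET_RE = re.compile(r'^(?P<key>.+?)\\ = "(?P<value>.*)"$')


def parse_set_value(indicator):
    """Return (key, unescaped value) for a 'Set value (str)' indicator, else None."""
    m = SET_RE.match(indicator)
    if not m:
        return None
    value = re.sub(r'\\(["\\])', r"\1", m.group("value"))
    return m.group("key"), value


def executable_of(command):
    """Return (program path, was_quoted) for a shell\\open\\command string."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]), True
    # Unquoted: cut at the first '.exe' token. CreateProcess resolves an unquoted
    # path by splitting at each space and trying every prefix in turn, so an
    # unquoted path that contains spaces is reported as a finding by audit().
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)
    return (cmd[: m.end()] if m else cmd.split(" ", 1)[0]), False


def audit(rows, install_dir=INSTALL_DIR):
    """Join extension -> ProgID -> open command and check each handler path."""
    ext_to_progid, commands, icons = {}, {}, {}
    prefix = CLASSES_ROOT.lower() + "\\"
    for desc, indicator in rows:
        if desc != "Set value (str)":
            continue  # 'Key created' rows carry no value
        parsed = parse_set_value(indicator)
        if parsed is None or not parsed[0].lower().startswith(prefix):
            continue
        key, value = parsed
        parts = key[len(prefix):].split("\\")
        if len(parts) == 1 and parts[0].startswith("."):
            ext_to_progid[parts[0].lower()] = value   # .ext -> ProgID
        elif parts[-3:] == ["shell", "open", "command"]:
            commands[parts[0]] = value                 # ProgID -> open command
        elif parts[-1] == "DefaultIcon":
            icons[parts[0]] = value
    root = install_dir.rstrip("\\").lower() + "\\"
    findings = []
    for progid in sorted(commands):
        exe, quoted = executable_of(commands[progid])
        findings.append({
            "progid": progid,
            "extensions": sorted(e for e, p in ext_to_progid.items() if p == progid),
            "exe": exe,
            "icon": icons.get(progid),
            "inside_install_dir": exe.lower().startswith(root),
            "unquoted_path_with_spaces": (not quoted) and (" " in exe),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_ROWS):
        status = "ok" if f["inside_install_dir"] else "OUTSIDE INSTALL DIR"
        if f["unquoted_path_with_spaces"]:
            status += ", unquoted path with spaces"
        print(f'{f["progid"]!r} {f["extensions"]} -> {f["exe"]}: {status}')
```

On a live host the same join can be done against `HKLM:\SOFTWARE\Classes` directly; the row parser above exists only so the check runs against the sandbox's text output. A handler outside the install directory, or a handler path that no longer exists, is the condition to alert on; an unquoted path with spaces is a hygiene finding to report to the vendor rather than evidence of malice.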
Processes
C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe
"C:\Users\Admin\AppData\Local\Temp\ugene-50.0-win-x86-64.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nse76D8.tmp\System.dll
| MD5 | fbe295e5a1acfbd0a6271898f885fe6a |
| SHA1 | d6d205922e61635472efb13c2bb92c9ac6cb96da |
| SHA256 | a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1 |
| SHA512 | 2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06 |
C:\Users\Admin\AppData\Local\Temp\nse76D8.tmp\LangDLL.dll
| MD5 | de3558ce305e32f742ff25b697407fec |
| SHA1 | d55c50c546001421647f2e91780c324dbb8d6ebb |
| SHA256 | 98160b4ebb4870f64b13a45f5384b693614ae5ca1b5243edf461ca0b5a6d479a |
| SHA512 | 7081654001cba9263e6fb8d5b8570ba29a3de89621f52524aa7941ba9e6dfd963e5ef7b073f193b9df70300af04d7f72f93d0241d8c70ccdbecfd9092e166cac |
C:\Users\Admin\AppData\Local\Temp\nse76D8.tmp\nsDialogs.dll
| MD5 | ab101f38562c8545a641e95172c354b4 |
| SHA1 | ec47ac5449f6ee4b14f6dd7ddde841a3e723e567 |
| SHA256 | 3cdf3e24c87666ed5c582b8b028c01ee6ac16d5a9b8d8d684ae67605376786ea |
| SHA512 | 72d4b6dc439f40b7d68b03353a748fc3ad7ed10b0401741c5030705d9b1adef856406075e9ce4f1a08e4345a16e1c759f636c38ad92a57ef369867a9533b7037 |
C:\Program Files\Unipro UGENE\plugins\biostruct3d_view.license
| MD5 | ffa10f40b98be2c2bc9608f56827ed23 |
| SHA1 | dc8f2e570bf431427dbc3bab9d4d551b53a60208 |
| SHA256 | 189b1af95d661151e054cea10c91b3d754e4de4d3fecfb074c1fb29476f7167b |
| SHA512 | 1420da3215ed30afcf413935e20404cabe0723822c728ea29dcb9699533355ef1bee17660facdb55655241c2db30a7314d8ad6a4a3f72576b2721f522d487aa9 |
C:\Program Files\Unipro UGENE\tools\blast\makeblastdb.exe.manifest
| MD5 | 7cb71b006fcdcf8ade80e31fd5ab8060 |
| SHA1 | 655380fb2cca01b0ca707f748fc7dcf006732518 |
| SHA256 | be8918559280a2e74748bf8f6238b568ed7cbf75183b2180a6a8a979a1ebf243 |
| SHA512 | ce095bb84dbf2e72304471f97e80799185fab42b843f95bd84df4b97764786687807f057dc4434287c8982937329e664f7de476445ff6e2cbf298d7a44b48d55 |
C:\Program Files\Unipro UGENE\tools\mfold\mfold-3.6\share\mfold\sint6.dg
| MD5 | 897316929176464ebc9ad085f31e7284 |
| SHA1 | 09d2af8dd22201dd8d48e5dcfcaed281ff9422c7 |
| SHA256 | 9a271f2a916b0b6ee6cecb2426f0b3206ef074578be55d9bc94f6f3fe3ab86aa |
| SHA512 | a546d1300f49037a465ecec8bc1ebd07d57015a5ff1abfa1c94da9b30576933fb68e3898ff764d4de6e6741da822a7c93adc6e845806a266a63aa14c8bb09ebb |
C:\Program Files\Unipro UGENE\tools\python3\Lib\site-packages\pip-23.2.1.dist-info\top_level.txt
| MD5 | 365c9bfeb7d89244f2ce01c1de44cb85 |
| SHA1 | d7a03141d5d6b1e88b6b59ef08b6681df212c599 |
| SHA256 | ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508 |
| SHA512 | d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1 |
C:\Program Files\Unipro UGENE\tools\trimmomatic\LICENSE
| MD5 | d32239bcb673463ab874e80d47fae504 |
| SHA1 | 8624bcdae55baeef00cd11d5dfcfa60f68710a02 |
| SHA256 | 8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903 |
| SHA512 | 7633623b66b5e686bb94dd96a7cdb5a7e5ee00e87004fab416a5610d59c62badaf512a2e26e34e2455b7ed6b76690d2cd47464836d7d85d78b51d50f7e933d5c |
C:\Program Files\Unipro UGENE\tools\perl5\lib\Unicode\Collate\Locale\nb.pl
| MD5 | 66ed114afca8e09fa9af4c7011abaa0e |
| SHA1 | 93c34030bb195a3b9334230de8a7970adfa9ef72 |
| SHA256 | a8ca3f8067a7215ec8f168a2bffe0846d1024a9138626f88e048dbb5b112c93f |
| SHA512 | 90762b4df5ae25ee36bd3571437301179de15454c8ebdf5758acb86fe391cd17af4fe5fd05e1bc6be5a52e8b1a8b0986c43f86dd0ace5479083daaa7564918ab |
C:\Program Files\Unipro UGENE\tools\mfold\mfold-3.6\bin\myps2img.bash
| MD5 | e3056941bd15507718d2d4b9e808c7d0 |
| SHA1 | de9ff3fc12304d4060e2a1d40b98e6b73cf03eef |
| SHA256 | 63f155ef26f370f8e7fde423288028f355798e0923f242831d5c2c56f8ce2374 |
| SHA512 | ee85f34ca427f2413e73e93e0a41004ba2a7e072b21efedf891fafa3857c4ef7aec48c77b340f5d66619fad2a87cac2599f52deb984ce2cb59665f1a275dbe84 |
C:\Program Files\Unipro UGENE\tools\java\lib\images\cursors\invalid32x32.gif
| MD5 | 1e9d8f133a442da6b0c74d49bc84a341 |
| SHA1 | 259edc45b4569427e8319895a444f4295d54348f |
| SHA256 | 1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b |
| SHA512 | 63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37 |
C:\Program Files\Unipro UGENE\ugeneui.exe
| MD5 | e507b1eb783b3d0c66b87bee96720b0a |
| SHA1 | 3718357ba806e220056bc08f2186e33c2f646653 |
| SHA256 | 9175593c40d4190821d325d5f9dc7274c83db687c0280eb253be4b858ef5ebb1 |
| SHA512 | d7856b3d813669cfaa52ad1fb39a6302764e1d0969d10103087401b07b41bf97df2f5bb2798bd022ef1ce886c892d887218851fcf7ab1a2ce7d961f0fc777eac |
C:\Users\Admin\AppData\Local\Temp\nse76D8.tmp\modern-wizard.bmp
| MD5 | 59ed2684c564aa9dcb6859342a97b960 |
| SHA1 | d7ca551a1340e2a31106171ead92631e79983949 |
| SHA256 | d238273737a291fb4129e33415cb66131756782428b86fe13894d8bf1b4abb7c |
| SHA512 | c41433f1baf5b1826496ab9146be1b9e45e1f6208a74b54120cf421fee51900409fbc92e978d9213d4c0dcd0e937c390f782e787d8d7032fae62e1d957a3e9f6 |
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-14 13:06
Reported
2024-06-14 13:17
Platform
win10v2004-20240611-en
Max time kernel
118s
Max time network
166s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\timeit.py
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-06-14 13:06
Reported
2024-06-14 13:18
Platform
win10v2004-20240226-en
Max time kernel
93s
Max time network
219s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\tracemalloc.py
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | 125.162.192.69.in-addr.arpa | udp |
| GB | 142.250.187.234:443 | | tcp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.77.24.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 49.192.11.51.in-addr.arpa | udp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-06-14 13:06
Reported
2024-06-14 13:16
Platform
win7-20240221-en
Max time kernel
102s
Max time network
28s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.py\ = "py_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.py | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1744 wrote to memory of 2552 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1744 wrote to memory of 2552 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1744 wrote to memory of 2552 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2552 wrote to memory of 2456 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2552 wrote to memory of 2456 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2552 wrote to memory of 2456 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2552 wrote to memory of 2456 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\turtle.py
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\turtle.py
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\turtle.py"
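The Processes list shows what this run actually is: the sandbox itself ran `cmd /c` on a Python library file extracted from the installer, Windows had no `.py` handler and offered the "Open with" dialog (`rundll32 shell32.dll,OpenAs_RunDLL` here, `OpenWith.exe -Embedding` in the win10 runs above), and the file was opened in Adobe Reader, which then wrote the `py_auto_file` keys and is the process behind the GetForegroundWindowSpam and SetWindowsHookEx signatures. The WriteProcessMemory rows are the same two parent-to-child pairs repeated, consistent with ordinary process creation along that chain rather than writes into an unrelated process. The following Python rebuilds the chain from those rows and tests for this pattern. It is an added example, not code from the sandbox or from UGENE; the row lists are copied from the behavioral27 and behavioral12 tables, `NEGATIVE` is constructed, and `EXEC_EXTS` is an assumed list of extensions that would run directly instead of prompting.

```python
"""Rebuild the process chain from the WriteProcessMemory and Processes rows.

Added example, not code from the sandbox or from UGENE. WPM_ROWS and the two
PROCESSES lists are copied from the behavioral27 and behavioral12 tables;
NEGATIVE and EXEC_EXTS are constructed/assumed.
"""
import ntpath
import re
from collections import Counter, defaultdict

# (Description, Process, Target) from 'Suspicious use of WriteProcessMemory'
WPM_ROWS = [
    ("PID 1744 wrote to memory of 2552",
     r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\rundll32.exe"),
] * 3 + [
    ("PID 2552 wrote to memory of 2456",
     r"C:\Windows\system32\rundll32.exe",
     r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"),
] * 4

PY = r"C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\turtle.py"
PROCESSES_WIN7 = [  # (image, command line) from 'Processes', in the order listed
    (r"C:\Windows\system32\cmd.exe", "cmd /c " + PY),
    (r"C:\Windows\system32\rundll32.exe",
     r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL ' + PY),
    (r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe",
     r'"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "' + PY + '"'),
]
PROCESSES_WIN10 = [  # behavioral12
    (r"C:\Windows\system32\cmd.exe", r"cmd /c C:\Users\Admin\AppData\Local\Temp\tools\python3\Lib\timeit.py"),
    (r"C:\Windows\system32\OpenWith.exe", r"C:\Windows\system32\OpenWith.exe -Embedding"),
]
NEGATIVE = [  # constructed: cmd /c on an executable is not the Open-with pattern
    (r"C:\Windows\system32\cmd.exe", r"cmd /c C:\Users\Admin\AppData\Local\Temp\sample.exe"),
    (r"C:\Users\Admin\AppData\Local\Temp\sample.exe", r"C:\Users\Admin\AppData\Local\Temp\sample.exe"),
]

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)$")
OPENAS_RE = re.compile(r"shell32\.dll,OpenAs_RunDLL\s+(.+)$", re.IGNORECASE)
CMD_C_RE = re.compile(r'^cmd(?:\.exe)?\s+/c\s+"?(.+?)"?$', re.IGNORECASE)
EXEC_EXTS = {".exe", ".com", ".bat", ".cmd", ".msi", ".scr", ".vbs", ".js", ".ps1"}  # assumed


def parse_wpm(rows):
    """Collapse repeated 'PID X wrote to memory of Y' rows into one edge per
    (parent, child) pair; keep the repeat count and each PID's image path."""
    counts, images = Counter(), {}
    for desc, src_img, dst_img in rows:
        m = WPM_RE.match(desc)
        if not m:
            continue
        src, dst = int(m.group(1)), int(m.group(2))
        counts[(src, dst)] += 1
        images[src], images[dst] = src_img, dst_img
    return counts, images


def render_chains(counts, images):
    """Return one 'a[pid] -> b[pid] -> ...' string per root-to-leaf path."""
    children, parents = defaultdict(list), {}
    for src, dst in counts:
        children[src].append(dst)
        parents[dst] = src
    roots = sorted(p for p in children if p not in parents)
    chains = []

    def walk(pid, path):
        path = path + [f"{ntpath.basename(images[pid])}[{pid}]"]
        kids = sorted(children.get(pid, []))
        if not kids:
            chains.append(" -> ".join(path))
        for kid in kids:
            walk(kid, path)

    for root in roots:
        walk(root, [])
    return chains


def open_with_target(processes):
    """File handed to the 'Open with' dialog via rundll32 OpenAs_RunDLL, or None."""
    for image, cmdline in processes:
        m = OPENAS_RE.search(cmdline)
        if m and ntpath.basename(image).lower() == "rundll32.exe":
            return m.group(1).strip().strip('"')
    return None


def is_sandbox_open_with_chain(processes):
    """True when the root is `cmd /c <file>` on a non-executable file and Windows
    answered with the Open-with dialog (OpenAs_RunDLL or OpenWith.exe): the rest
    of the chain is then the viewer the sandbox picked, not the sample."""
    root_image, root_cmd = processes[0]
    m = CMD_C_RE.match(root_cmd)
    if not m or ntpath.basename(root_image).lower() != "cmd.exe":
        return False
    launched = m.group(1)
    if ntpath.splitext(launched)[1].lower() in EXEC_EXTS:
        return False
    target = open_with_target(processes)
    if target is not None:
        return target.lower() == launched.lower()
    return any(ntpath.basename(img).lower() == "openwith.exe" for img, _ in processes)


if __name__ == "__main__":
    counts, images = parse_wpm(WPM_ROWS)
    for (src, dst), n in sorted(counts.items()):
        print(f"{src} -> {dst}: {n} write(s)")
    print(*render_chains(counts, images), sep="\n")
    for name, procs in (("win7", PROCESSES_WIN7), ("win10", PROCESSES_WIN10), ("negative", NEGATIVE)):
        print(name, "sandbox open-with chain:", is_sandbox_open_with_chain(procs))
```

The useful output is the collapsed chain `cmd.exe[1744] -> rundll32.exe[2552] -> AcroRd32.exe[2456]`: none of these processes is the installer or anything it dropped, so the signatures attached to this run say nothing about the sample. A chain where `cmd /c` launches a dropped executable, or where a write target is not a direct child of the writer, is what would deserve attention.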
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | a4787a587aed13ee9969da54457bfaf8 |
| SHA1 | c09f02f0651ae9d86a9d9e25fb72494f07f41a31 |
| SHA256 | f6f80273e2f6a6e8768beda6f15e07d0c073baf06f926210bb57fb53cb8dff49 |
| SHA512 | 4a4be619843563d274eca0ec641fc614b054ef8676915d6ef4ad4671068f96d3e3b182f8926de35e03b181cb2da1f3ec8dea567832482bf0b3c9950c19a6a46c |