Analysis Overview
SHA256
5cef45602b843003d06ee762499e1606134be8ce6567e046961863cbc96e9c72
Threat Level: Shows suspicious behavior
The file Nuwo (1).exe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
UPX packed file
Unsigned PE
Detects Pyinstaller
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Modifies registry class
Opens file in notepad (likely ransom note)
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-20 03:15
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 03:15
Reported
2024-06-20 03:18
Platform
win7-20240221-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nuwo (1).exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2992 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\Nuwo (1).exe | C:\Users\Admin\AppData\Local\Temp\Nuwo (1).exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Nuwo (1).exe
"C:\Users\Admin\AppData\Local\Temp\Nuwo (1).exe"
C:\Users\Admin\AppData\Local\Temp\Nuwo (1).exe
"C:\Users\Admin\AppData\Local\Temp\Nuwo (1).exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 03:15
Reported
2024-06-20 03:16
Platform
win10v2004-20240508-en
Max time kernel
52s
Max time network
51s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nuwo (1).exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nuwo (1).exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Nuwo (1).exe
"C:\Users\Admin\AppData\Local\Temp\Nuwo (1).exe"
C:\Users\Admin\AppData\Local\Temp\Nuwo (1).exe
"C:\Users\Admin\AppData\Local\Temp\Nuwo (1).exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-20 03:15
Reported
2024-06-20 03:18
Platform
win7-20240508-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.pyc\ = "pyc_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.pyc | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1972 wrote to memory of 2728 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1972 wrote to memory of 2728 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1972 wrote to memory of 2728 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2728 wrote to memory of 3032 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2728 wrote to memory of 3032 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2728 wrote to memory of 3032 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2728 wrote to memory of 3032 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Nuwo.pyc
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Nuwo.pyc
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Nuwo.pyc"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | f0bb2bcd5bded0433ae7d14782167289 |
| SHA1 | cb41326d864589c3d83b0fadaaac82ee45c43873 |
| SHA256 | f32930370c0778ddbcfd533cb38861934e755e82b24f73e0bbb1ed488eb4d554 |
| SHA512 | 9316bea286ac1b43b2c0242ed3d8be065909cf078bd5aa9b4ea545dc5d34969ef0b00036887e9a3f70b80a98883c72eac24ba6fccb314fa7d15a02da9fb9b474 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-20 03:15
Reported
2024-06-20 03:18
Platform
win10v2004-20240508-en
Max time kernel
141s
Max time network
147s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 456 wrote to memory of 3980 | N/A | C:\Windows\system32\OpenWith.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 456 wrote to memory of 3980 | N/A | C:\Windows\system32\OpenWith.exe | C:\Windows\system32\NOTEPAD.EXE |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Nuwo.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Nuwo.pyc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |