Malware Analysis Report

2024-08-06 13:01

Sample ID 240629-q62x6syeqg
Target b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe
SHA256 b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22
Tags
pyinstaller asyncrat 2026 persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22

Threat Level: Known bad

The file b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe was found to be: Known bad.

Malicious Activity Summary

pyinstaller asyncrat 2026 persistence rat

AsyncRat

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Detects Pyinstaller

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-29 13:53

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-29 13:53

Reported

2024-06-29 13:55

Platform

win7-20240220-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe

"C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe"

C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe

"C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI18562\python37.dll

MD5 c4709f84e6cf6e082b80c80b87abe551
SHA1 c0c55b229722f7f2010d34e26857df640182f796
SHA256 ca8e39f2b1d277b0a24a43b5b8eada5baf2de97488f7ef2484014df6e270b3f3
SHA512 e04a5832b9f2e1e53ba096e011367d46e6710389967fa7014a0e2d4a6ce6fc8d09d0ce20cee7e7d67d5057d37854eddab48bef7df1767f2ec3a4ab91475b7ce4

C:\Users\Admin\AppData\Local\Temp\_MEI18562\VCRUNTIME140.dll

MD5 89a24c66e7a522f1e0016b1d0b4316dc
SHA1 5340dd64cfe26e3d5f68f7ed344c4fd96fbd0d42
SHA256 3096cafb6a21b6d28cf4fe2dd85814f599412c0fe1ef090dd08d1c03affe9ab6
SHA512 e88e0459744a950829cd508a93e2ef0061293ab32facd9d8951686cbe271b34460efd159fd8ec4aa96ff8a629741006458b166e5cff21f35d049ad059bc56a1a

C:\Users\Admin\AppData\Local\Temp\_MEI18562\base_library.zip

MD5 8386cf8add72bab03573064b6e1d89d2
SHA1 c451d2f3eed6b944543f19c5bd15ae7e8832bbd4
SHA256 2eea4b6202a6a6f61cb4d75c78be5ec2e1052897f54973797885f2c3b24d202c
SHA512 2bb61f7fac7ecc7d5654756ae8286d5fd9e2730e6ac42f3e7516f598e00fd8b9b6d3e77373994bb31d89831278e6833d379f306d52033fa5c48a786ac67da2b2

C:\Users\Admin\AppData\Local\Temp\_MEI18562\_ctypes.pyd

MD5 5e869eebb6169ce66225eb6725d5be4a
SHA1 747887da0d7ab152e1d54608c430e78192d5a788
SHA256 430f1886caf059f05cde6eb2e8d96feb25982749a151231e471e4b8d7f54f173
SHA512 feb6888bb61e271b1670317435ee8653dedd559263788fbf9a7766bc952defd7a43e7c3d9f539673c262abedd97b0c4dd707f0f5339b1c1570db4e25da804a16

\Users\Admin\AppData\Local\Temp\_MEI18562\_bz2.pyd

MD5 cf77513525fc652bad6c7f85e192e94b
SHA1 23ec3bb9cdc356500ec192cac16906864d5e9a81
SHA256 8bce02e8d44003c5301608b1722f7e26aada2a03d731fa92a48c124db40e2e41
SHA512 dbc1ba8794ce2d027145c78b7e1fc842ffbabb090abf9c29044657bdecd44396014b4f7c2b896de18aad6cfa113a4841a9ca567e501a6247832b205fe39584a9

C:\Users\Admin\AppData\Local\Temp\_MEI18562\_lzma.pyd

MD5 5fbb728a3b3abbdd830033586183a206
SHA1 066fde2fa80485c4f22e0552a4d433584d672a54
SHA256 f9bc6036d9e4d57d08848418367743fb608434c04434ab07da9dabe4725f9a9b
SHA512 31e7c9fe9d8680378f8e3ea4473461ba830df2d80a3e24e5d02a106128d048430e5d5558c0b99ec51c3d1892c76e4baa14d63d1ec1fc6b1728858aa2a255b2fb

C:\Users\Admin\AppData\Local\Temp\_MEI18562\_socket.pyd

MD5 8ea18d0eeae9044c278d2ea7a1dbae36
SHA1 de210842da8cb1cb14318789575d65117d14e728
SHA256 9822c258a9d25062e51eafc45d62ed19722e0450a212668f6737eb3bfe3a41c2
SHA512 d275ce71d422cfaacef1220dc1f35afba14b38a205623e3652766db11621b2a1d80c5d0fb0a7df19402ebe48603e76b8f8852f6cbff95a181d33e797476029f0

C:\Users\Admin\AppData\Local\Temp\_MEI18562\select.pyd

MD5 fb4a0d7abaeaa76676846ad0f08fefa5
SHA1 755fd998215511506edd2c5c52807b46ca9393b2
SHA256 65a3c8806d456e9df2211051ed808a087a96c94d38e23d43121ac120b4d36429
SHA512 f5b3557f823ee4c662f2c9b7ecc5497934712e046aa8ae8e625f41756beb5e524227355316f9145bfabb89b0f6f93a1f37fa94751a66c344c38ce449e879d35f

C:\Users\Admin\AppData\Local\Temp\_MEI18562\pyexpat.pyd

MD5 6500aa010c8b50ffd1544f08af03fa4f
SHA1 a03f9f70d4ecc565f0fae26ef690d63e3711a20a
SHA256 752cf6804aac09480bf1e839a26285ec2668405010ed7ffd2021596e49b94dec
SHA512 f5f0521039c816408a5dd8b7394f9db5250e6dc14c0328898f1bed5de1e8a26338a678896f20aafa13c56b903b787f274d3dec467808787d00c74350863175d1

C:\Users\Admin\AppData\Local\Temp\_MEI18562\_hashlib.pyd

MD5 b32cb9615a9bada55e8f20dcea2fbf48
SHA1 a9c6e2d44b07b31c898a6d83b7093bf90915062d
SHA256 ca4f433a68c3921526f31f46d8a45709b946bbd40f04a4cfc6c245cb9ee0eab5
SHA512 5c583292de2ba33a3fc1129dfb4e2429ff2a30eeaf9c0bcff6cca487921f0ca02c3002b24353832504c3eec96a7b2c507f455b18717bcd11b239bbbbd79fadbe

C:\Users\Admin\AppData\Local\Temp\_MEI18562\libcrypto-1_1.dll

MD5 cc4cbf715966cdcad95a1e6c95592b3d
SHA1 d5873fea9c084bcc753d1c93b2d0716257bea7c3
SHA256 594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1
SHA512 3b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477

C:\Users\Admin\AppData\Local\Temp\_MEI18562\win32\win32api.pyd

MD5 ba792c828797ab1b1ec5062b12872540
SHA1 15745e8c75c7d46a08a2efc301c6d6f95d3676e9
SHA256 e86a8623f4532645419bd753baf239c77198a51c0663d5441ad6e8b56093f530
SHA512 0e5f02a25789d47a686a18186fd6811e1cecbbc3104b0b3135eea5cc99240c59a3c24a760f8fe77bca8bffa2b4b1e0c305c5f73a28af4f84772a67db00544b82

C:\Users\Admin\AppData\Local\Temp\_MEI18562\pywin32_system32\pywintypes37.dll

MD5 f9d8093503c0eb02a2d30db794dbaa81
SHA1 d11ac482caef0a4f3b008644e34b5c962c69a3af
SHA256 47cfa248363c3e5e3c2fcd847bd73435890bac14c3403f2841fd5e138f936869
SHA512 c4ce86cecef6e2b3785f076667381f3e8e4b7d9e6e7c9e48d2fedde83670df61c51bdd852c3fadc826bee6025d9c22a1cd2f1ba255a7123047ac11e2ed262fdc

C:\Users\Admin\AppData\Local\Temp\_MEI18562\pywin32_system32\pythoncom37.dll

MD5 53cf89c12cd651b824bf19ea86822b7e
SHA1 da16db3464f268c202670d0b379c24e3cf8a886a
SHA256 1dd7f1beb75529a090e8157bac0cac3c55ed49579b48d8bcab6fc756931662fb
SHA512 3ad7c7c6ba790ae4f5eef055a4af1611b5b02331abe64a4923c699cafdeafd28da307d67d3a77ea2284f6824ed04300aa46a2e7f95d8a11acebc3a8d181d4e92

C:\Users\Admin\AppData\Local\Temp\_MEI18562\_cffi_backend.cp37-win_amd64.pyd

MD5 daccb97b9214bb1366ed40ad583679a2
SHA1 89554e638b62be5f388c9bdd35d9daf53a240e0c
SHA256 b714423d9cad42e67937531f2634001a870f8be2bf413eacfc9f73ef391a7915
SHA512 99fd5c80372d878f722e4bcb1b8c8c737600961d3a9dffc3e8277e024aaac8648c64825820e20da1ab9ad9180501218c6d796af1905d8845d41c6dbb4c6ebab0

C:\Users\Admin\AppData\Local\Temp\_MEI18562\clr_loader\ffi\dlls\amd64\ClrLoader.dll

MD5 e8a52f61db8eb35ef3b8211bfbb821e9
SHA1 835d394badb777e9c7e4ef59c72a309500a3971e
SHA256 4942106eb2b86a37c63eba972a2c6c5870d4ae7535075bb5252556e2ff2357f6
SHA512 48e7f25ea4a4af1dc09fe594c25e8a962304922445a1e9708873cef4578a783eea913b59cc390d0e318c9d35995f01109b9a104b6176cd8cd081449988913626

memory/344-81-0x0000000004460000-0x00000000044E0000-memory.dmp

memory/344-82-0x000007FEF5213000-0x000007FEF5214000-memory.dmp

memory/344-85-0x00000000043D0000-0x00000000043DA000-memory.dmp

memory/344-86-0x000007FEF6900000-0x000007FEF690A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI18562\pythonnet\runtime\Python.Runtime.dll

MD5 d94eea13862fa10cc55075a7b595c3ee
SHA1 af8607c0a6f67917d5f9d9136d7b981caaaa6a32
SHA256 22822869023482e6d15314a8cbd7cb700e5c1ef4d89ecff65ff4144b1840da79
SHA512 591359cdf1108297c49b68dc1c375f747aad19b0dc609fe625f0e8ed16d46804ae05a14c7fa3343493589bd3e5f6e8f485d7e54b1398c3f3881b4911cb38c643

memory/344-88-0x00000000043E0000-0x0000000004450000-memory.dmp

memory/344-89-0x00000000044E0000-0x0000000004550000-memory.dmp

memory/344-90-0x00000000046F0000-0x000000000470A000-memory.dmp

memory/344-91-0x0000000004790000-0x0000000004798000-memory.dmp

memory/344-92-0x00000000047A0000-0x00000000047A8000-memory.dmp

memory/344-93-0x000007FEF5210000-0x000007FEF5BFC000-memory.dmp

memory/344-94-0x0000000004460000-0x00000000044E0000-memory.dmp

memory/344-95-0x000007FEF5210000-0x000007FEF5BFC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-29 13:53

Reported

2024-06-29 13:55

Platform

win10v2004-20240508-en

Max time kernel

108s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe"

Signatures

AsyncRat

rat asyncrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe | N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Local\\Xbox\\MyApp.vbs" | C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3448 set thread context of 4328 | N/A | C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3184 wrote to memory of 2088 | N/A | C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe | C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe
PID 3184 wrote to memory of 2088 | N/A | C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe | C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe
PID 2088 wrote to memory of 3328 | N/A | C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe | C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe
PID 2088 wrote to memory of 3328 | N/A | C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe | C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe
PID 3328 wrote to memory of 3448 | N/A | C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe | C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe
PID 3328 wrote to memory of 3448 | N/A | C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe | C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe
PID 3448 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3448 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3448 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3448 wrote to memory of 4328 | N/A | C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3448 wrote to memory of 4328 | N/A | C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3448 wrote to memory of 4328 | N/A | C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3448 wrote to memory of 4328 | N/A | C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3448 wrote to memory of 4328 | N/A | C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3448 wrote to memory of 4328 | N/A | C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3448 wrote to memory of 4328 | N/A | C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3448 wrote to memory of 4328 | N/A | C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe

"C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe"

C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe

"C:\Users\Admin\AppData\Local\Temp\b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22.exe"

C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe

"C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe"

C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe

"C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 newws.eu udp
US 45.8.146.124:2005 newws.eu tcp
US 8.8.8.8:53 124.146.8.45.in-addr.arpa udp
US 45.8.146.124:2005 newws.eu tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI31842\python37.dll

MD5 c4709f84e6cf6e082b80c80b87abe551
SHA1 c0c55b229722f7f2010d34e26857df640182f796
SHA256 ca8e39f2b1d277b0a24a43b5b8eada5baf2de97488f7ef2484014df6e270b3f3
SHA512 e04a5832b9f2e1e53ba096e011367d46e6710389967fa7014a0e2d4a6ce6fc8d09d0ce20cee7e7d67d5057d37854eddab48bef7df1767f2ec3a4ab91475b7ce4

C:\Users\Admin\AppData\Local\Temp\_MEI31842\base_library.zip

MD5 8386cf8add72bab03573064b6e1d89d2
SHA1 c451d2f3eed6b944543f19c5bd15ae7e8832bbd4
SHA256 2eea4b6202a6a6f61cb4d75c78be5ec2e1052897f54973797885f2c3b24d202c
SHA512 2bb61f7fac7ecc7d5654756ae8286d5fd9e2730e6ac42f3e7516f598e00fd8b9b6d3e77373994bb31d89831278e6833d379f306d52033fa5c48a786ac67da2b2

C:\Users\Admin\AppData\Local\Temp\_MEI31842\VCRUNTIME140.dll

MD5 89a24c66e7a522f1e0016b1d0b4316dc
SHA1 5340dd64cfe26e3d5f68f7ed344c4fd96fbd0d42
SHA256 3096cafb6a21b6d28cf4fe2dd85814f599412c0fe1ef090dd08d1c03affe9ab6
SHA512 e88e0459744a950829cd508a93e2ef0061293ab32facd9d8951686cbe271b34460efd159fd8ec4aa96ff8a629741006458b166e5cff21f35d049ad059bc56a1a

C:\Users\Admin\AppData\Local\Temp\_MEI31842\_ctypes.pyd

MD5 5e869eebb6169ce66225eb6725d5be4a
SHA1 747887da0d7ab152e1d54608c430e78192d5a788
SHA256 430f1886caf059f05cde6eb2e8d96feb25982749a151231e471e4b8d7f54f173
SHA512 feb6888bb61e271b1670317435ee8653dedd559263788fbf9a7766bc952defd7a43e7c3d9f539673c262abedd97b0c4dd707f0f5339b1c1570db4e25da804a16

C:\Users\Admin\AppData\Local\Temp\_MEI31842\_bz2.pyd

MD5 cf77513525fc652bad6c7f85e192e94b
SHA1 23ec3bb9cdc356500ec192cac16906864d5e9a81
SHA256 8bce02e8d44003c5301608b1722f7e26aada2a03d731fa92a48c124db40e2e41
SHA512 dbc1ba8794ce2d027145c78b7e1fc842ffbabb090abf9c29044657bdecd44396014b4f7c2b896de18aad6cfa113a4841a9ca567e501a6247832b205fe39584a9

C:\Users\Admin\AppData\Local\Temp\_MEI31842\_socket.pyd

MD5 8ea18d0eeae9044c278d2ea7a1dbae36
SHA1 de210842da8cb1cb14318789575d65117d14e728
SHA256 9822c258a9d25062e51eafc45d62ed19722e0450a212668f6737eb3bfe3a41c2
SHA512 d275ce71d422cfaacef1220dc1f35afba14b38a205623e3652766db11621b2a1d80c5d0fb0a7df19402ebe48603e76b8f8852f6cbff95a181d33e797476029f0

C:\Users\Admin\AppData\Local\Temp\_MEI31842\_lzma.pyd

MD5 5fbb728a3b3abbdd830033586183a206
SHA1 066fde2fa80485c4f22e0552a4d433584d672a54
SHA256 f9bc6036d9e4d57d08848418367743fb608434c04434ab07da9dabe4725f9a9b
SHA512 31e7c9fe9d8680378f8e3ea4473461ba830df2d80a3e24e5d02a106128d048430e5d5558c0b99ec51c3d1892c76e4baa14d63d1ec1fc6b1728858aa2a255b2fb

C:\Users\Admin\AppData\Local\Temp\_MEI31842\select.pyd

MD5 fb4a0d7abaeaa76676846ad0f08fefa5
SHA1 755fd998215511506edd2c5c52807b46ca9393b2
SHA256 65a3c8806d456e9df2211051ed808a087a96c94d38e23d43121ac120b4d36429
SHA512 f5b3557f823ee4c662f2c9b7ecc5497934712e046aa8ae8e625f41756beb5e524227355316f9145bfabb89b0f6f93a1f37fa94751a66c344c38ce449e879d35f

C:\Users\Admin\AppData\Local\Temp\_MEI31842\pyexpat.pyd

MD5 6500aa010c8b50ffd1544f08af03fa4f
SHA1 a03f9f70d4ecc565f0fae26ef690d63e3711a20a
SHA256 752cf6804aac09480bf1e839a26285ec2668405010ed7ffd2021596e49b94dec
SHA512 f5f0521039c816408a5dd8b7394f9db5250e6dc14c0328898f1bed5de1e8a26338a678896f20aafa13c56b903b787f274d3dec467808787d00c74350863175d1

C:\Users\Admin\AppData\Local\Temp\_MEI31842\_hashlib.pyd

MD5 b32cb9615a9bada55e8f20dcea2fbf48
SHA1 a9c6e2d44b07b31c898a6d83b7093bf90915062d
SHA256 ca4f433a68c3921526f31f46d8a45709b946bbd40f04a4cfc6c245cb9ee0eab5
SHA512 5c583292de2ba33a3fc1129dfb4e2429ff2a30eeaf9c0bcff6cca487921f0ca02c3002b24353832504c3eec96a7b2c507f455b18717bcd11b239bbbbd79fadbe

C:\Users\Admin\AppData\Local\Temp\_MEI31842\libcrypto-1_1.dll

MD5 cc4cbf715966cdcad95a1e6c95592b3d
SHA1 d5873fea9c084bcc753d1c93b2d0716257bea7c3
SHA256 594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1
SHA512 3b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477

C:\Users\Admin\AppData\Local\Temp\_MEI31842\win32\win32api.pyd

MD5 ba792c828797ab1b1ec5062b12872540
SHA1 15745e8c75c7d46a08a2efc301c6d6f95d3676e9
SHA256 e86a8623f4532645419bd753baf239c77198a51c0663d5441ad6e8b56093f530
SHA512 0e5f02a25789d47a686a18186fd6811e1cecbbc3104b0b3135eea5cc99240c59a3c24a760f8fe77bca8bffa2b4b1e0c305c5f73a28af4f84772a67db00544b82

C:\Users\Admin\AppData\Local\Temp\_MEI31842\pywin32_system32\pythoncom37.dll

MD5 53cf89c12cd651b824bf19ea86822b7e
SHA1 da16db3464f268c202670d0b379c24e3cf8a886a
SHA256 1dd7f1beb75529a090e8157bac0cac3c55ed49579b48d8bcab6fc756931662fb
SHA512 3ad7c7c6ba790ae4f5eef055a4af1611b5b02331abe64a4923c699cafdeafd28da307d67d3a77ea2284f6824ed04300aa46a2e7f95d8a11acebc3a8d181d4e92

C:\Users\Admin\AppData\Local\Temp\_MEI31842\pywin32_system32\pywintypes37.dll

MD5 f9d8093503c0eb02a2d30db794dbaa81
SHA1 d11ac482caef0a4f3b008644e34b5c962c69a3af
SHA256 47cfa248363c3e5e3c2fcd847bd73435890bac14c3403f2841fd5e138f936869
SHA512 c4ce86cecef6e2b3785f076667381f3e8e4b7d9e6e7c9e48d2fedde83670df61c51bdd852c3fadc826bee6025d9c22a1cd2f1ba255a7123047ac11e2ed262fdc

C:\Users\Admin\AppData\Local\Temp\_MEI31842\_cffi_backend.cp37-win_amd64.pyd

MD5 daccb97b9214bb1366ed40ad583679a2
SHA1 89554e638b62be5f388c9bdd35d9daf53a240e0c
SHA256 b714423d9cad42e67937531f2634001a870f8be2bf413eacfc9f73ef391a7915
SHA512 99fd5c80372d878f722e4bcb1b8c8c737600961d3a9dffc3e8277e024aaac8648c64825820e20da1ab9ad9180501218c6d796af1905d8845d41c6dbb4c6ebab0

C:\Users\Admin\AppData\Local\Temp\_MEI31842\clr_loader\ffi\dlls\amd64\ClrLoader.dll

MD5 e8a52f61db8eb35ef3b8211bfbb821e9
SHA1 835d394badb777e9c7e4ef59c72a309500a3971e
SHA256 4942106eb2b86a37c63eba972a2c6c5870d4ae7535075bb5252556e2ff2357f6
SHA512 48e7f25ea4a4af1dc09fe594c25e8a962304922445a1e9708873cef4578a783eea913b59cc390d0e318c9d35995f01109b9a104b6176cd8cd081449988913626

memory/2088-86-0x00007FFE30BB3000-0x00007FFE30BB5000-memory.dmp

memory/2088-85-0x0000029B50330000-0x0000029B50340000-memory.dmp

memory/2088-84-0x00007FFE40C60000-0x00007FFE40C6A000-memory.dmp

memory/2088-88-0x0000029B503F0000-0x0000029B50460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI31842\pythonnet\runtime\Python.Runtime.dll

MD5 d94eea13862fa10cc55075a7b595c3ee
SHA1 af8607c0a6f67917d5f9d9136d7b981caaaa6a32
SHA256 22822869023482e6d15314a8cbd7cb700e5c1ef4d89ecff65ff4144b1840da79
SHA512 591359cdf1108297c49b68dc1c375f747aad19b0dc609fe625f0e8ed16d46804ae05a14c7fa3343493589bd3e5f6e8f485d7e54b1398c3f3881b4911cb38c643

memory/2088-89-0x0000029B503B0000-0x0000029B503CA000-memory.dmp

memory/2088-90-0x0000029B50310000-0x0000029B50318000-memory.dmp

memory/2088-83-0x0000029B502D0000-0x0000029B502DA000-memory.dmp

memory/2088-91-0x0000029B50320000-0x0000029B50328000-memory.dmp

memory/2088-92-0x0000029B68A00000-0x0000029B68A22000-memory.dmp

memory/2088-93-0x00007FFE30BB0000-0x00007FFE31671000-memory.dmp

memory/2088-94-0x0000029B50330000-0x0000029B50340000-memory.dmp

memory/2088-95-0x00007FFE30BB0000-0x00007FFE31671000-memory.dmp

memory/2088-96-0x0000029B503D0000-0x0000029B503D8000-memory.dmp

memory/2088-97-0x00007FFE30BB0000-0x00007FFE31671000-memory.dmp

memory/2088-98-0x0000029B50470000-0x0000029B504A4000-memory.dmp

memory/2088-99-0x00007FFE30BB0000-0x00007FFE31671000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\MyApp.exe

MD5 2b0d0f3cb0a66cf1e42db5890dc346fc
SHA1 da018fd72acabb1c5e9d1741f1cab7a281bdb25a
SHA256 b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22
SHA512 571eb38108027baba47f0b32ba1a3a6eac31248718c16778efc78907bcdb26d3e492cf14d5f8d70ca0cc07caca509ff2a52d610ca6302754f6b3c706ceeaa1f0

memory/2088-164-0x00007FFE30BB0000-0x00007FFE31671000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI33282\pip-22.3.dist-info\top_level.txt

MD5 365c9bfeb7d89244f2ce01c1de44cb85
SHA1 d7a03141d5d6b1e88b6b59ef08b6681df212c599
SHA256 ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508
SHA512 d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

memory/3448-225-0x00007FFE45F30000-0x00007FFE45F3A000-memory.dmp

memory/3448-224-0x00000267EE110000-0x00000267EE11A000-memory.dmp

memory/4328-226-0x0000000000400000-0x0000000000416000-memory.dmp

memory/4328-259-0x0000000005FA0000-0x0000000006544000-memory.dmp

memory/4328-260-0x0000000005BE0000-0x0000000005C72000-memory.dmp

memory/4328-261-0x0000000005C80000-0x0000000005C8A000-memory.dmp

memory/4328-263-0x0000000006790000-0x00000000067F6000-memory.dmp

memory/4328-262-0x0000000006830000-0x00000000068CC000-memory.dmp