Analysis Overview
SHA256
80eedcb0f82bba89b03223e4d5b4b099306bd7aac83c9280132c9c79d08fe374
Threat Level: Known bad
The file loader.exe was found to be: Known bad.
Malicious Activity Summary
Detect Pysilon
Pysilon family
Enumerates VirtualBox DLL files
Command and Scripting Interpreter: PowerShell
Sets file to hidden
Loads dropped DLL
Executes dropped EXE
UPX packed file
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
System Location Discovery: System Language Discovery
Detects Pyinstaller
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Views/modifies file attributes
Suspicious behavior: GetForegroundWindowSpam
Checks processor information in registry
Kills process with taskkill
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-13 22:54
Signatures
Detect Pysilon
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Pysilon family
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-13 22:53
Reported
2024-08-13 22:55
Platform
win11-20240802-en
Max time kernel
38s
Max time network
43s
Command Line
Signatures
Enumerates VirtualBox DLL files
| Description | Indicator | Process | Target |
| File opened (read-only) | C:\windows\system32\vboxhook.dll | C:\Users\Admin\chams\explore.exe | N/A |
| File opened (read-only) | C:\windows\system32\vboxmrxnp.dll | C:\Users\Admin\chams\explore.exe | N/A |
| File opened (read-only) | C:\windows\system32\vboxhook.dll | C:\Users\Admin\AppData\Local\Temp\loader.exe | N/A |
| File opened (read-only) | C:\windows\system32\vboxmrxnp.dll | C:\Users\Admin\AppData\Local\Temp\loader.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\chams\explore.exe | N/A |
| N/A | N/A | C:\Users\Admin\chams\explore.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\app = "C:\\Users\\Admin\\chams\\explore.exe" | C:\Users\Admin\AppData\Local\Temp\loader.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\loader.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\chams\explore.exe | N/A |
| N/A | N/A | C:\Users\Admin\chams\explore.exe | N/A |
| N/A | N/A | C:\Users\Admin\chams\explore.exe | N/A |
| N/A | N/A | C:\Users\Admin\chams\explore.exe | N/A |
| N/A | N/A | C:\Users\Admin\chams\explore.exe | N/A |
| N/A | N/A | C:\Users\Admin\chams\explore.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\loader.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\chams\explore.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\chams\explore.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004D4
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\chams\""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\chams\activate.bat
C:\Windows\system32\attrib.exe
attrib +s +h .
C:\Users\Admin\chams\explore.exe
"explore.exe"
C:\Windows\system32\taskkill.exe
taskkill /f /im "loader.exe"
C:\Users\Admin\chams\explore.exe
"explore.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\chams\""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.138.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.137.159.162.in-addr.arpa | udp |
| N/A | 127.0.0.1:53697 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI15082\ucrtbase.dll
| MD5 | 3b337c2d41069b0a1e43e30f891c3813 |
| SHA1 | ebee2827b5cb153cbbb51c9718da1549fa80fc5c |
| SHA256 | c04daeba7e7c4b711d33993ab4c51a2e087f98f4211aea0dcb3a216656ba0ab7 |
| SHA512 | fdb3012a71221447b35757ed2bdca6ed1f8833b2f81d03aabebd2cd7780a33a9c3d816535d03c5c3edd5aaf11d91156842b380e2a63135e3c7f87193ad211499 |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\python311.dll
| MD5 | affa456007f359e9f8c5d2931d966cb9 |
| SHA1 | 9b06d6cb7d7f1a7c2fa9e7f62d339b9f2813e80f |
| SHA256 | 4bab2e402a02c8b2b0542246d9ef54027a739121b4b0760f08cd2e7c643ed866 |
| SHA512 | 7c357f43dd272e1d595ccde87c13fd2cdf4123b20af6855576bfba15afd814a95886cebbe96bb7781b916f9db3c3ee02d381036ddbf62095de3ee43a7f94d156 |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\VCRUNTIME140.dll
| MD5 | 4585a96cc4eef6aafd5e27ea09147dc6 |
| SHA1 | 489cfff1b19abbec98fda26ac8958005e88dd0cb |
| SHA256 | a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736 |
| SHA512 | d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286 |
memory/2692-1306-0x00007FFBFF9F0000-0x00007FFBFFFD9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI15082\python3.DLL
| MD5 | d8ba00c1d9fcc7c0abbffb5c214da647 |
| SHA1 | 5fa9d5700b42a83bfcc125d1c45e0111b9d62035 |
| SHA256 | e45452efa356db874f2e5ff08c9cc0fe22528609e5d341f8fb67ba48885ab77d |
| SHA512 | df1b714494856f618a742791eefbf470b2eee07b51d983256e4386ea7d48da5c7b1e896f222ea55a748c9413203886cde3a65ef9e7ea069014fa626f81d79cd3 |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\base_library.zip
| MD5 | c04a1916b8a726a74bcdba99b42a376b |
| SHA1 | f87ca7e558071e8dc85872644b8b2993563a75c0 |
| SHA256 | f9c5fdc929a36e519ec6a0a3d9f9a4f3358105640bdb71d98de7fb395542b8c4 |
| SHA512 | 8f453af49da1354b8e22aac594edc2cc5907f64a85167a35d750d2d300be0f39b0f461d48ab5cff70cf24e7f43bad8143933d42710db6153f782c3411923a073 |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\_ctypes.pyd
| MD5 | 955a3624921b140bf6acaba5fca4ac3b |
| SHA1 | 027e0af89a1dbf5ef235bd4293595bbc12639c28 |
| SHA256 | ea07594b2eede262d038de13a64b76301edfbda11f885afa581917b1fb969238 |
| SHA512 | b115e83061c11aaf0a0f1131a18be5b520c5cbc3975f5b7a1e9cea06b0aff7a2815165fcd1f09ba1efcf7c185e37e84a0b6ad4eefea3049a369bdf46ed3d2cb7 |
memory/2692-1317-0x00007FFC17520000-0x00007FFC1752F000-memory.dmp
memory/2692-1316-0x00007FFC15AE0000-0x00007FFC15B03000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI15082\libffi-8.dll
| MD5 | 0d1c6b92d091cef3142e32ac4e0cc12e |
| SHA1 | 440dad5af38035cb0984a973e1f266deff2bd7fc |
| SHA256 | 11ee9c7fb70c3756c0392843245935517171b95cc5ba0d696b2c1742c8d46fb6 |
| SHA512 | 5d514ecab93941e83c008f0e9749f99e330949580884bf4850b11cac08fe1ac4ac50033e8888045fe4a9d8b4d2e3ea667b39be18f77266d00f8d7d6797260233 |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\_bz2.pyd
| MD5 | f807854b836ab1e84fcdb11560216929 |
| SHA1 | 627ef83ca0611d9cb267c72dfccf2f0a30297d7c |
| SHA256 | 5847649160f3f1564e26cba88e70bd159cc5cea08a1bf07ecd5b7796a49d259e |
| SHA512 | 85c28890f2fa4ea6d4f295d41ffc11109d217449cd6f77ea4a901d3f681c67f1abf59fdc5dead503db99ba766d1c51ee5505e456a3b605374b00e3ff832add1d |
memory/2692-1321-0x00007FFC15560000-0x00007FFC15579000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI15082\_lzma.pyd
| MD5 | 872fea740d2ae4d8b9bb2ac95059f52b |
| SHA1 | 22274e636e2ef57ad16ccf0eb49a2ff3e37ba080 |
| SHA256 | c9a4162df80a99e4723dd60bdf34b8fefc4005f7865dc3e6d86833d84fa25da2 |
| SHA512 | f85d1b6602826b21f12a873176f7a5c857c3213ae329ed7a0b8f7d9b1a791edc5549d8fce3c5d2305ce40a4d8a57d9845b2956d42d374de78d5324703d5dfa03 |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\libogg-0.dll
| MD5 | 0d65168162287df89af79bb9be79f65b |
| SHA1 | 3e5af700b8c3e1a558105284ecd21b73b765a6dc |
| SHA256 | 2ec2322aec756b795c2e614dab467ef02c3d67d527ad117f905b3ab0968ccf24 |
| SHA512 | 69af81fd2293c31f456b3c78588bb6a372fe4a449244d74bfe5bfaa3134a0709a685725fa05055cfd261c51a96df4b7ebd8b9e143f0e9312c374e54392f8a2c2 |
memory/2692-1369-0x00007FFC111C0000-0x00007FFC111ED000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI15082\libmodplug-1.dll
| MD5 | 2bb2e7fa60884113f23dcb4fd266c4a6 |
| SHA1 | 36bbd1e8f7ee1747c7007a3c297d429500183d73 |
| SHA256 | 9319bf867ed6007f3c61da139c2ab8b74a4cb68bf56265a101e79396941f6d3b |
| SHA512 | 1ddd4b9b9238c1744e0a1fe403f136a1def8df94814b405e7b01dd871b3f22a2afe819a26e08752142f127c3efe4ebae8bfd1bd63563d5eb98b4644426f576b2 |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\libjpeg-9.dll
| MD5 | c22b781bb21bffbea478b76ad6ed1a28 |
| SHA1 | 66cc6495ba5e531b0fe22731875250c720262db1 |
| SHA256 | 1eed2385030348c84bbdb75d41d64891be910c27fab8d20fc9e85485fcb569dd |
| SHA512 | 9b42cad4a715680a27cd79f466fd2913649b80657ff042528cba2946631387ed9fb027014d215e1baf05839509ca5915d533b91aa958ae0525dea6e2a869b9e4 |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\libcrypto-3.dll
| MD5 | f3fdbbd6c6ea0abe779151ae92c25321 |
| SHA1 | 0e62e32666ba5f041b5369b36470295a1916cb4e |
| SHA256 | 9000e335744818665b87a16a71da5b622b5052b5341f1d6ce08ff8346d2bf3e4 |
| SHA512 | e8a363042a05868acc693b5d313f52ffc95b8f6b764a77ff477b0ce2288787dd275478ddbe33d6dbd87636ba9ff0243d2e447a161e2f9cc2f3dba0746f219e4e |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\freetype.dll
| MD5 | 04a9825dc286549ee3fa29e2b06ca944 |
| SHA1 | 5bed779bf591752bb7aa9428189ec7f3c1137461 |
| SHA256 | 50249f68b4faf85e7cd8d1220b7626a86bc507af9ae400d08c8e365f9ab97cde |
| SHA512 | 0e937e4de6cbc9d40035b94c289c2798c77c44fc1dc7097201f9fab97c7ff9e56113c06c51693f09908283eda92945b36de67351f893d4e3162e67c078cff4ec |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\api-ms-win-crt-utility-l1-1-0.dll
| MD5 | 4653da8959b7fe33d32e61e472507d54 |
| SHA1 | 6d071b52f40dc609f40989b3dd0fb53124607df8 |
| SHA256 | b7e186a946119791e42f17e623732e23f864f98b592c41d95b3da0532ea9d5f3 |
| SHA512 | 81e17cf4b64ed5efba191d35b1877384544557c3001efa0321a755a35413740ae66e39e39f573d3184ef8c893c739a74d37f170fe540f81177a83b44bc18ba6d |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\api-ms-win-crt-time-l1-1-0.dll
| MD5 | 9bc895e2cc140e168fa55372fce8682b |
| SHA1 | 579d71e19331625dda84baa9d8b81dd3bafc9913 |
| SHA256 | 287f80b2b330cc5f9fdf47de50b189993ce925b5e2b7a6da5cdaef9c7d5f36c1 |
| SHA512 | de0e5c6f9656106fcf2443d863d26c4b16bbb5b40e676199f9c459be02b4837a2d32bddda82543eb2e0bf14a27edea7f5d506914da8d63da77ed7ccd2204aa65 |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\api-ms-win-crt-string-l1-1-0.dll
| MD5 | 2e657fe299572eacdac67f4b9f603857 |
| SHA1 | eb4fbc0147d4df5d4ef81953bc1265d505a19297 |
| SHA256 | ec3c2bff10b9469ac9c6ed109307731a1a4694fb54856ddd082a2ffd3cc34df2 |
| SHA512 | ee3899584ecece342accbd73d681358cfe8b4fd2ed07cf3034b14f3d04e3b03e5d6d041a0afcb0b2b2b5afac118032317b5eca00d11f7703d9d0dae0e3ac38f7 |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\api-ms-win-crt-stdio-l1-1-0.dll
| MD5 | 4a3342bce6b58ef810e804f1c5915e40 |
| SHA1 | fe636cca0a57e92bb27e0f76075110981d3b3639 |
| SHA256 | 2509179079a598b3e5dfd856d8e03e45de7379c628901dbd869ec4332ddb618c |
| SHA512 | f0c626f88f016c17fa45ea62441dd862a9575666ec06734f61d8e153c5f46a016fe1d9271293a8e29afbd167f7a381e3ee04cb413736bc224ac31e0fe760341c |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\api-ms-win-crt-runtime-l1-1-0.dll
| MD5 | dc8bfceec3d20100f29fd4798415dc00 |
| SHA1 | bd4764be2833f40c1cc54229c759f83d67ae5294 |
| SHA256 | 4950d0a97cb18971355247feccfd6f8ea24e46bca30f54540c050e4631ec57a8 |
| SHA512 | cc7899ad716a81af46d73b1cb8ded51aee9619f2accc35859e351fb8ee4f965f5bcc9adbb7353ca7a3c8e39d36c09481f66519cb173da1d2578718c764fb6fae |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\api-ms-win-crt-process-l1-1-0.dll
| MD5 | 38d1c8d2aa2023d85aca69286d79fb78 |
| SHA1 | a97e806268dc4ee781ec2bfb654ed8bf91c2a83a |
| SHA256 | 381a09a63b5818a2499144adbd8c5f6bbcfce93d643e9920cc54485006fbcc48 |
| SHA512 | fc71441009ebe69dfbc04a791cb401306cb88f7bed5290cd899e234d290209917dc7fbd0d0d1a16ceb056858c77306b8ee5f3c17432f3594904b73b20162738e |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\api-ms-win-crt-private-l1-1-0.dll
| MD5 | cd9cc79e885497f4da7cce77551ea160 |
| SHA1 | 160427067df3cdf6fde3277a2ce1c69d82cedc5f |
| SHA256 | 7da01dcebc45ba07374a2bf5d88d6746b91bbb3a299b75458889d4ba7f5c11ee |
| SHA512 | 0b109f990c74ebdc995ad1f3c40a20e4478141a6714e74d3a0085f636e67423809b835f144eace9a65d38278ef33e0d5d8fbd890cde98ca8c30990d8e5a19aef |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\api-ms-win-crt-multibyte-l1-1-0.dll
| MD5 | 952eea89949b7facd3f22b127f51d5c9 |
| SHA1 | c1bae3e284f734a175f9e42c302728454d6c5976 |
| SHA256 | 808b4c22e32b829fad8468d7991bc81ce23f9c702b1d3d6fd66b58c1e18dd780 |
| SHA512 | 3223657cb44e79b4880a025def07334f8ee993083055030cf5b23451a8bb67c58dd9f6f9cc62983d9a9a716509fce722f3660b1c39ed2aad886c971acf11a660 |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\api-ms-win-crt-math-l1-1-0.dll
| MD5 | a12569b252b6761a6330d2ffb6c2983b |
| SHA1 | cc6bdb88b252144af816976a181d2b3b961ce389 |
| SHA256 | ab0de0cf89f88b947e01a5ab630d71384ad69f903cef063ccb10de54d061ea2e |
| SHA512 | ee9cb0e2c613374348a34e4a65c83da8d35e6e841f50eed726ff397c7bb6ec430ed200b3b1a541041a91ebe5ae0c96270ee7b891c8c173b340c82abd2cdf8750 |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\api-ms-win-crt-locale-l1-1-0.dll
| MD5 | 78fc4a7e489f64ea5e0a745c12477fd8 |
| SHA1 | 51ab73b5142ee2f742abdaedf427690613a19f4a |
| SHA256 | c12c28e3391a8c8adcabe4632470de824118c56338f46fcd8b99257709f50604 |
| SHA512 | c9064ff0b39421b28720e65e70695a997995cbec80f1534d88b886bda1797a7316d9b61e458b894b528c7bce21c36f1d4acd916de96d0cdfde59107ea93cd5d7 |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\api-ms-win-crt-heap-l1-1-0.dll
| MD5 | 481282554b34e19c77978dc7888434e6 |
| SHA1 | bd33f1189fc79ac57716f9d030ef0bdd30205115 |
| SHA256 | 8895c5ab2152a7f25f0c44a3457867229046952106d422331a1c57ad7935b47e |
| SHA512 | fbe98fda91618dd980709babd8e56b8c4c4ff370e6de23075f89303aafffd723dddfd270f388c573914385e957add756bfe2b1fcef5f9f86cb30e111177a52e9 |
memory/2692-1370-0x00007FFC152D0000-0x00007FFC152E4000-memory.dmp
memory/2692-1371-0x00007FFBFF0D0000-0x00007FFBFF5F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI15082\api-ms-win-crt-filesystem-l1-1-0.dll
| MD5 | 1fd59e1dd71eb3bdadb313029710dc33 |
| SHA1 | 82f5de117d9c55247da873ab8ad23f4e07841366 |
| SHA256 | 953e4403094ec0c3e8c3a9ab38012cc36d86ac5fe3fff2d6b6c5f51f75737c46 |
| SHA512 | 69608ff0127587b93db86c8cb27a932fa4b550c7d8d908f9fb8579ba2bccc6d43e7283363f7b46dd39a40a8c790a030028a78302703658fd5d68f5ee9452a5aa |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\api-ms-win-crt-environment-l1-1-0.dll
| MD5 | 4eeb879fceeae59927f98a1a199b59ca |
| SHA1 | 3bb833edf4c10b42b7b376b93644ccc7f9a4b0f8 |
| SHA256 | e1b95e27cad9da4f0bd8bf4c913f49b9b8da6d28303f2946b55da3bd7feb36a3 |
| SHA512 | 6a43eb0c660395a60d17401e948bc4da010261197ea13b5c9e043e7ee93c30eb17efb9b6b138ecdd77ddc3d0caa98921b57bfc244f6cd554417a0fba5c9407b0 |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\api-ms-win-crt-convert-l1-1-0.dll
| MD5 | 55e742035343af7b93caeeb71d322bed |
| SHA1 | 121134dfeca618ec3fae3fb640e541141d0c7b65 |
| SHA256 | 2364fa428deba813b8a27b369acea8ed365aa5c9da776d57e146576920746f0e |
| SHA512 | 601474b8c9185cb734df191f4382590f1466c0a32773e17c73afa5c1446dc648253d44e4ebad6ce0d29288afb1d7794c09ff0d7cfe81a3adc3dc26b3da46103d |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\api-ms-win-crt-conio-l1-1-0.dll
| MD5 | 43760078912b411595bcded3b2eb063d |
| SHA1 | bd00cd60fd094b87ab0cff30cd2afe0a78853f22 |
| SHA256 | 0a9bcaa55326373200396bb1af46b3058f8f7af7be3289544dddbafdec420fea |
| SHA512 | d779f67bbb6e9867bcef7667c28e0032c01f36b8ea418504e9683240a6c0d9640b24d1dc5fa78cc9dcc4515f7be0d314f27ebcebc047b2e0f71680905d87827b |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\api-ms-win-core-util-l1-1-0.dll
| MD5 | 85a8b925d50105db8250fa0878bb146e |
| SHA1 | 4b56d7eb81e0666e0cd047f9205584a97ce91a01 |
| SHA256 | f3324803591d2794bad583c71d5036976941631a5f0e6d67c71fc8ba29f30ba8 |
| SHA512 | cb074508052fafa8baa2e988e0f4241411a543e55a6a9fee915029c6aa87c93cce1f0b14fe0658361b6b4ab6880b31a950c215404c0d71d8a862d4e74ab3b797 |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\api-ms-win-core-timezone-l1-1-0.dll
| MD5 | 953c63ef10ec30ef7c89a6f0f7074041 |
| SHA1 | 4b4f1ff3085fded9dbd737f273585ad43175b0a3 |
| SHA256 | c93954167c12e15b58ac95240d2e0a2fbd94561d739d9f6aca906d9c30453496 |
| SHA512 | b4534785e4d02ad387e3c6082884d438cc4b3cd8758aabcf99620052f5842dbd298351bc1723c274d4f7d3fce0cc940df3d47865fece2f07cdb1151376ba852e |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\api-ms-win-core-sysinfo-l1-1-0.dll
| MD5 | 1f0ab051a3f210db40a8c5e813ba0428 |
| SHA1 | e2ec19439618df1d6f34ee7c76108e3ea90a8b14 |
| SHA256 | 2d4cdda6d6aec0b1a84d84528380c5650683b8eed680f3cafd821ac7f422070c |
| SHA512 | a8ba535580d6756ac30e725411980a8d17e9a8aa1229233bb7a9b15c55b18b61136772d5d75cce0edf21b0f300bbd4d2458a4c69762261e928ef3cb7d5a14bdd |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\api-ms-win-core-synch-l1-2-0.dll
| MD5 | b865442fb6836a9b933a216109ff3d0f |
| SHA1 | 15011fcaea649ca016fa93996639f59c23b74106 |
| SHA256 | 498194cfe8b1138385595a7db3863adf29a9663551d746fb64648ffd075186b3 |
| SHA512 | eeb9fa00a941c4b30320fbb9ecc2717e53d13cd12394500d795be742dbe25c5fdf8590e9fe7f3b210a9d9aa07c7392419823a6a947591e7a38707a87309a2b76 |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\api-ms-win-core-synch-l1-1-0.dll
| MD5 | 2c4be18e4d56e056b3fb7c2afb032e9e |
| SHA1 | 9620c91a98175dddccc1f1af78393143249e9eb9 |
| SHA256 | 56657da3db3877624f5dad3980df3235fe7e1038916627c0845b5001199d513f |
| SHA512 | 18cbb5671ed99b475c7f6ff2d41943ba6d28fbbd781884bf069d1aa83f051c00d61baa11459dcca4fe2a4bc26c3540e1f598e4e0ae59a5e18d340a68b695ed78 |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\api-ms-win-core-string-l1-1-0.dll
| MD5 | 9ab1bde57b958090d53de161469e5e8d |
| SHA1 | 8452aed000b2e77040ba8b1e5762532cdf5a60ad |
| SHA256 | 199c988d566f19e8c67f4cd7147a7df591cd2f2d648cbc511a5e4580346e75f4 |
| SHA512 | cf53c6885e154a05f8773d6b66a605049d70cc544f22a11d423c885608cd387446306ce6dfee2cc4ee9387cdc0a50da55948b5e55ad94acde7c7fd04fe38a137 |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\api-ms-win-core-rtlsupport-l1-1-0.dll
| MD5 | c03daa9e875ff8638f631b1c95f4b342 |
| SHA1 | 71eaeaccea8a302f87d1594ce612449c1195e882 |
| SHA256 | a281ae7a487ecea619e696903e5a8119ae3f9e9eb2f0b64b31a8324b530a4d35 |
| SHA512 | efa6ca2710f9827888f2cfcb87a321d66593b39988ebf743f37e2b8fe77dba9517bdd8571d0be7573cd6e1c786c1edba10857cfb6060e315aa0d46a16523d43b |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\api-ms-win-core-profile-l1-1-0.dll
| MD5 | 430d7cdd96bc499ba9eb84bb36aa301a |
| SHA1 | 48b43f6e4ffa8423966d06b417b82c5f72525dd9 |
| SHA256 | 3e16b030a162ee3b4f6bf612af75d02a768a87f2d6a41a83f5adab2ec3c24dd1 |
| SHA512 | 51042ebca24086e1d0015fa921816a2f3c56065e1e15190b48c58656eb88610d64acacb87584981963cab501985c2cb68e53075cf5e0c65761bbddaf56fbbab0 |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\api-ms-win-core-processthreads-l1-1-1.dll
| MD5 | b1ba47d8389c40c2dda3c56cbed14fc5 |
| SHA1 | 2eef9ffa32171d53affa44e3db7727aa383f7fac |
| SHA256 | c7277c05dc6b905fad5cb930b0ecfbbc4676b46974b4571e54ca44cb6f6be404 |
| SHA512 | 466e31f17f73bda5149343b23f4966502a8597d2a2e43f9a6c9c32387451d92c6b658ccaae27044e68e4a9fd0ef9c89e32dc7639d59fcf04c596b6abfa09658b |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\api-ms-win-core-processthreads-l1-1-0.dll
| MD5 | d21be88a58960edfe83ccbbdf5c4103d |
| SHA1 | 3cb0d010837b77102e77ca62e1033ef4eb5473ac |
| SHA256 | 3e909b4951e485de391f9a101e513b32c6d3507674c4d666ad3105b939b25c24 |
| SHA512 | 99b1fda3ec9292a59ed528ab243b4f8ac63e2d7b219135f26050bb7dd124a5d5dc4a14a69383a8aa0b03f0f0a3bccf0c233ef09b8e3d3bdf43d0aa1cfc1a3992 |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\api-ms-win-core-processenvironment-l1-1-0.dll
| MD5 | df64597430e1126c3ba0fe5ecf995004 |
| SHA1 | 3e32ad558501fb9d108f885a55841605be641628 |
| SHA256 | 9638950211cbdcdaeb886cab277573391bf7dda2fbdb24fc18d31125dc8a7c24 |
| SHA512 | e16c1f5468bf2fc90b66b4b66dbad62cdbe29180f8da8ab8ad28d1b0c418cb96eadf24bb54f2ee9bcfe3176256d05f7eb591b6f908e47bd420ba22768fe0ea61 |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\api-ms-win-core-namedpipe-l1-1-0.dll
| MD5 | 94fce2f4b244d3968b75a4a61b2347ab |
| SHA1 | c5898af5fd941c19fcdd949c6b4e2bb090d040d2 |
| SHA256 | c513bdc265654d2e9a304423f299fb46953631f0d78af8c1d397cd58b491475a |
| SHA512 | 1afe1f3a9b803c5758ff24376fe040d856b5ca814717b490464260c9c78e70ce6c166efbcc98e26ac12dd6173285b4863da7df4ff644d1d8150f8ac4b47113e1 |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\api-ms-win-core-memory-l1-1-0.dll
| MD5 | 5e93bf4aa81616285858ca455343b6d3 |
| SHA1 | 8de55be56b6520801177f757d9e3235ec88085f7 |
| SHA256 | c44ec29a51145281372007d241a2cc15b00d0bacc8adfaac61e8e82efe8ea6a3 |
| SHA512 | e6a46dad1d7125dbaaf9d020100d7ec321620e38fdd1c931af74e8ec25e841c52555ec9646a895ad4450de94f70e82e9a237c2895ddfd16769b07cb73ad827e0 |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\api-ms-win-core-localization-l1-2-0.dll
| MD5 | 0414909b279ea61ca344edbe8e33e40b |
| SHA1 | 4ece0dabe954c43f9bd5032de76ec29c47b22e10 |
| SHA256 | 05b0c773a77850f3d50ddb4b82cc4d5f19316fe1aaa65e21b4709ae73f60a28e |
| SHA512 | edbd33540cd1ef69f2ce824cfb991903ec6e4edda815f07d610247594ceeb2ebc78f05a44b4de8c5c937191b7e8b2ef221423c06df303d73deea721c25d15eed |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\api-ms-win-core-libraryloader-l1-1-0.dll
| MD5 | 5eb2d8e1b9c9bd462c808f492ef117c2 |
| SHA1 | 60d398ec6e72ab670a2d9ef1b6747387c8de724e |
| SHA256 | db85f9aae6e9a5f1664326fa3fb82fe1002a3053857724d6c8d979a07c1221a1 |
| SHA512 | df0ef770368f153104f828f1c2381bea9a79e69defd43af53bdd419b7d80144831e0c4cc8695baee9f26928f0c4a00fe4837c872313c37bce1b23e6690a93bda |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\api-ms-win-core-interlocked-l1-1-0.dll
| MD5 | 5a1569efa80fd139b561a9677a661f8a |
| SHA1 | fb0c824688e65ed12f52fa961ef3bae5674f32af |
| SHA256 | 41c1eaf5545109e871abef7386ab1abf9d2de1762cb4720c945afa8424858b00 |
| SHA512 | 1d2594c7f9757a95b41a9e6496f89c81fc96448b32cacb0c10d0db8c28a95cf33b3ad23348bcd8fb37d82bd72865d3c60944206f2e795686440de49bbcc39d7e |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\api-ms-win-core-heap-l1-1-0.dll
| MD5 | 5846d53ac41102bb6f7e1f78717fea7f |
| SHA1 | 72254f1b93f17c2c6921179c31cd19b1b4c5292d |
| SHA256 | 059dfa16c1bbe5ff3a4b5443ba5e7ad1d41e392a873b09cfef787020ca3e101f |
| SHA512 | 0c29c0f562f1cabd794d8bf7f5cef0b0213fcf52a71eb254e0122f88c6e03558cb2259caff6b46d3b055101ef5422318e48d6c7568cbf2423212b8ed4e8f0f7f |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\api-ms-win-core-handle-l1-1-0.dll
| MD5 | 53b1beee348ff035fef099922d69d588 |
| SHA1 | 7bc23b19568e2683641116f770773f8bcf03376b |
| SHA256 | 3a52229bf8a9df9f69a450f1ed7afc0d813d478d148c20f88ec4169d19b0d592 |
| SHA512 | 85c7ffa63483d69870cd69bf40e2b4ea5992d6b82607ee9bfc354c3bd5079e18cfe2ca0bcaa2fe493b42226f4a8097737116ea023823ce3ef177596dd80edcdb |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\api-ms-win-core-file-l2-1-0.dll
| MD5 | 50abf0a7ee67f00f247bada185a7661c |
| SHA1 | 0cddac9ac4db3bf10a11d4b79085ef9cb3fb84a1 |
| SHA256 | f957a4c261506484b53534a9be8931c02ec1a349b3f431a858f8215cecfec3f7 |
| SHA512 | c2694bb5d103baff1264926a04d2f0fe156b8815a23c3748412a81cc307b71a9236a0e974b5549321014065e393d10228a0f0004df9ba677f03b5d244a64b528 |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\api-ms-win-core-file-l1-2-0.dll
| MD5 | 3473bc217562594b5b126d7aeb9380e9 |
| SHA1 | b551b9d9aa80be070f577376e484610e01c5171a |
| SHA256 | 0d8190fd619feb20df123931108d499132f7051f1ebb0ef246082f4c52c88b22 |
| SHA512 | 036b93457ade632ad68264d81ff26ee1156038e234c606882386d6babcbe722a18e9ced1655f97caecaf5fd514e261dafe999a3e9fec00cc677e177f0bf8e203 |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\api-ms-win-core-file-l1-1-0.dll
| MD5 | ecee1b7da6539c233e8dec78bfc8e1f9 |
| SHA1 | 052ba049f6d8cd5579e01c9e2f85414b15e6cbf8 |
| SHA256 | 249d7cd1c87738f87458b95ace4ab8f87b0de99eeefb796f6b86cba889d49b2c |
| SHA512 | ea21fe20336b8170b2a8cd13df217e9ee87aa1d2b0ba476bee2a97c3fce57648c9ab664b9ba895d5bbbcd119f2bb6633bedc85dafbd7bf6853aa48b168a927f4 |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\api-ms-win-core-fibers-l1-1-0.dll
| MD5 | 73dd550364215163ea9edb537e6b3714 |
| SHA1 | c24fcadfee877d5402e2b4f8518c4f5f4a2ce4b4 |
| SHA256 | 0235c78780eff0bd34fce01d1c366e5e5936ea361676cb9711a4cfff747d457a |
| SHA512 | 2406d9d44d3ed86a95248b25cf574e0c06533cd916048a2facd68f4db48e49e8e8ce1917091bcfb273d0acc210697ceb659930c896e51464c300ec06476d8cc2 |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\api-ms-win-core-errorhandling-l1-1-0.dll
| MD5 | a17ff429442d4e5298f0faf95950a77d |
| SHA1 | 522a365dad26bedc2bfe48164dc63c2c37c993c3 |
| SHA256 | 8e9d1d206da69da744d77f730233344ebe7c2a392550511698a79ce2d9180b41 |
| SHA512 | 7d4e31251c171b90a0c533718655c98d8737ff220bcc43f893ff42c57ab43d82e6bd13fa94def5bb4205caec68dc8178d6b2a25ad819689f25dad01be544d5ac |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\api-ms-win-core-debug-l1-1-0.dll
| MD5 | c68a86c180ff1fcac90d1da9a08179c1 |
| SHA1 | c287951441c957931dc4ebbee4dc9426a4501554 |
| SHA256 | 2c91c4861e88c92693a1b145ebe2f69ffb90797cd42061e2d84f3d7fc009a941 |
| SHA512 | 857fbf9852596ef7263d8faf970128487413c859246f58b15cec32d11576894c47211a3bd9005f86c2a28fa6b67fba96831c4953c0fa24e2373a6daecb85e121 |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\api-ms-win-core-datetime-l1-1-0.dll
| MD5 | d7ad8db12ff42d620a657127dada1d88 |
| SHA1 | 0ca381c734a3a93dc5f19c58dadfdca9d1afccd8 |
| SHA256 | 26054d8febab1aacf11aa5cb64055808cd33388a8e77d0b3bcbc7543b0eea3bd |
| SHA512 | 7e2d6b60adbf97b22ab4b66691e483827d5755cfc6fcb5224369ada53cbd8cda43c4694a000ea4b5cebc69a475b54df0e9694c20afd9ec62b4db7b22241bdc45 |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\api-ms-win-core-console-l1-1-0.dll
| MD5 | 4a8f3a1847f216b8ac3e6b53bc20bd81 |
| SHA1 | f5aadc1399a9da38087df52e509d919d743e3ea7 |
| SHA256 | 29b7d786d9f421765a4f4904f79605c41e17c0a24d7f91e44c0b7b0dea489fc3 |
| SHA512 | e70d2b719517c413fa967ca1a8d224299af55d988b3cc28013aaa3677660fae9ecb6f858d31c08cd8a0888f932af1384f0eaa928c002200f0710c2d5bddced1b |
memory/2692-1373-0x00007FFC15B80000-0x00007FFC15B8D000-memory.dmp
memory/2692-1372-0x00007FFC12000000-0x00007FFC12019000-memory.dmp
memory/2692-1375-0x00007FFBFF000000-0x00007FFBFF0CD000-memory.dmp
memory/2692-1374-0x00007FFC11180000-0x00007FFC111B3000-memory.dmp
memory/2692-1376-0x00007FFC15470000-0x00007FFC1547D000-memory.dmp
memory/2692-1380-0x00007FFBFEEE0000-0x00007FFBFEFFC000-memory.dmp
memory/2692-1379-0x00007FFC11150000-0x00007FFC11176000-memory.dmp
memory/2692-1378-0x00007FFC11D20000-0x00007FFC11D2B000-memory.dmp
memory/2692-1377-0x00007FFBFF9F0000-0x00007FFBFFFD9000-memory.dmp
memory/2692-1381-0x00007FFC0D500000-0x00007FFC0D536000-memory.dmp
memory/2692-1385-0x00007FFC10E30000-0x00007FFC10E3C000-memory.dmp
memory/2692-1384-0x00007FFC10CE0000-0x00007FFC10CEB000-memory.dmp
memory/2692-1383-0x00007FFC10ED0000-0x00007FFC10EDB000-memory.dmp
memory/2692-1382-0x00007FFC110E0000-0x00007FFC110EB000-memory.dmp
memory/2692-1402-0x00007FFC07520000-0x00007FFC07535000-memory.dmp
memory/2692-1401-0x00007FFC12000000-0x00007FFC12019000-memory.dmp
memory/2692-1400-0x00007FFC0DCA0000-0x00007FFC0DCAB000-memory.dmp
memory/2692-1399-0x00007FFC152D0000-0x00007FFC152E4000-memory.dmp
memory/2692-1398-0x00007FFC0C8A0000-0x00007FFC0C8AC000-memory.dmp
memory/2692-1397-0x00007FFC0C8B0000-0x00007FFC0C8C2000-memory.dmp
memory/2692-1396-0x00007FFC0C8D0000-0x00007FFC0C8DD000-memory.dmp
memory/2692-1395-0x00007FFC0C8E0000-0x00007FFC0C8EC000-memory.dmp
memory/2692-1394-0x00007FFC0D4F0000-0x00007FFC0D4FC000-memory.dmp
memory/2692-1393-0x00007FFC0DCB0000-0x00007FFC0DCBB000-memory.dmp
memory/2692-1392-0x00007FFC0DCC0000-0x00007FFC0DCCC000-memory.dmp
memory/2692-1391-0x00007FFC10420000-0x00007FFC1042E000-memory.dmp
memory/2692-1404-0x00007FFC07500000-0x00007FFC07512000-memory.dmp
memory/2692-1403-0x00007FFC11180000-0x00007FFC111B3000-memory.dmp
memory/2692-1390-0x00007FFC10430000-0x00007FFC1043C000-memory.dmp
memory/2692-1389-0x00007FFC10BD0000-0x00007FFC10BDC000-memory.dmp
memory/2692-1388-0x00007FFC10BE0000-0x00007FFC10BEB000-memory.dmp
memory/2692-1387-0x00007FFC10CD0000-0x00007FFC10CDC000-memory.dmp
memory/2692-1386-0x00007FFBFF0D0000-0x00007FFBFF5F2000-memory.dmp
memory/2692-1407-0x00007FFC06330000-0x00007FFC06352000-memory.dmp
memory/2692-1406-0x00007FFC074E0000-0x00007FFC074F4000-memory.dmp
memory/2692-1405-0x00007FFBFF000000-0x00007FFBFF0CD000-memory.dmp
memory/2692-1409-0x00007FFC06280000-0x00007FFC06299000-memory.dmp
memory/2692-1408-0x00007FFC062A0000-0x00007FFC062B7000-memory.dmp
memory/2692-1410-0x00007FFC06230000-0x00007FFC0627D000-memory.dmp
memory/2692-1411-0x00007FFC061C0000-0x00007FFC061D1000-memory.dmp
memory/2692-1413-0x00007FFC061A0000-0x00007FFC061BE000-memory.dmp
memory/2692-1414-0x00007FFBFED20000-0x00007FFBFED7D000-memory.dmp
memory/2692-1412-0x00007FFC0D500000-0x00007FFC0D536000-memory.dmp
memory/2692-1418-0x00007FFBFEB40000-0x00007FFBFECB7000-memory.dmp
memory/2692-1417-0x00007FFBFECC0000-0x00007FFBFECE3000-memory.dmp
memory/2692-1416-0x00007FFBFECF0000-0x00007FFBFED1E000-memory.dmp
memory/2692-1415-0x00007FFC00680000-0x00007FFC006A9000-memory.dmp
memory/2692-1419-0x00007FFBFEB20000-0x00007FFBFEB38000-memory.dmp
memory/2692-1421-0x00007FFC06220000-0x00007FFC0622B000-memory.dmp
memory/2692-1420-0x00007FFC06320000-0x00007FFC0632B000-memory.dmp
memory/2692-1426-0x00007FFBFEAA0000-0x00007FFBFEAAB000-memory.dmp
memory/2692-1425-0x00007FFBFEAB0000-0x00007FFBFEABC000-memory.dmp
memory/2692-1424-0x00007FFBFEAC0000-0x00007FFBFEACB000-memory.dmp
memory/2692-1423-0x00007FFC00670000-0x00007FFC0067C000-memory.dmp
memory/2692-1422-0x00007FFC07520000-0x00007FFC07535000-memory.dmp
memory/2692-1427-0x00007FFC07500000-0x00007FFC07512000-memory.dmp
memory/2692-1439-0x00007FFBFEA40000-0x00007FFBFEA4B000-memory.dmp
memory/2692-1438-0x00007FFBFEA60000-0x00007FFBFEA6C000-memory.dmp
memory/2692-1437-0x00007FFC06330000-0x00007FFC06352000-memory.dmp
memory/2692-1442-0x00007FFBFE9A0000-0x00007FFBFE9D6000-memory.dmp
memory/2692-1443-0x00007FFBFE8E0000-0x00007FFBFE99C000-memory.dmp
memory/2692-1440-0x00007FFC062A0000-0x00007FFC062B7000-memory.dmp
memory/2692-1441-0x00007FFC06280000-0x00007FFC06299000-memory.dmp
memory/2692-1435-0x00007FFBFE9F0000-0x00007FFBFEA02000-memory.dmp
memory/2692-1436-0x00007FFBFE9E0000-0x00007FFBFE9EC000-memory.dmp
memory/2692-1434-0x00007FFBFEA10000-0x00007FFBFEA1D000-memory.dmp
memory/2692-1433-0x00007FFBFEA20000-0x00007FFBFEA2C000-memory.dmp
memory/2692-1432-0x00007FFBFEA30000-0x00007FFBFEA3C000-memory.dmp
memory/2692-1431-0x00007FFBFEA50000-0x00007FFBFEA5B000-memory.dmp
memory/2692-1430-0x00007FFBFEA70000-0x00007FFBFEA7E000-memory.dmp
memory/2692-1429-0x00007FFBFEA80000-0x00007FFBFEA8C000-memory.dmp
memory/2692-1428-0x00007FFBFEA90000-0x00007FFBFEA9C000-memory.dmp
memory/2692-1444-0x00007FFBFE8B0000-0x00007FFBFE8DB000-memory.dmp
memory/2692-1446-0x00007FFBFED20000-0x00007FFBFED7D000-memory.dmp
memory/2692-1447-0x00007FFBFEB40000-0x00007FFBFECB7000-memory.dmp
memory/2692-1445-0x00007FFBFE5D0000-0x00007FFBFE8AF000-memory.dmp
memory/2692-1448-0x00007FFBFC4D0000-0x00007FFBFE5C3000-memory.dmp
memory/2692-1449-0x00007FFBFECF0000-0x00007FFBFED1E000-memory.dmp
memory/2692-1452-0x00007FFBFC480000-0x00007FFBFC4A1000-memory.dmp
memory/2692-1451-0x00007FFBFC4B0000-0x00007FFBFC4C7000-memory.dmp
memory/2692-1453-0x00007FFBFC450000-0x00007FFBFC472000-memory.dmp
memory/2692-1450-0x00007FFBFECC0000-0x00007FFBFECE3000-memory.dmp
memory/2692-1460-0x00007FFBFC1B0000-0x00007FFBFC264000-memory.dmp
memory/2692-1459-0x00007FFBFC270000-0x00007FFBFC283000-memory.dmp
memory/2692-1458-0x00007FFBFC290000-0x00007FFBFC2AD000-memory.dmp
memory/2692-1457-0x00007FFBFC2B0000-0x00007FFBFC2C9000-memory.dmp
memory/2692-1456-0x00007FFBFC2F0000-0x00007FFBFC337000-memory.dmp
memory/2692-1455-0x00007FFBFC380000-0x00007FFBFC3B0000-memory.dmp
memory/2692-1454-0x00007FFBFC3B0000-0x00007FFBFC44C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rtmdoefl.voa.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2692-1496-0x00007FFBFF0D0000-0x00007FFBFF5F2000-memory.dmp
memory/2692-1513-0x00007FFC061C0000-0x00007FFC061D1000-memory.dmp
memory/2692-1512-0x00007FFC06230000-0x00007FFC0627D000-memory.dmp
memory/2692-1511-0x00007FFC06280000-0x00007FFC06299000-memory.dmp
memory/2692-1510-0x00007FFC062A0000-0x00007FFC062B7000-memory.dmp
memory/2692-1509-0x00007FFC06330000-0x00007FFC06352000-memory.dmp
memory/2692-1508-0x00007FFC074E0000-0x00007FFC074F4000-memory.dmp
memory/2692-1507-0x00007FFC07500000-0x00007FFC07512000-memory.dmp
memory/2692-1506-0x00007FFC07520000-0x00007FFC07535000-memory.dmp
memory/2692-1504-0x00007FFBFEEE0000-0x00007FFBFEFFC000-memory.dmp
memory/2692-1503-0x00007FFC11150000-0x00007FFC11176000-memory.dmp
memory/2692-1502-0x00007FFC11D20000-0x00007FFC11D2B000-memory.dmp
memory/2692-1501-0x00007FFC15470000-0x00007FFC1547D000-memory.dmp
memory/2692-1490-0x00007FFBFF9F0000-0x00007FFBFFFD9000-memory.dmp
memory/2692-1505-0x00007FFC0D500000-0x00007FFC0D536000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI15442\cryptography-43.0.0.dist-info\INSTALLER
| MD5 | 365c9bfeb7d89244f2ce01c1de44cb85 |
| SHA1 | d7a03141d5d6b1e88b6b59ef08b6681df212c599 |
| SHA256 | ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508 |
| SHA512 | d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1 |
memory/1408-3962-0x00007FFC11180000-0x00007FFC1118B000-memory.dmp
memory/1408-3982-0x00007FFC06270000-0x00007FFC062BD000-memory.dmp
memory/1408-3981-0x00007FFC07500000-0x00007FFC07519000-memory.dmp
memory/1408-3980-0x00007FFC07520000-0x00007FFC07537000-memory.dmp
memory/1408-3979-0x00007FFC0C8A0000-0x00007FFC0C8C2000-memory.dmp
memory/1408-3978-0x00007FFC0C8D0000-0x00007FFC0C8E4000-memory.dmp
memory/1408-3977-0x00007FFC0D500000-0x00007FFC0D512000-memory.dmp
memory/1408-3976-0x00007FFC0D520000-0x00007FFC0D535000-memory.dmp
memory/1408-3975-0x00007FFC10420000-0x00007FFC1042C000-memory.dmp
memory/1408-3974-0x00007FFC0DCB0000-0x00007FFC0DCC2000-memory.dmp
memory/1408-3973-0x00007FFC10430000-0x00007FFC1043D000-memory.dmp
memory/1408-3972-0x00007FFC10BD0000-0x00007FFC10BDC000-memory.dmp
memory/1408-3971-0x00007FFC10BE0000-0x00007FFC10BEC000-memory.dmp
memory/1408-3970-0x00007FFC10CD0000-0x00007FFC10CDB000-memory.dmp
memory/1408-3969-0x00007FFC10CE0000-0x00007FFC10CEB000-memory.dmp
memory/1408-3968-0x00007FFC10E30000-0x00007FFC10E3C000-memory.dmp
memory/1408-3967-0x00007FFC10ED0000-0x00007FFC10EDE000-memory.dmp
memory/1408-3966-0x00007FFC110E0000-0x00007FFC110EC000-memory.dmp
memory/1408-3965-0x00007FFC11150000-0x00007FFC1115C000-memory.dmp
memory/1408-3964-0x00007FFC11160000-0x00007FFC1116B000-memory.dmp
memory/1408-3963-0x00007FFC11170000-0x00007FFC1117C000-memory.dmp
memory/1408-3961-0x00007FFC11190000-0x00007FFC1119C000-memory.dmp
memory/1408-3960-0x00007FFC111A0000-0x00007FFC111AB000-memory.dmp
memory/1408-3959-0x00007FFC11720000-0x00007FFC1172B000-memory.dmp
memory/1408-3957-0x00007FFBFF4C0000-0x00007FFBFF5DC000-memory.dmp
memory/1408-3956-0x00007FFC11730000-0x00007FFC11756000-memory.dmp
memory/1408-3955-0x00007FFC11D20000-0x00007FFC11D2B000-memory.dmp
memory/1408-3953-0x00007FFC11760000-0x00007FFC1182D000-memory.dmp
memory/1408-3949-0x00007FFBFF5E0000-0x00007FFBFFB02000-memory.dmp
memory/1408-3948-0x00007FFC152D0000-0x00007FFC152E4000-memory.dmp
memory/1408-3947-0x00007FFC11870000-0x00007FFC1189D000-memory.dmp
memory/1408-3943-0x00007FFBFFB10000-0x00007FFC000F9000-memory.dmp
memory/1408-3958-0x00007FFC111B0000-0x00007FFC111E6000-memory.dmp
memory/1408-3954-0x00007FFC15470000-0x00007FFC1547D000-memory.dmp
memory/1408-3952-0x00007FFC11830000-0x00007FFC11863000-memory.dmp
memory/1408-3951-0x00007FFC15B80000-0x00007FFC15B8D000-memory.dmp
memory/1408-3950-0x00007FFC12000000-0x00007FFC12019000-memory.dmp
memory/1408-3946-0x00007FFC15560000-0x00007FFC15579000-memory.dmp
memory/1408-3945-0x00007FFC17520000-0x00007FFC1752F000-memory.dmp
memory/1408-3944-0x00007FFC15AE0000-0x00007FFC15B03000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-13 22:53
Reported
2024-08-13 22:57
Platform
win11-20240802-en
Max time kernel
152s
Max time network
155s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-08-13 22:53
Reported
2024-08-13 23:24
Platform
win11-20240802-en
Max time kernel
1513s
Max time network
1497s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\get_cookies.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-08-13 22:53
Reported
2024-08-13 23:24
Platform
win11-20240802-en
Max time kernel
1473s
Max time network
1486s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\misc.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-08-13 22:53
Reported
2024-08-13 22:57
Platform
win11-20240802-en
Max time kernel
193s
Max time network
156s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\pyc_auto_file\shell\Read\command | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\.pyc | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\pyc_auto_file | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\.pyc\ = "pyc_auto_file" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\pyc_auto_file\shell\Read | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\pyc_auto_file\shell | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\passwords_grabber.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\passwords_grabber.pyc"
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2869EA611271467A67A5AD939A66DC91 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=8583C9250408074DAA0620AEDFDD5DFB --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=8583C9250408074DAA0620AEDFDD5DFB --renderer-client-id=2 --mojo-platform-channel-handle=1784 --allow-no-sandbox-job /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=234FC154FAEBC9F8380A010C4C9AD35F --mojo-platform-channel-handle=2308 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=774E212C7F0812D39306800B887F9F6F --mojo-platform-channel-handle=1940 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9ECCBEC98DB87E3FFF25269F003B766C --mojo-platform-channel-handle=2536 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-08-13 22:53
Reported
2024-08-13 23:24
Platform
win11-20240802-en
Max time kernel
1465s
Max time network
1477s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |