Analysis Overview
SHA256
db0d623ba3e20c740268c11638f22a96d9a4453dc8f1dc54839da993cca59abd
Threat Level: Shows suspicious behavior
The file FnPuller.exe was found to show suspicious behavior.
Malicious Activity Summary
Clipboard Data
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
UPX packed file
Enumerates physical storage devices
Detects Pyinstaller
System Location Discovery: System Language Discovery
Browser Information Discovery
Unsigned PE
Detects videocard installed
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 00:54
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 00:54
Reported
2024-11-10 00:57
Platform
win7-20241023-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FnPuller.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2416 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Local\Temp\FnPuller.exe | C:\Users\Admin\AppData\Local\Temp\FnPuller.exe |
| PID 2416 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Local\Temp\FnPuller.exe | C:\Users\Admin\AppData\Local\Temp\FnPuller.exe |
| PID 2416 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Local\Temp\FnPuller.exe | C:\Users\Admin\AppData\Local\Temp\FnPuller.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\FnPuller.exe
"C:\Users\Admin\AppData\Local\Temp\FnPuller.exe"
C:\Users\Admin\AppData\Local\Temp\FnPuller.exe
"C:\Users\Admin\AppData\Local\Temp\FnPuller.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI24162\python310.dll
| MD5 | f88ce4e677e2fae8e465111349e3ab15 |
| SHA1 | d6c4f7283c4d949af2cf9eedd756f3f625cc400d |
| SHA256 | 0c404b474c574ce4aa301b6a2528643e0008bf6ec0a3db5b8b436f1cca51ad04 |
| SHA512 | 58ebf534c38ceb26813c9c588d74050688a1ca75bb4d66a45eeea34942fd0352a846796e3eafd8bd9c483a194dd6aa62dad7c10bd3830cb60b5a8345e559e1f2 |
memory/2832-102-0x000007FEF60F0000-0x000007FEF6556000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 00:54
Reported
2024-11-10 00:57
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
96s
Command Line
Signatures
Clipboard Data
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FnPuller.exe | C:\Users\Admin\AppData\Local\Temp\FnPuller.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FnPuller.exe | C:\Users\Admin\AppData\Local\Temp\FnPuller.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Browser Information Discovery
Detects videocard installed
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FnPuller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FnPuller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FnPuller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FnPuller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FnPuller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FnPuller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FnPuller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FnPuller.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\FnPuller.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\FnPuller.exe
"C:\Users\Admin\AppData\Local\Temp\FnPuller.exe"
C:\Users\Admin\AppData\Local\Temp\FnPuller.exe
"C:\Users\Admin\AppData\Local\Temp\FnPuller.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\System32\Wbem\wmic.exe
wmic cpu get Name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
C:\Windows\System32\wbem\WMIC.exe
C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.135.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 205.13.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI48442\python310.dll
| MD5 | f88ce4e677e2fae8e465111349e3ab15 |
| SHA1 | d6c4f7283c4d949af2cf9eedd756f3f625cc400d |
| SHA256 | 0c404b474c574ce4aa301b6a2528643e0008bf6ec0a3db5b8b436f1cca51ad04 |
| SHA512 | 58ebf534c38ceb26813c9c588d74050688a1ca75bb4d66a45eeea34942fd0352a846796e3eafd8bd9c483a194dd6aa62dad7c10bd3830cb60b5a8345e559e1f2 |
C:\Users\Admin\AppData\Local\Temp\_MEI48442\VCRUNTIME140.dll
| MD5 | f34eb034aa4a9735218686590cba2e8b |
| SHA1 | 2bc20acdcb201676b77a66fa7ec6b53fa2644713 |
| SHA256 | 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1 |
| SHA512 | d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af |
memory/3940-104-0x00007FFD31810000-0x00007FFD31C76000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI48442\base_library.zip
| MD5 | e0f56d9171cae24cb9c1fe074e5b7e41 |
| SHA1 | 29d00636d0bcef7e83498690ecbf68c677ad7e68 |
| SHA256 | d7bc411ff590156aea0398cff85a09d961e6a8d04dcfde6e31d3f8c1ee102c2f |
| SHA512 | 0719c97fd4d97101cfe9752242039ce0678740bb57bca5a92e522c1862826e693cf0791b899c7df05c8f0e1f0b852ab4e3a638f51dd3c87904f1a39f20fb7c3c |
C:\Users\Admin\AppData\Local\Temp\_MEI48442\_ctypes.pyd
| MD5 | c0e55fbd13cc1b9f53380f260d7ee4aa |
| SHA1 | 7d843783d997b99a5af24a6175baaaafed0f6806 |
| SHA256 | d2de4a82d579b0598dcd45b61804beecd6261b2d3315380861c753fb61b9d233 |
| SHA512 | 74882cf38940d07a9c42b560da05fa4e387d78600190dc1bf090b395352d0135b877e748a5637ff255954861042088fba5e0b30670313696c21e0fa3495c5f22 |
C:\Users\Admin\AppData\Local\Temp\_MEI48442\libffi-7.dll
| MD5 | 3e91e70021fcbe76c38d87a62f9f424f |
| SHA1 | 067d8076aba98177bc1aaaf0102ac5ed411f8312 |
| SHA256 | e2880494d9509fb0314fc77ab4c9a68a39cdb8a0a24838d04d4ac252fa12f270 |
| SHA512 | 7908116d924c1b5a424a5d998caa5f21587a622b3a1811293406b331934cc57077fe078e3e62ea471db37c59e108bba4e285e1caaa54a4e4ceb71c04382c649a |
memory/3940-114-0x00007FFD458F0000-0x00007FFD458FF000-memory.dmp
memory/3940-112-0x00007FFD45820000-0x00007FFD45844000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI48442\python3.dll
| MD5 | 24f4d5a96cd4110744766ea2da1b8ffa |
| SHA1 | b12a2205d3f70f5c636418811ab2f8431247da15 |
| SHA256 | 73b0f3952be222ce676672603ae3848ee6e8e479782bd06745116712a4834c53 |
| SHA512 | bd2f27441fe5c25c30bab22c967ef32306bcea2f6be6f4a5da8bbb5b54d3d5f59da1ffcb55172d2413fe0235dd7702d734654956e142e9a0810160b8c16225f4 |
C:\Users\Admin\AppData\Local\Temp\_MEI48442\_bz2.pyd
| MD5 | 2369e5808fb952c670086a15aaa7c10f |
| SHA1 | 63fce5d7f5c2e003d7367c77fa8f67c5341d8362 |
| SHA256 | 97374478e70671060e7258cbc1acaa46f8d311baa3c0a3ba9878b17284581ce1 |
| SHA512 | 23b564f25ff1b967d8c108bf5acc4eb112ad2778a93f0501d6f54616c91407c4d863ccb4220fca452440f52afafc1272a5e3768e0b396c74133ca0197a1e0af4 |
memory/3940-118-0x00007FFD456A0000-0x00007FFD456B8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI48442\_lzma.pyd
| MD5 | a4ff584ffa0bec3695b79eebab0da048 |
| SHA1 | 991b9209ab8a676a775ea34faada9b6190fc4fa7 |
| SHA256 | 822a41a74b58a46777054f2048fd3b8eaf85dbda7390a076107cfb18d70c6157 |
| SHA512 | 5fdeb5d014c408d9f0ab8e7c06956d2974d93f7964105159bccb7ce027acfcf830fddfaefbcaa7a57d3441f0082eb6f90192ddce96c219f2e8fcc2a6fe08ebc4 |
memory/3940-120-0x00007FFD41A70000-0x00007FFD41A9C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI48442\_socket.pyd
| MD5 | 8f3f194074b2c80bb66f47cb2a5ca7b6 |
| SHA1 | 2b58bab0676eb5c2f4e82e32c943fc23bf995908 |
| SHA256 | 5ecd17d7117ca794b6c1a377f8f4a56d325b360b52d433923af4e5b470fbe69d |
| SHA512 | a2ade13a1912d543aba9faa6b59afbb92ddbb01ea8ad385917bd392638b69d6ab418b35cceaf3af6663bf508de2397f0edb2510347003d89d554fd30267a44f7 |
C:\Users\Admin\AppData\Local\Temp\_MEI48442\_uuid.pyd
| MD5 | ecf3d9de103ba77730ed021fe69a2804 |
| SHA1 | ce7eae927712fda0c70267f7db6bcb8406d83815 |
| SHA256 | 7cf37a10023ebf6705963822a46f238395b1fbe8cb898899b3645c92d61b48ea |
| SHA512 | c2bf0e2ba6080e03eca22d74ea7022fb9581036ce46055ea244773d26d8e5b07caf6ed2c44c479fda317000a9fa08ca6913c23fa4f54b08ee6d3427b9603dfba |
C:\Users\Admin\AppData\Local\Temp\_MEI48442\_ssl.pyd
| MD5 | bf5caf087a0d31da52df5261c480ba30 |
| SHA1 | 216c0bb90ef7f1fbf464fb328070d641c7ab5aa7 |
| SHA256 | 7c6a05ddcbbd4b5f036b329e47eb3ccc6eba4c93e8fbb1f5d1f0b762824e84ad |
| SHA512 | d7a5c58cbc17a1bf46ceb6153af0c8a8d12af38db032b035962bf5adc036cf25a9e36c40de2c6c96af268b70308f86aac1f26726644fea8ed7d618206ac78afd |
C:\Users\Admin\AppData\Local\Temp\_MEI48442\_sqlite3.pyd
| MD5 | 8adb71f3b6ad7482464052874ae127b5 |
| SHA1 | 8d4f5a0f3c7bd69eba0a295f89cfc9eaef92cfb7 |
| SHA256 | 2f3d271dfdf6054916fd37ff1d3cca1a159df91e047ff4b9eccd8cff747f64fc |
| SHA512 | 239e573c764ac771f3661ee7bfb77df3546f25e8722a067a39ef4fe34b3ea5d816649766370eb6c23fc893dac5898bdf3fb90de736b0f9578e4f62b034225f2d |
C:\Users\Admin\AppData\Local\Temp\_MEI48442\_queue.pyd
| MD5 | ccfa9a994f0437b8b0807acfaed62fae |
| SHA1 | 516ed24c60064f897ee2bfbe0612e5df4df8feb3 |
| SHA256 | 7da026024909d1f0d3b124a3b0f0a477614b2efd9ef718ca79c8b4d0cc68492c |
| SHA512 | 19e54931189a08358d6f4b20ed2016d8fd0a31267a4d59d3db2b4f75f82c5c79cc448415ba7179a35677d9a05647e2b100ce153aed2dc5218eb72e0c87dcb57a |
C:\Users\Admin\AppData\Local\Temp\_MEI48442\_overlapped.pyd
| MD5 | 6982a44fe2ca2803a92af13fcdffdb38 |
| SHA1 | b693ebf6cc0a0b8cf30bac409e54720e6b817f51 |
| SHA256 | 6d0d05f543d44fc13097ca6695225f12ba0ecc1a9d2bccae26a82a7f27d3eff5 |
| SHA512 | 49aec3b1d1d70d2de785815306a96bdde8af63259b4df7fc3882c177c41c0e5b6de0e4467b27e46baf38469805d65b52216cf2937ab7dff8d0fd34ca7aacb42b |
C:\Users\Admin\AppData\Local\Temp\_MEI48442\_multiprocessing.pyd
| MD5 | ef34c446b11b90eaf53ad31539c3804c |
| SHA1 | a1a2d1921d5c4918751dd7d001d77d28b3e5afa0 |
| SHA256 | 88a802e2f519ba94e60c58fb50e083f064d001e9dca50b3730753b1fb5d04675 |
| SHA512 | fb9bcddb85be0c496a5310b2e02b3a7190f3fbb1920a4a575f659c3706ebdf07f0299ea030b79ac1e6775ff61ac1b067d6995aa271e52b61dac09daf00e8006d |
C:\Users\Admin\AppData\Local\Temp\_MEI48442\_hashlib.pyd
| MD5 | 5b0a212cfd3bf53a5573a265df6c8569 |
| SHA1 | 0a5eba50bf11b8317fff0824cdf67ba5925829fc |
| SHA256 | 9ddbed9b89e8a99c4fc94526e78559f068c20f9bdfa240ba17b4ed2b5ed8a412 |
| SHA512 | 1fe464211c587d7198dc4d36e0851d91c7147d351647f343e637c2633d8ca0453c4962d6fd0ca689ead91299ecbfd5f21a31bbb0b1f5c52c2393a017f0d39f31 |
C:\Users\Admin\AppData\Local\Temp\_MEI48442\_decimal.pyd
| MD5 | 7d3be1a8f9e964139a5f24f61cbaa1eb |
| SHA1 | d18d89decb0d814a5439a3e0141825c343188659 |
| SHA256 | 1fb89a01b1d204465e4aad6c397ee584eb4643aa5b00d9926872faa4fa5d9132 |
| SHA512 | bebfc2a15795d80437085700454ffc3e91a2e373ff437af5c9cbad5ae826bdf1b9434cb24742e5492ae533633211482c9c55ea73b19b432e2da4e910409c792e |
C:\Users\Admin\AppData\Local\Temp\_MEI48442\_cffi_backend.cp310-win_amd64.pyd
| MD5 | 2c10963a86452d7598ea524b9432b0ba |
| SHA1 | 1061560d76835415d600879e43e04d3315b0af67 |
| SHA256 | 3cd74813744062712d08fadc0d980c541d92d4ac6bbee91daf2b1599d9c3e5f7 |
| SHA512 | c179c256de828da85294a052e5db531ba43ab32f018f4c7d777f9dcda89432bed0042764d1259fd6796756fd05009b0aa0c33f6e6c8b7e898931262e0aadb32f |
C:\Users\Admin\AppData\Local\Temp\_MEI48442\_asyncio.pyd
| MD5 | 82f42833eb18bd7d504adbefdeb326d7 |
| SHA1 | bfc417facc03a5974f02333176848d5366409b78 |
| SHA256 | 9870a28fa3740135819f2f044fe67575d9f91d4e7ce02419a2f3a328510d56e9 |
| SHA512 | ffe4ea2bec8d12efdf75df500b7e53f36ed89f7a8f009d1e1e8789ec1c5e8e3586ff861ef535712d9ba0bb4826eb1beb966b2bbc3834eb5996821cfea1091c2c |
C:\Users\Admin\AppData\Local\Temp\_MEI48442\VCRUNTIME140_1.dll
| MD5 | 135359d350f72ad4bf716b764d39e749 |
| SHA1 | 2e59d9bbcce356f0fece56c9c4917a5cacec63d7 |
| SHA256 | 34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32 |
| SHA512 | cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba |
C:\Users\Admin\AppData\Local\Temp\_MEI48442\unicodedata.pyd
| MD5 | 309b253db57965d2514021356a0d8211 |
| SHA1 | 52be4d2872e34042d4da51182e9b5b5daced5e69 |
| SHA256 | 6052f89abee19fd0a6e5101a1f372ed32902670c563dd70baf17549d9f8c9c0b |
| SHA512 | b1d142948c3ee9c381cf387022c2554479278ca607584bd7e69bddc8ce38c8dde98e634ef44b06513e4472bae47ad01fe0c8a2ef7ecb7f13063fdd6989b0ce3a |
C:\Users\Admin\AppData\Local\Temp\_MEI48442\sqlite3.dll
| MD5 | 6030d7b5c3c9ad8392b2d4631941480d |
| SHA1 | a96dc733d7002ffb452bf64d655114c81c3761e7 |
| SHA256 | 0003ccd11d237c172cd98b2a2c2c76f95679ada35d47d24acb90f676cbe9649b |
| SHA512 | 28c320d48063c1bc8070168018aa5e3ca407d838948d979e7658adc2b567458d632fc12d125f7bbda457e60aef2e23304812572ede2babdd8eeedd3e2b493589 |
C:\Users\Admin\AppData\Local\Temp\_MEI48442\select.pyd
| MD5 | baae93d751ec31126b9ee16b9754bc9b |
| SHA1 | 7056b4555db26c2617637898ca64da9cab28fcfb |
| SHA256 | f8a11b0d1199a0f64a8a12d7d356ebf3ad758ef2dd0e54bc73ea6303784e2ed8 |
| SHA512 | b16faa1dff07750947fba86b96515f0501ea89d8c0c1c3e6e76c1086fd44e0328921a6b68cfea908b6ebf52413887dcd604537f33b5715f23c549639e8eac33d |
C:\Users\Admin\AppData\Local\Temp\_MEI48442\pyexpat.pyd
| MD5 | 0b6c52296f669e63dd3f862db0f8d70d |
| SHA1 | f72c0a345b9f7c32db79f7ddfcc17f57251b86a2 |
| SHA256 | 40e09427467ede4657969095bcc5596af50d52a8fdd70b3b35b23f82bef61010 |
| SHA512 | f6ab318c593767c130044691323f82c03e4d67233ec2ca0a0c6e44cf6f3882466a97bdf8e30987f350e6c5968bc865f5deb9227c09d0b9d8bd919eff38fbfce6 |
C:\Users\Admin\AppData\Local\Temp\_MEI48442\libssl-1_1.dll
| MD5 | 9a8c68f00a04b7c2efb0197c93db1c8a |
| SHA1 | 81a1342910c50ab64bfc77c8f25b1fc71b2348cf |
| SHA256 | 7b3027da7a291061c9e8ec1a7a0cc2a883680258893b44620861c0b7c2bb180d |
| SHA512 | 01fe96da6c63744941dd5d182af951742b23aa3560f228dcb16ba7887183ef73a60b09cee5d858ce237d2f15397db04685ff94c3c3e7ca8904fc70645e8eeb59 |
C:\Users\Admin\AppData\Local\Temp\_MEI48442\libcrypto-1_1.dll
| MD5 | 9086b4c10d41c366584ac2630725184c |
| SHA1 | 656e134dd2e55fc6ab16c2d22f6ccdd120ca638b |
| SHA256 | 1daf632226d071963d5403755040f8844924d85140b6e41991332dd96384e746 |
| SHA512 | ef72d880ad3f451a0bb4160357be0f02d111e20129f2aed79c23bbf823cbd168b3762c4cd980a2f292c9aa0d112475a3c28c62891ae29ab788f3e1ab55264e93 |
memory/3940-144-0x00007FFD410F0000-0x00007FFD41125000-memory.dmp
memory/3940-143-0x00007FFD45810000-0x00007FFD4581D000-memory.dmp
memory/3940-142-0x00007FFD41A50000-0x00007FFD41A69000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI48442\pywin32_system32\pywintypes310.dll
| MD5 | 4834c005c00a4ea31e940da3e2c75354 |
| SHA1 | cac4d010d0ee8b9d87106b4a5f1f1b63ce91bdfc |
| SHA256 | 2dc712b833e26819296ae2918cf297a1efabb37e5802a6738aa3a12906861e02 |
| SHA512 | 368b98894049b8fa77bd7ce2a3fecb949f53bd39f0927828e97e2f77ec9ada056a1ee426d456c126537d4205aabf55867a0710ea3bf6539baca5c73f86242a5c |
memory/3940-151-0x00007FFD40930000-0x00007FFD4095E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI48442\pywin32_system32\pythoncom310.dll
| MD5 | 94f9a7b80ddcbc0623be6e796ce119bd |
| SHA1 | 49a29ee4054dd8c2547c065b651102705024593d |
| SHA256 | 43f57b57e3e8666f52a7f6525cf107ca8b685c582a111e6891e23fd4742a502b |
| SHA512 | c2be1ac0bcfabfb331e67b9652bc02ab40a22c8c6bad053d646773a1ecdc4cbe57b4f024602ec48e1214110fa56191a6cf732de1c0871226c9462a25b15d7aff |
C:\Users\Admin\AppData\Local\Temp\_MEI48442\win32\win32api.pyd
| MD5 | 4de3f5e30d9c378ad545eb01450da7f5 |
| SHA1 | effbbb776bd64b9aef4134b7475675c77a646e8d |
| SHA256 | bc28f70df94e15fbc3bcc23097ca68609786c2b0ed063aa3da6b0c071e0ca03c |
| SHA512 | 3a2a8044235eb4e40c14fc13ce68d68885971c707c2b7966f64c0e1cce51c5535eb3e56d8ac2770cd5e2e1a6e3133cb4b2456831a2610af1c235deffbc9bef50 |
memory/3940-153-0x00007FFD31330000-0x00007FFD313EC000-memory.dmp
memory/3940-148-0x00007FFD41A40000-0x00007FFD41A4D000-memory.dmp
memory/3940-157-0x00007FFD408C0000-0x00007FFD408EB000-memory.dmp
memory/3940-156-0x00007FFD31810000-0x00007FFD31C76000-memory.dmp
memory/3940-166-0x0000028886800000-0x0000028886B75000-memory.dmp
memory/3940-165-0x00007FFD30AC0000-0x00007FFD30E35000-memory.dmp
memory/3940-164-0x00007FFD30E40000-0x00007FFD30EF8000-memory.dmp
memory/3940-160-0x00007FFD40350000-0x00007FFD4037E000-memory.dmp
memory/3940-159-0x00007FFD45820000-0x00007FFD45844000-memory.dmp
memory/3940-169-0x00007FFD40E50000-0x00007FFD40E64000-memory.dmp
memory/3940-168-0x00007FFD41A70000-0x00007FFD41A9C000-memory.dmp
memory/3940-174-0x00007FFD40E40000-0x00007FFD40E50000-memory.dmp
memory/3940-173-0x00007FFD41A50000-0x00007FFD41A69000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI48442\psutil\_psutil_windows.pyd
| MD5 | 34eb32bfd41bf6bcf6a7245371f990fe |
| SHA1 | 135990c9369d74e93eb995f7745466c0e99b1594 |
| SHA256 | 5cbdc1c8cac58465a38cadf83688bd1fe00207fe431b644e0a0104b7c556908b |
| SHA512 | a82ff0b989c9549a88e688aed78aa2b177ab91a1f5bc8814a6a0e256bafa7b98f3d6cb3f90143dd7562b90061394af27ca96ae6ace903b8570ab3c7faade6469 |
memory/3940-182-0x00007FFD40330000-0x00007FFD40348000-memory.dmp
memory/3940-179-0x00007FFD30450000-0x00007FFD305CD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI48442\charset_normalizer\md__mypyc.cp310-win_amd64.pyd
| MD5 | 2d5a2a59ef7d0885edc341535e42e4f4 |
| SHA1 | 6e98703a9f09cb6241fabbc1906b2b662d51cebf |
| SHA256 | d7fe07386b0ce109ed00022e1d1bc741c24c269470d32600bd6e2376d5d1d37c |
| SHA512 | f2ce7cd672074aedc5a3d3f0d5586094e65c1e653371fa00128a8fc59d300570f46a7bda5bee54260e31ce89f3408f7dc96c6a365f85f073f06add4b00958999 |
memory/3940-198-0x00007FFD30FD0000-0x00007FFD310E8000-memory.dmp
memory/3940-197-0x0000028886800000-0x0000028886B75000-memory.dmp
memory/3940-196-0x00007FFD30AC0000-0x00007FFD30E35000-memory.dmp
memory/3940-195-0x00007FFD30E40000-0x00007FFD30EF8000-memory.dmp
memory/3940-193-0x00007FFD403A0000-0x00007FFD403C6000-memory.dmp
memory/3940-192-0x00007FFD40350000-0x00007FFD4037E000-memory.dmp
memory/3940-190-0x00007FFD40850000-0x00007FFD4085B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI48442\charset_normalizer\md.cp310-win_amd64.pyd
| MD5 | aee1fe0f4ed7a4860d1e80aa7f93c41e |
| SHA1 | ad318a3c47da5977841024892b8675bbf423ba78 |
| SHA256 | 612bf067dc69a86ca6bcaf314ca24b30f2abc774640abd0d2445e638810cb5b7 |
| SHA512 | c265e549f9d3b38fb7d95878e323b79ad6c1d9b6677577bdd288369820b88b695eb60cf0cc04b2fff229f93c9d9d39833efd468ff655dbc45ebfd0a5674b149a |
memory/3940-186-0x00007FFD40D60000-0x00007FFD40D75000-memory.dmp
memory/3940-185-0x00007FFD31330000-0x00007FFD313EC000-memory.dmp
memory/3940-189-0x00007FFD408C0000-0x00007FFD408EB000-memory.dmp
memory/3940-178-0x00007FFD40810000-0x00007FFD4082F000-memory.dmp
memory/3940-177-0x00007FFD410F0000-0x00007FFD41125000-memory.dmp
memory/3940-200-0x00007FFD3FC70000-0x00007FFD3FCA8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI48442\Cryptodome\Cipher\_raw_ecb.pyd
| MD5 | 385b027c79eb2d2f1bd5be36fa5e569c |
| SHA1 | 8a9bc96a85034a0d2b84d6cc6d8582f9f480b1c3 |
| SHA256 | 6347082d8379e8844e8f28fc2a2949e08d5aec7f2655dc5db3d418885af1ae30 |
| SHA512 | b0818869387a94f7499c5ce7442e25d699926d0e89523f58853491b835d15263dc3e7a4930b2b996fb2de49213df6d312cf1ed39a38b0a535a56cf57bf5f5103 |
memory/3940-203-0x00007FFD40E50000-0x00007FFD40E64000-memory.dmp
memory/3940-204-0x00007FFD407B0000-0x00007FFD407BB000-memory.dmp
memory/3940-205-0x00007FFD40390000-0x00007FFD4039B000-memory.dmp
memory/3940-209-0x00007FFD3FDC0000-0x00007FFD3FDCB000-memory.dmp
memory/3940-208-0x00007FFD40380000-0x00007FFD4038C000-memory.dmp
memory/3940-207-0x00007FFD30450000-0x00007FFD305CD000-memory.dmp
memory/3940-206-0x00007FFD40810000-0x00007FFD4082F000-memory.dmp
memory/3940-211-0x00007FFD39CB0000-0x00007FFD39CBB000-memory.dmp
memory/3940-210-0x00007FFD3FDB0000-0x00007FFD3FDBC000-memory.dmp
memory/3940-212-0x00007FFD37C70000-0x00007FFD37C7C000-memory.dmp
memory/3940-214-0x00007FFD37C60000-0x00007FFD37C6D000-memory.dmp
memory/3940-213-0x00007FFD403A0000-0x00007FFD403C6000-memory.dmp
memory/3940-218-0x00007FFD31310000-0x00007FFD3131C000-memory.dmp
memory/3940-219-0x00007FFD31300000-0x00007FFD3130B000-memory.dmp
memory/3940-220-0x00007FFD312F0000-0x00007FFD312FB000-memory.dmp
memory/3940-222-0x00007FFD312D0000-0x00007FFD312DC000-memory.dmp
memory/3940-224-0x00007FFD312A0000-0x00007FFD312B2000-memory.dmp
memory/3940-223-0x00007FFD312C0000-0x00007FFD312CD000-memory.dmp
memory/3940-225-0x00007FFD31290000-0x00007FFD3129C000-memory.dmp
memory/3940-221-0x00007FFD312E0000-0x00007FFD312EC000-memory.dmp
memory/3940-217-0x00007FFD3FC70000-0x00007FFD3FCA8000-memory.dmp
memory/3940-216-0x00007FFD31320000-0x00007FFD3132C000-memory.dmp
memory/3940-215-0x00007FFD375B0000-0x00007FFD375BE000-memory.dmp
memory/3940-226-0x00007FFD300F0000-0x00007FFD30373000-memory.dmp
memory/3940-227-0x00007FFD30FA0000-0x00007FFD30FC9000-memory.dmp
memory/4756-240-0x00007FFD2F573000-0x00007FFD2F575000-memory.dmp
memory/4756-246-0x00000209A4AE0000-0x00000209A4B02000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ks0j0mfr.z15.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4756-251-0x00007FFD2F570000-0x00007FFD30031000-memory.dmp
memory/4756-252-0x00007FFD2F570000-0x00007FFD30031000-memory.dmp
memory/4756-255-0x00007FFD2F570000-0x00007FFD30031000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Z5RqHhQl7a\Browser\history.txt
| MD5 | 5638715e9aaa8d3f45999ec395e18e77 |
| SHA1 | 4e3dc4a1123edddf06d92575a033b42a662fe4ad |
| SHA256 | 4db7f6559c454d34d9c2d557524603c3f52649c2d69b26b6e8384a3d179aeae6 |
| SHA512 | 78c96efab1d941e34d3137eae32cef041e2db5b0ebbf883e6a2effa79a323f66e00cfb7c45eb3398b3cbd0469a2be513c3ff63e5622261857eefc1685f77f76b |
C:\Users\Admin\AppData\Local\Temp\Z5RqHhQl7a\Browser\cc's.txt
| MD5 | 5aa796b6950a92a226cc5c98ed1c47e8 |
| SHA1 | 6706a4082fc2c141272122f1ca424a446506c44d |
| SHA256 | c4c83da3a904a4e7114f9bd46790db502cdd04800e684accb991cd1a08ee151c |
| SHA512 | 976f403257671e8f652bf988f4047202e1a0fd368fdb2bab2e79ece1c20c7eb775c4b3a8853c223d4f750f4192cd09455ff024918276dc1dd1442fa3b36623ad |
memory/3940-291-0x00007FFD40330000-0x00007FFD40348000-memory.dmp
memory/3940-296-0x00007FFD300F0000-0x00007FFD30373000-memory.dmp
memory/3940-290-0x00007FFD30450000-0x00007FFD305CD000-memory.dmp
memory/3940-289-0x00007FFD40810000-0x00007FFD4082F000-memory.dmp
memory/3940-286-0x00007FFD30AC0000-0x00007FFD30E35000-memory.dmp
memory/3940-285-0x00007FFD30E40000-0x00007FFD30EF8000-memory.dmp
memory/3940-284-0x00007FFD40350000-0x00007FFD4037E000-memory.dmp
memory/3940-280-0x00007FFD41A40000-0x00007FFD41A4D000-memory.dmp
memory/3940-273-0x00007FFD45820000-0x00007FFD45844000-memory.dmp
memory/3940-272-0x00007FFD31810000-0x00007FFD31C76000-memory.dmp
memory/3940-349-0x00007FFD31300000-0x00007FFD3130B000-memory.dmp
memory/3940-348-0x00007FFD31310000-0x00007FFD3131C000-memory.dmp
memory/3940-347-0x00007FFD375B0000-0x00007FFD375BE000-memory.dmp
memory/3940-346-0x00007FFD37C60000-0x00007FFD37C6D000-memory.dmp
memory/3940-345-0x00007FFD37C70000-0x00007FFD37C7C000-memory.dmp
memory/3940-344-0x00007FFD3FDC0000-0x00007FFD3FDCB000-memory.dmp
memory/3940-343-0x00007FFD3FDB0000-0x00007FFD3FDBC000-memory.dmp
memory/3940-342-0x00007FFD40380000-0x00007FFD4038C000-memory.dmp
memory/3940-341-0x00007FFD40390000-0x00007FFD4039B000-memory.dmp
memory/3940-340-0x00007FFD407B0000-0x00007FFD407BB000-memory.dmp
memory/3940-339-0x00007FFD3FC70000-0x00007FFD3FCA8000-memory.dmp
memory/3940-338-0x00007FFD312F0000-0x00007FFD312FB000-memory.dmp
memory/3940-337-0x00007FFD39CB0000-0x00007FFD39CBB000-memory.dmp
memory/3940-336-0x00007FFD30AC0000-0x00007FFD30E35000-memory.dmp
memory/3940-335-0x00007FFD30E40000-0x00007FFD30EF8000-memory.dmp
memory/3940-334-0x00007FFD40350000-0x00007FFD4037E000-memory.dmp
memory/3940-333-0x00007FFD408C0000-0x00007FFD408EB000-memory.dmp
memory/3940-332-0x00007FFD31330000-0x00007FFD313EC000-memory.dmp
memory/3940-331-0x00007FFD456A0000-0x00007FFD456B8000-memory.dmp
memory/3940-330-0x00007FFD41A40000-0x00007FFD41A4D000-memory.dmp
memory/3940-329-0x00007FFD458F0000-0x00007FFD458FF000-memory.dmp
memory/3940-328-0x00007FFD45810000-0x00007FFD4581D000-memory.dmp
memory/3940-327-0x00007FFD41A50000-0x00007FFD41A69000-memory.dmp
memory/3940-326-0x00007FFD41A70000-0x00007FFD41A9C000-memory.dmp
memory/3940-325-0x00007FFD40930000-0x00007FFD4095E000-memory.dmp
memory/3940-324-0x00007FFD410F0000-0x00007FFD41125000-memory.dmp
memory/3940-323-0x00007FFD45820000-0x00007FFD45844000-memory.dmp
memory/3940-322-0x00007FFD31810000-0x00007FFD31C76000-memory.dmp
memory/3940-321-0x00007FFD30FD0000-0x00007FFD310E8000-memory.dmp
memory/3940-320-0x00007FFD403A0000-0x00007FFD403C6000-memory.dmp
memory/3940-319-0x00007FFD40850000-0x00007FFD4085B000-memory.dmp
memory/3940-318-0x00007FFD40D60000-0x00007FFD40D75000-memory.dmp
memory/3940-317-0x00007FFD40330000-0x00007FFD40348000-memory.dmp
memory/3940-316-0x00007FFD30450000-0x00007FFD305CD000-memory.dmp
memory/3940-315-0x00007FFD40810000-0x00007FFD4082F000-memory.dmp
memory/3940-314-0x00007FFD40E40000-0x00007FFD40E50000-memory.dmp
memory/3940-313-0x00007FFD40E50000-0x00007FFD40E64000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-10 00:54
Reported
2024-11-10 00:57
Platform
win7-20240903-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1628 wrote to memory of 2652 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1628 wrote to memory of 2652 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1628 wrote to memory of 2652 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2652 wrote to memory of 2856 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2652 wrote to memory of 2856 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2652 wrote to memory of 2856 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2652 wrote to memory of 2856 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\FnPuller.pyc
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\FnPuller.pyc
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\FnPuller.pyc"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 096cff0d3fd7f24e190630e8b0e9f968 |
| SHA1 | 58407779ccc820a3dbf75db62d026e12ae31a479 |
| SHA256 | 97039183b270944a392f4bcc9cdd382dc6deb7a2d9e019fe15f1c1028a9de797 |
| SHA512 | 51fcaa27b95e58529164857eaaa55604c400e0bed28e1282e9dbd6d111a40fd8b817805453f3ce42b3cc21344c02eb6e4d5bcb269150c099d88a035d799fb70b |
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-10 00:54
Reported
2024-11-10 00:57
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
136s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\FnPuller.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |