Malware Analysis Report

2024-11-13 17:37

Sample ID 241110-a9m1esymhp
Target FnPuller.exe
SHA256 db0d623ba3e20c740268c11638f22a96d9a4453dc8f1dc54839da993cca59abd
Tags
pyinstaller upx collection discovery spyware stealer
score
7/10


Analysis Overview

Threat Level: Shows suspicious behavior

The file FnPuller.exe was found to show suspicious behavior.

Malicious Activity Summary

pyinstaller upx collection discovery spyware stealer

Clipboard Data

Reads user/profile data of web browsers

Drops startup file

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

UPX packed file

Enumerates physical storage devices

Detects Pyinstaller

System Location Discovery: System Language Discovery

Browser Information Discovery

Unsigned PE

Detects videocard installed

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2024-11-10 00:54

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 00:54

Reported

2024-11-10 00:57

Platform

win7-20241023-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FnPuller.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FnPuller.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FnPuller.exe

"C:\Users\Admin\AppData\Local\Temp\FnPuller.exe"

C:\Users\Admin\AppData\Local\Temp\FnPuller.exe

"C:\Users\Admin\AppData\Local\Temp\FnPuller.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI24162\python310.dll


Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 00:54

Reported

2024-11-10 00:57

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FnPuller.exe"

Signatures

Clipboard Data

collection
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FnPuller.exe C:\Users\Admin\AppData\Local\Temp\FnPuller.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FnPuller.exe C:\Users\Admin\AppData\Local\Temp\FnPuller.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FnPuller.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Browser Information Discovery

discovery

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FnPuller.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4844 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\FnPuller.exe C:\Users\Admin\AppData\Local\Temp\FnPuller.exe
PID 3940 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\FnPuller.exe C:\Windows\system32\cmd.exe
PID 3940 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\FnPuller.exe C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 4756 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3940 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\FnPuller.exe C:\Windows\system32\cmd.exe
PID 1584 wrote to memory of 3636 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3940 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\FnPuller.exe C:\Windows\System32\Wbem\wmic.exe
PID 3940 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\FnPuller.exe C:\Windows\system32\cmd.exe
PID 4064 wrote to memory of 2032 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3940 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\FnPuller.exe C:\Windows\system32\cmd.exe
PID 5092 wrote to memory of 4968 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3940 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\FnPuller.exe C:\Windows\system32\cmd.exe
PID 2520 wrote to memory of 4128 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\FnPuller.exe

"C:\Users\Admin\AppData\Local\Temp\FnPuller.exe"

C:\Users\Admin\AppData\Local\Temp\FnPuller.exe

"C:\Users\Admin\AppData\Local\Temp\FnPuller.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\System32\Wbem\WMIC.exe

wmic os get Caption

C:\Windows\System32\Wbem\wmic.exe

wmic cpu get Name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 232.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.13.205:443 api.ipify.org tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 205.13.26.104.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI48442\python310.dll

MD5 f88ce4e677e2fae8e465111349e3ab15
SHA1 d6c4f7283c4d949af2cf9eedd756f3f625cc400d
SHA256 0c404b474c574ce4aa301b6a2528643e0008bf6ec0a3db5b8b436f1cca51ad04
SHA512 58ebf534c38ceb26813c9c588d74050688a1ca75bb4d66a45eeea34942fd0352a846796e3eafd8bd9c483a194dd6aa62dad7c10bd3830cb60b5a8345e559e1f2

C:\Users\Admin\AppData\Local\Temp\_MEI48442\VCRUNTIME140.dll

MD5 f34eb034aa4a9735218686590cba2e8b
SHA1 2bc20acdcb201676b77a66fa7ec6b53fa2644713
SHA256 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1
SHA512 d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

memory/3940-104-0x00007FFD31810000-0x00007FFD31C76000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI48442\base_library.zip

MD5 e0f56d9171cae24cb9c1fe074e5b7e41
SHA1 29d00636d0bcef7e83498690ecbf68c677ad7e68
SHA256 d7bc411ff590156aea0398cff85a09d961e6a8d04dcfde6e31d3f8c1ee102c2f
SHA512 0719c97fd4d97101cfe9752242039ce0678740bb57bca5a92e522c1862826e693cf0791b899c7df05c8f0e1f0b852ab4e3a638f51dd3c87904f1a39f20fb7c3c

C:\Users\Admin\AppData\Local\Temp\_MEI48442\_ctypes.pyd

MD5 c0e55fbd13cc1b9f53380f260d7ee4aa
SHA1 7d843783d997b99a5af24a6175baaaafed0f6806
SHA256 d2de4a82d579b0598dcd45b61804beecd6261b2d3315380861c753fb61b9d233
SHA512 74882cf38940d07a9c42b560da05fa4e387d78600190dc1bf090b395352d0135b877e748a5637ff255954861042088fba5e0b30670313696c21e0fa3495c5f22

C:\Users\Admin\AppData\Local\Temp\_MEI48442\libffi-7.dll

MD5 3e91e70021fcbe76c38d87a62f9f424f
SHA1 067d8076aba98177bc1aaaf0102ac5ed411f8312
SHA256 e2880494d9509fb0314fc77ab4c9a68a39cdb8a0a24838d04d4ac252fa12f270
SHA512 7908116d924c1b5a424a5d998caa5f21587a622b3a1811293406b331934cc57077fe078e3e62ea471db37c59e108bba4e285e1caaa54a4e4ceb71c04382c649a

memory/3940-114-0x00007FFD458F0000-0x00007FFD458FF000-memory.dmp

memory/3940-112-0x00007FFD45820000-0x00007FFD45844000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI48442\python3.dll

MD5 24f4d5a96cd4110744766ea2da1b8ffa
SHA1 b12a2205d3f70f5c636418811ab2f8431247da15
SHA256 73b0f3952be222ce676672603ae3848ee6e8e479782bd06745116712a4834c53
SHA512 bd2f27441fe5c25c30bab22c967ef32306bcea2f6be6f4a5da8bbb5b54d3d5f59da1ffcb55172d2413fe0235dd7702d734654956e142e9a0810160b8c16225f4

C:\Users\Admin\AppData\Local\Temp\_MEI48442\_bz2.pyd

MD5 2369e5808fb952c670086a15aaa7c10f
SHA1 63fce5d7f5c2e003d7367c77fa8f67c5341d8362
SHA256 97374478e70671060e7258cbc1acaa46f8d311baa3c0a3ba9878b17284581ce1
SHA512 23b564f25ff1b967d8c108bf5acc4eb112ad2778a93f0501d6f54616c91407c4d863ccb4220fca452440f52afafc1272a5e3768e0b396c74133ca0197a1e0af4

memory/3940-118-0x00007FFD456A0000-0x00007FFD456B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI48442\_lzma.pyd

MD5 a4ff584ffa0bec3695b79eebab0da048
SHA1 991b9209ab8a676a775ea34faada9b6190fc4fa7
SHA256 822a41a74b58a46777054f2048fd3b8eaf85dbda7390a076107cfb18d70c6157
SHA512 5fdeb5d014c408d9f0ab8e7c06956d2974d93f7964105159bccb7ce027acfcf830fddfaefbcaa7a57d3441f0082eb6f90192ddce96c219f2e8fcc2a6fe08ebc4

memory/3940-120-0x00007FFD41A70000-0x00007FFD41A9C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI48442\_socket.pyd

MD5 8f3f194074b2c80bb66f47cb2a5ca7b6
SHA1 2b58bab0676eb5c2f4e82e32c943fc23bf995908
SHA256 5ecd17d7117ca794b6c1a377f8f4a56d325b360b52d433923af4e5b470fbe69d
SHA512 a2ade13a1912d543aba9faa6b59afbb92ddbb01ea8ad385917bd392638b69d6ab418b35cceaf3af6663bf508de2397f0edb2510347003d89d554fd30267a44f7

C:\Users\Admin\AppData\Local\Temp\_MEI48442\_uuid.pyd

MD5 ecf3d9de103ba77730ed021fe69a2804
SHA1 ce7eae927712fda0c70267f7db6bcb8406d83815
SHA256 7cf37a10023ebf6705963822a46f238395b1fbe8cb898899b3645c92d61b48ea
SHA512 c2bf0e2ba6080e03eca22d74ea7022fb9581036ce46055ea244773d26d8e5b07caf6ed2c44c479fda317000a9fa08ca6913c23fa4f54b08ee6d3427b9603dfba

C:\Users\Admin\AppData\Local\Temp\_MEI48442\_ssl.pyd

MD5 bf5caf087a0d31da52df5261c480ba30
SHA1 216c0bb90ef7f1fbf464fb328070d641c7ab5aa7
SHA256 7c6a05ddcbbd4b5f036b329e47eb3ccc6eba4c93e8fbb1f5d1f0b762824e84ad
SHA512 d7a5c58cbc17a1bf46ceb6153af0c8a8d12af38db032b035962bf5adc036cf25a9e36c40de2c6c96af268b70308f86aac1f26726644fea8ed7d618206ac78afd

C:\Users\Admin\AppData\Local\Temp\_MEI48442\_sqlite3.pyd

MD5 8adb71f3b6ad7482464052874ae127b5
SHA1 8d4f5a0f3c7bd69eba0a295f89cfc9eaef92cfb7
SHA256 2f3d271dfdf6054916fd37ff1d3cca1a159df91e047ff4b9eccd8cff747f64fc
SHA512 239e573c764ac771f3661ee7bfb77df3546f25e8722a067a39ef4fe34b3ea5d816649766370eb6c23fc893dac5898bdf3fb90de736b0f9578e4f62b034225f2d

C:\Users\Admin\AppData\Local\Temp\_MEI48442\_queue.pyd

MD5 ccfa9a994f0437b8b0807acfaed62fae
SHA1 516ed24c60064f897ee2bfbe0612e5df4df8feb3
SHA256 7da026024909d1f0d3b124a3b0f0a477614b2efd9ef718ca79c8b4d0cc68492c
SHA512 19e54931189a08358d6f4b20ed2016d8fd0a31267a4d59d3db2b4f75f82c5c79cc448415ba7179a35677d9a05647e2b100ce153aed2dc5218eb72e0c87dcb57a

C:\Users\Admin\AppData\Local\Temp\_MEI48442\_overlapped.pyd

MD5 6982a44fe2ca2803a92af13fcdffdb38
SHA1 b693ebf6cc0a0b8cf30bac409e54720e6b817f51
SHA256 6d0d05f543d44fc13097ca6695225f12ba0ecc1a9d2bccae26a82a7f27d3eff5
SHA512 49aec3b1d1d70d2de785815306a96bdde8af63259b4df7fc3882c177c41c0e5b6de0e4467b27e46baf38469805d65b52216cf2937ab7dff8d0fd34ca7aacb42b

C:\Users\Admin\AppData\Local\Temp\_MEI48442\_multiprocessing.pyd

MD5 ef34c446b11b90eaf53ad31539c3804c
SHA1 a1a2d1921d5c4918751dd7d001d77d28b3e5afa0
SHA256 88a802e2f519ba94e60c58fb50e083f064d001e9dca50b3730753b1fb5d04675
SHA512 fb9bcddb85be0c496a5310b2e02b3a7190f3fbb1920a4a575f659c3706ebdf07f0299ea030b79ac1e6775ff61ac1b067d6995aa271e52b61dac09daf00e8006d

C:\Users\Admin\AppData\Local\Temp\_MEI48442\_hashlib.pyd

MD5 5b0a212cfd3bf53a5573a265df6c8569
SHA1 0a5eba50bf11b8317fff0824cdf67ba5925829fc
SHA256 9ddbed9b89e8a99c4fc94526e78559f068c20f9bdfa240ba17b4ed2b5ed8a412
SHA512 1fe464211c587d7198dc4d36e0851d91c7147d351647f343e637c2633d8ca0453c4962d6fd0ca689ead91299ecbfd5f21a31bbb0b1f5c52c2393a017f0d39f31

C:\Users\Admin\AppData\Local\Temp\_MEI48442\_decimal.pyd

MD5 7d3be1a8f9e964139a5f24f61cbaa1eb
SHA1 d18d89decb0d814a5439a3e0141825c343188659
SHA256 1fb89a01b1d204465e4aad6c397ee584eb4643aa5b00d9926872faa4fa5d9132
SHA512 bebfc2a15795d80437085700454ffc3e91a2e373ff437af5c9cbad5ae826bdf1b9434cb24742e5492ae533633211482c9c55ea73b19b432e2da4e910409c792e

C:\Users\Admin\AppData\Local\Temp\_MEI48442\_cffi_backend.cp310-win_amd64.pyd

MD5 2c10963a86452d7598ea524b9432b0ba
SHA1 1061560d76835415d600879e43e04d3315b0af67
SHA256 3cd74813744062712d08fadc0d980c541d92d4ac6bbee91daf2b1599d9c3e5f7
SHA512 c179c256de828da85294a052e5db531ba43ab32f018f4c7d777f9dcda89432bed0042764d1259fd6796756fd05009b0aa0c33f6e6c8b7e898931262e0aadb32f

C:\Users\Admin\AppData\Local\Temp\_MEI48442\_asyncio.pyd

MD5 82f42833eb18bd7d504adbefdeb326d7
SHA1 bfc417facc03a5974f02333176848d5366409b78
SHA256 9870a28fa3740135819f2f044fe67575d9f91d4e7ce02419a2f3a328510d56e9
SHA512 ffe4ea2bec8d12efdf75df500b7e53f36ed89f7a8f009d1e1e8789ec1c5e8e3586ff861ef535712d9ba0bb4826eb1beb966b2bbc3834eb5996821cfea1091c2c

C:\Users\Admin\AppData\Local\Temp\_MEI48442\VCRUNTIME140_1.dll

MD5 135359d350f72ad4bf716b764d39e749
SHA1 2e59d9bbcce356f0fece56c9c4917a5cacec63d7
SHA256 34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32
SHA512 cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba

C:\Users\Admin\AppData\Local\Temp\_MEI48442\unicodedata.pyd

MD5 309b253db57965d2514021356a0d8211
SHA1 52be4d2872e34042d4da51182e9b5b5daced5e69
SHA256 6052f89abee19fd0a6e5101a1f372ed32902670c563dd70baf17549d9f8c9c0b
SHA512 b1d142948c3ee9c381cf387022c2554479278ca607584bd7e69bddc8ce38c8dde98e634ef44b06513e4472bae47ad01fe0c8a2ef7ecb7f13063fdd6989b0ce3a

C:\Users\Admin\AppData\Local\Temp\_MEI48442\sqlite3.dll

MD5 6030d7b5c3c9ad8392b2d4631941480d
SHA1 a96dc733d7002ffb452bf64d655114c81c3761e7
SHA256 0003ccd11d237c172cd98b2a2c2c76f95679ada35d47d24acb90f676cbe9649b
SHA512 28c320d48063c1bc8070168018aa5e3ca407d838948d979e7658adc2b567458d632fc12d125f7bbda457e60aef2e23304812572ede2babdd8eeedd3e2b493589

C:\Users\Admin\AppData\Local\Temp\_MEI48442\select.pyd

MD5 baae93d751ec31126b9ee16b9754bc9b
SHA1 7056b4555db26c2617637898ca64da9cab28fcfb
SHA256 f8a11b0d1199a0f64a8a12d7d356ebf3ad758ef2dd0e54bc73ea6303784e2ed8
SHA512 b16faa1dff07750947fba86b96515f0501ea89d8c0c1c3e6e76c1086fd44e0328921a6b68cfea908b6ebf52413887dcd604537f33b5715f23c549639e8eac33d

C:\Users\Admin\AppData\Local\Temp\_MEI48442\pyexpat.pyd

MD5 0b6c52296f669e63dd3f862db0f8d70d
SHA1 f72c0a345b9f7c32db79f7ddfcc17f57251b86a2
SHA256 40e09427467ede4657969095bcc5596af50d52a8fdd70b3b35b23f82bef61010
SHA512 f6ab318c593767c130044691323f82c03e4d67233ec2ca0a0c6e44cf6f3882466a97bdf8e30987f350e6c5968bc865f5deb9227c09d0b9d8bd919eff38fbfce6

C:\Users\Admin\AppData\Local\Temp\_MEI48442\libssl-1_1.dll

MD5 9a8c68f00a04b7c2efb0197c93db1c8a
SHA1 81a1342910c50ab64bfc77c8f25b1fc71b2348cf
SHA256 7b3027da7a291061c9e8ec1a7a0cc2a883680258893b44620861c0b7c2bb180d
SHA512 01fe96da6c63744941dd5d182af951742b23aa3560f228dcb16ba7887183ef73a60b09cee5d858ce237d2f15397db04685ff94c3c3e7ca8904fc70645e8eeb59

C:\Users\Admin\AppData\Local\Temp\_MEI48442\libcrypto-1_1.dll

MD5 9086b4c10d41c366584ac2630725184c
SHA1 656e134dd2e55fc6ab16c2d22f6ccdd120ca638b
SHA256 1daf632226d071963d5403755040f8844924d85140b6e41991332dd96384e746
SHA512 ef72d880ad3f451a0bb4160357be0f02d111e20129f2aed79c23bbf823cbd168b3762c4cd980a2f292c9aa0d112475a3c28c62891ae29ab788f3e1ab55264e93

memory/3940-144-0x00007FFD410F0000-0x00007FFD41125000-memory.dmp

memory/3940-143-0x00007FFD45810000-0x00007FFD4581D000-memory.dmp

memory/3940-142-0x00007FFD41A50000-0x00007FFD41A69000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI48442\pywin32_system32\pywintypes310.dll

MD5 4834c005c00a4ea31e940da3e2c75354
SHA1 cac4d010d0ee8b9d87106b4a5f1f1b63ce91bdfc
SHA256 2dc712b833e26819296ae2918cf297a1efabb37e5802a6738aa3a12906861e02
SHA512 368b98894049b8fa77bd7ce2a3fecb949f53bd39f0927828e97e2f77ec9ada056a1ee426d456c126537d4205aabf55867a0710ea3bf6539baca5c73f86242a5c

memory/3940-151-0x00007FFD40930000-0x00007FFD4095E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI48442\pywin32_system32\pythoncom310.dll

MD5 94f9a7b80ddcbc0623be6e796ce119bd
SHA1 49a29ee4054dd8c2547c065b651102705024593d
SHA256 43f57b57e3e8666f52a7f6525cf107ca8b685c582a111e6891e23fd4742a502b
SHA512 c2be1ac0bcfabfb331e67b9652bc02ab40a22c8c6bad053d646773a1ecdc4cbe57b4f024602ec48e1214110fa56191a6cf732de1c0871226c9462a25b15d7aff

C:\Users\Admin\AppData\Local\Temp\_MEI48442\win32\win32api.pyd

MD5 4de3f5e30d9c378ad545eb01450da7f5
SHA1 effbbb776bd64b9aef4134b7475675c77a646e8d
SHA256 bc28f70df94e15fbc3bcc23097ca68609786c2b0ed063aa3da6b0c071e0ca03c
SHA512 3a2a8044235eb4e40c14fc13ce68d68885971c707c2b7966f64c0e1cce51c5535eb3e56d8ac2770cd5e2e1a6e3133cb4b2456831a2610af1c235deffbc9bef50

memory/3940-153-0x00007FFD31330000-0x00007FFD313EC000-memory.dmp

memory/3940-148-0x00007FFD41A40000-0x00007FFD41A4D000-memory.dmp

memory/3940-157-0x00007FFD408C0000-0x00007FFD408EB000-memory.dmp

memory/3940-156-0x00007FFD31810000-0x00007FFD31C76000-memory.dmp

memory/3940-166-0x0000028886800000-0x0000028886B75000-memory.dmp

memory/3940-165-0x00007FFD30AC0000-0x00007FFD30E35000-memory.dmp

memory/3940-164-0x00007FFD30E40000-0x00007FFD30EF8000-memory.dmp

memory/3940-160-0x00007FFD40350000-0x00007FFD4037E000-memory.dmp

memory/3940-159-0x00007FFD45820000-0x00007FFD45844000-memory.dmp

memory/3940-169-0x00007FFD40E50000-0x00007FFD40E64000-memory.dmp

memory/3940-168-0x00007FFD41A70000-0x00007FFD41A9C000-memory.dmp

memory/3940-174-0x00007FFD40E40000-0x00007FFD40E50000-memory.dmp

memory/3940-173-0x00007FFD41A50000-0x00007FFD41A69000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI48442\psutil\_psutil_windows.pyd

MD5 34eb32bfd41bf6bcf6a7245371f990fe
SHA1 135990c9369d74e93eb995f7745466c0e99b1594
SHA256 5cbdc1c8cac58465a38cadf83688bd1fe00207fe431b644e0a0104b7c556908b
SHA512 a82ff0b989c9549a88e688aed78aa2b177ab91a1f5bc8814a6a0e256bafa7b98f3d6cb3f90143dd7562b90061394af27ca96ae6ace903b8570ab3c7faade6469

memory/3940-182-0x00007FFD40330000-0x00007FFD40348000-memory.dmp

memory/3940-179-0x00007FFD30450000-0x00007FFD305CD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI48442\charset_normalizer\md__mypyc.cp310-win_amd64.pyd

MD5 2d5a2a59ef7d0885edc341535e42e4f4
SHA1 6e98703a9f09cb6241fabbc1906b2b662d51cebf
SHA256 d7fe07386b0ce109ed00022e1d1bc741c24c269470d32600bd6e2376d5d1d37c
SHA512 f2ce7cd672074aedc5a3d3f0d5586094e65c1e653371fa00128a8fc59d300570f46a7bda5bee54260e31ce89f3408f7dc96c6a365f85f073f06add4b00958999

memory/3940-198-0x00007FFD30FD0000-0x00007FFD310E8000-memory.dmp

memory/3940-197-0x0000028886800000-0x0000028886B75000-memory.dmp

memory/3940-196-0x00007FFD30AC0000-0x00007FFD30E35000-memory.dmp

memory/3940-195-0x00007FFD30E40000-0x00007FFD30EF8000-memory.dmp

memory/3940-193-0x00007FFD403A0000-0x00007FFD403C6000-memory.dmp

memory/3940-192-0x00007FFD40350000-0x00007FFD4037E000-memory.dmp

memory/3940-190-0x00007FFD40850000-0x00007FFD4085B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI48442\charset_normalizer\md.cp310-win_amd64.pyd

MD5 aee1fe0f4ed7a4860d1e80aa7f93c41e
SHA1 ad318a3c47da5977841024892b8675bbf423ba78
SHA256 612bf067dc69a86ca6bcaf314ca24b30f2abc774640abd0d2445e638810cb5b7
SHA512 c265e549f9d3b38fb7d95878e323b79ad6c1d9b6677577bdd288369820b88b695eb60cf0cc04b2fff229f93c9d9d39833efd468ff655dbc45ebfd0a5674b149a

C:\Users\Admin\AppData\Local\Temp\_MEI48442\Cryptodome\Cipher\_raw_ecb.pyd

MD5 385b027c79eb2d2f1bd5be36fa5e569c
SHA1 8a9bc96a85034a0d2b84d6cc6d8582f9f480b1c3
SHA256 6347082d8379e8844e8f28fc2a2949e08d5aec7f2655dc5db3d418885af1ae30
SHA512 b0818869387a94f7499c5ce7442e25d699926d0e89523f58853491b835d15263dc3e7a4930b2b996fb2de49213df6d312cf1ed39a38b0a535a56cf57bf5f5103

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ks0j0mfr.z15.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\Z5RqHhQl7a\Browser\history.txt

MD5 5638715e9aaa8d3f45999ec395e18e77
SHA1 4e3dc4a1123edddf06d92575a033b42a662fe4ad
SHA256 4db7f6559c454d34d9c2d557524603c3f52649c2d69b26b6e8384a3d179aeae6
SHA512 78c96efab1d941e34d3137eae32cef041e2db5b0ebbf883e6a2effa79a323f66e00cfb7c45eb3398b3cbd0469a2be513c3ff63e5622261857eefc1685f77f76b

C:\Users\Admin\AppData\Local\Temp\Z5RqHhQl7a\Browser\cc's.txt

MD5 5aa796b6950a92a226cc5c98ed1c47e8
SHA1 6706a4082fc2c141272122f1ca424a446506c44d
SHA256 c4c83da3a904a4e7114f9bd46790db502cdd04800e684accb991cd1a08ee151c
SHA512 976f403257671e8f652bf988f4047202e1a0fd368fdb2bab2e79ece1c20c7eb775c4b3a8853c223d4f750f4192cd09455ff024918276dc1dd1442fa3b36623ad

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-10 00:54

Reported

2024-11-10 00:57

Platform

win7-20240903-en

Max time kernel

122s

Max time network

123s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\FnPuller.pyc

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\FnPuller.pyc

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\FnPuller.pyc

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\FnPuller.pyc"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 096cff0d3fd7f24e190630e8b0e9f968
SHA1 58407779ccc820a3dbf75db62d026e12ae31a479
SHA256 97039183b270944a392f4bcc9cdd382dc6deb7a2d9e019fe15f1c1028a9de797
SHA512 51fcaa27b95e58529164857eaaa55604c400e0bed28e1282e9dbd6d111a40fd8b817805453f3ce42b3cc21344c02eb6e4d5bcb269150c099d88a035d799fb70b

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-10 00:54

Reported

2024-11-10 00:57

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

136s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\FnPuller.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\FnPuller.pyc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

N/A