Analysis Overview
SHA256
fd423dc5c37065f1bef1c9acacb859f0f6d8bb779d6f24a0c8f3bf8f2585f1a8
Threat Level: Known bad
The file source_prepared.exe was found to be: Known bad.
Malicious Activity Summary
Detect Pysilon
Pysilon family
Enumerates VirtualBox DLL files
Command and Scripting Interpreter: PowerShell
Sets file to hidden
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
UPX packed file
System Location Discovery: System Language Discovery
Detects Pyinstaller
Enumerates physical storage devices
Unsigned PE
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Kills process with taskkill
Suspicious behavior: GetForegroundWindowSpam
Views/modifies file attributes
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-15 22:40
Signatures
Detect Pysilon
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Pysilon family
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-15 22:39
Reported
2024-12-15 22:43
Platform
win10v2004-20241007-en
Max time kernel
141s
Max time network
152s
Command Line
Signatures
Enumerates VirtualBox DLL files
| Description | Indicator | Process | Target |
| File opened (read-only) | C:\windows\system32\vboxhook.dll | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | N/A |
| File opened (read-only) | C:\windows\system32\vboxmrxnp.dll | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | N/A |
| File opened (read-only) | C:\windows\system32\vboxhook.dll | C:\Users\Admin\testing.exe | N/A |
| File opened (read-only) | C:\windows\system32\vboxmrxnp.dll | C:\Users\Admin\testing.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\testing.exe | N/A |
| N/A | N/A | C:\Users\Admin\testing.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\\\testing.exe" | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\testing.exe | N/A |
| N/A | N/A | C:\Users\Admin\testing.exe | N/A |
| N/A | N/A | C:\Users\Admin\testing.exe | N/A |
| N/A | N/A | C:\Users\Admin\testing.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | "C:\Users\Admin\AppData\Local\Temp\source_prepared.exe" |
| C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | "C:\Users\Admin\AppData\Local\Temp\source_prepared.exe" |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\\\"" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\\activate.bat |
| C:\Windows\system32\attrib.exe | attrib +s +h . |
| C:\Users\Admin\testing.exe | "testing.exe" |
| C:\Windows\system32\taskkill.exe | taskkill /f /im "source_prepared.exe" |
| C:\Users\Admin\testing.exe | "testing.exe" |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\\\"" |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell (Get-CimInstance Win32_ComputerSystemProduct).UUID |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gateway.discord.gg | udp |
| US | 162.159.136.234:443 | gateway.discord.gg | tcp |
| N/A | 127.0.0.1:53460 | N/A | tcp |
| US | 8.8.8.8:53 | 232.135.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.136.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI30562\python312.dll
| MD5 | cfa2e5cdda9039831f12174573b20c7b |
| SHA1 | c63a1ffd741a85e483fc01d6a2d0f7616b223291 |
| SHA256 | b93e682bddb5c3e2af1f0264e83fbc40481fe6abd90c3ab26e94f246c8ce8d7d |
| SHA512 | f1ac568bd1a16d5ab2623ac42a83aed32d9867a0e016e0ac3c922f28ceb1bb7e114dab44553949008a6e2fd3bb67fc2be8fc283560d9f4b1f1552137a0c104aa |
C:\Users\Admin\AppData\Local\Temp\_MEI30562\VCRUNTIME140.dll
| MD5 | be8dbe2dc77ebe7f88f910c61aec691a |
| SHA1 | a19f08bb2b1c1de5bb61daf9f2304531321e0e40 |
| SHA256 | 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83 |
| SHA512 | 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655 |
memory/4120-1113-0x00007FFB415B0000-0x00007FFB41C88000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI30562\python3.DLL
| MD5 | 4038af0427bce296ca8f3e98591e0723 |
| SHA1 | b2975225721959d87996454d049e6d878994cbf2 |
| SHA256 | a5bb3eb6fdfd23e0d8b2e4bccd6016290c013389e06daae6cb83964fa69e2a4f |
| SHA512 | db762442c6355512625b36f112eca6923875d10aaf6476d79dc6f6ffc9114e8c7757ac91dbcd1fb00014122bc7f656115160cf5d62fa7fa1ba70bc71346c1ad3 |
C:\Users\Admin\AppData\Local\Temp\_MEI30562\_ctypes.pyd
| MD5 | c685e7b6ef76cafc4ec106b9784b6cd6 |
| SHA1 | 89038e7c2ea9a07796191689ea83c530f608a437 |
| SHA256 | 5dc7f9409c83d146586d27c150534db326c52abfb499d6ba09d03f98259fa0a5 |
| SHA512 | ac10ef1ec237637c5b0459aff5925348d1d04dbf717ea2c5b75992b11ecb388bcc082ef113b3899e9bda7b1132e609a5c77b77492904e66e73be40d196bc3507 |
C:\Users\Admin\AppData\Local\Temp\_MEI30562\base_library.zip
| MD5 | dd2a549e3bf063946773515641cf38d8 |
| SHA1 | c057d6982c179eecc4fd926a494e6402863bb6b6 |
| SHA256 | bf391035a8252787dca3d40d4a0304538a46f75015a8b555f5ff90b7118fa268 |
| SHA512 | e9b585008cbe2661cfd489f37f36faa488db82dc90694baa0cff227b304a4839eb04b19bb202ef62a41b5171259e2c41589251b07aab25edc26d5091bf5d8f63 |
C:\Users\Admin\AppData\Local\Temp\_MEI30562\libffi-8.dll
| MD5 | 013a0b2653aa0eb6075419217a1ed6bd |
| SHA1 | 1b58ff8e160b29a43397499801cf8ab0344371e7 |
| SHA256 | e9d8eb01bb9b02ce3859ba4527938a71b4668f98897d46f29e94b27014036523 |
| SHA512 | 0bd13fa1d55133ee2a96387e0756f48133987bacd99d1f58bab3be7bffdf868092060c17ab792dcfbb4680f984f40d3f7cc24abdd657b756496aa8884b8f6099 |
memory/4120-1123-0x00007FFB513B0000-0x00007FFB513BF000-memory.dmp
memory/4120-1122-0x00007FFB50970000-0x00007FFB50995000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI30562\_bz2.pyd
| MD5 | 2eace32292e07ee5c0036b7392172f61 |
| SHA1 | 5ca189cf84855d9b86865ade7060193acd560a93 |
| SHA256 | 8c0571c2d937f8161626bb05acf6db121db399474be107467122b27b350310d8 |
| SHA512 | 1257cbf7d1fbb5932d644b855c63dc5c31391af9d838115037aa583f119f4aac2a24da71f566039b13357af92c15275a933be311c13cd91d89dcfc272af7f1f6 |
memory/4120-1127-0x00007FFB50950000-0x00007FFB50969000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI30562\_lzma.pyd
| MD5 | 03c89c56f917c131e6c08a222aae07b8 |
| SHA1 | 1abc34d56b4cca58bf1d93463bbd27cf42d4d062 |
| SHA256 | dacc3b750b2c9d961064e3c7c35e46399405d8a2a544a6d243eb79a2b73338f4 |
| SHA512 | 4a2087c7daf28b796ad6b3341d3c51226f490a4cf53f43ff230e7eaaa9af73d9b2eb6ba21465738008e996c2de66c78eaf8e655342edd382288197489fe32280 |
memory/4120-1156-0x00007FFB50870000-0x00007FFB50884000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI30562\libcrypto-3.dll
| MD5 | f8076a47c6f0dac4754d2a0186f63884 |
| SHA1 | d228339ff131fba16f023ec8fa40c658991eb01f |
| SHA256 | 3423134795ab8fce58190ae156d4b5d70053bebe6c9a228bea3281855e5357fa |
| SHA512 | a6d4144cbba4a26edf563806696d312d8a3486122b165aae2c1692defc2828f3ff6bd6a7f24df730ff11c12bc60ac4408f9475c19b543ed1116b0a5d3466300b |
memory/4120-1158-0x00007FFB41080000-0x00007FFB415A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI30562\select.pyd
| MD5 | 0c130ea965aa11fb0fe131433d6e1dd1 |
| SHA1 | fdc6fd706d82d073db432831533ab2fee5e7bd9d |
| SHA256 | 4f36ba1427114fc9f13f632baedea4984e8267c912525722a7ade73ef450e582 |
| SHA512 | 58f11c095ec2c5d909b687d6a3ab9b1b556eccf4d7789f688d8eff953092bf301714e8a016a927a047babdf20d7472ebcfd0c5f7b6d19b7252614fbd0aeefbfa |
C:\Users\Admin\AppData\Local\Temp\_MEI30562\libssl-3.dll
| MD5 | f4dd15287cd387b289143e65e37ad5ae |
| SHA1 | f37b85d8e24b85eedda5958658cdaa36c4a14651 |
| SHA256 | 6844483a33468eb919e9a3ef3561c80dd9c4cd3a11ad0961c9c4f2025b0a8dff |
| SHA512 | 8583692f19c686cbb58baaf27b4ab464d597025f1ff8596c51ec357e2f71136995b414807a2a84f5409f25a0798cb7c497ddb0018df3a96b75aba39950581a19 |
memory/4120-1165-0x00007FFB50770000-0x00007FFB507A3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI30562\_ssl.pyd
| MD5 | f106aacfa4ae591b69b9730ce57f4534 |
| SHA1 | 74f68f6717ca7366a11a0b2b2d6708d1c238addc |
| SHA256 | 631d08922a56b6f046fcc6302c6f756d90f75d64e3d2801899d3ea47059f2987 |
| SHA512 | 9f420af97c94ac891cd4f07bfa22da80fa20b7bf3b59f19a5bc76fb57ee7615d63de39df27c4a7e8460d754017e62a3a9cefbfb8e9d0a1858fca5c64c5d21105 |
memory/4120-1162-0x00007FFB50940000-0x00007FFB5094D000-memory.dmp
memory/4120-1160-0x00007FFB507B0000-0x00007FFB507C9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI30562\_socket.pyd
| MD5 | c1cef567062a30296307c93b21d1e18c |
| SHA1 | f11ab11aeb3dea68520c75c1c8e69d2f7a93fc64 |
| SHA256 | 77c2585bf2f850decb93561da8bd6b85399a663def188d4b51b71b3fcf57df59 |
| SHA512 | f55a89b5b3ff81dea86a6ef12d0a0ed86970fc49d530569c0b1c6dbefdec9525acf9d155d651e0e9a866f97263fc077bab8b90ca10c1093bfaef9819edfd72fc |
C:\Users\Admin\AppData\Local\Temp\_MEI30562\_hashlib.pyd
| MD5 | da977167a315fba3ce140ecb18354f11 |
| SHA1 | 5d10fa5ade758675b36caf4e8cf9007ac3a99615 |
| SHA256 | 8df27ad5c38c51dc55e789184ed25a31d0a71b720f646f3f8e9a44250857cf4f |
| SHA512 | 44f326c2813e407fb9c93f6a51f1ffa98a80bfa3ea58082819efc441e5fa8691da9ea631cc4f129f9c56f5f9245f777dd0ad90bac2a81667da495d821f29930d |
memory/4120-1154-0x00007FFB507D0000-0x00007FFB507FD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI30562\_wmi.pyd
| MD5 | 1890d5c2401a459e34a192930d1d6422 |
| SHA1 | b52c21766bee765fb6e2e24f1e9f34cb1f53aac6 |
| SHA256 | e898deac8e0ba83500383bafb0ca1abd9af84f95109e0624a30ea1ead6926b5e |
| SHA512 | 3818a2349aa25cccb9e00d0cb1350c8fd7c4dd6f85412421e483b9ca086319a6c2dc80fee7e8d761d12b190ee07bc916076de460e288ab08736ff62920e4db71 |
C:\Users\Admin\AppData\Local\Temp\_MEI30562\_uuid.pyd
| MD5 | b9e2ab3d934221a25f2ad0a8c2247f94 |
| SHA1 | af792b19b81c1d90d570bdfedbd5789bdf8b9e0c |
| SHA256 | d462f34aca50d1f37b9ea03036c881ee4452e1fd37e1b303cd6daaecc53e260e |
| SHA512 | 9a278bfe339f3cfbd02a1bb177c3bc7a7ce36eb5b4fadaaee590834ad4d29cbe91c8c4c843263d91296500c5536df6ac98c96f59f31676cecdccf93237942a72 |
C:\Users\Admin\AppData\Local\Temp\_MEI30562\_tkinter.pyd
| MD5 | 7522da7a80c4831918d7bf26fcee6a8b |
| SHA1 | 3550d58220333943b37a59fe38625469f791ef9d |
| SHA256 | 1ed1d321870f7ab3d29fd5c21a5e2adc04664ec16d380a633c69992c45aa1ad6 |
| SHA512 | 2a3961e4f7d91045ada17d24bf16b69b82a6beaa35e277109c7c01b4b5d36bc48e4de74f0cd22ea869c3d42c5cfec507a9ef5e11e937ecf1572bd61a5adbcd05 |
C:\Users\Admin\AppData\Local\Temp\_MEI30562\_sqlite3.pyd
| MD5 | e7940561d82e12a092a592c7dedfae12 |
| SHA1 | 625fae53d931a3c0fbfd9a17f8d4c7342d542587 |
| SHA256 | 34d5f7623f95b412e66a8bad907f6952a81538c41b14a42556a048dacea0230d |
| SHA512 | 73af6252cf879a4292e6eece4a1c053d6c494cd3db5744fe4d77eb835e77674a9fb4150da11351c7a9b43948356fd534d7c19770779a8468fe945ed6ca2a3d74 |
C:\Users\Admin\AppData\Local\Temp\_MEI30562\_queue.pyd
| MD5 | 6cf8bd2c2b4498b1b0c015752eac6240 |
| SHA1 | e019e90049ce38b484c8843ee42a294abb62d667 |
| SHA256 | addffbb7a9f83ef580c7a4f3baaa2ba6fb3c8ba87f5f6366a979404ee7bd034a |
| SHA512 | 6a47b63c0a29e816c345d9cc6c6ae376c597e9b948b91011791d75813c83a532d6855d37d9fcfb6fb966364e38ade962557656b378f39c1d1443dc8cbecaf160 |
C:\Users\Admin\AppData\Local\Temp\_MEI30562\_overlapped.pyd
| MD5 | de12dbc5179985d360d26d86daed6e27 |
| SHA1 | a51ffb2e190bd5d31025b7081db25949c206c446 |
| SHA256 | 996b793e67974eba1d2f05cfd790d7c4cae8c0631e9d860b93442c71790d4f70 |
| SHA512 | da8ec05fe50cd3b5ace716cb83423fc1b4e5a148438268b48d1b78bb868c02a080911b70bdf16fd7b4ef67cbfe567eea0967c88aa23c9e887a6f18ecf9df9472 |
C:\Users\Admin\AppData\Local\Temp\_MEI30562\_multiprocessing.pyd
| MD5 | 429fcc16a7180712d2cc0ca2e0960923 |
| SHA1 | c649b32b5ac65d96eca53f588439de14f43c0880 |
| SHA256 | 2cba53a6b9c294beb6e5ac04a11b325d7e045b58d43bed9b22f92ff52be87a02 |
| SHA512 | 24b843f3b132a66e454b919d77888df280494a89b372c381e1b221e14ae1c43a741a34dbba0e00a9aeaba268eb1068a11c2f77810865722aedc8bf26fa6cfe6e |
C:\Users\Admin\AppData\Local\Temp\_MEI30562\_elementtree.pyd
| MD5 | 5313190dbe0767135c391106489cf35e |
| SHA1 | 6d008c89d7f498765c4db914664151a4b079206b |
| SHA256 | 534860e0ac8f503250530e610840d2de9211bf9197b0cbadb5e7faadbebd315c |
| SHA512 | 1e86bff644ab12097cf31461c62069acf1ba16a5a40c90492c9d11c0e2820d2dd686b0af13bc537f7320ba20aa5e504dfde59ba8a31308c1fc27dbb2366bfa0d |
C:\Users\Admin\AppData\Local\Temp\_MEI30562\_decimal.pyd
| MD5 | cf32b33b530159b7dda8796a32170b0f |
| SHA1 | 112daec7436a6febf3bb9b3cffc90f3554ee1132 |
| SHA256 | 620daebfd9d8f56d9eb32c424cc474fc45160c09982e93d91e6e18f89050dbb3 |
| SHA512 | 3175b087ad61357a0e957958a6acd2cf924c8c219de1d7e2221ed9ff783ab38c8bd7fecb640d521518d294c4783546f3ff1d677f085d6d44b1dbb6cb10f6d052 |
C:\Users\Admin\AppData\Local\Temp\_MEI30562\_cffi_backend.cp312-win_amd64.pyd
| MD5 | c7f92cfef4af07b6c38ab2cb186f4682 |
| SHA1 | b6d112dafbcc6693eda269de115236033ecb992d |
| SHA256 | 326547bdcfc759f83070de22433b8f5460b1563bfef2f375218cc31c814f7cae |
| SHA512 | 6e321e85778f48e96602e2e502367c5c44ac45c098eed217d19eddc3b3e203ded4012cab85bcad0b42562df1f64076a14598b94257069d53783b572f1f35ae5c |
C:\Users\Admin\AppData\Local\Temp\_MEI30562\_asyncio.pyd
| MD5 | eda8638c32995d8e48e5293b0b9dba21 |
| SHA1 | 840b1255f62c4c8e46428277808023f6c60911a0 |
| SHA256 | db7719e7bde6c21ef4dcaf315fe3bea500ce70a80b92be61dfd0d00cb46da142 |
| SHA512 | c356d77d90a84cef84156cf053e243c94c2d9b423f52d41ef30a280426ce4a564d57df4e7c714f50c2825d9a6088fa7b774b45a9c29703e044ce521194ac36af |
C:\Users\Admin\AppData\Local\Temp\_MEI30562\zlib1.dll
| MD5 | 4420536613ba131f0c17faa4a0d232ad |
| SHA1 | 73b1396baa8d1d3d15d856850d8bb8f073564eba |
| SHA256 | 36827107e06ed45ea6aa06b540eb78c68a00eaa7e6e630edfd15f8c4a25ec737 |
| SHA512 | 3ab746a6462f4a138153f4a8d99ec1fb1e0d694b4db99b401c595eb97ffc67140019f2fd5c3e759f518659edda550c0ce9322907ed631d30a9b6a176522552d0 |
C:\Users\Admin\AppData\Local\Temp\_MEI30562\VCRUNTIME140_1.dll
| MD5 | f8dfa78045620cf8a732e67d1b1eb53d |
| SHA1 | ff9a604d8c99405bfdbbf4295825d3fcbc792704 |
| SHA256 | a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5 |
| SHA512 | ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371 |
C:\Users\Admin\AppData\Local\Temp\_MEI30562\unicodedata.pyd
| MD5 | bbc5bf1e060d2ecc654c6f2f9bb53b40 |
| SHA1 | 47be8c2ae3031cd86f3933f2620a40a1dfcf9c6a |
| SHA256 | 158c385e7186c418db48b9345b599ffc605eaca35d47280b106fa05aaa68fb3b |
| SHA512 | 7b86cfe7e4ee8bc43f3e34becffe0d6abd38ea051222a0dc880b3bfc8c9bd5ee4026b4a0017e739cb1aa62d05c394fa27b5e2588df8b95ca2284d370ca1503bd |
C:\Users\Admin\AppData\Local\Temp\_MEI30562\tk86t.dll
| MD5 | 53d85aaa8044c66f3ff69d618ecfdf47 |
| SHA1 | a681e0a044594a66144e0a193599ff68446b8f05 |
| SHA256 | b69003b8c2f30ac0486fd383a1d28cbbeec4e156ef3c962f828f90663466c49e |
| SHA512 | 84f31734a3b92e374f819a86dcf3a55bd2e124b8e8eab2089d21f7b87b49aba64dbdb4bd9b1d1b395e507fd742969b567985f97b768a2fe684f5e1dc9139c717 |
C:\Users\Admin\AppData\Local\Temp\_MEI30562\tcl86t.dll
| MD5 | d8d21c45429142d11afa87ac4e4b1844 |
| SHA1 | 479360a69aed55ea34335f509bd1d06abd0193e1 |
| SHA256 | d6f817f67275cd587b1ad39055f4ead3812dc96c14010d834740388c98691d4e |
| SHA512 | af12b41bd148ae5596b376b80a55f084b474fcd82444a0bf46afd3795f9a767b4c69e7452372fd8798ace58ab1d13d971c6c2c0997246d4b094d6d587487c37b |
C:\Users\Admin\AppData\Local\Temp\_MEI30562\sqlite3.dll
| MD5 | 72f315d0016666a9ea1bd9161185e9ff |
| SHA1 | 7fe2b599b329fd057679938dfcfa8506d136e671 |
| SHA256 | 2bcdef677d17f776e622e802b2a020cf5d2597f1e7a4a2dd2ab1fcd266e5c263 |
| SHA512 | ffc1f1d8768ed94a143c0d932d9a303577e90bc5b77d3da857f90a10b49cd1de5a31760b9dd59edb98d569f880be311417a0be6f0ce744c721d0c4f6a9b5aa56 |
C:\Users\Admin\AppData\Local\Temp\_MEI30562\pyexpat.pyd
| MD5 | 4abfba91c47328272c9b69b2a6db4dd2 |
| SHA1 | dd95d2bc2ce19bded4a0d342a2da08f0a7778fe5 |
| SHA256 | a7a095d822ddc5d26c18b3afba8df7a158ed57a7389c0c67ccaceb5b2047fa8e |
| SHA512 | 8f19d7d648670307898df061ea2c2cec83555780c8c263992381405c188eb37f5e02bf05073c9568da101c5699b1add170e1bc2bc20cab73d5f62622303fe3c1 |
C:\Users\Admin\AppData\Local\Temp\_MEI30562\libopus-0.x64.dll
| MD5 | e56f1b8c782d39fd19b5c9ade735b51b |
| SHA1 | 3d1dc7e70a655ba9058958a17efabe76953a00b4 |
| SHA256 | fa8715dd0df84fdedbe4aa17763b2ab0db8941fa33421b6d42e25e59c4ae8732 |
| SHA512 | b7702e48b20a8991a5c537f5ba22834de8bb4ba55862b75024eace299263963b953606ee29e64d68b438bb0904273c4c20e71f22ccef3f93552c36fb2d1b2c46 |
memory/4120-1167-0x00007FFB50020000-0x00007FFB500ED000-memory.dmp
memory/4120-1166-0x00007FFB415B0000-0x00007FFB41C88000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI30562\charset_normalizer\md.cp312-win_amd64.pyd
| MD5 | 8ff998858e30924db2d767c23b3348f9 |
| SHA1 | 21fe8cec2c6d71dba898ac4d1bb09ce0f3eac158 |
| SHA256 | 938f973f8b9ca94e8c418fa3d13decb139cf1a69a81666770b745f99e34486eb |
| SHA512 | b017f9836d1158f397edc81438aa0de442f63e3371a996cb43d81d6ab0117b5cf2c8fbc9ac36340e6c78670b69fb23fdd60299fd23b0a1a1e769257dc01dca5f |
C:\Users\Admin\AppData\Local\Temp\_MEI30562\charset_normalizer\md__mypyc.cp312-win_amd64.pyd
| MD5 | 5212fd660452b75fb0cf527c6057a06a |
| SHA1 | 77239a13ca23b1e5f4f0a04233a5973291c35e3b |
| SHA256 | 15d0d3d640a30394add6ce767fb48fce2f4a97c83cd673468a6df3d49f2c1ef5 |
| SHA512 | 6e60c7f131c510f373dd89ac84acdb5f43bcc897ceb470c1f6d43a457f06675f8911f22a90fc2c1aa5f4137bda92043b6630f54e3d37ae369cdb00e9c286629c |
memory/4120-1176-0x00007FFB50720000-0x00007FFB50747000-memory.dmp
memory/4120-1175-0x00007FFB50750000-0x00007FFB5075B000-memory.dmp
memory/4120-1170-0x00007FFB50760000-0x00007FFB5076D000-memory.dmp
memory/4120-1178-0x00007FFB4FF00000-0x00007FFB5001B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI30562\certifi\cacert.pem
| MD5 | 52a8319281308de49ccef4850a7245bc |
| SHA1 | 43d20d833b084454311ca9b00dd7595c527ce3bb |
| SHA256 | 807897254f383a27f45e44f49656f378abab2141ede43a4ad3c2420a597dd23f |
| SHA512 | 2764222c0cd8c862906ac0e3e51f201e748822fe9ce9b1008f3367fdd7f0db7cc12bf86e319511157af087dd2093c42e2d84232fae023d35ee1e425e7c43382d |
memory/4120-1169-0x00007FFB50970000-0x00007FFB50995000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI30562\Crypto\Cipher\_raw_ecb.pyd
| MD5 | 1dfafb0703e7e2a4c69b07dc26e02d6a |
| SHA1 | c81d67803d11661b95c5deb3bf67bf012b0042be |
| SHA256 | 3814206c295e84122211f8d123a2467005acb18e48bf3cc8d673fedd26680313 |
| SHA512 | 816d3b71e3a5f40131073048afbe303fe75ca86a027d5485d06114be05ae2df01242ed9dfafa7c93ca0f8e79a77c20d5257fc7a22bacfff7d9bc60ce7d07bbc4 |
memory/4120-1205-0x00007FFB4F9A0000-0x00007FFB4F9AB000-memory.dmp
memory/4120-1204-0x00007FFB50770000-0x00007FFB507A3000-memory.dmp
memory/4120-1203-0x00007FFB4FA00000-0x00007FFB4FA0B000-memory.dmp
memory/4120-1202-0x00007FFB4F9B0000-0x00007FFB4F9BB000-memory.dmp
memory/4120-1201-0x00007FFB4F9C0000-0x00007FFB4F9CC000-memory.dmp
memory/4120-1200-0x00007FFB4F9D0000-0x00007FFB4F9DE000-memory.dmp
memory/4120-1199-0x00007FFB4F9E0000-0x00007FFB4F9ED000-memory.dmp
memory/4120-1198-0x00007FFB4F9F0000-0x00007FFB4F9FC000-memory.dmp
memory/4120-1197-0x00007FFB41080000-0x00007FFB415A2000-memory.dmp
memory/4120-1196-0x00007FFB50270000-0x00007FFB5027C000-memory.dmp
memory/4120-1195-0x00007FFB50280000-0x00007FFB5028B000-memory.dmp
memory/4120-1194-0x00007FFB50290000-0x00007FFB5029C000-memory.dmp
memory/4120-1193-0x00007FFB502A0000-0x00007FFB502AB000-memory.dmp
memory/4120-1192-0x00007FFB502B0000-0x00007FFB502BB000-memory.dmp
memory/4120-1191-0x00007FFB505A0000-0x00007FFB505AD000-memory.dmp
memory/4120-1190-0x00007FFB50870000-0x00007FFB50884000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI30562\Crypto\Cipher\_raw_ctr.pyd
| MD5 | 5289590e846458681ab5f88ea5c0e794 |
| SHA1 | ad6bc58e1566651bdd7508ce95b1c7e7f9bb9879 |
| SHA256 | c1b02d5892df640cb390a4295b37bed1bd7adbf8db79298fc3ceca228fb99612 |
| SHA512 | 62c8fb2c148acef74e07f19a7d8036e2a8febeed064899317787c60be87066df61b75d75ccbaf155ead68129ff5ad021f9e83d7c6a3c33669ef38ecd9895104f |
C:\Users\Admin\AppData\Local\Temp\_MEI30562\Crypto\Cipher\_raw_ofb.pyd
| MD5 | 162c4224976c7636cbdffb3bd8a41994 |
| SHA1 | db24eaad4a68ec9524d21c6ea649da81e401b78e |
| SHA256 | 1831f1c3857b95a2e6b923cb230b935fe839a64b0dc5aaba5aa92e31a9971551 |
| SHA512 | a53c4c2fbead0ec2c8c321d4c6edec287b4eb92d5852a1bf373cb1ff76d1e6c9a51443766e4b2a4e612381b373921b8b0d4f4c48c843d2c4272eccd6fda36a9e |
C:\Users\Admin\AppData\Local\Temp\_MEI30562\Crypto\Cipher\_raw_cfb.pyd
| MD5 | 778a2ded9a84ad9759141c285e915b11 |
| SHA1 | 2915fb4ca42d79ee32859d67c1299c0e4dfc32e7 |
| SHA256 | bb6d327d0e42d953a318a7a97953b0e530a0164a610fcab9a098ef9b407ee8a7 |
| SHA512 | 4c3f7945f97a57f74765e064050cfb6a1dd6abcffe1e2a8ce19132709c1dc554562efe188be4357202b6e3ea1998dc75cca4804684b47904547044db5574be67 |
C:\Users\Admin\AppData\Local\Temp\_MEI30562\Crypto\Cipher\_raw_cbc.pyd
| MD5 | 270fd535f94a87b973874b33f35e5af8 |
| SHA1 | bb7113a47070b629e878502fc1d929879850856b |
| SHA256 | b7ab0516b698a9f4ef50f08ef53af907c83d841d117af16ca742b7e186d3ef51 |
| SHA512 | 829dc409327562736b7d58df6e5e78e8e7595b08fa2c5a993a595032386946ccdf1ef62311c44ffbc31c41165511b40251457a0cf7b92ecec3342850876e5d31 |
memory/4120-1209-0x00007FFB48E10000-0x00007FFB48E22000-memory.dmp
memory/4120-1210-0x00007FFB50020000-0x00007FFB500ED000-memory.dmp
memory/4120-1208-0x00007FFB4E680000-0x00007FFB4E68D000-memory.dmp
memory/4120-1207-0x00007FFB4F6E0000-0x00007FFB4F6EB000-memory.dmp
memory/4120-1206-0x00007FFB4F990000-0x00007FFB4F99C000-memory.dmp
memory/4120-1211-0x00007FFB4E670000-0x00007FFB4E67C000-memory.dmp
memory/4120-1212-0x00007FFB50720000-0x00007FFB50747000-memory.dmp
memory/4120-1213-0x00007FFB47BA0000-0x00007FFB47BB6000-memory.dmp
memory/4120-1215-0x00007FFB41060000-0x00007FFB41074000-memory.dmp
memory/4120-1214-0x00007FFB47B80000-0x00007FFB47B92000-memory.dmp
memory/4120-1216-0x00007FFB41030000-0x00007FFB41052000-memory.dmp
memory/4120-1217-0x00007FFB41010000-0x00007FFB4102B000-memory.dmp
memory/4120-1218-0x00007FFB40D90000-0x00007FFB40DA9000-memory.dmp
memory/4120-1219-0x00007FFB40D40000-0x00007FFB40D8D000-memory.dmp
memory/4120-1221-0x00007FFB40D20000-0x00007FFB40D31000-memory.dmp
memory/4120-1220-0x00007FFB48E10000-0x00007FFB48E22000-memory.dmp
memory/4120-1222-0x00007FFB40CE0000-0x00007FFB40D12000-memory.dmp
memory/4120-1224-0x00007FFB40CC0000-0x00007FFB40CDE000-memory.dmp
memory/4120-1223-0x00007FFB4E670000-0x00007FFB4E67C000-memory.dmp
memory/4120-1226-0x00007FFB40C60000-0x00007FFB40CBD000-memory.dmp
memory/4120-1225-0x00007FFB47BA0000-0x00007FFB47BB6000-memory.dmp
memory/4120-1227-0x00007FFB40C20000-0x00007FFB40C58000-memory.dmp
memory/4120-1229-0x00007FFB40BF0000-0x00007FFB40C1A000-memory.dmp
memory/4120-1228-0x00007FFB41060000-0x00007FFB41074000-memory.dmp
memory/4120-1231-0x00007FFB40BC0000-0x00007FFB40BEF000-memory.dmp
memory/4120-1230-0x00007FFB41030000-0x00007FFB41052000-memory.dmp
memory/4120-1233-0x00007FFB40B90000-0x00007FFB40BB4000-memory.dmp
memory/4120-1232-0x00007FFB41010000-0x00007FFB4102B000-memory.dmp
memory/4120-1235-0x00007FFB40A10000-0x00007FFB40B86000-memory.dmp
memory/4120-1234-0x00007FFB40D90000-0x00007FFB40DA9000-memory.dmp
memory/4120-1237-0x00007FFB409F0000-0x00007FFB40A08000-memory.dmp
memory/4120-1236-0x00007FFB40D40000-0x00007FFB40D8D000-memory.dmp
memory/4120-1239-0x00007FFB47B40000-0x00007FFB47B4B000-memory.dmp
memory/4120-1238-0x00007FFB40D20000-0x00007FFB40D31000-memory.dmp
memory/4120-1244-0x00007FFB409E0000-0x00007FFB409EB000-memory.dmp
memory/4120-1243-0x00007FFB40C60000-0x00007FFB40CBD000-memory.dmp
memory/4120-1242-0x00007FFB42130000-0x00007FFB4213C000-memory.dmp
memory/4120-1241-0x00007FFB47490000-0x00007FFB4749B000-memory.dmp
memory/4120-1240-0x00007FFB40CE0000-0x00007FFB40D12000-memory.dmp
memory/4120-1247-0x00007FFB409C0000-0x00007FFB409CB000-memory.dmp
memory/4120-1253-0x00007FFB40970000-0x00007FFB4097B000-memory.dmp
memory/4120-1252-0x00007FFB40BF0000-0x00007FFB40C1A000-memory.dmp
memory/4120-1251-0x00007FFB40980000-0x00007FFB4098C000-memory.dmp
memory/4120-1250-0x00007FFB40990000-0x00007FFB4099E000-memory.dmp
memory/4120-1249-0x00007FFB409A0000-0x00007FFB409AD000-memory.dmp
memory/4120-1248-0x00007FFB409B0000-0x00007FFB409BC000-memory.dmp
memory/4120-1246-0x00007FFB409D0000-0x00007FFB409DC000-memory.dmp
memory/4120-1245-0x00007FFB40C20000-0x00007FFB40C58000-memory.dmp
memory/4120-1255-0x00007FFB40960000-0x00007FFB4096B000-memory.dmp
memory/4120-1254-0x00007FFB40BC0000-0x00007FFB40BEF000-memory.dmp
memory/4120-1257-0x00007FFB40950000-0x00007FFB4095C000-memory.dmp
memory/4120-1256-0x00007FFB40B90000-0x00007FFB40BB4000-memory.dmp
memory/4120-1263-0x00007FFB40930000-0x00007FFB4093D000-memory.dmp
memory/4120-1262-0x00007FFB40900000-0x00007FFB4090C000-memory.dmp
memory/4120-1261-0x00007FFB40910000-0x00007FFB40922000-memory.dmp
memory/4120-1260-0x00007FFB40940000-0x00007FFB4094B000-memory.dmp
memory/4120-1259-0x00007FFB409F0000-0x00007FFB40A08000-memory.dmp
memory/4120-1258-0x00007FFB40A10000-0x00007FFB40B86000-memory.dmp
memory/4120-1265-0x00007FFB408C0000-0x00007FFB408F5000-memory.dmp
memory/4120-1264-0x00007FFB47B40000-0x00007FFB47B4B000-memory.dmp
memory/4120-1266-0x00007FFB40670000-0x00007FFB408BA000-memory.dmp
memory/4120-1267-0x00007FFB3FE70000-0x00007FFB4066B000-memory.dmp
memory/4120-1268-0x00007FFB3FE10000-0x00007FFB3FE65000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nkdwfca5.qhz.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4120-1339-0x00007FFB40D90000-0x00007FFB40DA9000-memory.dmp
memory/4120-1316-0x00007FFB505A0000-0x00007FFB505AD000-memory.dmp
memory/4120-1312-0x00007FFB50760000-0x00007FFB5076D000-memory.dmp
memory/4120-1343-0x00007FFB40B90000-0x00007FFB40BB4000-memory.dmp
memory/4120-1342-0x00007FFB40CE0000-0x00007FFB40D12000-memory.dmp
memory/4120-1341-0x00007FFB40D20000-0x00007FFB40D31000-memory.dmp
memory/4120-1340-0x00007FFB40D40000-0x00007FFB40D8D000-memory.dmp
memory/4120-1338-0x00007FFB41010000-0x00007FFB4102B000-memory.dmp
memory/4120-1337-0x00007FFB41030000-0x00007FFB41052000-memory.dmp
memory/4120-1336-0x00007FFB41060000-0x00007FFB41074000-memory.dmp
memory/4120-1335-0x00007FFB47B80000-0x00007FFB47B92000-memory.dmp
memory/4120-1334-0x00007FFB47BA0000-0x00007FFB47BB6000-memory.dmp
memory/4120-1333-0x00007FFB4E670000-0x00007FFB4E67C000-memory.dmp
memory/4120-1332-0x00007FFB48E10000-0x00007FFB48E22000-memory.dmp
memory/4120-1331-0x00007FFB4E680000-0x00007FFB4E68D000-memory.dmp
memory/4120-1330-0x00007FFB4F6E0000-0x00007FFB4F6EB000-memory.dmp
memory/4120-1329-0x00007FFB4F990000-0x00007FFB4F99C000-memory.dmp
memory/4120-1328-0x00007FFB4F9A0000-0x00007FFB4F9AB000-memory.dmp
memory/4120-1327-0x00007FFB4F9B0000-0x00007FFB4F9BB000-memory.dmp
memory/4120-1326-0x00007FFB4F9C0000-0x00007FFB4F9CC000-memory.dmp
memory/4120-1325-0x00007FFB4F9D0000-0x00007FFB4F9DE000-memory.dmp
memory/4120-1324-0x00007FFB4F9E0000-0x00007FFB4F9ED000-memory.dmp
memory/4120-1323-0x00007FFB4F9F0000-0x00007FFB4F9FC000-memory.dmp
memory/4120-1322-0x00007FFB4FA00000-0x00007FFB4FA0B000-memory.dmp
memory/4120-1321-0x00007FFB50270000-0x00007FFB5027C000-memory.dmp
memory/4120-1320-0x00007FFB50280000-0x00007FFB5028B000-memory.dmp
memory/4120-1319-0x00007FFB50290000-0x00007FFB5029C000-memory.dmp
memory/4120-1318-0x00007FFB502A0000-0x00007FFB502AB000-memory.dmp
memory/4120-1317-0x00007FFB502B0000-0x00007FFB502BB000-memory.dmp
memory/4120-1315-0x00007FFB4FF00000-0x00007FFB5001B000-memory.dmp
memory/4120-1314-0x00007FFB50720000-0x00007FFB50747000-memory.dmp
memory/4120-1313-0x00007FFB50750000-0x00007FFB5075B000-memory.dmp
memory/4120-1311-0x00007FFB50020000-0x00007FFB500ED000-memory.dmp
memory/4120-1310-0x00007FFB50770000-0x00007FFB507A3000-memory.dmp
memory/4120-1307-0x00007FFB41080000-0x00007FFB415A2000-memory.dmp
memory/4120-1306-0x00007FFB50870000-0x00007FFB50884000-memory.dmp
memory/4120-1305-0x00007FFB507D0000-0x00007FFB507FD000-memory.dmp
memory/4120-1304-0x00007FFB50950000-0x00007FFB50969000-memory.dmp
memory/4120-1303-0x00007FFB513B0000-0x00007FFB513BF000-memory.dmp
memory/4120-1309-0x00007FFB50940000-0x00007FFB5094D000-memory.dmp
memory/4120-1308-0x00007FFB507B0000-0x00007FFB507C9000-memory.dmp
memory/4120-1302-0x00007FFB50970000-0x00007FFB50995000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI23162\attrs-24.2.0.dist-info\INSTALLER
| MD5 | 365c9bfeb7d89244f2ce01c1de44cb85 |
| SHA1 | d7a03141d5d6b1e88b6b59ef08b6681df212c599 |
| SHA256 | ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508 |
| SHA512 | d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1 |
memory/1064-2633-0x00007FFB415B0000-0x00007FFB41C88000-memory.dmp
memory/1064-2648-0x00007FFB505A0000-0x00007FFB505AD000-memory.dmp
memory/1064-2644-0x00007FFB50760000-0x00007FFB5076D000-memory.dmp
memory/1064-2642-0x00007FFB50770000-0x00007FFB507A3000-memory.dmp
memory/1064-2639-0x00007FFB41080000-0x00007FFB415A2000-memory.dmp
memory/1064-2634-0x00007FFB50970000-0x00007FFB50995000-memory.dmp
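The dump list above is printed in the order the sandbox wrote the files, which hides the one thing worth noticing: several ranges are dumped byte-for-byte identically from PID 4120 and PID 1064. The following is an added example by the editor, not part of the sandbox report and not code from the sample; it parses the `memory/PID-SEQ-0xSTART-0xEND-memory.dmp` naming scheme for a subset of the lines above and groups the ranges by PID. Which module backs each range is not stated in the report, so the output is a lead for a debugger session, not an identification; the idea that the large shared 0x...41080000 range is the Python runtime dropped by the bootloader is the editor's hypothesis.

```python
"""Group the report's memory-dump ranges by PID and find ranges dumped from
more than one process.

Added example by the editor; not part of the sandbox report. The lines
below are a subset copied from the report's dump list for PIDs 4120 and
1064. Module names are not in the report and are not asserted here.
"""
import re
from collections import defaultdict

# Constructed input: twelve of the report's dump lines, six per PID.
DUMP_LINES = """\
memory/4120-1307-0x00007FFB41080000-0x00007FFB415A2000-memory.dmp
memory/4120-1302-0x00007FFB50970000-0x00007FFB50995000-memory.dmp
memory/4120-1310-0x00007FFB50770000-0x00007FFB507A3000-memory.dmp
memory/4120-1312-0x00007FFB50760000-0x00007FFB5076D000-memory.dmp
memory/4120-1316-0x00007FFB505A0000-0x00007FFB505AD000-memory.dmp
memory/4120-1343-0x00007FFB40B90000-0x00007FFB40BB4000-memory.dmp
memory/1064-2633-0x00007FFB415B0000-0x00007FFB41C88000-memory.dmp
memory/1064-2634-0x00007FFB50970000-0x00007FFB50995000-memory.dmp
memory/1064-2639-0x00007FFB41080000-0x00007FFB415A2000-memory.dmp
memory/1064-2642-0x00007FFB50770000-0x00007FFB507A3000-memory.dmp
memory/1064-2644-0x00007FFB50760000-0x00007FFB5076D000-memory.dmp
memory/1064-2648-0x00007FFB505A0000-0x00007FFB505AD000-memory.dmp
""".splitlines()

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dumps(lines):
    """Return one dict per dump line: pid, seq, start, end, size (bytes)."""
    regions = []
    for line in lines:
        m = DUMP_RE.match(line.strip())
        if not m:
            continue  # tolerate headings etc. when fed a whole report section
        start, end = int(m["start"], 16), int(m["end"], 16)
        if end <= start:
            raise ValueError(f"empty or inverted range: {line}")
        regions.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                        "start": start, "end": end, "size": end - start})
    return regions


def shared_regions(regions):
    """Ranges that appear, with identical start and end, under more than one PID.

    ASLR chooses a DLL's base once, and other processes that map the same
    image while it is loaded get the same base, so identical ranges across
    PIDs almost always mean the same module is mapped in both."""
    pids_by_range = defaultdict(set)
    for r in regions:
        pids_by_range[(r["start"], r["end"])].add(r["pid"])
    return sorted(
        (start, end, end - start, tuple(sorted(pids)))
        for (start, end), pids in pids_by_range.items() if len(pids) > 1
    )


def largest(regions, n=3):
    """The n biggest ranges: a multi-megabyte mapping is where to look for an
    interpreter DLL or unpacked code, not among the small helper modules."""
    return sorted(regions, key=lambda r: r["size"], reverse=True)[:n]


if __name__ == "__main__":
    regs = parse_dumps(DUMP_LINES)
    for start, end, size, pids in shared_regions(regs):
        print(f"{start:#018x}-{end:#018x}  {size:>9} bytes  shared by PIDs {pids}")
    for r in largest(regs):
        print(f"largest: pid {r['pid']} at {r['start']:#018x}, {r['size']} bytes")
```

Run against the full list, the shared ranges are the ones to open first in a debugger on the child process; a range present in only one PID (such as the 7 MB mapping in 1064) is private to that process and is the better candidate for unpacked or injected code.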
Analysis: behavioral3
Detonation Overview
Submitted
2024-12-15 22:39
Reported
2024-12-15 22:43
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3028 wrote to memory of 2836 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 3028 wrote to memory of 2836 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 3028 wrote to memory of 2836 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2836 wrote to memory of 2720 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2836 wrote to memory of 2720 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2836 wrote to memory of 2720 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2836 wrote to memory of 2720 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 558d4b528ed5b1b13f1e6c2a0eb12e1a |
| SHA1 | 62abb315af2df3a49e5a7f4d3dde5f000dde15f0 |
| SHA256 | de33cbad854089c0fa3c0883718b99aa35967185ec85b4d9f5dc26367801077f |
| SHA512 | 2e4a418b717a01346037d90b2b26af1d2df843fe2edd62ad100eebd346438637f0f77195c2e6a930a4fd6d0c819558b77f1799ff3df59ae2fc65be7e92ce6cf2 |
Analysis: behavioral5
Detonation Overview
Submitted
2024-12-15 22:39
Reported
2024-12-15 22:43
Platform
win7-20240903-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2684 wrote to memory of 2320 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2684 wrote to memory of 2320 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2684 wrote to memory of 2320 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2320 wrote to memory of 2836 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2320 wrote to memory of 2836 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2320 wrote to memory of 2836 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2320 wrote to memory of 2836 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\get_cookies.pyc
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\get_cookies.pyc
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\get_cookies.pyc"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | e90afdf617d6a580c31b6ce1ed52c8da |
| SHA1 | 3dbff157f030b796c331ea6268b887dae4e11e31 |
| SHA256 | 84b3a9aecf2ab4971a492631686f8afe162fafb606aac9e33ce20d3af4038080 |
| SHA512 | f7404108c6c7492ee4f41279fb967b553596a2c8194d013ef0949d25fed39d73394ac9a1ee54e309045d1ce6effd1ba306325291bfba70fca897e2765f73925f |
Analysis: behavioral6
Detonation Overview
Submitted
2024-12-15 22:39
Reported
2024-12-15 22:43
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
143s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\get_cookies.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-12-15 22:39
Reported
2024-12-15 22:43
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
139s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\misc.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-12-15 22:39
Reported
2024-12-15 22:43
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
148s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\passwords_grabber.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-12-15 22:39
Reported
2024-12-15 22:43
Platform
win7-20240903-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2224 wrote to memory of 2240 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2224 wrote to memory of 2240 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2224 wrote to memory of 2240 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2240 wrote to memory of 3056 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2240 wrote to memory of 3056 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2240 wrote to memory of 3056 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2240 wrote to memory of 3056 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 12ba47ecd9c5017e2ad5814ba223ee59 |
| SHA1 | 292d6b4f13f692678688ddc964299a38ff022487 |
| SHA256 | 65ae4731877fcd098884351b641e2c1cceaa5ed0a3a709b9a6dd96672c6bcaae |
| SHA512 | 1ad9cd0928ff4c904c1e964477e0d409cea902e689009731aa909497db04281a47b824e2a5c9f1b851b0ff854eb09fcc6e383ac104a0540687c7fd51169032e9 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-15 22:39
Reported
2024-12-15 22:41
Platform
win7-20240903-en
Max time kernel
14s
Max time network
17s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2424 wrote to memory of 1784 | N/A | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe |
| PID 2424 wrote to memory of 1784 | N/A | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe |
| PID 2424 wrote to memory of 1784 | N/A | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\source_prepared.exe
"C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"
C:\Users\Admin\AppData\Local\Temp\source_prepared.exe
"C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI24242\python312.dll
| MD5 | cfa2e5cdda9039831f12174573b20c7b |
| SHA1 | c63a1ffd741a85e483fc01d6a2d0f7616b223291 |
| SHA256 | b93e682bddb5c3e2af1f0264e83fbc40481fe6abd90c3ab26e94f246c8ce8d7d |
| SHA512 | f1ac568bd1a16d5ab2623ac42a83aed32d9867a0e016e0ac3c922f28ceb1bb7e114dab44553949008a6e2fd3bb67fc2be8fc283560d9f4b1f1552137a0c104aa |
memory/1784-1111-0x000007FEF5480000-0x000007FEF5B58000-memory.dmp
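Two very different process chains sit side by side in these runs. In behavioral1 the sample writes to a second copy of itself (source_prepared.exe spawning source_prepared.exe), which is how a onefile PyInstaller bootloader behaves after unpacking its runtime to `%TEMP%\_MEIxxxx`; the dropped `_MEI24242\python312.dll` fits that. In behavioral3, behavioral5 and behavioral11 the sandbox ran an extracted `.pyc` via `cmd /c`; a `.pyc` has no registered handler, so the shell raised the "Open with" dialog (`shell32.dll,OpenAs_RunDLL` on Windows 7, `OpenWith.exe -Embedding` on Windows 10), and Adobe Reader was what got picked. The SetWindowsHookEx, GetForegroundWindowSpam, NLS\Language and SharedDataEvents findings in those runs belong to AcroRd32.exe, not to the sample; the useful information in them is only the module names (discord_token_grabber, get_cookies, passwords_grabber, misc). The following is an added example by the editor, not part of the report and not code from the Pysilon sample, that parses the WriteProcessMemory rows and command lines copied from behavioral1 and behavioral3 and labels each edge with those two heuristics; the labels are the editor's, not sandbox verdicts.

```python
"""Triage of process-creation chains from a sandbox report.

Added example by the editor; not sandbox output and not code from the
sample. The rows and command lines are copied from the report's
behavioral1 and behavioral3 runs; the labels are editor heuristics.
"""
import re

# Constructed input: "Suspicious use of WriteProcessMemory" rows and the
# "Processes" command lines (keyed by image path) from two runs.
RUNS = {
    "behavioral1": {
        "wpm": [
            r"| PID 2424 wrote to memory of 1784 | N/A | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe |",
        ] * 3,
        "cmdlines": {
            r"C:\Users\Admin\AppData\Local\Temp\source_prepared.exe":
                r'"C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"',
        },
    },
    "behavioral3": {
        "wpm": [
            r"| PID 3028 wrote to memory of 2836 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |",
        ] * 3 + [
            r"| PID 2836 wrote to memory of 2720 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |",
        ] * 4,
        "cmdlines": {
            r"C:\Windows\system32\cmd.exe":
                r"cmd /c C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc",
            r"C:\Windows\system32\rundll32.exe":
                r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc',
            r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe":
                r'"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc"',
        },
    },
}

ROW_RE = re.compile(
    r"^\|\s*PID (\d+) wrote to memory of (\d+)\s*\|[^|]*\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*$"
)


def parse_wpm(rows):
    """Parse table rows into unique (ppid, cpid, parent_image, child_image) edges.

    The sandbox logs one row per WriteProcessMemory call, so the same edge
    repeats three or four times while the parent sets up the child; the
    duplicates carry no extra information and are collapsed."""
    edges = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        ppid, cpid, pimg, cimg = m.groups()
        edge = (int(ppid), int(cpid), pimg, cimg)
        if edge not in edges:
            edges.append(edge)
    return edges


def basename(path):
    return path.rsplit("\\", 1)[-1]


def classify(parent_img, child_img, cmdlines):
    """Heuristic label for one parent -> child edge (editor's rules)."""
    pcmd = cmdlines.get(parent_img, "").lower()
    ccmd = cmdlines.get(child_img, "").lower()
    if (parent_img.lower() == child_img.lower()
            and "\\appdata\\local\\temp\\" in parent_img.lower()):
        # onefile PyInstaller: the bootloader unpacks to %TEMP%\_MEIxxxx and
        # then starts a second copy of itself, which is the payload process
        return "pyinstaller-reexec"
    if ("openas_rundll" in pcmd or "openas_rundll" in ccmd
            or basename(child_img).lower() == "openwith.exe"):
        # cmd /c <file>.pyc has no handler, so the shell showed "Open with";
        # whatever got launched from that dialog is not the sample running
        return "sandbox-openwith-noise"
    return "review"


def triage(runs):
    """Return {run: [(ppid, cpid, parent_basename, child_basename, label), ...]}."""
    result = {}
    for name, run in runs.items():
        result[name] = [
            (ppid, cpid, basename(pimg), basename(cimg),
             classify(pimg, cimg, run["cmdlines"]))
            for ppid, cpid, pimg, cimg in parse_wpm(run["wpm"])
        ]
    return result


if __name__ == "__main__":
    for name, edges in triage(RUNS).items():
        print(name)
        for ppid, cpid, parent, child, label in edges:
            print(f"  {parent} ({ppid}) -> {child} ({cpid})  [{label}]")
```

Anything labelled `review` is what deserves analyst time; on this report that leaves the behavioral1 re-exec and the earlier win10 run of the executable, while the five `.pyc` runs can be discarded as sandbox noise.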
Analysis: behavioral4
Detonation Overview
Submitted
2024-12-15 22:39
Reported
2024-12-15 22:43
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| N/A | 13.69.239.77:443 | N/A | tcp |
| SE | 192.229.221.95:80 | N/A | tcp |
Files
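The Network tables in the win10 `.pyc` runs list PTR queries (`*.in-addr.arpa`) to 8.8.8.8 and, in behavioral4, two direct TCP connections. Only cmd.exe and OpenWith.exe ran in that run, so no Python code executed and none of this can be attributed to the sample; treat it as the image's own background traffic and keep it out of IOC lists unless the same addresses recur in a run where the executable was active. To pivot on the rows at all you have to turn the reversed-octet names back into addresses and cope with the shifted or short tcp rows the export produces. The following is an added example by the editor, not part of the report, that does exactly that on rows copied from behavioral4 and behavioral6; it makes no claim about who owns the addresses.

```python
"""Turn a sandbox report's Network rows back into plain IP addresses.

Added example by the editor; not part of the sandbox report. Rows are
copied from the report's behavioral4 and behavioral6 runs, including the
two tcp rows in the shifted/short form the export produced for them.
Address ownership is not looked up or asserted.
"""
import ipaddress

# Constructed input: table rows exactly as exported, malformed ones included.
NET_ROWS = [
    "| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |",
    "| N/A | 13.69.239.77:443 | tcp | |",   # protocol landed in the Domain column
    "| SE | 192.229.221.95:80 | tcp |",     # one column short
]


def parse_row(row):
    """Split a table row into (country, destination, domain, proto), tolerating
    the shifted or missing cells seen in the export."""
    cells = [c.strip() for c in row.strip().strip("|").split("|")]
    if len(cells) < 3:
        raise ValueError(f"not a network row: {row!r}")
    country, dest = cells[0], cells[1]
    rest = [c for c in cells[2:] if c and c != "N/A"]
    proto = next((c for c in rest if c in ("tcp", "udp")), "")
    domain = next((c for c in rest if c not in ("tcp", "udp")), "")
    return country, dest, domain, proto


def ptr_to_ip(name):
    """'232.168.11.51.in-addr.arpa' -> '51.11.168.232'; None for anything else."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def summarize(rows):
    """Return (IPs that were reverse-looked-up, direct TCP (host, port) pairs),
    each de-duplicated and sorted so several runs can be merged and diffed."""
    looked_up, connections = set(), set()
    for row in rows:
        _, dest, domain, proto = parse_row(row)
        ip = ptr_to_ip(domain)
        if ip:
            looked_up.add(ip)
        elif proto == "tcp":
            host, port = dest.rsplit(":", 1)
            connections.add((host, int(port)))
    return sorted(looked_up, key=ipaddress.IPv4Address), sorted(connections)


if __name__ == "__main__":
    ips, conns = summarize(NET_ROWS)
    print("PTR lookups for:", ", ".join(ips))
    print("TCP connections:", conns)
```

Feeding every run's rows through `summarize` and diffing the result against a clean detonation of a benign file on the same sandbox image is the quickest way to separate image noise from anything the sample actually contacted.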
Analysis: behavioral7
Detonation Overview
Submitted
2024-12-15 22:39
Reported
2024-12-15 22:43
Platform
win7-20241010-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 956 wrote to memory of 2372 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 956 wrote to memory of 2372 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 956 wrote to memory of 2372 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2372 wrote to memory of 2896 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2372 wrote to memory of 2896 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2372 wrote to memory of 2896 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2372 wrote to memory of 2896 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\misc.pyc
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\misc.pyc
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\misc.pyc"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 81b202956cc3c5769f2873d282ef085c |
| SHA1 | 9e52b786f36a02b735c8e4ca18c83de368f4e00d |
| SHA256 | 9f61c03adc42762dd04b5b06a2626af3b825da96249c9ec4eb94038e41b9c281 |
| SHA512 | 97469b4f520361237cff9fd37c5696587123070540109210297f5790a896f2beee964173b37f9dd4a268b2010fcb66c643859b5b7630d5672adf48fda7476ca2 |
Analysis: behavioral9
Detonation Overview
Submitted
2024-12-15 22:39
Reported
2024-12-15 22:43
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2404 wrote to memory of 1032 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2404 wrote to memory of 1032 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2404 wrote to memory of 1032 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1032 wrote to memory of 2900 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 1032 wrote to memory of 2900 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 1032 wrote to memory of 2900 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 1032 wrote to memory of 2900 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\passwords_grabber.pyc
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\passwords_grabber.pyc
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\passwords_grabber.pyc"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | f1566633e294c1969b1be96604c79043 |
| SHA1 | f50c3c6da12ae547bce37f8714a8345d1e57fdae |
| SHA256 | 71402a66f4a7d45b8c1ffe96a369d0d614df3a7e54f1d152cc897c01fbe22d35 |
| SHA512 | c906f88038abb68018e18ea208a6e89bf1a58121f48acc420f8e9b9e10d7bb5d6981340a1a18db34eb033ef3958d60603392a20694de8bfc2f9b407ef1e38684 |
Analysis: behavioral12
Detonation Overview
Submitted
2024-12-15 22:39
Reported
2024-12-15 22:43
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
140s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |