Analysis Overview
SHA256
c015f2732beac7532552b3b4f58c07b89743484afacf27287cac5e48cc83e3aa
Threat Level: Known bad
The file source_prepared.exe was found to be: Known bad.
Malicious Activity Summary
Pysilon family
Detect Pysilon
Enumerates VirtualBox DLL files
Sets file to hidden
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
UPX packed file
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Detects Pyinstaller
Unsigned PE
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Views/modifies file attributes
Kills process with taskkill
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-19 16:38
Signatures
Detect Pysilon
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Pysilon family
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral12
Detonation Overview
Submitted
2024-12-19 16:37
Reported
2024-12-19 16:41
Platform
win10v2004-20241007-de
Max time kernel
94s
Max time network
153s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-19 16:37
Reported
2024-12-19 16:41
Platform
win10v2004-20241007-de
Max time kernel
140s
Max time network
141s
Command Line
Signatures
Enumerates VirtualBox DLL files
| Description | Indicator | Process | Target |
| File opened (read-only) | C:\windows\system32\vboxmrxnp.dll | C:\Users\Admin\Robux Generator\Robux Generator.exe | N/A |
| File opened (read-only) | C:\windows\system32\vboxhook.dll | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | N/A |
| File opened (read-only) | C:\windows\system32\vboxmrxnp.dll | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | N/A |
| File opened (read-only) | C:\windows\system32\vboxhook.dll | C:\Users\Admin\Robux Generator\Robux Generator.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Robux Generator\Robux Generator.exe | N/A |
| N/A | N/A | C:\Users\Admin\Robux Generator\Robux Generator.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Robux Generator = "C:\\Users\\Admin\\Robux Generator\\Robux Generator.exe" | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\Robux Generator\Robux Generator.exe | N/A |
| N/A | N/A | C:\Users\Admin\Robux Generator\Robux Generator.exe | N/A |
| N/A | N/A | C:\Users\Admin\Robux Generator\Robux Generator.exe | N/A |
| N/A | N/A | C:\Users\Admin\Robux Generator\Robux Generator.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Robux Generator\Robux Generator.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Robux Generator\Robux Generator.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\source_prepared.exe
"C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"
C:\Users\Admin\AppData\Local\Temp\source_prepared.exe
"C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x444 0x2f4
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\Robux Generator\""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Robux Generator\activate.bat""
C:\Windows\system32\attrib.exe
attrib +s +h .
C:\Users\Admin\Robux Generator\Robux Generator.exe
"Robux Generator.exe"
C:\Windows\system32\taskkill.exe
taskkill /f /im "source_prepared.exe"
C:\Users\Admin\Robux Generator\Robux Generator.exe
"Robux Generator.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\Robux Generator\""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell (Get-CimInstance Win32_ComputerSystemProduct).UUID
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| N/A | 127.0.0.1:57529 | N/A | tcp |
| US | 8.8.8.8:53 | gateway.discord.gg | udp |
| US | 162.159.136.234:443 | gateway.discord.gg | tcp |
| US | 162.159.135.234:443 | gateway.discord.gg | tcp |
| US | 8.8.8.8:53 | 234.135.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.138.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI24082\ucrtbase.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\python311.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\VCRUNTIME140.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\base_library.zip
C:\Users\Admin\AppData\Local\Temp\_MEI24082\_ctypes.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI24082\python3.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\libffi-8.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\_bz2.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI24082\_lzma.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI24082\api-ms-win-core-file-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\api-ms-win-core-fibers-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\api-ms-win-core-errorhandling-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\api-ms-win-core-debug-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\api-ms-win-core-console-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\api-ms-win-core-datetime-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\libmodplug-1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\libjpeg-9.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\libcrypto-3.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\freetype.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\crypto_clipper.json
C:\Users\Admin\AppData\Local\Temp\_MEI24082\api-ms-win-crt-utility-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\api-ms-win-crt-time-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\api-ms-win-crt-string-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\api-ms-win-crt-stdio-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\api-ms-win-crt-runtime-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\api-ms-win-crt-process-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\api-ms-win-crt-private-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\api-ms-win-crt-multibyte-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\api-ms-win-crt-math-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\api-ms-win-crt-locale-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\api-ms-win-crt-heap-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\api-ms-win-crt-filesystem-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\api-ms-win-crt-environment-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\api-ms-win-crt-convert-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\api-ms-win-crt-conio-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\api-ms-win-core-util-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\api-ms-win-core-timezone-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\api-ms-win-core-sysinfo-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\api-ms-win-core-synch-l1-2-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\api-ms-win-core-synch-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\api-ms-win-core-string-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\api-ms-win-core-rtlsupport-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\api-ms-win-core-profile-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\api-ms-win-core-processthreads-l1-1-1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\api-ms-win-core-processthreads-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\api-ms-win-core-processenvironment-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\api-ms-win-core-namedpipe-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\api-ms-win-core-memory-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\api-ms-win-core-localization-l1-2-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\api-ms-win-core-libraryloader-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\api-ms-win-core-interlocked-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\api-ms-win-core-heap-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\api-ms-win-core-handle-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\api-ms-win-core-file-l2-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24082\api-ms-win-core-file-l1-2-0.dll
| MD5 | d21990615e2a9feb29613cffddce5da0 |
| SHA1 | a701b95716677409e8997e3affccb38a7332efd3 |
| SHA256 | e374718baaeb789c0893bd906e491fabff6fab9b1abad826a962bf86b89d4896 |
| SHA512 | 20f7734713ade34c6e26cc8b69f48243b878aa19e6764d17688214e8fe0d03bc775dae62e368a3a81d14879214ba7388fc1ac31a58ae1bd375951ee80a84098a |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wksiwzv0.tsu.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\_MEI15082\cryptography-44.0.0.dist-info\INSTALLER
| MD5 | 365c9bfeb7d89244f2ce01c1de44cb85 |
| SHA1 | d7a03141d5d6b1e88b6b59ef08b6681df212c599 |
| SHA256 | ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508 |
| SHA512 | d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-12-19 16:37
Reported
2024-12-19 16:41
Platform
win10v2004-20241007-de
Max time kernel
94s
Max time network
150s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-12-19 16:37
Reported
2024-12-19 16:38
Platform
win7-20241010-de
Max time kernel
11s
Max time network
19s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\pyc_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\.pyc | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\pyc_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\pyc_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\pyc_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\.pyc\ = "pyc_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\pyc_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2452 wrote to memory of 2760 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2452 wrote to memory of 2760 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2452 wrote to memory of 2760 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2760 wrote to memory of 2688 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2760 wrote to memory of 2688 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2760 wrote to memory of 2688 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2760 wrote to memory of 2688 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\get_cookies.pyc
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\get_cookies.pyc
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\get_cookies.pyc"
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-12-19 16:37
Reported
2024-12-19 16:41
Platform
win10v2004-20241007-de
Max time kernel
94s
Max time network
95s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\get_cookies.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-12-19 16:37
Reported
2024-12-19 16:41
Platform
win7-20240903-de
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.pyc | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\pyc_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\pyc_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\pyc_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\pyc_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\pyc_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.pyc\ = "pyc_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3048 wrote to memory of 3032 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 3048 wrote to memory of 3032 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 3048 wrote to memory of 3032 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 3032 wrote to memory of 2684 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 3032 wrote to memory of 2684 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 3032 wrote to memory of 2684 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 3032 wrote to memory of 2684 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\misc.pyc
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\misc.pyc
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\misc.pyc"
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-12-19 16:37
Reported
2024-12-19 16:41
Platform
win10v2004-20241007-de
Max time kernel
102s
Max time network
104s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\misc.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-12-19 16:37
Reported
2024-12-19 16:41
Platform
win7-20240903-de
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\.pyc | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\pyc_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\pyc_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\pyc_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\pyc_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\pyc_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\.pyc\ = "pyc_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1672 wrote to memory of 2328 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1672 wrote to memory of 2328 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1672 wrote to memory of 2328 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2328 wrote to memory of 2824 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2328 wrote to memory of 2824 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2328 wrote to memory of 2824 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2328 wrote to memory of 2824 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc"
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | ae6dfaba226903ecddb57ed2d074cc6f |
| SHA1 | aee092106f60b0e9f802235e918f45594d47a71e |
| SHA256 | 6351dbf3f2dc98202a61a19a546b0fcdab71f49cf6942c368560cec2d105255d |
| SHA512 | aaec5a4f55bee53fe8b7980d0b14fc7e9dd5518f3924506e92e009c7b12b9cb399d57222c2b8171c99c388f435e098c7bdb309c8bfa17a1d01c5238554cefb22 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-19 16:37
Reported
2024-12-19 16:41
Platform
win7-20241023-de
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2932 wrote to memory of 2560 | N/A | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe |
| PID 2932 wrote to memory of 2560 | N/A | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe |
| PID 2932 wrote to memory of 2560 | N/A | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe | C:\Users\Admin\AppData\Local\Temp\source_prepared.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\source_prepared.exe
"C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Users\Admin\AppData\Local\Temp\source_prepared.exe
"C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI29322\ucrtbase.dll
| MD5 | 14af9c0c20388e7d992baa016815f7b2 |
| SHA1 | 8a1477607bf73b3e4901f08a226ef8c6659c97de |
| SHA256 | 43cafe3b16453f1b213da185fab4951fc550678a410366be77e2a3cd00ed5f92 |
| SHA512 | ac69aa4bd2d8c9caece76bd45f49bb9542cb91f28f7408d6e0a2d98af30ebbf615a9e0b5950e9836c202dbc3c929b14eee167418c136e31a1073e3baed4340d4 |
\Users\Admin\AppData\Local\Temp\_MEI29322\python311.dll
| MD5 | 548809b87186356c7ac6421562015915 |
| SHA1 | 8fa683eed7f916302c2eb1a548c12118bea414fa |
| SHA256 | 6c65da37cf6464507ad9d187a34f5b5d61544b83d831547642d17c01852599a1 |
| SHA512 | c0b63bf9908e23457cf6c2551219c7951bc1a164f3a585cde750b244fa628753ee43fde35f2aa76223fd9f90cf5ea582241ab510f7373a247eae0b26817198fc |
memory/2560-1320-0x000007FEF62C0000-0x000007FEF68B2000-memory.dmp
\Users\Admin\AppData\Local\Temp\_MEI29322\api-ms-win-core-file-l2-1-0.dll
| MD5 | 6ee594309656724d72e52d1bce38aa6c |
| SHA1 | 9f4376d8855c783486dd31a9e89984bc44d70e8c |
| SHA256 | 90319c14d93d2efe2aa9c48af44e41b662445b1c05e6f7ed8c6c3329b9a3c2f2 |
| SHA512 | 5ff55e8fb3050399ca7c98bbf43b64bff90ca11d094b9144f886df9b1df98b6ec501c29f0eb7c6251f5c07405c8bb2dc24249e9d36f45b6d93d7e790eea987d4 |
\Users\Admin\AppData\Local\Temp\_MEI29322\api-ms-win-core-timezone-l1-1-0.dll
| MD5 | 8b181083e2598b6c19d9749f65fb0ed2 |
| SHA1 | 23ca8d38e5e02229a1092512b8260a531472f092 |
| SHA256 | 7517445bc875e8fdb109fbba7aa68d9aab26eeea75c3e8a3bc38904d1aa374cc |
| SHA512 | 5c2d2ad4a587eb28e2d30ed66c6a01fa056487aba998f6c276b31cf4d3c02395c85966c02fbf789fe4674fdc96108d8639d9cb03f355ca9ddeec4b170cd8e971 |
\Users\Admin\AppData\Local\Temp\_MEI29322\api-ms-win-core-processthreads-l1-1-1.dll
| MD5 | 642b5d00c665764485253799da0208d0 |
| SHA1 | 848247b2981525160f264aa5c169158035edd5e5 |
| SHA256 | 3c512ab982b1791b06866694efc115ea4da4e49166a14b28b90689830b8915c2 |
| SHA512 | bd946660ad98a437e31b627b96aa029952e34903c82cfccfc9b8027c9eb22bb0c58b4a716fb73f6b5cdb47d2a081b15b472f84ae8fffde2d4048410d65faae47 |
\Users\Admin\AppData\Local\Temp\_MEI29322\api-ms-win-core-localization-l1-2-0.dll
| MD5 | a56cb984f78ef81747eb06929e51608d |
| SHA1 | da3bd23b420aabb4d788a1d487de97ac6d6f1f8e |
| SHA256 | 765f94c4e1c2639b32c6c218d2ffc73633101430670e0eab92a9b9dce1132fc0 |
| SHA512 | bf3b77089b8a1ae018ba5d90912fc60853fa2a078034837f9b17c0c9c13f44d7440600f118685741f48c52c4b30115e6d943ca35f437f005cab12ad3adc9f699 |
\Users\Admin\AppData\Local\Temp\_MEI29322\api-ms-win-core-file-l1-2-0.dll
| MD5 | d21990615e2a9feb29613cffddce5da0 |
| SHA1 | a701b95716677409e8997e3affccb38a7332efd3 |
| SHA256 | e374718baaeb789c0893bd906e491fabff6fab9b1abad826a962bf86b89d4896 |
| SHA512 | 20f7734713ade34c6e26cc8b69f48243b878aa19e6764d17688214e8fe0d03bc775dae62e368a3a81d14879214ba7388fc1ac31a58ae1bd375951ee80a84098a |
memory/2560-1321-0x000007FEF62C0000-0x000007FEF68B2000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-12-19 16:37
Reported
2024-12-19 16:41
Platform
win7-20240903-de
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\.pyc\ = "pyc_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\pyc_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\.pyc | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\pyc_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\pyc_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\pyc_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\pyc_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2696 wrote to memory of 2788 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2696 wrote to memory of 2788 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2696 wrote to memory of 2788 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2788 wrote to memory of 2740 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2788 wrote to memory of 2740 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2788 wrote to memory of 2740 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2788 wrote to memory of 2740 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc"
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 5c6811b180958e27b534b007e97cfcdb |
| SHA1 | 3d98a7fabec7f9a7605a8b17c2e882b3db3a78d0 |
| SHA256 | 189b900d43f182c3ebdd3a5b6a4e657a9bbc120b544bc4b1e2ae53737621f63b |
| SHA512 | aa36edc44c7e5e6f151995f5786559dcae7f534c12736ae52719223093262eec9f6cdbfceff1701e0fbfb42ee2d1506627f8ff06495278604ede782c7a802eca |
Analysis: behavioral9
Detonation Overview
Submitted
2024-12-19 16:37
Reported
2024-12-19 16:41
Platform
win7-20240903-de
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\.pyc | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\.pyc\ = "pyc_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\pyc_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\pyc_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\pyc_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\pyc_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\pyc_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1984 wrote to memory of 3068 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1984 wrote to memory of 3068 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1984 wrote to memory of 3068 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 3068 wrote to memory of 2616 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 3068 wrote to memory of 2616 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 3068 wrote to memory of 2616 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 3068 wrote to memory of 2616 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\passwords_grabber.pyc
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\passwords_grabber.pyc
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\passwords_grabber.pyc"
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | f8ae8c1e7c17508ca4d918221ce4d6e1 |
| SHA1 | 10c725c798b3bb6cb08d6862e651f432847e90a8 |
| SHA256 | 9d299efb38379ec4c65f31c1811c71ea8f1b0f273faa9dc0f1c18c298f8afd40 |
| SHA512 | 0cada9653f6171a44ac047fd45b0c816cf83eca7eb22071b8415602237bb64b9de4c956d0c43a25d0287954f4a87bb9a35e6bc06364b44baecdb6848411461c4 |
Analysis: behavioral10
Detonation Overview
Submitted
2024-12-19 16:37
Reported
2024-12-19 16:41
Platform
win10v2004-20241007-de
Max time kernel
96s
Max time network
150s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\passwords_grabber.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |