Analysis
-
max time kernel
85s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
11-05-2024 03:38
General
-
Target
6d5ba38a5e9bde7939ac5dcb8fdcb970701168064d30abcf518cf8d272a0f581.exe
-
Size
44.1MB
-
MD5
e4897ef7419e128b1f7473119ce0bd07
-
SHA1
5aad252412a5923438f30cb9c397731a9b020121
-
SHA256
6d5ba38a5e9bde7939ac5dcb8fdcb970701168064d30abcf518cf8d272a0f581
-
SHA512
db66ea2cb3f5f30934ab071e1dd2e7b41f6dc5c4be125f1d2d6aab627b3be8b6cf8fcbed517a414cdf037a068414b178176edba2e28de6419b65269e0abb162c
-
SSDEEP
786432:NCZkrrfdktmLX8t8lBBvUPlZIOPuOI64zlNWtVMoOIsuXzfVib4a9BWN:N4GlkcLMtUzilKUINzmtVkMfWo
Score
10/10
Malware Config
Signatures
-
MilleniumRat
MilleniumRat is a remote access trojan written in C#.
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 12 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Using powershell.exe command.
-
Contacts a large (1167) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Stops running service(s) 4 TTPs
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 37 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Detects Pyinstaller 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
-
Enumerates processes with tasklist 1 TTPs 4 IoCs
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 4 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 16 IoCs
-
Suspicious use of SendNotifyMessage 4 IoCs
-
Suspicious use of SetWindowsHookEx 26 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1020 -s 30803⤵
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\yntnomxcupkb.xml"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\6d5ba38a5e9bde7939ac5dcb8fdcb970701168064d30abcf518cf8d272a0f581.exe"C:\Users\Admin\AppData\Local\Temp\6d5ba38a5e9bde7939ac5dcb8fdcb970701168064d30abcf518cf8d272a0f581.exe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"14⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV115⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"17⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV118⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"20⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV121⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"23⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV124⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet24⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet25⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"26⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV127⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet27⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet28⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"29⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV130⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet30⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet31⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"32⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV133⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet33⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet34⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"35⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV136⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet36⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet37⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"38⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV139⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet39⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet40⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"41⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV142⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet42⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet43⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"44⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV145⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet45⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet46⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"47⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV148⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet48⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet49⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"50⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV151⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet51⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet52⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"53⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV154⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet54⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet55⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"56⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV157⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet57⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet58⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"59⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV160⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet60⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet61⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"62⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV163⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet63⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet64⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"65⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV166⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet66⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet67⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"68⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV169⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet69⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet70⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"71⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV172⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet72⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet73⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"74⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV175⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet75⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet76⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"77⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV178⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet78⤵
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet79⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"80⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV181⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet81⤵
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet82⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"83⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV184⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet84⤵
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet85⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"86⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV187⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet87⤵
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet88⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"89⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV190⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet90⤵
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet91⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"92⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV193⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet93⤵
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet94⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"95⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV196⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet96⤵
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet97⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"98⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV199⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet99⤵
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet100⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"101⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1102⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet102⤵
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet103⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"104⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1105⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet105⤵
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet106⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"107⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1108⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet108⤵
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet109⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"110⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1111⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet111⤵
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet112⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"113⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1114⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet114⤵
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet115⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"116⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1117⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet117⤵
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet118⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"119⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1120⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet120⤵
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-