Malware Analysis Report

2024-09-23 02:58

Sample ID 240702-nffadatenr
Target d321f75b27ffdadbe36f7f1a94727487e955a74ec629fdd054dec54e4b6fc87b
SHA256 d321f75b27ffdadbe36f7f1a94727487e955a74ec629fdd054dec54e4b6fc87b
Tags
pyinstaller asyncrat stormkitty default persistence rat stealer privilege_escalation spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d321f75b27ffdadbe36f7f1a94727487e955a74ec629fdd054dec54e4b6fc87b

Threat Level: Known bad

The file d321f75b27ffdadbe36f7f1a94727487e955a74ec629fdd054dec54e4b6fc87b was found to be: Known bad.

Malicious Activity Summary

pyinstaller asyncrat stormkitty default persistence rat stealer privilege_escalation spyware

StormKitty payload

AsyncRat

StormKitty

Async RAT payload

Downloads MZ/PE file

Drops file in Drivers directory

Executes dropped EXE

Drops startup file

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Looks up geolocation information via web service

Adds Run key to start application

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Detects Pyinstaller

Unsigned PE

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Scheduled Task/Job: Scheduled Task

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Delays execution with timeout.exe

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-02 11:20

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-02 11:20

Reported

2024-07-02 11:22

Platform

win7-20240220-en

Max time kernel

24s

Max time network

146s

Command Line

C:\Windows\Explorer.EXE

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\system32\relog.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Adobe.exe.lnk C:\Users\Admin\AppData\Roaming\nik.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Identities.exe.lnk C:\Users\Admin\AppData\Roaming\nik.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Macromedia.exe.lnk C:\Users\Admin\AppData\Roaming\nik.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Media Center Programs.exe.lnk C:\Users\Admin\AppData\Roaming\nik.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Microsoft.exe.lnk C:\Users\Admin\AppData\Roaming\nik.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Mozilla.exe.lnk C:\Users\Admin\AppData\Roaming\nik.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\psvhost.exe.lnk C:\Users\Admin\AppData\Roaming\nik.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service_Identities = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\Service_Identities.exe" C:\Users\Admin\AppData\Roaming\nik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service_Macromedia = "C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\Service_Macromedia.exe" C:\Users\Admin\AppData\Roaming\nik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service_Media Center Programs = "C:\\Users\\Admin\\AppData\\Roaming\\Media Center Programs\\Service_Media Center Programs.exe" C:\Users\Admin\AppData\Roaming\nik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service_Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Service_Microsoft.exe" C:\Users\Admin\AppData\Roaming\nik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service_Mozilla = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Service_Mozilla.exe" C:\Users\Admin\AppData\Roaming\nik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\WpnUserService = "C:\\Users\\Admin\\AppData\\Roaming\\nik.exe" C:\Users\Admin\AppData\Roaming\nik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ACCC Tools = "C:\\ProgramData\\KMSAuto\\accc.exe" C:\Users\Admin\AppData\Local\Temp\538C.tmp.Installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service_Adobe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Service_Adobe.exe" C:\Users\Admin\AppData\Roaming\nik.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2744 set thread context of 1980 N/A C:\Users\Admin\AppData\Roaming\nik.exe C:\Windows\system32\relog.exe

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04
eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Roaming\nik.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Roaming\nik.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (blob data omitted) C:\Users\Admin\AppData\Roaming\nik.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Roaming\nik.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (blob data omitted) C:\Users\Admin\AppData\Roaming\nik.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (blob data omitted) C:\Users\Admin\AppData\Roaming\nik.exe N/A
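
The AuthRoot and ROOT writes above are the evidence behind the "Modifies system certificate store" signature, and the severity depends entirely on which certificate went in: an unknown self-signed root means TLS interception or forged code-signing trust, while a public root that CryptoAPI cached while building a chain is noise. The Blob value answers that question. The following is an added example and not part of the sandbox report: it parses the CryptoAPI property-record layout of a certificate Blob (three little-endian DWORDs, property ID, flags and length, followed by the data; the layout is undocumented but well known, the property-ID names are from wincrypt.h) and runs it over the leading bytes of the AuthRoot blob shown above. The decoded friendly name is DST Root CA X3, the stored SHA-1 property equals the registry key name, and the serial number is IdenTrust's. AuthRoot is the store that Windows' automatic root update populates, the ROOT thumbprint CABD2A79A1076A31F21D253635CB039D4329A5E8 is the published SHA-1 of ISRG Root X1, and apps.identrust.com and x2.c.lencr.org in the Network table are IdenTrust and Let's Encrypt chain and revocation hosts, so these writes are consistent with chain-building for the HTTPS connection to auth.xn--conbase-sfb.xyz rather than a malicious root install. The sample blob embedded below is cut short after the issuer name; the parser reports the truncation instead of guessing.

```python
"""Decode a CryptoAPI certificate Blob as stored under
HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\<store>\\Certificates\\<SHA1>\\Blob.

The value is a flat list of property records:
    DWORD propid | DWORD flags (always 1 in practice) | DWORD length | BYTE data[length]
Property 0x20 (CERT_CERT_PROP_ID) holds the DER certificate; the others are cached
hashes, the friendly name and the enhanced-key-usage list.
"""
from __future__ import annotations

import hashlib
import struct

# Property IDs from wincrypt.h.
PROP_NAMES = {
    0x03: "CERT_SHA1_HASH_PROP_ID",
    0x04: "CERT_MD5_HASH_PROP_ID",
    0x09: "CERT_ENHKEY_USAGE_PROP_ID",
    0x0B: "CERT_FRIENDLY_NAME_PROP_ID",
    0x0F: "CERT_SIGNATURE_HASH_PROP_ID",
    0x14: "CERT_KEY_IDENTIFIER_PROP_ID",
    0x19: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
    0x1D: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID",
    0x20: "CERT_CERT_PROP_ID",
}

# Leading bytes of the AuthRoot\...\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob value from
# this report. The 846-byte certificate record is cut off after the issuer name to keep the
# sample short; the parser flags the truncation rather than guessing at the rest.
SAMPLE_BLOB_HEX = (
    "040000000100000010000000410352dc0ff7501b16f0028eba6f45c5"
    "0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d"
    "0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000"
    "090000000100000016000000301406082b0601050507030406082b06010505070301"
    "140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910"
    "1d00000001000000100000004558d512eecb27464920897de7b66053"
    "030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c13"
    "1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424"
    "20000000010000004e030000"
    "3082034a30820232a003020102021044afb080d6a327ba893039862ef8406b"
    "300d06092a864886f70d0101050500"
    "303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e"
    "311730150603550403130e44535420526f6f74204341205833"
)


def parse_cert_blob(blob: bytes) -> list[dict]:
    """Walk the property records; a short final record is kept and flagged as truncated."""
    records, off = [], 0
    while off + 12 <= len(blob):
        propid, _flags, length = struct.unpack_from("<III", blob, off)
        off += 12
        data = blob[off:off + length]
        records.append({
            "propid": propid,
            "name": PROP_NAMES.get(propid, f"PROP_{propid:#x}"),
            "declared_len": length,
            "data": data,
            "truncated": len(data) < length,
        })
        off += length
    return records


def decode_oid(der_value: bytes) -> str:
    """Decode the value bytes of an ASN.1 OBJECT IDENTIFIER into dotted form."""
    arcs, acc = [der_value[0] // 40, der_value[0] % 40], 0
    for b in der_value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_eku(der: bytes) -> list[str]:
    """CERT_ENHKEY_USAGE_PROP_ID is a DER SEQUENCE OF OID; short-form lengths suffice here."""
    if not der or der[0] != 0x30:
        return []
    body, oids, i = der[2:2 + der[1]], [], 0
    while i + 2 <= len(body):
        tag, ln = body[i], body[i + 1]
        if tag == 0x06:
            oids.append(decode_oid(body[i + 2:i + 2 + ln]))
        i += 2 + ln
    return oids


def cert_serial_hex(der: bytes) -> str:
    """Certificate -> tbsCertificate -> [0] version -> INTEGER serialNumber (long-form outer lengths)."""
    i = 0
    for _ in range(2):
        if der[i] != 0x30 or der[i + 1] != 0x82:
            raise ValueError("unexpected certificate framing")
        i += 4
    if der[i] == 0xA0:  # EXPLICIT [0] version, present for v2/v3 certificates
        i += 2 + der[i + 1]
    if der[i] != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return der[i + 2:i + 2 + der[i + 1]].hex()


def summarize(blob_hex: str) -> dict:
    by_id = {r["propid"]: r for r in parse_cert_blob(bytes.fromhex(blob_hex))}
    cert = by_id[0x20]
    thumbprint = by_id[0x03]["data"].hex().upper()
    return {
        "friendly_name": by_id[0x0B]["data"].decode("utf-16-le").rstrip("\x00"),
        "sha1_thumbprint": thumbprint,
        "eku": parse_eku(by_id[0x09]["data"]),
        "serial": cert_serial_hex(cert["data"]),
        "cert_declared_len": cert["declared_len"],
        "cert_truncated": cert["truncated"],
        # Only meaningful on a complete record: the stored SHA-1 property must equal SHA-1(DER).
        "thumbprint_matches_der": None if cert["truncated"]
        else hashlib.sha1(cert["data"]).hexdigest().upper() == thumbprint,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_BLOB_HEX).items():
        print(f"{key:>22}: {value}")
```

On a complete blob, thumbprint_matches_der recomputes SHA-1 over the DER and compares it with the stored property and the key name; that is the check to run before trusting the friendly name a blob claims, since a rogue root can carry any name it likes.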

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\relog.exe N/A (63 identical rows)
N/A N/A C:\Windows\Explorer.EXE N/A (1 row)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\nik.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\nik.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\nik.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\nik.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Roaming\nik.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Roaming\nik.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Roaming\nik.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\nik.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\nik.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\nik.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\nik.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\nik.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\nik.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Roaming\nik.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\nik.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Roaming\nik.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Roaming\nik.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Users\Admin\AppData\Roaming\nik.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Users\Admin\AppData\Roaming\nik.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Users\Admin\AppData\Roaming\nik.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A (44 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2268 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\d321f75b27ffdadbe36f7f1a94727487e955a74ec629fdd054dec54e4b6fc87b.exe C:\Users\Admin\AppData\Roaming\nik.exe (4 identical rows)
PID 2268 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\d321f75b27ffdadbe36f7f1a94727487e955a74ec629fdd054dec54e4b6fc87b.exe C:\Users\Admin\AppData\Roaming\Smtp.exe (4 identical rows)
PID 2924 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Roaming\Smtp.exe C:\Users\Admin\AppData\Roaming\Smtp.exe (3 identical rows)
PID 2744 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Roaming\nik.exe C:\Windows\system32\relog.exe (4 identical rows)
PID 1980 wrote to memory of 1064 N/A C:\Windows\system32\relog.exe C:\Windows\Explorer.EXE (2 identical rows)
PID 1064 wrote to memory of 884 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\538C.tmp.Installer.exe (3 identical rows)
PID 1064 wrote to memory of 2284 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\58CB.tmp.Server.exe (4 identical rows)
PID 884 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\538C.tmp.Installer.exe C:\Windows\system32\schtasks.exe (3 identical rows)
PID 884 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\538C.tmp.Installer.exe C:\ProgramData\KMSAuto\accc.exe (3 identical rows)
PID 884 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\538C.tmp.Installer.exe C:\Windows\system32\cmd.exe (3 identical rows)
PID 1728 wrote to memory of 2324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe (3 identical rows)

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\d321f75b27ffdadbe36f7f1a94727487e955a74ec629fdd054dec54e4b6fc87b.exe

"C:\Users\Admin\AppData\Local\Temp\d321f75b27ffdadbe36f7f1a94727487e955a74ec629fdd054dec54e4b6fc87b.exe"

C:\Users\Admin\AppData\Roaming\nik.exe

"C:\Users\Admin\AppData\Roaming\nik.exe"

C:\Users\Admin\AppData\Roaming\Smtp.exe

"C:\Users\Admin\AppData\Roaming\Smtp.exe"

C:\Users\Admin\AppData\Roaming\Smtp.exe

"C:\Users\Admin\AppData\Roaming\Smtp.exe"

C:\Windows\system32\relog.exe

C:\Windows\system32\relog.exe

C:\Users\Admin\AppData\Local\Temp\538C.tmp.Installer.exe

"C:\Users\Admin\AppData\Local\Temp\538C.tmp.Installer.exe"

C:\Users\Admin\AppData\Local\Temp\58CB.tmp.Server.exe

"C:\Users\Admin\AppData\Local\Temp\58CB.tmp.Server.exe"

C:\Windows\system32\schtasks.exe

"schtasks.exe" /create /tn ACCC Tools /tr "C:\ProgramData\KMSAuto\accc.exe" /st 11:25 /du 23:59 /sc daily /ri 1 /f

C:\ProgramData\KMSAuto\accc.exe

"C:\ProgramData\KMSAuto\accc.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5EB3.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 7

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid
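
Read together, the WriteProcessMemory and SetThreadContext rows and the process list above give the execution chain: the PyInstaller loader (PID 2268) drops and starts nik.exe and Smtp.exe; nik.exe (2744) writes into and sets the thread context of a freshly spawned relog.exe (1980), i.e. it hollows a legitimate Windows binary, and that relog.exe is the process that later opens C:\Windows\system32\drivers\etc\hosts for modification (the "Drops file in Drivers directory" hit) and enumerates processes with SeDebugPrivilege enabled; relog.exe then injects into Explorer.EXE (1064), which launches 538C.tmp.Installer.exe and 58CB.tmp.Server.exe; the Installer registers the "ACCC Tools" scheduled task and HKLM Run key pointing at C:\ProgramData\KMSAuto\accc.exe and runs a dropped .bat that sleeps with timeout 7. The SysWOW64 cmd.exe / chcp 65001 / netsh wlan show profile chain is StormKitty's Wi-Fi profile collection; the page shows no netsh add helper command, so the "Event Triggered Execution: Netsh Helper DLL" summary hit should be read as a netsh.exe execution match, not confirmed helper-DLL persistence. The following is an added example, not from the report: a few regex detections with their ATT&CK technique IDs, run over the command lines listed above. The user-writable directory list is an assumption to extend per environment.

```python
"""Command-line detections over the Processes section of this report. Each rule pairs a
regex with the ATT&CK technique the command line evidences; run_detections() returns
every (technique, title, command line) hit."""
from __future__ import annotations

import re

# Command lines copied from the Processes section of this report.
COMMAND_LINES = [
    r'"C:\Users\Admin\AppData\Roaming\nik.exe"',
    r'"schtasks.exe" /create /tn ACCC Tools /tr "C:\ProgramData\KMSAuto\accc.exe" /st 11:25 /du 23:59 /sc daily /ri 1 /f',
    r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5EB3.tmp.bat""',
    r'timeout 7',
    r'"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All',
    r'netsh wlan show profile',
    r'"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid',
    r'netsh wlan show networks mode=bssid',
]

# Directories a standard user can write to; a task action or autorun pointing here is the usual
# shape of user-level persistence (assumption: extend this list for your own environment).
USER_WRITABLE = r'(?:C:\\ProgramData\\|C:\\Users\\[^\\]+\\AppData\\)'

RULES = [
    ("T1053.005", "schtasks /create with an action in a user-writable directory",
     re.compile(r'schtasks(?:\.exe)?"?\s+/create\b.*?/tr\s+"?' + USER_WRITABLE, re.I)),
    ("T1016", "netsh wlan enumeration of saved Wi-Fi profiles or nearby networks",
     re.compile(r'\bnetsh\s+wlan\s+show\s+(?:profiles?|networks)\b', re.I)),
    ("T1497.003", "timeout-based delay before the next stage",
     re.compile(r'^\s*"?timeout(?:\.exe)?"?\s+(?:/t\s+)?\d+', re.I)),
    ("T1059.003", "cmd.exe executing a batch file dropped in %TEMP%",
     re.compile(r'cmd(?:\.exe)?"?\s+/c\s+"*[^"]*\\AppData\\Local\\Temp\\[^"]+\.bat', re.I)),
]


def run_detections(cmdlines: list[str]) -> list[tuple[str, str, str]]:
    """Return one (technique, title, command line) tuple per rule that matches a command line."""
    hits = []
    for cmd in cmdlines:
        for technique, title, rx in RULES:
            if rx.search(cmd):
                hits.append((technique, title, cmd))
    return hits


def techniques_seen(cmdlines: list[str]) -> set[str]:
    """The distinct ATT&CK technique IDs evidenced by a set of command lines."""
    return {technique for technique, _, _ in run_detections(cmdlines)}


if __name__ == "__main__":
    for technique, title, cmd in run_detections(COMMAND_LINES):
        print(f"[{technique}] {title}\n    {cmd}")
```

The schtasks rule deliberately keys on where the task action lives rather than on schtasks.exe itself, which fires constantly on a healthy host; the same idea applies to the Run key values above, all of which point into %APPDATA% or C:\ProgramData.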

Network

Country Destination Domain Proto
US 8.8.8.8:53 auth.xn--conbase-sfb.xyz udp
US 104.21.13.213:443 auth.xn--conbase-sfb.xyz tcp
US 8.8.8.8:53 apps.identrust.com udp
BE 23.14.90.73:80 apps.identrust.com tcp
US 8.8.8.8:53 x2.c.lencr.org udp
BE 23.55.97.11:80 x2.c.lencr.org tcp
US 8.8.8.8:53 auth.xn--conbase-sfb.xyz udp
US 172.67.133.32:80 auth.xn--conbase-sfb.xyz tcp
US 8.8.8.8:53 auth.xn--conbase-sfb.xyz udp
US 172.67.133.32:80 auth.xn--conbase-sfb.xyz tcp
US 172.67.133.32:80 auth.xn--conbase-sfb.xyz tcp
US 172.67.133.32:80 auth.xn--conbase-sfb.xyz tcp
US 8.8.8.8:53 www.igenius.org udp
US 192.3.140.185:80 www.igenius.org tcp
US 8.8.8.8:53 hrdc.pk udp
US 64.31.40.18:80 hrdc.pk tcp
US 192.3.140.185:80 www.igenius.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 172.67.133.32:80 auth.xn--conbase-sfb.xyz tcp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.185.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 172.67.196.114:443 api.mylnikov.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 172.67.133.32:80 auth.xn--conbase-sfb.xyz tcp
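
The Network table tells the story of the run in one screen: a Cloudflare-fronted host at auth.xn--conbase-sfb.xyz contacted repeatedly on 80 and 443, api.telegram.org on 443 (consistent with StormKitty's Telegram reporting), icanhazip.com and api.mylnikov.org (the external-IP and geolocation lookups flagged in the signatures), two unrelated sites on port 80, and the IdenTrust and Let's Encrypt hosts CryptoAPI consults while validating a TLS chain. The xn-- prefix marks an internationalised label, and the ASCII form hides what a victim would see in a browser. The following is an added example, not part of the report: it groups a subset of the rows above per domain, drops resolver traffic, decodes xn-- labels with Python's Punycode codec, and maps a small hand-picked confusables table (an assumption, not the full Unicode UTS #39 list) to an ASCII skeleton. auth.xn--conbase-sfb.xyz decodes to auth.coınbase.xyz, a dotless-i lookalike of the Coinbase brand.

```python
"""Triage the Network table of a sandbox report: group endpoints per domain and decode
IDN (xn--) labels so a homoglyph lookalike shows up as the brand it imitates."""
from __future__ import annotations

import unicodedata
from collections import defaultdict

# A subset of the rows from the Network table of this report, in its column order
# (Country Destination Domain Proto).
NETWORK_ROWS = """\
US 8.8.8.8:53 auth.xn--conbase-sfb.xyz udp
US 104.21.13.213:443 auth.xn--conbase-sfb.xyz tcp
US 8.8.8.8:53 apps.identrust.com udp
BE 23.14.90.73:80 apps.identrust.com tcp
US 8.8.8.8:53 x2.c.lencr.org udp
BE 23.55.97.11:80 x2.c.lencr.org tcp
US 172.67.133.32:80 auth.xn--conbase-sfb.xyz tcp
US 192.3.140.185:80 www.igenius.org tcp
US 64.31.40.18:80 hrdc.pk tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 104.16.185.241:80 icanhazip.com tcp
US 172.67.196.114:443 api.mylnikov.org tcp
"""

# Hand-picked subset of Unicode confusables (an assumption: enough for the Turkic and Cyrillic
# lookalikes common in phishing domains, not the full UTS #39 table).
CONFUSABLES = {
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
}


def decode_idn(host: str) -> str:
    """Decode each xn-- label with the raw Punycode codec. Unlike the 'idna' codec this does not
    re-validate the label, so it does not raise on the odd labels attackers register."""
    labels = []
    for label in host.split("."):
        if label.lower().startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # not valid Punycode: keep the raw label
        labels.append(label)
    return ".".join(labels)


def ascii_skeleton(host: str) -> str:
    """Map known confusables, then strip diacritics, to approximate the imitated brand."""
    mapped = "".join(CONFUSABLES.get(c, c) for c in host)
    return "".join(c for c in unicodedata.normalize("NFKD", mapped) if not unicodedata.combining(c))


def triage(rows: str) -> dict[str, dict]:
    """Per domain: endpoints and countries contacted, decoded name, skeleton and lookalike flag."""
    per_domain: dict[str, dict] = defaultdict(lambda: {"endpoints": set(), "countries": set()})
    for line in rows.strip().splitlines():
        country, dest, domain, proto = line.split()
        if proto == "udp" and dest.endswith(":53"):
            continue  # resolver traffic; the resolved name is what matters
        per_domain[domain]["endpoints"].add(f"{proto}/{dest}")
        per_domain[domain]["countries"].add(country)
    for domain, entry in per_domain.items():
        decoded = decode_idn(domain)
        entry["decoded"] = decoded
        entry["skeleton"] = ascii_skeleton(decoded)
        entry["lookalike"] = not decoded.isascii()
    return dict(per_domain)


if __name__ == "__main__":
    for domain, entry in triage(NETWORK_ROWS).items():
        flag = "LOOKALIKE" if entry["lookalike"] else ""
        print(f"{domain:32} -> {entry['skeleton']:24} {sorted(entry['endpoints'])} {flag}")
```

The skeleton is what to pivot on: searching proxy logs for the ASCII string coinbase finds nothing, while the xn-- form and the decoded form together cover both how the host appears on the wire and how it appears to a user.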

Files

\Users\Admin\AppData\Roaming\nik.exe

MD5 c848ac85788c3e3e23e9b20746cb978e
SHA1 5960836d8c29b7408a60421ee6c2558e4e1eb0a4
SHA256 a00fcfe94826aff5275d6c7d5af9701dee5610f3bec64a81256ee1dac86d0225
SHA512 5e0478133dfec564344f22706d17c52caf37120f32e8c2befa80d35cbcb4564e11f97bd96a9b3c1c143d0c5c16bfdb52307f84e6fa91a1c855f01557d532c821

\Users\Admin\AppData\Roaming\Smtp.exe

MD5 4e8ec4867bf90e7c6082f2a918ef7631
SHA1 65b03b83a107fc8ced5cccc56de11c59862c0e45
SHA256 0da1fddf259afe14e217714543d15545803a5e60519921288035c45161936e9d
SHA512 091f709047cd6778281f60b6127eee1f01e782639a17ae090b14716ef405da8b2815f874796a1d5fdd9934343b83b82e996c51e8b7443c3552374a326617813b

C:\Users\Admin\AppData\Local\Temp\_MEI29242\python38.dll

MD5 eec355a6e9586f823a4f12bed11e6c80
SHA1 33627398cb32f4fbb162f38f7c277ad5b13a99ba
SHA256 560a6a5f8b7afa99600cc47da26a802c342d7f50ffe23850372f2fcf536cd26f
SHA512 7b4b3c13383de62a17aa1aafabce657ea5f4aadd716430fcd6e0f3125b773ae1589b3eaa050ccd87b37f6fae2391c5e7a8a229c0b0fa135de8d0269e9752bea0

C:\Users\Admin\AppData\Local\Temp\_MEI29242\VCRUNTIME140.dll

MD5 7942be5474a095f673582997ae3054f1
SHA1 e982f6ebc74d31153ba9738741a7eec03a9fa5e8
SHA256 8ee6b49830436ff3bec9ba89213395427b5535813930489f118721fd3d2d942c
SHA512 49fbc9d441362b65a8d78b73d4fdcf988f22d38a35a36a233fcd54e99e95e29b804be7eabe2b174188c7860ebb34f701e13ed216f954886a285bed7127619039

C:\Users\Admin\AppData\Local\Temp\Cab20DB.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\_MEI29242\base_library.zip

MD5 877f89f4a141da5810ae8df658dae577
SHA1 df17d4bf2fa8bc3ce9a85f635ee8cfe640cdd3d2
SHA256 f009edc33aea2ee2dc1e9ed32e27ddda6204c45c87a6f722b883c76eb394555f
SHA512 988a3daf5df93fe509886c4af86039493667ba83957d41a48615101d3bbcd8b2c319ae59e59cc83a6765f33558e396294f8e9e349f8c21131c0f10a2bad6f212

C:\Users\Admin\AppData\Local\Temp\_MEI29242\_ctypes.pyd

MD5 4786508ffadc542bd677f45af820fdb9
SHA1 fc0f7dae6e0d093594e4ff1c293ce004dbd16fd7
SHA256 64f5072cd9536418ec0fd4b5c30c13b03cdddced1f9332d4d721c4b37ae3883e
SHA512 ad4b0e6883c2f0c003c46b1b85f5fbc2c1f8366a212695b9e47664c8735a30d4c8a3c645b324d3d059582096a1fe78ac1043ba8a639ced0665ef8c5cc33d0b80

\Users\Admin\AppData\Local\Temp\_MEI29242\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

\Users\Admin\AppData\Local\Temp\_MEI29242\_socket.pyd

MD5 bc7b1b0112427976b83911e607213c37
SHA1 f4c7eb5b46ebe015a13de59f17ca158c01a377f4
SHA256 85f200cb9adf0ef97d40b897868f6ad564211d3529f0b6dfe8e04c56a7b832bc
SHA512 18bc94c917ee894121241dcf65fab370a344caaf1120162fcb0966503c502b3e990a79553d2e4e1e3403e35d2b5e00cb365254c08f99c93c178e2e1fd7b2a040

\Users\Admin\AppData\Local\Temp\_MEI29242\select.pyd

MD5 bb6e9825bd4a98e0700d96b59ec64f68
SHA1 afd51547dad9cd7fac0efbda76b5e2388a027681
SHA256 bb81d220db83d5276fccda137d430160b8eafd40f4d92d86ebc718b4dfd555ac
SHA512 2380a0a2bd625ff79b04bb9d4f6611150512d72f719a3cc73806ea979c29b01fc3d947fb2998e308796a32061e0f2d34d158876924c71350c759e2a841abf964

C:\Users\Admin\AppData\Local\Temp\_MEI29242\libcrypto-1_1.dll

MD5 aa811bb63dbd4c5859b68332326f60b1
SHA1 6e5584d5c59d2f79cbf60c6c71a92ecd7e4e0977
SHA256 00a1eeb37372d11559bf44c9e68af9c841c41c95a173f3dfec4e0b5923d0cae0
SHA512 dad9b14f501fd63824480f8801acd4004dd46f7a6965ac8ab91e573676236a11099f4b7cfdf7b3f6c0cc52a3b2e5d9b50f715f53a1f4f858ea2a5eb15d5092cd

\Users\Admin\AppData\Local\Temp\_MEI29242\_hashlib.pyd

MD5 ef3b935e7d9e1685b84636f908732b06
SHA1 968bca85a6f61fa24d53fc6aa77a3f48d2b08dd6
SHA256 46d3016b73ecf3713228df563971feefcbebcea9925349a0807b48f0e09877ce
SHA512 34c1779b8b7cd8449afaaeabb37a9bbb895c199d06557ea301361972ce4722f3db98e2e099eb2ce52486ab60567ac8041a4b3b3e8e917256bdd9954cbb9b05b3

C:\Users\Admin\AppData\Local\Temp\_MEI29242\_ssl.pyd

MD5 d1430e77cec5e84073700c3a65e3b8eb
SHA1 32009a7ea5e3097f38a33e3c5d73a9588f78e4a9
SHA256 174ec95c793fc33a97c57709b5117ca17700b90e7c71d72c9ec4bc7757b747a9
SHA512 1b49ce51e17b28eacc22e060b028697c93ee52a0a671ef615c6386c19e78a9ff67b84920fa5d8443970b53858a29c99dfcc395c0d6bc110ef125ec1c9da648f7

\Users\Admin\AppData\Local\Temp\_MEI29242\libssl-1_1.dll

MD5 2335285f5ac87173bd304efeddfa1d85
SHA1 64558d2150120abed3514db56299721c42c6fe58
SHA256 1b57a201184559164dedbddcb43bb110a18cafa19ea3d00fc23274ccfc420e94
SHA512 82737590d5ec7315ce8485c4794c01bfcce176ce443740a9f0cf5adfc3c3ed31a714556d33c1ca56db486636111d1ad855f606c87e5f322a505c535187ce2bde

C:\Users\Admin\AppData\Local\Temp\_MEI29242\unicodedata.pyd

MD5 c5334880576bbc751b20f6bd4baba992
SHA1 ebd8b76221d4dad9931aabcbb0434752280a99d1
SHA256 e5ebcc99f94766951bb75731afe07b7c4481e7ff3d252f21d39ddea7c8da4147
SHA512 08c964acd3064edf0210d6f12fe55896030756537b7e272c8e0f9b5e5606a6ed91094febabe3eadef51426bd6e4b06039cd9aa41a7756671edcac84684dfabb4

C:\Users\Admin\AppData\Local\Temp\_MEI29242\_queue.pyd

MD5 04849a636d85ad8bc535643580466b50
SHA1 17baef1ae4a1e33ed44e55c6b8de554b4814af0c
SHA256 80a803b8f9e2f1034cdbf47ba13efafaf2167a7ff9e5d97259506489e4ee58bd
SHA512 9a282680f9aaa5770cad88ee21ff1370a3a5209107d2965c2e6fed5d4fd40195e456c212ce4c27b89b29c68f30b666c803c9ef628e40ce8628c8664bbb8931f3

C:\Users\Admin\AppData\Local\Temp\_MEI29242\charset_normalizer\md.cp38-win_amd64.pyd

MD5 38105df780eddd734027328e0dca0ca3
SHA1 45f1d9e3472478f8e1ba86675f5c81c00b183bea
SHA256 9512896233d2119e78e2e1fcfd83643b2be2b427f08d16fc568fe98b9d4913cb
SHA512 ba2a05c236ce47d87888f618be2b23532d0d882578707b07ae220a96883b468f7088a19ebbe3bac2adf4035da6b7ee6fa9e57b620e2bc67b28e54cd969d6bbb3

C:\Users\Admin\AppData\Local\Temp\_MEI29242\charset_normalizer\md__mypyc.cp38-win_amd64.pyd

MD5 073f09e1edf5ec4173ce2de1121b9dd1
SHA1 6cdb2559a1b706446cdd993e6fd680095e119b2e
SHA256 7412969bfe1bca38bbb25bab02b54506a05015a4944b54953fcfdb179ec3f13c
SHA512 70a1a766001ec78a5fce7eadf6cae07f11b3ca6b08115e130c77d024524879577ccab263c596102102b1569933c601592fbb5ee07c7db123bb850965ef8e8e96

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\_MEI29242\_bz2.pyd

MD5 712a8dba2916f0261a1290a8e3d85ebf
SHA1 27dbfa5de547c30c457855594272545dafaeb39d
SHA256 d6e5763cecd267be0ff5355ff53e93428f3dd7ab20458fb1e7432dffa060cf82
SHA512 662664189f3a426a2042c998a5396fcb660f1ec123fe8089ec740ae414e0da9173d2e1abb6a231b3271bba9c4cb2a3a0a6ea45c475531bb986a4d085e74de1d9

C:\Users\Admin\AppData\Local\Temp\Tar2278.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\_MEI29242\_lzma.pyd

MD5 fea0e77f594207b8af1d240a16c6650e
SHA1 dd48f108074eade8c0f84916d619bce4a97c07bb
SHA256 d7acc95049c07298af56a316419e6548f3e6b56fb22dfb3382607a803dddb5e0
SHA512 3b06abcf29bd93232afd6ae0b8fbded6cc75c5a5cdbd5b410d16e6f19e034d4f903252eda243f670173cc05e78e36e767553e065648ce7c3af330d10922d51ff

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d0cc9a0bc98c07593b3906ffa3d915cc
SHA1 bddf7c72bfe1255a04bc449517cba0f8d7bc70e6
SHA256 a2fa2b1034848833cd6135be07b15ed3d202155475d0d54ba1858a60c0d7bbd0
SHA512 1e37d8416e0e1ca1623c5ca5ab26f7f4d4816c27e6eedae796c96e785cd3425bd3d98d60d571450e9345ca87da2ad3d828a0b669b142d6220b3c5cdd3688f38b

C:\Users\Admin\AppData\Local\Temp\_MEI29242\certifi\cacert.pem

MD5 78d9dd608305a97773574d1c0fb10b61
SHA1 9e177f31a3622ad71c3d403422c9a980e563fe32
SHA256 794d039ffdf277c047e26f2c7d58f81a5865d8a0eb7024a0fac1164fea4d27cf
SHA512 0c2d08747712ed227b4992f6f8f3cc21168627a79e81c6e860ee2b5f711af7f4387d3b71b390aa70a13661fc82806cc77af8ab1e8a8df82ad15e29e05fa911bf

C:\Windows\System32\drivers\etc\hosts

MD5 ee9d791fd900430e4d594e5bde5c096a
SHA1 25dd0ac5926d1d02bf4c9fe60d5aff6b602c9b7d
SHA256 74c6900b084deaf2ac76ee2113cfe73509e751c588707395fa2731e9bc154ccd
SHA512 cd1c18139594002e96c7094ff731812d9afb45fb34735731fb65eaecbd7918c2379fa52b8eea551ac9c51589827619f898a9a0ac95ee1ad8c0e94b589403efeb

memory/1980-225-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

\Users\Admin\AppData\Local\Temp\TH2BD4.tmp

MD5 59513d94d77979cec1d0b34cb9a990c3
SHA1 5e03e3eee9dab882f0f00afadc465c7121558d49
SHA256 a429e785198898dad7e54d29e6f925db8a78c77a971726014a456547ae8b57f1
SHA512 131069c7f03f36e5ca69010552109c09ec8a080eee6b75dde57b28065ff981e9fb4ade03eb94d1f48391806633ee94db4f1106a8d2b8fc8c473eec10db7ca0ea

memory/1064-269-0x0000000002EB0000-0x0000000002EF3000-memory.dmp

memory/1064-267-0x0000000002EB0000-0x0000000002EF3000-memory.dmp

memory/1064-271-0x0000000004650000-0x00000000046A1000-memory.dmp

memory/1064-272-0x0000000002F60000-0x0000000002F76000-memory.dmp

memory/1064-274-0x0000000002F60000-0x0000000002F76000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\538C.tmp.Installer.exe

MD5 bed8cdced2d57be2bd750f0f59991ecd
SHA1 4e2a885b9387fcf040b7eb79892de2f9fe55bca4
SHA256 5f628663f71e3baa55f10e6021597f7860bef868284eb50b8958169dcbbff4fd
SHA512 b85990a778c2462d57c3b314270bd1f397749450e75508e1012a14f21661358b98021efb791f694d9eb05f49b0776ea3ff4c803f842f858db5669968c477433f

memory/884-297-0x00000000008D0000-0x0000000000970000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\58CB.tmp.Server.exe

MD5 68fad5f5f8de1c290df5d3754b4af358
SHA1 0028395243f38a03b13726915144b9848e8da39a
SHA256 dbacc134902ee72d1464d3b61a3518402b7ab54807bb7b7541fc2916c8119e9e
SHA512 ce44611d5c47fdcb979c715352f5050c816d4e5a814b102836856ede279f774e4709ca48fb95639ca66476ca547176370da7afc5185af066832732da2c80ee01

memory/2284-304-0x00000000010E0000-0x0000000001112000-memory.dmp

memory/2432-317-0x00000000000A0000-0x0000000000140000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5EB3.tmp.bat

MD5 5b8a7519058c78b87741b5d7d0799c93
SHA1 cd5cd2c3841b4849c4e286db95108236c2408f55
SHA256 e6f0862919925061c440ca1a80bce84217a9942cc001192049a3458a54739fb2
SHA512 127728a32c4879be024c88625cb87b8805e20fd63ddf799bf104fbb4f248786728919534f4cd641da12034feda07f63218ffd44f0a9cd073a3f14565bd76f419

C:\Users\Admin\AppData\Local\bbe4d32d3a8785275f217713963c932e\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-02 11:20

Reported

2024-07-02 11:22

Platform

win10v2004-20240508-en

Max time kernel

85s

Max time network

143s

Command Line

C:\Windows\Explorer.EXE

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\system32\relog.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\83A7.tmp.Installer.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Adobe.exe.lnk C:\Users\Admin\AppData\Roaming\nik.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Microsoft.exe.lnk C:\Users\Admin\AppData\Roaming\nik.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Mozilla.exe.lnk C:\Users\Admin\AppData\Roaming\nik.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Sun.exe.lnk C:\Users\Admin\AppData\Roaming\nik.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\psvhost.exe.lnk C:\Users\Admin\AppData\Roaming\nik.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Adobe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Service_Adobe.exe" C:\Users\Admin\AppData\Roaming\nik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Service_Microsoft.exe" C:\Users\Admin\AppData\Roaming\nik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Mozilla = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Service_Mozilla.exe" C:\Users\Admin\AppData\Roaming\nik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Sun = "C:\\Users\\Admin\\AppData\\Roaming\\Sun\\Service_Sun.exe" C:\Users\Admin\AppData\Roaming\nik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WpnUserService = "C:\\Users\\Admin\\AppData\\Roaming\\nik.exe" C:\Users\Admin\AppData\Roaming\nik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ACCC Tools = "C:\\ProgramData\\KMSAuto\\accc.exe" C:\Users\Admin\AppData\Local\Temp\83A7.tmp.Installer.exe N/A
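
The Run-key rows above, the Startup-folder shortcuts listed under "Drops startup file" and the schtasks command line in this run's Processes section are three separate autorun mechanisms planted by nik.exe and the dropped installer. The script below is an added triage example, not part of this report or of the sandbox that produced it: it parses rows in the report's own row format, flags any autorun whose launch target lives in a directory a standard user can write to, and decodes the schtasks switches to show that `/sc daily /ri 1 /du 23:59` relaunches accc.exe every minute for the whole day. The VendorUpdate row is a constructed benign control and does not appear in the report.

```python
import re
from dataclasses import dataclass

@dataclass
class Finding:
    kind: str    # run_key | startup_lnk | scheduled_task
    name: str    # Run value name, .lnk file name or task name
    image: str   # what the autorun launches
    reason: str

# Rows copied from this report (sandbox row format: description, indicator,
# writing process, target). The VendorUpdate row is a constructed benign control.
RUN_KEY_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Adobe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Service_Adobe.exe" C:\Users\Admin\AppData\Roaming\nik.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WpnUserService = "C:\\Users\\Admin\\AppData\\Roaming\\nik.exe" C:\Users\Admin\AppData\Roaming\nik.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ACCC Tools = "C:\\ProgramData\\KMSAuto\\accc.exe" C:\Users\Admin\AppData\Local\Temp\83A7.tmp.Installer.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdate = "C:\\Program Files\\Vendor\\update.exe" C:\Program Files\Vendor\setup.exe N/A',
]
STARTUP_ROWS = [
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Adobe.exe.lnk C:\Users\Admin\AppData\Roaming\nik.exe N/A',
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\psvhost.exe.lnk C:\Users\Admin\AppData\Roaming\nik.exe N/A',
]
SCHTASKS_CMDLINES = [
    r'"schtasks.exe" /create /tn ACCC Tools /tr "C:\ProgramData\KMSAuto\accc.exe" /st 11:25 /du 23:59 /sc daily /ri 1 /f',
]

# Directories a standard user can write to: an autorun pointing here persists
# without any elevation, which is exactly what nik.exe and the installer do.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Users\\Public|Temp)\\", re.I)

RUN_ROW = re.compile(
    r'^Set value \(\w+\) \\REGISTRY\\(?P<hive>USER|MACHINE)\\\S*?\\Run\\'
    r'(?P<name>.+?) = "(?P<value>[^"]*)" (?P<proc>.+) \S+$')
STARTUP_ROW = re.compile(
    r"^File created (?P<path>.+?\\Startup\\(?P<name>\S+)) (?P<proc>.+) \S+$")

def parse_schtasks(cmdline):
    """Turn a schtasks.exe command line into {'/switch': 'value'}; unquoted multi-word values are joined."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    opts, key = {}, None
    for tok in tokens[1:]:
        if tok.startswith("/"):
            key = tok.lower()
            opts[key] = []
        elif key is not None:
            opts[key].append(tok.strip('"'))
    return {k: " ".join(v) for k, v in opts.items()}

def triage(run_rows, startup_rows, schtasks_cmdlines):
    findings = []
    for row in run_rows:
        m = RUN_ROW.match(row)
        if not m:
            continue
        image = m["value"].replace("\\\\", "\\")  # the report doubles backslashes in values
        if USER_WRITABLE.search(image):
            hive = "HKCU" if m["hive"] == "USER" else "HKLM"
            findings.append(Finding("run_key", m["name"], image,
                                    f"{hive} Run value in user-writable path, written by {m['proc']}"))
    for row in startup_rows:
        m = STARTUP_ROW.match(row)
        if m:  # anything dropped into the Startup folder runs at logon
            findings.append(Finding("startup_lnk", m["name"], m["path"],
                                    f"shortcut dropped into Startup by {m['proc']}"))
    for cmd in schtasks_cmdlines:
        o = parse_schtasks(cmd)
        if "/create" not in o:
            continue
        image, reasons = o.get("/tr", ""), []
        if USER_WRITABLE.search(image):
            reasons.append("task action in user-writable path")
        # /sc daily with /ri 1 /du 23:59 means: relaunch every minute, all day long
        if o.get("/ri", "").isdigit() and int(o["/ri"]) <= 5:
            reasons.append(f"repeats every {o['/ri']} min for {o.get('/du', '?')} ({o.get('/sc', '?')})")
        if reasons:
            findings.append(Finding("scheduled_task", o.get("/tn", "?"), image, "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for f in triage(RUN_KEY_ROWS, STARTUP_ROWS, SCHTASKS_CMDLINES):
        print(f"[{f.kind}] {f.name}: {f.image}\n    {f.reason}")
```

The user-writable check is deliberately a path test rather than a hash lookup: the names (Service_Adobe, Service_Microsoft, WpnUserService, "ACCC Tools" under a KMSAuto directory) are chosen to look legitimate, but no vendor installs its updater into AppData\Roaming or ProgramData\KMSAuto. A one-minute repetition interval on a daily task is likewise a watchdog pattern, not a maintenance schedule.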

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\d3e7dc1819b6c1200d977d410133478e\Admin@OBJIYUIE_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\87EE.tmp.Server.exe N/A
File created C:\Users\Admin\AppData\Local\d3e7dc1819b6c1200d977d410133478e\Admin@OBJIYUIE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\87EE.tmp.Server.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\d3e7dc1819b6c1200d977d410133478e\Admin@OBJIYUIE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\87EE.tmp.Server.exe N/A
File created C:\Users\Admin\AppData\Local\d3e7dc1819b6c1200d977d410133478e\Admin@OBJIYUIE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\87EE.tmp.Server.exe N/A
File created C:\Users\Admin\AppData\Local\d3e7dc1819b6c1200d977d410133478e\Admin@OBJIYUIE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\87EE.tmp.Server.exe N/A
File created C:\Users\Admin\AppData\Local\d3e7dc1819b6c1200d977d410133478e\Admin@OBJIYUIE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\87EE.tmp.Server.exe N/A
File created C:\Users\Admin\AppData\Local\d3e7dc1819b6c1200d977d410133478e\Admin@OBJIYUIE_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\87EE.tmp.Server.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4872 set thread context of 2660 N/A C:\Users\Admin\AppData\Roaming\nik.exe C:\Windows\system32\relog.exe

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\87EE.tmp.Server.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\87EE.tmp.Server.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\ProgramData\KMSAuto\accc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\relog.exe N/A (62 rows)
N/A N/A C:\Windows\Explorer.EXE N/A (2 rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\nik.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\nik.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\nik.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\nik.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Roaming\nik.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Roaming\nik.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Roaming\nik.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\nik.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\nik.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\nik.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\nik.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\nik.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\nik.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Roaming\nik.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\nik.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Roaming\nik.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Roaming\nik.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\nik.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Roaming\nik.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Roaming\nik.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Roaming\nik.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A (43 rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3368 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\d321f75b27ffdadbe36f7f1a94727487e955a74ec629fdd054dec54e4b6fc87b.exe C:\Users\Admin\AppData\Roaming\nik.exe (2 rows)
PID 3368 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\d321f75b27ffdadbe36f7f1a94727487e955a74ec629fdd054dec54e4b6fc87b.exe C:\Users\Admin\AppData\Roaming\Smtp.exe (2 rows)
PID 5084 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Roaming\Smtp.exe C:\Users\Admin\AppData\Roaming\Smtp.exe (2 rows)
PID 4872 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Roaming\nik.exe C:\Windows\system32\relog.exe (3 rows)
PID 2660 wrote to memory of 3516 N/A C:\Windows\system32\relog.exe C:\Windows\Explorer.EXE (2 rows)
PID 3516 wrote to memory of 2288 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\83A7.tmp.Installer.exe (2 rows)
PID 3516 wrote to memory of 1336 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\87EE.tmp.Server.exe (3 rows)
PID 2288 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\83A7.tmp.Installer.exe C:\Windows\system32\schtasks.exe (2 rows)
PID 2288 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\83A7.tmp.Installer.exe C:\ProgramData\KMSAuto\accc.exe (2 rows)
PID 2288 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\83A7.tmp.Installer.exe C:\Windows\system32\cmd.exe (2 rows)
PID 3460 wrote to memory of 4828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe (2 rows)
PID 1336 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\87EE.tmp.Server.exe C:\Windows\SysWOW64\cmd.exe (3 rows)
PID 3892 wrote to memory of 892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com (3 rows)
PID 3892 wrote to memory of 1620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe (3 rows)
PID 3892 wrote to memory of 1948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe (3 rows)
PID 1336 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\87EE.tmp.Server.exe C:\Windows\SysWOW64\cmd.exe (3 rows)
PID 3588 wrote to memory of 3644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com (3 rows)
PID 3588 wrote to memory of 780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe (3 rows)
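
The WriteProcessMemory table fires on every ordinary child launch as well (cmd.exe writing into chcp.com is just CreateProcess), so on its own it says little. Read together with the SetThreadContext row and the bare command lines of relog.exe and Explorer.EXE in the Processes section, it reconstructs the chain: the sample starts nik.exe, nik.exe hollows a suspended relog.exe, the code running inside relog.exe writes into the already-running desktop Explorer.EXE, and Explorer then appears as the parent of both dropped payloads. The script below is an added example of that reconstruction, not part of this report or of the sandbox: it takes a subset of the rows in the report's own format, keys processes by (PID, image) because PID 1620 is reused for schtasks.exe and later netsh.exe, and flags only writes that are corroborated by SetThreadContext, that land in an argument-less Windows binary, or that target a fresh copy of the writer's own image (the Smtp.exe pair). The "candidate" verdicts are heuristics, not the sandbox's own conclusions.

```python
import re

# Rows in this report's format (duplicates collapsed, subset) from the
# WriteProcessMemory and SetThreadContext tables of behavioral2.
ROWS = r"""
PID 3368 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\d321f75b27ffdadbe36f7f1a94727487e955a74ec629fdd054dec54e4b6fc87b.exe C:\Users\Admin\AppData\Roaming\nik.exe
PID 3368 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\d321f75b27ffdadbe36f7f1a94727487e955a74ec629fdd054dec54e4b6fc87b.exe C:\Users\Admin\AppData\Roaming\Smtp.exe
PID 5084 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Roaming\Smtp.exe C:\Users\Admin\AppData\Roaming\Smtp.exe
PID 4872 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Roaming\nik.exe C:\Windows\system32\relog.exe
PID 2660 wrote to memory of 3516 N/A C:\Windows\system32\relog.exe C:\Windows\Explorer.EXE
PID 3516 wrote to memory of 2288 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\83A7.tmp.Installer.exe
PID 3516 wrote to memory of 1336 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\87EE.tmp.Server.exe
PID 2288 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\83A7.tmp.Installer.exe C:\Windows\system32\schtasks.exe
PID 2288 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\83A7.tmp.Installer.exe C:\Windows\system32\cmd.exe
PID 3460 wrote to memory of 4828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1336 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\87EE.tmp.Server.exe C:\Windows\SysWOW64\cmd.exe
PID 3892 wrote to memory of 892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3892 wrote to memory of 1620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4872 set thread context of 2660 N/A C:\Users\Admin\AppData\Roaming\nik.exe C:\Windows\system32\relog.exe
""".strip().splitlines()

# Command lines from the Processes section for the Windows binaries that receive
# writes. A bare command line (image path only) is the tell for a process that
# was created suspended to be hollowed, or that was already running and got injected.
CMDLINES = {
    r"C:\Windows\system32\relog.exe": r"C:\Windows\system32\relog.exe",
    r"C:\Windows\Explorer.EXE": r"C:\Windows\Explorer.EXE",
    r"C:\Windows\system32\schtasks.exe": r'"schtasks.exe" /create /tn ACCC Tools /tr "C:\ProgramData\KMSAuto\accc.exe" /st 11:25 /du 23:59 /sc daily /ri 1 /f',
    r"C:\Windows\system32\cmd.exe": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8F7E.tmp.bat""',
    r"C:\Windows\system32\timeout.exe": "timeout 7",
    r"C:\Windows\SysWOW64\cmd.exe": r'"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All',
    r"C:\Windows\SysWOW64\chcp.com": "chcp 65001",
    r"C:\Windows\SysWOW64\netsh.exe": "netsh wlan show profile",
}

ROW = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A (\S+) (\S+)$")

def parse_rows(rows):
    """Return (writes, setctx), each a list of (src_pid, src_image, dst_pid, dst_image)."""
    writes, setctx = [], []
    for row in rows:
        m = ROW.match(row)
        if not m:
            continue
        rec = (int(m[1]), m[4], int(m[3]), m[5])
        (writes if m[2].startswith("wrote") else setctx).append(rec)
    return writes, setctx

def build_parents(writes):
    """Map each written-into process to its writer; nodes are (pid, image) so a reused PID stays unambiguous."""
    return {(d, di): (s, si) for s, si, d, di in writes}

def chain(parents, node):
    """Walk from node back to the root sample; returns [(pid, basename), ...] root first."""
    out = [node]
    while out[-1] in parents and len(out) < 64:
        out.append(parents[out[-1]])
    return [(p, i.rsplit("\\", 1)[-1]) for p, i in reversed(out)]

def bare_cmdline(image, cmdlines):
    """True if the process was started with nothing but its own image name."""
    cmd = cmdlines.get(image)
    if cmd is None:
        return False  # no command line known: do not guess
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]
    basename = image.rsplit("\\", 1)[-1].lower()
    return len(tokens) == 1 and tokens[0].lower() in (image.lower(), basename)

def classify(writes, setctx, cmdlines):
    """Keep only the writes that look like injection; returns (src_pid, src_image, dst_pid, dst_image, why)."""
    hollowed = {(s, d) for s, _, d, _ in setctx}
    verdicts = []
    for s, si, d, di in writes:
        if (s, d) in hollowed:
            why = "hollowing: WriteProcessMemory followed by SetThreadContext on the same target"
        elif di.lower().startswith("c:\\windows\\") and bare_cmdline(di, cmdlines):
            why = "injection candidate: write into a Windows binary that carries no arguments"
        elif si.lower() == di.lower():
            why = "self-injection candidate: image writes into a fresh copy of itself"
        else:
            continue  # ordinary child launch; the sandbox signature fires on those too
        verdicts.append((s, si, d, di, why))
    return verdicts

if __name__ == "__main__":
    writes, setctx = parse_rows(ROWS)
    for s, si, d, di, why in classify(writes, setctx, CMDLINES):
        print(f"{s} {si.rsplit(chr(92), 1)[-1]} -> {d} {di.rsplit(chr(92), 1)[-1]}: {why}")
    print(" -> ".join(f"{p} {n}" for p, n in
                      chain(build_parents(writes), (1336, r"C:\Users\Admin\AppData\Local\Temp\87EE.tmp.Server.exe"))))
```

The practical consequence for response: any EDR parent-child view rooted at Explorer.EXE will show the StormKitty and installer payloads as if the user had launched them, because PID 3516 is the sandbox's pre-existing shell, not a process the malware created. The real ancestry only survives in the cross-process write records.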

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\d321f75b27ffdadbe36f7f1a94727487e955a74ec629fdd054dec54e4b6fc87b.exe

"C:\Users\Admin\AppData\Local\Temp\d321f75b27ffdadbe36f7f1a94727487e955a74ec629fdd054dec54e4b6fc87b.exe"

C:\Users\Admin\AppData\Roaming\nik.exe

"C:\Users\Admin\AppData\Roaming\nik.exe"

C:\Users\Admin\AppData\Roaming\Smtp.exe

"C:\Users\Admin\AppData\Roaming\Smtp.exe"

C:\Users\Admin\AppData\Roaming\Smtp.exe

"C:\Users\Admin\AppData\Roaming\Smtp.exe"

C:\Windows\system32\relog.exe

C:\Windows\system32\relog.exe

C:\Users\Admin\AppData\Local\Temp\83A7.tmp.Installer.exe

"C:\Users\Admin\AppData\Local\Temp\83A7.tmp.Installer.exe"

C:\Users\Admin\AppData\Local\Temp\87EE.tmp.Server.exe

"C:\Users\Admin\AppData\Local\Temp\87EE.tmp.Server.exe"

C:\Windows\system32\schtasks.exe

"schtasks.exe" /create /tn ACCC Tools /tr "C:\ProgramData\KMSAuto\accc.exe" /st 11:25 /du 23:59 /sc daily /ri 1 /f

C:\ProgramData\KMSAuto\accc.exe

"C:\ProgramData\KMSAuto\accc.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8F7E.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 7

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 auth.xn--conbase-sfb.xyz udp
US 104.21.13.213:443 auth.xn--conbase-sfb.xyz tcp
US 8.8.8.8:53 x2.c.lencr.org udp
BE 23.55.97.11:80 x2.c.lencr.org tcp
US 8.8.8.8:53 213.13.21.104.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 auth.xn--conbase-sfb.xyz udp
US 172.67.133.32:80 auth.xn--conbase-sfb.xyz tcp
US 8.8.8.8:53 32.133.67.172.in-addr.arpa udp
US 8.8.8.8:53 auth.xn--conbase-sfb.xyz udp
US 104.21.13.213:80 auth.xn--conbase-sfb.xyz tcp
US 104.21.13.213:80 auth.xn--conbase-sfb.xyz tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 104.21.13.213:80 auth.xn--conbase-sfb.xyz tcp
US 8.8.8.8:53 www.igenius.org udp
US 192.3.140.185:80 www.igenius.org tcp
US 8.8.8.8:53 hrdc.pk udp
US 64.31.40.18:80 hrdc.pk tcp
US 192.3.140.185:80 www.igenius.org tcp
US 8.8.8.8:53 185.140.3.192.in-addr.arpa udp
US 8.8.8.8:53 18.40.31.64.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.184.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 66.44.21.104.in-addr.arpa udp
US 8.8.8.8:53 241.184.16.104.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 104.21.13.213:80 auth.xn--conbase-sfb.xyz tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
US 104.21.13.213:80 auth.xn--conbase-sfb.xyz tcp
N/A 127.0.0.1:6606 tcp
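
Two details in the Network table deserve a second look. The connections to 127.0.0.1:6606 and 127.0.0.1:8808 match AsyncRAT's default port list (6606, 7707, 8808), which is consistent with the "default" tag: the RAT was built with an unconfigured loopback C2. The host auth.xn--conbase-sfb.xyz is an internationalised domain name whose A-label hides a dotless i: decoded it reads auth.coınbase.xyz, a Coinbase lookalike, and it is the only destination here that is not a public service. The Python below is an added example, not part of this report or of the sandbox, showing how to expand such labels and compare their visual skeleton against a brand list; the watch-list, the Cyrillic paypal entry and the small confusables map are constructed for the example (Unicode's confusables.txt is far larger).

```python
import unicodedata

# Destination hosts copied from the Network table of this report, plus one
# constructed Cyrillic lookalike (not from the report) to exercise the skeleton.
DOMAINS = [
    "auth.xn--conbase-sfb.xyz",
    "x2.c.lencr.org",
    "www.igenius.org",
    "hrdc.pk",
    "api.telegram.org",
    "icanhazip.com",
    "api.mylnikov.org",
    "pastebin.com",
    "p\u0430ypal.com",   # constructed: Cyrillic a (U+0430) inside "paypal"
]

# Constructed watch-list of brands worth protecting; not from the report.
WATCHLIST = ["coinbase", "telegram", "paypal"]

# Hand-picked subset of Unicode confusables: dotless i, Polish l, and the
# Cyrillic letters that render identically to their Latin counterparts.
CONFUSABLES = {
    "\u0131": "i", "\u0142": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y",
}

def decode_label(label):
    """Expand an A-label (xn--...) to its Unicode form; plain labels pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def skeleton(label):
    """Reduce a label to the Latin letters a human would read off the screen."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))  # drop accents
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)

def lookalikes(domains, watchlist):
    """Return (raw_domain, unicode_domain, label, brand) for labels that look like a brand but are not it."""
    hits = []
    for dom in domains:
        labels = [decode_label(part) for part in dom.split(".")]
        for lab in labels[:-1]:            # the TLD is never the impersonated part
            for brand in watchlist:
                if lab.lower() != brand and skeleton(lab) == brand:
                    hits.append((dom, ".".join(labels), lab, brand))
    return hits

if __name__ == "__main__":
    for raw, uni, lab, brand in lookalikes(DOMAINS, WATCHLIST):
        print(f"{raw} -> {uni}: label {lab!r} impersonates {brand}")
```

The punycode codec is used directly rather than Python's idna codec so that the decode does not depend on IDNA2003 round-trip rules; the exact-match exclusion keeps api.telegram.org out of the results, since a domain that is the brand is not a lookalike of it. Proxy and DNS logs normally store the A-label, so the xn-- form is what a hunt query will see; decode before matching.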

Files

C:\Users\Admin\AppData\Roaming\nik.exe

MD5 c848ac85788c3e3e23e9b20746cb978e
SHA1 5960836d8c29b7408a60421ee6c2558e4e1eb0a4
SHA256 a00fcfe94826aff5275d6c7d5af9701dee5610f3bec64a81256ee1dac86d0225
SHA512 5e0478133dfec564344f22706d17c52caf37120f32e8c2befa80d35cbcb4564e11f97bd96a9b3c1c143d0c5c16bfdb52307f84e6fa91a1c855f01557d532c821

C:\Users\Admin\AppData\Roaming\Smtp.exe

MD5 4e8ec4867bf90e7c6082f2a918ef7631
SHA1 65b03b83a107fc8ced5cccc56de11c59862c0e45
SHA256 0da1fddf259afe14e217714543d15545803a5e60519921288035c45161936e9d
SHA512 091f709047cd6778281f60b6127eee1f01e782639a17ae090b14716ef405da8b2815f874796a1d5fdd9934343b83b82e996c51e8b7443c3552374a326617813b

C:\Users\Admin\AppData\Local\Temp\_MEI50842\python38.dll

MD5 eec355a6e9586f823a4f12bed11e6c80
SHA1 33627398cb32f4fbb162f38f7c277ad5b13a99ba
SHA256 560a6a5f8b7afa99600cc47da26a802c342d7f50ffe23850372f2fcf536cd26f
SHA512 7b4b3c13383de62a17aa1aafabce657ea5f4aadd716430fcd6e0f3125b773ae1589b3eaa050ccd87b37f6fae2391c5e7a8a229c0b0fa135de8d0269e9752bea0

C:\Users\Admin\AppData\Local\Temp\_MEI50842\VCRUNTIME140.dll

MD5 7942be5474a095f673582997ae3054f1
SHA1 e982f6ebc74d31153ba9738741a7eec03a9fa5e8
SHA256 8ee6b49830436ff3bec9ba89213395427b5535813930489f118721fd3d2d942c
SHA512 49fbc9d441362b65a8d78b73d4fdcf988f22d38a35a36a233fcd54e99e95e29b804be7eabe2b174188c7860ebb34f701e13ed216f954886a285bed7127619039

C:\Users\Admin\AppData\Local\Temp\_MEI50842\base_library.zip

MD5 877f89f4a141da5810ae8df658dae577
SHA1 df17d4bf2fa8bc3ce9a85f635ee8cfe640cdd3d2
SHA256 f009edc33aea2ee2dc1e9ed32e27ddda6204c45c87a6f722b883c76eb394555f
SHA512 988a3daf5df93fe509886c4af86039493667ba83957d41a48615101d3bbcd8b2c319ae59e59cc83a6765f33558e396294f8e9e349f8c21131c0f10a2bad6f212

C:\Users\Admin\AppData\Local\Temp\_MEI50842\_ctypes.pyd

MD5 4786508ffadc542bd677f45af820fdb9
SHA1 fc0f7dae6e0d093594e4ff1c293ce004dbd16fd7
SHA256 64f5072cd9536418ec0fd4b5c30c13b03cdddced1f9332d4d721c4b37ae3883e
SHA512 ad4b0e6883c2f0c003c46b1b85f5fbc2c1f8366a212695b9e47664c8735a30d4c8a3c645b324d3d059582096a1fe78ac1043ba8a639ced0665ef8c5cc33d0b80

C:\Users\Admin\AppData\Local\Temp\_MEI50842\_socket.pyd

MD5 bc7b1b0112427976b83911e607213c37
SHA1 f4c7eb5b46ebe015a13de59f17ca158c01a377f4
SHA256 85f200cb9adf0ef97d40b897868f6ad564211d3529f0b6dfe8e04c56a7b832bc
SHA512 18bc94c917ee894121241dcf65fab370a344caaf1120162fcb0966503c502b3e990a79553d2e4e1e3403e35d2b5e00cb365254c08f99c93c178e2e1fd7b2a040

C:\Users\Admin\AppData\Local\Temp\_MEI50842\select.pyd

MD5 bb6e9825bd4a98e0700d96b59ec64f68
SHA1 afd51547dad9cd7fac0efbda76b5e2388a027681
SHA256 bb81d220db83d5276fccda137d430160b8eafd40f4d92d86ebc718b4dfd555ac
SHA512 2380a0a2bd625ff79b04bb9d4f6611150512d72f719a3cc73806ea979c29b01fc3d947fb2998e308796a32061e0f2d34d158876924c71350c759e2a841abf964

C:\Users\Admin\AppData\Local\Temp\_MEI50842\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\_MEI50842\_hashlib.pyd

MD5 ef3b935e7d9e1685b84636f908732b06
SHA1 968bca85a6f61fa24d53fc6aa77a3f48d2b08dd6
SHA256 46d3016b73ecf3713228df563971feefcbebcea9925349a0807b48f0e09877ce
SHA512 34c1779b8b7cd8449afaaeabb37a9bbb895c199d06557ea301361972ce4722f3db98e2e099eb2ce52486ab60567ac8041a4b3b3e8e917256bdd9954cbb9b05b3

C:\Users\Admin\AppData\Local\Temp\_MEI50842\libcrypto-1_1.dll

MD5 aa811bb63dbd4c5859b68332326f60b1
SHA1 6e5584d5c59d2f79cbf60c6c71a92ecd7e4e0977
SHA256 00a1eeb37372d11559bf44c9e68af9c841c41c95a173f3dfec4e0b5923d0cae0
SHA512 dad9b14f501fd63824480f8801acd4004dd46f7a6965ac8ab91e573676236a11099f4b7cfdf7b3f6c0cc52a3b2e5d9b50f715f53a1f4f858ea2a5eb15d5092cd

C:\Users\Admin\AppData\Local\Temp\TH52D3.tmp

MD5 59513d94d77979cec1d0b34cb9a990c3
SHA1 5e03e3eee9dab882f0f00afadc465c7121558d49
SHA256 a429e785198898dad7e54d29e6f925db8a78c77a971726014a456547ae8b57f1
SHA512 131069c7f03f36e5ca69010552109c09ec8a080eee6b75dde57b28065ff981e9fb4ade03eb94d1f48391806633ee94db4f1106a8d2b8fc8c473eec10db7ca0ea

C:\Windows\System32\drivers\etc\hosts

MD5 1530b50aac226cd50815c69326517e51
SHA1 e97855298b61d8a5b6cf2450a990d5cbc40c6aa4
SHA256 1c1eab02470f70f1067cc91ae1506955f2cd92eac3afac8eb3592cc718c2cab3
SHA512 c66ee426b16c2ab3439617774b914dd279351b4c3dc14e16d6e7cdb11cd0cf0d3346df87a315f5a0de885522e3bfdcc2513e73f2d01cf0e5f13f77f7facdb432

C:\Users\Admin\AppData\Local\Temp\_MEI50842\_ssl.pyd

MD5 d1430e77cec5e84073700c3a65e3b8eb
SHA1 32009a7ea5e3097f38a33e3c5d73a9588f78e4a9
SHA256 174ec95c793fc33a97c57709b5117ca17700b90e7c71d72c9ec4bc7757b747a9
SHA512 1b49ce51e17b28eacc22e060b028697c93ee52a0a671ef615c6386c19e78a9ff67b84920fa5d8443970b53858a29c99dfcc395c0d6bc110ef125ec1c9da648f7

C:\Users\Admin\AppData\Local\Temp\_MEI50842\libssl-1_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI50842\unicodedata.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI50842\_queue.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI50842\charset_normalizer\md.cp38-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI50842\_bz2.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI50842\_lzma.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI50842\certifi\cacert.pem

C:\Users\Admin\AppData\Local\Temp\_MEI50842\charset_normalizer\md__mypyc.cp38-win_amd64.pyd

memory/3516-160-0x00000000081A0000-0x00000000081B6000-memory.dmp

memory/3516-162-0x0000000008510000-0x0000000008553000-memory.dmp

memory/3516-164-0x0000000008560000-0x00000000085B1000-memory.dmp

memory/3516-166-0x0000000000950000-0x0000000000958000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\83A7.tmp.Installer.exe

memory/2288-178-0x0000000000010000-0x00000000000B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\87EE.tmp.Server.exe

memory/1336-190-0x00000000006F0000-0x0000000000722000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8F7E.tmp.bat

memory/1336-207-0x00000000050D0000-0x0000000005136000-memory.dmp

C:\Users\Admin\AppData\Local\d3e7dc1819b6c1200d977d410133478e\Admin@OBJIYUIE_en-US\Browsers\Firefox\Bookmarks.txt

C:\Users\Admin\AppData\Local\d3e7dc1819b6c1200d977d410133478e\Admin@OBJIYUIE_en-US\System\Process.txt

memory/1336-377-0x0000000005FD0000-0x0000000006574000-memory.dmp

memory/1336-376-0x0000000005980000-0x0000000005A12000-memory.dmp

memory/1336-383-0x0000000005A20000-0x0000000005A2A000-memory.dmp

C:\Users\Admin\AppData\Local\f6b0a790c992db273661cfd075da7255\msgid.dat

memory/1336-389-0x0000000005AB0000-0x0000000005AC2000-memory.dmp