Analysis Overview
| SHA256 | d321f75b27ffdadbe36f7f1a94727487e955a74ec629fdd054dec54e4b6fc87b |
| Threat Level | Known bad |
The file d321f75b27ffdadbe36f7f1a94727487e955a74ec629fdd054dec54e4b6fc87b was found to be: Known bad.
Malicious Activity Summary
StormKitty payload
AsyncRat
StormKitty
Async RAT payload
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Drops startup file
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Looks up geolocation information via web service
Adds Run key to start application
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Drops desktop.ini file(s)
Suspicious use of SetThreadContext
Detects Pyinstaller
Unsigned PE
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies system certificate store
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Delays execution with timeout.exe
Analysis: static1
Detonation Overview
| Reported | 2024-07-02 11:20 |
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-07-02 11:20 |
| Reported | 2024-07-02 11:22 |
| Platform | win7-20240220-en |
| Max time kernel | 24s |
| Max time network | 146s |
Command Line
Signatures
AsyncRat
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\system32\relog.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Adobe.exe.lnk | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Identities.exe.lnk | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Macromedia.exe.lnk | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Media Center Programs.exe.lnk | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Microsoft.exe.lnk | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Mozilla.exe.lnk | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\psvhost.exe.lnk | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Smtp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Smtp.exe | N/A |
| N/A | N/A | C:\Windows\system32\relog.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\538C.tmp.Installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58CB.tmp.Server.exe | N/A |
| N/A | N/A | C:\ProgramData\KMSAuto\accc.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service_Identities = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\Service_Identities.exe" | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service_Macromedia = "C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\Service_Macromedia.exe" | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service_Media Center Programs = "C:\\Users\\Admin\\AppData\\Roaming\\Media Center Programs\\Service_Media Center Programs.exe" | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service_Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Service_Microsoft.exe" | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service_Mozilla = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Service_Mozilla.exe" | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\WpnUserService = "C:\\Users\\Admin\\AppData\\Roaming\\nik.exe" | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ACCC Tools = "C:\\ProgramData\\KMSAuto\\accc.exe" | C:\Users\Admin\AppData\Local\Temp\538C.tmp.Installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service_Adobe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Service_Adobe.exe" | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2744 set thread context of 1980 | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | C:\Windows\system32\relog.exe |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (binary blob, value not shown) | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (binary blob, value not shown) | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Token: 34 | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\d321f75b27ffdadbe36f7f1a94727487e955a74ec629fdd054dec54e4b6fc87b.exe | "C:\Users\Admin\AppData\Local\Temp\d321f75b27ffdadbe36f7f1a94727487e955a74ec629fdd054dec54e4b6fc87b.exe" |
| C:\Users\Admin\AppData\Roaming\nik.exe | "C:\Users\Admin\AppData\Roaming\nik.exe" |
| C:\Users\Admin\AppData\Roaming\Smtp.exe | "C:\Users\Admin\AppData\Roaming\Smtp.exe" |
| C:\Users\Admin\AppData\Roaming\Smtp.exe | "C:\Users\Admin\AppData\Roaming\Smtp.exe" |
| C:\Windows\system32\relog.exe | C:\Windows\system32\relog.exe |
| C:\Users\Admin\AppData\Local\Temp\538C.tmp.Installer.exe | "C:\Users\Admin\AppData\Local\Temp\538C.tmp.Installer.exe" |
| C:\Users\Admin\AppData\Local\Temp\58CB.tmp.Server.exe | "C:\Users\Admin\AppData\Local\Temp\58CB.tmp.Server.exe" |
| C:\Windows\system32\schtasks.exe | "schtasks.exe" /create /tn ACCC Tools /tr "C:\ProgramData\KMSAuto\accc.exe" /st 11:25 /du 23:59 /sc daily /ri 1 /f |
| C:\ProgramData\KMSAuto\accc.exe | "C:\ProgramData\KMSAuto\accc.exe" |
| C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5EB3.tmp.bat"" |
| C:\Windows\system32\timeout.exe | timeout 7 |
| C:\Windows\SysWOW64\cmd.exe | "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All |
| C:\Windows\SysWOW64\chcp.com | chcp 65001 |
| C:\Windows\SysWOW64\netsh.exe | netsh wlan show profile |
| C:\Windows\SysWOW64\findstr.exe | findstr All |
| C:\Windows\SysWOW64\cmd.exe | "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid |
| C:\Windows\SysWOW64\chcp.com | chcp 65001 |
| C:\Windows\SysWOW64\netsh.exe | netsh wlan show networks mode=bssid |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | auth.xn--conbase-sfb.xyz | udp |
| US | 104.21.13.213:443 | auth.xn--conbase-sfb.xyz | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| BE | 23.14.90.73:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| BE | 23.55.97.11:80 | x2.c.lencr.org | tcp |
| US | 8.8.8.8:53 | auth.xn--conbase-sfb.xyz | udp |
| US | 172.67.133.32:80 | auth.xn--conbase-sfb.xyz | tcp |
| US | 8.8.8.8:53 | auth.xn--conbase-sfb.xyz | udp |
| US | 172.67.133.32:80 | auth.xn--conbase-sfb.xyz | tcp |
| US | 172.67.133.32:80 | auth.xn--conbase-sfb.xyz | tcp |
| US | 172.67.133.32:80 | auth.xn--conbase-sfb.xyz | tcp |
| US | 8.8.8.8:53 | www.igenius.org | udp |
| US | 192.3.140.185:80 | www.igenius.org | tcp |
| US | 8.8.8.8:53 | hrdc.pk | udp |
| US | 64.31.40.18:80 | hrdc.pk | tcp |
| US | 192.3.140.185:80 | www.igenius.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 172.67.133.32:80 | auth.xn--conbase-sfb.xyz | tcp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.16.185.241:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 172.67.196.114:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 172.67.133.32:80 | auth.xn--conbase-sfb.xyz | tcp |
Files
\Users\Admin\AppData\Roaming\nik.exe
| MD5 | c848ac85788c3e3e23e9b20746cb978e |
| SHA1 | 5960836d8c29b7408a60421ee6c2558e4e1eb0a4 |
| SHA256 | a00fcfe94826aff5275d6c7d5af9701dee5610f3bec64a81256ee1dac86d0225 |
| SHA512 | 5e0478133dfec564344f22706d17c52caf37120f32e8c2befa80d35cbcb4564e11f97bd96a9b3c1c143d0c5c16bfdb52307f84e6fa91a1c855f01557d532c821 |
\Users\Admin\AppData\Roaming\Smtp.exe
| MD5 | 4e8ec4867bf90e7c6082f2a918ef7631 |
| SHA1 | 65b03b83a107fc8ced5cccc56de11c59862c0e45 |
| SHA256 | 0da1fddf259afe14e217714543d15545803a5e60519921288035c45161936e9d |
| SHA512 | 091f709047cd6778281f60b6127eee1f01e782639a17ae090b14716ef405da8b2815f874796a1d5fdd9934343b83b82e996c51e8b7443c3552374a326617813b |
C:\Users\Admin\AppData\Local\Temp\_MEI29242\python38.dll
| MD5 | eec355a6e9586f823a4f12bed11e6c80 |
| SHA1 | 33627398cb32f4fbb162f38f7c277ad5b13a99ba |
| SHA256 | 560a6a5f8b7afa99600cc47da26a802c342d7f50ffe23850372f2fcf536cd26f |
| SHA512 | 7b4b3c13383de62a17aa1aafabce657ea5f4aadd716430fcd6e0f3125b773ae1589b3eaa050ccd87b37f6fae2391c5e7a8a229c0b0fa135de8d0269e9752bea0 |
C:\Users\Admin\AppData\Local\Temp\_MEI29242\VCRUNTIME140.dll
| MD5 | 7942be5474a095f673582997ae3054f1 |
| SHA1 | e982f6ebc74d31153ba9738741a7eec03a9fa5e8 |
| SHA256 | 8ee6b49830436ff3bec9ba89213395427b5535813930489f118721fd3d2d942c |
| SHA512 | 49fbc9d441362b65a8d78b73d4fdcf988f22d38a35a36a233fcd54e99e95e29b804be7eabe2b174188c7860ebb34f701e13ed216f954886a285bed7127619039 |
C:\Users\Admin\AppData\Local\Temp\Cab20DB.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\_MEI29242\base_library.zip
| MD5 | 877f89f4a141da5810ae8df658dae577 |
| SHA1 | df17d4bf2fa8bc3ce9a85f635ee8cfe640cdd3d2 |
| SHA256 | f009edc33aea2ee2dc1e9ed32e27ddda6204c45c87a6f722b883c76eb394555f |
| SHA512 | 988a3daf5df93fe509886c4af86039493667ba83957d41a48615101d3bbcd8b2c319ae59e59cc83a6765f33558e396294f8e9e349f8c21131c0f10a2bad6f212 |
C:\Users\Admin\AppData\Local\Temp\_MEI29242\_ctypes.pyd
| MD5 | 4786508ffadc542bd677f45af820fdb9 |
| SHA1 | fc0f7dae6e0d093594e4ff1c293ce004dbd16fd7 |
| SHA256 | 64f5072cd9536418ec0fd4b5c30c13b03cdddced1f9332d4d721c4b37ae3883e |
| SHA512 | ad4b0e6883c2f0c003c46b1b85f5fbc2c1f8366a212695b9e47664c8735a30d4c8a3c645b324d3d059582096a1fe78ac1043ba8a639ced0665ef8c5cc33d0b80 |
\Users\Admin\AppData\Local\Temp\_MEI29242\libffi-7.dll
| MD5 | eef7981412be8ea459064d3090f4b3aa |
| SHA1 | c60da4830ce27afc234b3c3014c583f7f0a5a925 |
| SHA256 | f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081 |
| SHA512 | dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016 |
\Users\Admin\AppData\Local\Temp\_MEI29242\_socket.pyd
| MD5 | bc7b1b0112427976b83911e607213c37 |
| SHA1 | f4c7eb5b46ebe015a13de59f17ca158c01a377f4 |
| SHA256 | 85f200cb9adf0ef97d40b897868f6ad564211d3529f0b6dfe8e04c56a7b832bc |
| SHA512 | 18bc94c917ee894121241dcf65fab370a344caaf1120162fcb0966503c502b3e990a79553d2e4e1e3403e35d2b5e00cb365254c08f99c93c178e2e1fd7b2a040 |
\Users\Admin\AppData\Local\Temp\_MEI29242\select.pyd
| MD5 | bb6e9825bd4a98e0700d96b59ec64f68 |
| SHA1 | afd51547dad9cd7fac0efbda76b5e2388a027681 |
| SHA256 | bb81d220db83d5276fccda137d430160b8eafd40f4d92d86ebc718b4dfd555ac |
| SHA512 | 2380a0a2bd625ff79b04bb9d4f6611150512d72f719a3cc73806ea979c29b01fc3d947fb2998e308796a32061e0f2d34d158876924c71350c759e2a841abf964 |
C:\Users\Admin\AppData\Local\Temp\_MEI29242\libcrypto-1_1.dll
| MD5 | aa811bb63dbd4c5859b68332326f60b1 |
| SHA1 | 6e5584d5c59d2f79cbf60c6c71a92ecd7e4e0977 |
| SHA256 | 00a1eeb37372d11559bf44c9e68af9c841c41c95a173f3dfec4e0b5923d0cae0 |
| SHA512 | dad9b14f501fd63824480f8801acd4004dd46f7a6965ac8ab91e573676236a11099f4b7cfdf7b3f6c0cc52a3b2e5d9b50f715f53a1f4f858ea2a5eb15d5092cd |
\Users\Admin\AppData\Local\Temp\_MEI29242\_hashlib.pyd
| MD5 | ef3b935e7d9e1685b84636f908732b06 |
| SHA1 | 968bca85a6f61fa24d53fc6aa77a3f48d2b08dd6 |
| SHA256 | 46d3016b73ecf3713228df563971feefcbebcea9925349a0807b48f0e09877ce |
| SHA512 | 34c1779b8b7cd8449afaaeabb37a9bbb895c199d06557ea301361972ce4722f3db98e2e099eb2ce52486ab60567ac8041a4b3b3e8e917256bdd9954cbb9b05b3 |
C:\Users\Admin\AppData\Local\Temp\_MEI29242\_ssl.pyd
| MD5 | d1430e77cec5e84073700c3a65e3b8eb |
| SHA1 | 32009a7ea5e3097f38a33e3c5d73a9588f78e4a9 |
| SHA256 | 174ec95c793fc33a97c57709b5117ca17700b90e7c71d72c9ec4bc7757b747a9 |
| SHA512 | 1b49ce51e17b28eacc22e060b028697c93ee52a0a671ef615c6386c19e78a9ff67b84920fa5d8443970b53858a29c99dfcc395c0d6bc110ef125ec1c9da648f7 |
\Users\Admin\AppData\Local\Temp\_MEI29242\libssl-1_1.dll
| MD5 | 2335285f5ac87173bd304efeddfa1d85 |
| SHA1 | 64558d2150120abed3514db56299721c42c6fe58 |
| SHA256 | 1b57a201184559164dedbddcb43bb110a18cafa19ea3d00fc23274ccfc420e94 |
| SHA512 | 82737590d5ec7315ce8485c4794c01bfcce176ce443740a9f0cf5adfc3c3ed31a714556d33c1ca56db486636111d1ad855f606c87e5f322a505c535187ce2bde |
C:\Users\Admin\AppData\Local\Temp\_MEI29242\unicodedata.pyd
| MD5 | c5334880576bbc751b20f6bd4baba992 |
| SHA1 | ebd8b76221d4dad9931aabcbb0434752280a99d1 |
| SHA256 | e5ebcc99f94766951bb75731afe07b7c4481e7ff3d252f21d39ddea7c8da4147 |
| SHA512 | 08c964acd3064edf0210d6f12fe55896030756537b7e272c8e0f9b5e5606a6ed91094febabe3eadef51426bd6e4b06039cd9aa41a7756671edcac84684dfabb4 |
C:\Users\Admin\AppData\Local\Temp\_MEI29242\_queue.pyd
| MD5 | 04849a636d85ad8bc535643580466b50 |
| SHA1 | 17baef1ae4a1e33ed44e55c6b8de554b4814af0c |
| SHA256 | 80a803b8f9e2f1034cdbf47ba13efafaf2167a7ff9e5d97259506489e4ee58bd |
| SHA512 | 9a282680f9aaa5770cad88ee21ff1370a3a5209107d2965c2e6fed5d4fd40195e456c212ce4c27b89b29c68f30b666c803c9ef628e40ce8628c8664bbb8931f3 |
C:\Users\Admin\AppData\Local\Temp\_MEI29242\charset_normalizer\md.cp38-win_amd64.pyd
| MD5 | 38105df780eddd734027328e0dca0ca3 |
| SHA1 | 45f1d9e3472478f8e1ba86675f5c81c00b183bea |
| SHA256 | 9512896233d2119e78e2e1fcfd83643b2be2b427f08d16fc568fe98b9d4913cb |
| SHA512 | ba2a05c236ce47d87888f618be2b23532d0d882578707b07ae220a96883b468f7088a19ebbe3bac2adf4035da6b7ee6fa9e57b620e2bc67b28e54cd969d6bbb3 |
C:\Users\Admin\AppData\Local\Temp\_MEI29242\charset_normalizer\md__mypyc.cp38-win_amd64.pyd
| MD5 | 073f09e1edf5ec4173ce2de1121b9dd1 |
| SHA1 | 6cdb2559a1b706446cdd993e6fd680095e119b2e |
| SHA256 | 7412969bfe1bca38bbb25bab02b54506a05015a4944b54953fcfdb179ec3f13c |
| SHA512 | 70a1a766001ec78a5fce7eadf6cae07f11b3ca6b08115e130c77d024524879577ccab263c596102102b1569933c601592fbb5ee07c7db123bb850965ef8e8e96 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\_MEI29242\_bz2.pyd
| MD5 | 712a8dba2916f0261a1290a8e3d85ebf |
| SHA1 | 27dbfa5de547c30c457855594272545dafaeb39d |
| SHA256 | d6e5763cecd267be0ff5355ff53e93428f3dd7ab20458fb1e7432dffa060cf82 |
| SHA512 | 662664189f3a426a2042c998a5396fcb660f1ec123fe8089ec740ae414e0da9173d2e1abb6a231b3271bba9c4cb2a3a0a6ea45c475531bb986a4d085e74de1d9 |
C:\Users\Admin\AppData\Local\Temp\Tar2278.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Temp\_MEI29242\_lzma.pyd
| MD5 | fea0e77f594207b8af1d240a16c6650e |
| SHA1 | dd48f108074eade8c0f84916d619bce4a97c07bb |
| SHA256 | d7acc95049c07298af56a316419e6548f3e6b56fb22dfb3382607a803dddb5e0 |
| SHA512 | 3b06abcf29bd93232afd6ae0b8fbded6cc75c5a5cdbd5b410d16e6f19e034d4f903252eda243f670173cc05e78e36e767553e065648ce7c3af330d10922d51ff |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d0cc9a0bc98c07593b3906ffa3d915cc |
| SHA1 | bddf7c72bfe1255a04bc449517cba0f8d7bc70e6 |
| SHA256 | a2fa2b1034848833cd6135be07b15ed3d202155475d0d54ba1858a60c0d7bbd0 |
| SHA512 | 1e37d8416e0e1ca1623c5ca5ab26f7f4d4816c27e6eedae796c96e785cd3425bd3d98d60d571450e9345ca87da2ad3d828a0b669b142d6220b3c5cdd3688f38b |
C:\Users\Admin\AppData\Local\Temp\_MEI29242\certifi\cacert.pem
| MD5 | 78d9dd608305a97773574d1c0fb10b61 |
| SHA1 | 9e177f31a3622ad71c3d403422c9a980e563fe32 |
| SHA256 | 794d039ffdf277c047e26f2c7d58f81a5865d8a0eb7024a0fac1164fea4d27cf |
| SHA512 | 0c2d08747712ed227b4992f6f8f3cc21168627a79e81c6e860ee2b5f711af7f4387d3b71b390aa70a13661fc82806cc77af8ab1e8a8df82ad15e29e05fa911bf |
C:\Windows\System32\drivers\etc\hosts
| MD5 | ee9d791fd900430e4d594e5bde5c096a |
| SHA1 | 25dd0ac5926d1d02bf4c9fe60d5aff6b602c9b7d |
| SHA256 | 74c6900b084deaf2ac76ee2113cfe73509e751c588707395fa2731e9bc154ccd |
| SHA512 | cd1c18139594002e96c7094ff731812d9afb45fb34735731fb65eaecbd7918c2379fa52b8eea551ac9c51589827619f898a9a0ac95ee1ad8c0e94b589403efeb |
\Users\Admin\AppData\Local\Temp\TH2BD4.tmp
| MD5 | 59513d94d77979cec1d0b34cb9a990c3 |
| SHA1 | 5e03e3eee9dab882f0f00afadc465c7121558d49 |
| SHA256 | a429e785198898dad7e54d29e6f925db8a78c77a971726014a456547ae8b57f1 |
| SHA512 | 131069c7f03f36e5ca69010552109c09ec8a080eee6b75dde57b28065ff981e9fb4ade03eb94d1f48391806633ee94db4f1106a8d2b8fc8c473eec10db7ca0ea |
C:\Users\Admin\AppData\Local\Temp\538C.tmp.Installer.exe
| MD5 | bed8cdced2d57be2bd750f0f59991ecd |
| SHA1 | 4e2a885b9387fcf040b7eb79892de2f9fe55bca4 |
| SHA256 | 5f628663f71e3baa55f10e6021597f7860bef868284eb50b8958169dcbbff4fd |
| SHA512 | b85990a778c2462d57c3b314270bd1f397749450e75508e1012a14f21661358b98021efb791f694d9eb05f49b0776ea3ff4c803f842f858db5669968c477433f |
C:\Users\Admin\AppData\Local\Temp\58CB.tmp.Server.exe
| MD5 | 68fad5f5f8de1c290df5d3754b4af358 |
| SHA1 | 0028395243f38a03b13726915144b9848e8da39a |
| SHA256 | dbacc134902ee72d1464d3b61a3518402b7ab54807bb7b7541fc2916c8119e9e |
| SHA512 | ce44611d5c47fdcb979c715352f5050c816d4e5a814b102836856ede279f774e4709ca48fb95639ca66476ca547176370da7afc5185af066832732da2c80ee01 |
C:\Users\Admin\AppData\Local\Temp\tmp5EB3.tmp.bat
| MD5 | 5b8a7519058c78b87741b5d7d0799c93 |
| SHA1 | cd5cd2c3841b4849c4e286db95108236c2408f55 |
| SHA256 | e6f0862919925061c440ca1a80bce84217a9942cc001192049a3458a54739fb2 |
| SHA512 | 127728a32c4879be024c88625cb87b8805e20fd63ddf799bf104fbb4f248786728919534f4cd641da12034feda07f63218ffd44f0a9cd073a3f14565bd76f419 |
C:\Users\Admin\AppData\Local\bbe4d32d3a8785275f217713963c932e\msgid.dat
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-07-02 11:20 |
| Reported | 2024-07-02 11:22 |
| Platform | win10v2004-20240508-en |
| Max time kernel | 85s |
| Max time network | 143s |
Command Line
Signatures
AsyncRat
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\system32\relog.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\83A7.tmp.Installer.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Adobe.exe.lnk | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Microsoft.exe.lnk | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Mozilla.exe.lnk | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Sun.exe.lnk | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\psvhost.exe.lnk | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Smtp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Smtp.exe | N/A |
| N/A | N/A | C:\Windows\system32\relog.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\83A7.tmp.Installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87EE.tmp.Server.exe | N/A |
| N/A | N/A | C:\ProgramData\KMSAuto\accc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Smtp.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Adobe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Service_Adobe.exe" | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Service_Microsoft.exe" | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Mozilla = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Service_Mozilla.exe" | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Sun = "C:\\Users\\Admin\\AppData\\Roaming\\Sun\\Service_Sun.exe" | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WpnUserService = "C:\\Users\\Admin\\AppData\\Roaming\\nik.exe" | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ACCC Tools = "C:\\ProgramData\\KMSAuto\\accc.exe" | C:\Users\Admin\AppData\Local\Temp\83A7.tmp.Installer.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\d3e7dc1819b6c1200d977d410133478e\Admin@OBJIYUIE_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\87EE.tmp.Server.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\d3e7dc1819b6c1200d977d410133478e\Admin@OBJIYUIE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\87EE.tmp.Server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\d3e7dc1819b6c1200d977d410133478e\Admin@OBJIYUIE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\87EE.tmp.Server.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\d3e7dc1819b6c1200d977d410133478e\Admin@OBJIYUIE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\87EE.tmp.Server.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\d3e7dc1819b6c1200d977d410133478e\Admin@OBJIYUIE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\87EE.tmp.Server.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\d3e7dc1819b6c1200d977d410133478e\Admin@OBJIYUIE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\87EE.tmp.Server.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\d3e7dc1819b6c1200d977d410133478e\Admin@OBJIYUIE_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\87EE.tmp.Server.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4872 set thread context of 2660 | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | C:\Windows\system32\relog.exe |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\87EE.tmp.Server.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\87EE.tmp.Server.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\KMSAuto\accc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Token: 34 | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Token: 36 | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\d321f75b27ffdadbe36f7f1a94727487e955a74ec629fdd054dec54e4b6fc87b.exe
"C:\Users\Admin\AppData\Local\Temp\d321f75b27ffdadbe36f7f1a94727487e955a74ec629fdd054dec54e4b6fc87b.exe"
C:\Users\Admin\AppData\Roaming\nik.exe
"C:\Users\Admin\AppData\Roaming\nik.exe"
C:\Users\Admin\AppData\Roaming\Smtp.exe
"C:\Users\Admin\AppData\Roaming\Smtp.exe"
C:\Users\Admin\AppData\Roaming\Smtp.exe
"C:\Users\Admin\AppData\Roaming\Smtp.exe"
C:\Windows\system32\relog.exe
C:\Windows\system32\relog.exe
C:\Users\Admin\AppData\Local\Temp\83A7.tmp.Installer.exe
"C:\Users\Admin\AppData\Local\Temp\83A7.tmp.Installer.exe"
C:\Users\Admin\AppData\Local\Temp\87EE.tmp.Server.exe
"C:\Users\Admin\AppData\Local\Temp\87EE.tmp.Server.exe"
C:\Windows\system32\schtasks.exe
"schtasks.exe" /create /tn ACCC Tools /tr "C:\ProgramData\KMSAuto\accc.exe" /st 11:25 /du 23:59 /sc daily /ri 1 /f
C:\ProgramData\KMSAuto\accc.exe
"C:\ProgramData\KMSAuto\accc.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8F7E.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 7
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
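The process list above is the most reusable detection material in this report: a scheduled task whose action lives under C:\ProgramData, a .bat dropped in %TEMP% and run through cmd /c followed by timeout, the two netsh wlan invocations StormKitty uses to collect saved Wi-Fi profiles and nearby BSSIDs (the BSSID list is what later goes to api.mylnikov.org for a position fix), and relog.exe started with no arguments at all, which is the process nik.exe targets with SetThreadContext. The following Python classifier is an added example, not part of the sandbox output and not code from the malware or the sandbox vendor. It turns those observations into command-line rules and runs them over the listed command lines, embedded here as a constructed sample; the tag names, regexes and the list of user-writable directories are the example's own choices.

```python
import re

# Constructed sample: the command lines listed under "Processes" in this report,
# one per entry, in the form a Sysmon EID 1 / Security 4688 feed would deliver them.
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Roaming\nik.exe"',
    r'C:\Windows\system32\relog.exe',
    r'"schtasks.exe" /create /tn ACCC Tools /tr "C:\ProgramData\KMSAuto\accc.exe" /st 11:25 /du 23:59 /sc daily /ri 1 /f',
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8F7E.tmp.bat""',
    r'timeout 7',
    r'"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All',
    r'netsh wlan show networks mode=bssid',
]

# Directories an unprivileged user can write to; a persisted binary there is a red flag.
USER_WRITABLE = re.compile(r'\\(?:AppData|ProgramData|Temp|Users\\Public)\\', re.I)

# schtasks /create ... /tr "<action>"  (quoted or bare action path)
SCHTASKS_ACTION = re.compile(r'schtasks(?:\.exe)?"?\s+/create\b.*?/tr\s+(?:"([^"]+)"|(\S+))', re.I)
# cmd /c "<something>.bat"  (the doubled quotes in the report's line are tolerated)
CMD_BATCH = re.compile(r'cmd(?:\.exe)?"?\s+/c\s+"*([^"]+\.bat)', re.I)
WIFI = re.compile(r'netsh\s+wlan\s+show\s+(profile|networks)\b', re.I)
TIMEOUT_SLEEP = re.compile(r'timeout(?:\.exe)?\s+(?:/t\s+)?\d+(?:\s+/nobreak)?', re.I)
BARE_SYSTEM_BINARY = re.compile(r'"?[a-z]:\\windows\\(?:system32|syswow64)\\[a-z0-9_]+\.exe"?', re.I)


def classify(cmdline: str) -> list[str]:
    """Return the behaviour tags this single command line triggers."""
    tags: list[str] = []
    line = cmdline.strip()

    m = SCHTASKS_ACTION.search(line)
    if m and USER_WRITABLE.search(m.group(1) or m.group(2)):
        tags.append("persistence.schtasks_user_writable")

    m = CMD_BATCH.search(line)
    if m and USER_WRITABLE.search(m.group(1)):
        tags.append("execution.temp_batch")

    m = WIFI.search(line)
    if m:
        if m.group(1).lower() == "profile":
            tags.append("discovery.wifi_profiles")
        else:
            tags.append("discovery.wifi_bssid_survey")

    if TIMEOUT_SLEEP.fullmatch(line):
        tags.append("defense_evasion.timeout_sleep")

    # A system binary started with an empty argument list. Benign on its own; it is
    # the SetThreadContext / WriteProcessMemory target that makes it a hollowing host,
    # so correlate this tag with those events before alerting.
    if BARE_SYSTEM_BINARY.fullmatch(line):
        tags.append("injection.bare_system_binary")

    return tags


def triage(cmdlines: list[str]) -> dict[str, list[str]]:
    """Group command lines by tag so each finding can be reviewed with its evidence."""
    findings: dict[str, list[str]] = {}
    for cl in cmdlines:
        for tag in classify(cl):
            findings.setdefault(tag, []).append(cl)
    return findings


if __name__ == "__main__":
    for tag, lines in triage(SAMPLE_CMDLINES).items():
        print(tag)
        for cl in lines:
            print("   ", cl)
```

The schtasks rule keys on the action path rather than the task name because the name ("ACCC Tools") is operator-chosen noise, while an action under ProgramData, AppData or Temp is rarely legitimate. The timeout rule only matches a bare `timeout N`, which is how dropper batch files pace themselves; an interactive `timeout` inside a larger script line is left alone.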
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | auth.xn--conbase-sfb.xyz | udp |
| US | 104.21.13.213:443 | auth.xn--conbase-sfb.xyz | tcp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| BE | 23.55.97.11:80 | x2.c.lencr.org | tcp |
| US | 8.8.8.8:53 | 213.13.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | auth.xn--conbase-sfb.xyz | udp |
| US | 172.67.133.32:80 | auth.xn--conbase-sfb.xyz | tcp |
| US | 8.8.8.8:53 | 32.133.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | auth.xn--conbase-sfb.xyz | udp |
| US | 104.21.13.213:80 | auth.xn--conbase-sfb.xyz | tcp |
| US | 104.21.13.213:80 | auth.xn--conbase-sfb.xyz | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 104.21.13.213:80 | auth.xn--conbase-sfb.xyz | tcp |
| US | 8.8.8.8:53 | www.igenius.org | udp |
| US | 192.3.140.185:80 | www.igenius.org | tcp |
| US | 8.8.8.8:53 | hrdc.pk | udp |
| US | 64.31.40.18:80 | hrdc.pk | tcp |
| US | 192.3.140.185:80 | www.igenius.org | tcp |
| US | 8.8.8.8:53 | 185.140.3.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.40.31.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.16.184.241:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 104.21.44.66:443 | api.mylnikov.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 66.44.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.184.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| US | 52.111.227.11:443 | N/A | tcp |
| US | 104.21.13.213:80 | auth.xn--conbase-sfb.xyz | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| US | 104.21.13.213:80 | auth.xn--conbase-sfb.xyz | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
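Three things in the network table are easy to miss when reading it raw. The `*.in-addr.arpa` rows are the sandbox's own reverse lookups, not malware traffic. `auth.xn--conbase-sfb.xyz` is an IDN label: decoding the punycode gives `auth.coınbase.xyz`, where the third character is U+0131 (dotless i), a Coinbase look-alike. And the loopback connections to 127.0.0.1:8808 and 127.0.0.1:6606 land on two of the three default AsyncRAT ports (6606, 7707, 8808), so this client's host setting points at localhost and the RAT reached no remote operator during the detonation. The Python below is an added example, not part of the report and not code from the sandbox vendor; it parses a constructed copy of the rows above (one per distinct destination), decodes ACE labels with the standard-library punycode codec, and sorts each destination into a bucket. The brand watchlist, the confusable map and the bucket names are the example's own assumptions.

```python
import unicodedata

# Constructed sample: one row per distinct destination, copied from the Network
# table of this report (duplicate rows and the other PTR lookups are omitted).
NETWORK_TABLE = """\
| US | 8.8.8.8:53 | auth.xn--conbase-sfb.xyz | udp |
| US | 104.21.13.213:443 | auth.xn--conbase-sfb.xyz | tcp |
| US | 8.8.8.8:53 | 213.13.21.104.in-addr.arpa | udp |
| BE | 23.55.97.11:80 | x2.c.lencr.org | tcp |
| US | 192.3.140.185:80 | www.igenius.org | tcp |
| US | 64.31.40.18:80 | hrdc.pk | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 104.16.184.241:80 | icanhazip.com | tcp |
| US | 104.21.44.66:443 | api.mylnikov.org | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 52.111.227.11:443 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
"""

RAT_DEFAULT_PORTS = {6606, 7707, 8808}                  # AsyncRAT builder defaults
IP_GEO_SERVICES = {"icanhazip.com", "api.mylnikov.org"}  # the services this report's signatures name
BRANDS = {"coinbase"}                                    # assumed watchlist; extend per environment
# Minimal confusable map for letters NFKD cannot fold: dotless i and a few Cyrillic look-alikes.
CONFUSABLES = {"\u0131": "i", "\u0456": "i", "\u043e": "o", "\u0430": "a",
               "\u0435": "e", "\u0441": "c", "\u0440": "p"}


def parse_rows(text: str) -> list[dict]:
    """Split the pipe-delimited rows into dicts; rows with a wrong cell count are skipped."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4:
            rows.append(dict(zip(("country", "dest", "domain", "proto"), cells)))
    return rows


def decode_idn(host: str) -> str:
    """Turn every xn-- (ACE) label into its Unicode form with the RFC 3492 punycode codec."""
    out = []
    for label in host.split("."):
        if label.lower().startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        out.append(label)
    return ".".join(out)


def skeleton(label: str) -> str:
    """Crude confusable skeleton: strip diacritics, map known look-alikes, lowercase."""
    chars = []
    for ch in unicodedata.normalize("NFKD", label):
        if unicodedata.combining(ch):
            continue
        chars.append(CONFUSABLES.get(ch, ch))
    return "".join(chars).lower()


def analyse(table_text: str) -> dict[str, list]:
    buckets = ("ptr_noise", "dns_only", "loopback_rat_ports", "homograph",
               "ip_geo_lookup", "pki", "contacts")
    out: dict[str, list] = {k: [] for k in buckets}
    seen = set()
    for r in parse_rows(table_text):
        host, dest = r["domain"], r["dest"]
        if (host, dest) in seen or ":" not in dest:
            continue
        seen.add((host, dest))
        ip, port_str = dest.rsplit(":", 1)
        port = int(port_str)
        if host.endswith(".in-addr.arpa"):
            out["ptr_noise"].append(host)            # sandbox reverse lookups
            continue
        if ip == "127.0.0.1" and port in RAT_DEFAULT_PORTS:
            out["loopback_rat_ports"].append(dest)   # RAT configured to call localhost
            continue
        if port == 53 and r["proto"] == "udp":
            out["dns_only"].append(host)             # resolution only; the TCP row is the contact
            continue
        decoded = decode_idn(host)
        for label in decoded.split("."):
            sk = skeleton(label)
            if sk in BRANDS and label != sk:         # looks like a brand but is not spelled like it
                out["homograph"].append((host, decoded, sk))
        if host in IP_GEO_SERVICES:
            out["ip_geo_lookup"].append(host)
        elif host.endswith("lencr.org"):
            out["pki"].append(host)                  # Let's Encrypt PKI fetch during TLS setup, not C2
        else:
            out["contacts"].append((host, dest))
    return out


if __name__ == "__main__":
    for bucket, items in analyse(NETWORK_TABLE).items():
        print(f"{bucket}: {items}")
```

The homograph check compares the skeleton of each decoded label against the watchlist only when the label itself differs from the skeleton, so a legitimate `coinbase.com` never trips it. For a real hunt the table would come from DNS or proxy logs rather than a sandbox page, but the decoding step is the same: never grep IDN-capable logs for a brand name without first folding `xn--` labels.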
Files
C:\Users\Admin\AppData\Roaming\nik.exe
| MD5 | c848ac85788c3e3e23e9b20746cb978e |
| SHA1 | 5960836d8c29b7408a60421ee6c2558e4e1eb0a4 |
| SHA256 | a00fcfe94826aff5275d6c7d5af9701dee5610f3bec64a81256ee1dac86d0225 |
| SHA512 | 5e0478133dfec564344f22706d17c52caf37120f32e8c2befa80d35cbcb4564e11f97bd96a9b3c1c143d0c5c16bfdb52307f84e6fa91a1c855f01557d532c821 |
C:\Users\Admin\AppData\Roaming\Smtp.exe
| MD5 | 4e8ec4867bf90e7c6082f2a918ef7631 |
| SHA1 | 65b03b83a107fc8ced5cccc56de11c59862c0e45 |
| SHA256 | 0da1fddf259afe14e217714543d15545803a5e60519921288035c45161936e9d |
| SHA512 | 091f709047cd6778281f60b6127eee1f01e782639a17ae090b14716ef405da8b2815f874796a1d5fdd9934343b83b82e996c51e8b7443c3552374a326617813b |
C:\Users\Admin\AppData\Local\Temp\_MEI50842\python38.dll
| MD5 | eec355a6e9586f823a4f12bed11e6c80 |
| SHA1 | 33627398cb32f4fbb162f38f7c277ad5b13a99ba |
| SHA256 | 560a6a5f8b7afa99600cc47da26a802c342d7f50ffe23850372f2fcf536cd26f |
| SHA512 | 7b4b3c13383de62a17aa1aafabce657ea5f4aadd716430fcd6e0f3125b773ae1589b3eaa050ccd87b37f6fae2391c5e7a8a229c0b0fa135de8d0269e9752bea0 |
C:\Users\Admin\AppData\Local\Temp\_MEI50842\VCRUNTIME140.dll
| MD5 | 7942be5474a095f673582997ae3054f1 |
| SHA1 | e982f6ebc74d31153ba9738741a7eec03a9fa5e8 |
| SHA256 | 8ee6b49830436ff3bec9ba89213395427b5535813930489f118721fd3d2d942c |
| SHA512 | 49fbc9d441362b65a8d78b73d4fdcf988f22d38a35a36a233fcd54e99e95e29b804be7eabe2b174188c7860ebb34f701e13ed216f954886a285bed7127619039 |
C:\Users\Admin\AppData\Local\Temp\_MEI50842\base_library.zip
| MD5 | 877f89f4a141da5810ae8df658dae577 |
| SHA1 | df17d4bf2fa8bc3ce9a85f635ee8cfe640cdd3d2 |
| SHA256 | f009edc33aea2ee2dc1e9ed32e27ddda6204c45c87a6f722b883c76eb394555f |
| SHA512 | 988a3daf5df93fe509886c4af86039493667ba83957d41a48615101d3bbcd8b2c319ae59e59cc83a6765f33558e396294f8e9e349f8c21131c0f10a2bad6f212 |
C:\Users\Admin\AppData\Local\Temp\_MEI50842\_ctypes.pyd
| MD5 | 4786508ffadc542bd677f45af820fdb9 |
| SHA1 | fc0f7dae6e0d093594e4ff1c293ce004dbd16fd7 |
| SHA256 | 64f5072cd9536418ec0fd4b5c30c13b03cdddced1f9332d4d721c4b37ae3883e |
| SHA512 | ad4b0e6883c2f0c003c46b1b85f5fbc2c1f8366a212695b9e47664c8735a30d4c8a3c645b324d3d059582096a1fe78ac1043ba8a639ced0665ef8c5cc33d0b80 |
C:\Users\Admin\AppData\Local\Temp\_MEI50842\_socket.pyd
| MD5 | bc7b1b0112427976b83911e607213c37 |
| SHA1 | f4c7eb5b46ebe015a13de59f17ca158c01a377f4 |
| SHA256 | 85f200cb9adf0ef97d40b897868f6ad564211d3529f0b6dfe8e04c56a7b832bc |
| SHA512 | 18bc94c917ee894121241dcf65fab370a344caaf1120162fcb0966503c502b3e990a79553d2e4e1e3403e35d2b5e00cb365254c08f99c93c178e2e1fd7b2a040 |
C:\Users\Admin\AppData\Local\Temp\_MEI50842\select.pyd
| MD5 | bb6e9825bd4a98e0700d96b59ec64f68 |
| SHA1 | afd51547dad9cd7fac0efbda76b5e2388a027681 |
| SHA256 | bb81d220db83d5276fccda137d430160b8eafd40f4d92d86ebc718b4dfd555ac |
| SHA512 | 2380a0a2bd625ff79b04bb9d4f6611150512d72f719a3cc73806ea979c29b01fc3d947fb2998e308796a32061e0f2d34d158876924c71350c759e2a841abf964 |
C:\Users\Admin\AppData\Local\Temp\_MEI50842\libffi-7.dll
| MD5 | eef7981412be8ea459064d3090f4b3aa |
| SHA1 | c60da4830ce27afc234b3c3014c583f7f0a5a925 |
| SHA256 | f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081 |
| SHA512 | dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016 |
C:\Users\Admin\AppData\Local\Temp\_MEI50842\_hashlib.pyd
| MD5 | ef3b935e7d9e1685b84636f908732b06 |
| SHA1 | 968bca85a6f61fa24d53fc6aa77a3f48d2b08dd6 |
| SHA256 | 46d3016b73ecf3713228df563971feefcbebcea9925349a0807b48f0e09877ce |
| SHA512 | 34c1779b8b7cd8449afaaeabb37a9bbb895c199d06557ea301361972ce4722f3db98e2e099eb2ce52486ab60567ac8041a4b3b3e8e917256bdd9954cbb9b05b3 |
C:\Users\Admin\AppData\Local\Temp\_MEI50842\libcrypto-1_1.dll
| MD5 | aa811bb63dbd4c5859b68332326f60b1 |
| SHA1 | 6e5584d5c59d2f79cbf60c6c71a92ecd7e4e0977 |
| SHA256 | 00a1eeb37372d11559bf44c9e68af9c841c41c95a173f3dfec4e0b5923d0cae0 |
| SHA512 | dad9b14f501fd63824480f8801acd4004dd46f7a6965ac8ab91e573676236a11099f4b7cfdf7b3f6c0cc52a3b2e5d9b50f715f53a1f4f858ea2a5eb15d5092cd |
C:\Users\Admin\AppData\Local\Temp\TH52D3.tmp
| MD5 | 59513d94d77979cec1d0b34cb9a990c3 |
| SHA1 | 5e03e3eee9dab882f0f00afadc465c7121558d49 |
| SHA256 | a429e785198898dad7e54d29e6f925db8a78c77a971726014a456547ae8b57f1 |
| SHA512 | 131069c7f03f36e5ca69010552109c09ec8a080eee6b75dde57b28065ff981e9fb4ade03eb94d1f48391806633ee94db4f1106a8d2b8fc8c473eec10db7ca0ea |
C:\Windows\System32\drivers\etc\hosts
| MD5 | 1530b50aac226cd50815c69326517e51 |
| SHA1 | e97855298b61d8a5b6cf2450a990d5cbc40c6aa4 |
| SHA256 | 1c1eab02470f70f1067cc91ae1506955f2cd92eac3afac8eb3592cc718c2cab3 |
| SHA512 | c66ee426b16c2ab3439617774b914dd279351b4c3dc14e16d6e7cdb11cd0cf0d3346df87a315f5a0de885522e3bfdcc2513e73f2d01cf0e5f13f77f7facdb432 |
C:\Users\Admin\AppData\Local\Temp\_MEI50842\_ssl.pyd
| MD5 | d1430e77cec5e84073700c3a65e3b8eb |
| SHA1 | 32009a7ea5e3097f38a33e3c5d73a9588f78e4a9 |
| SHA256 | 174ec95c793fc33a97c57709b5117ca17700b90e7c71d72c9ec4bc7757b747a9 |
| SHA512 | 1b49ce51e17b28eacc22e060b028697c93ee52a0a671ef615c6386c19e78a9ff67b84920fa5d8443970b53858a29c99dfcc395c0d6bc110ef125ec1c9da648f7 |
C:\Users\Admin\AppData\Local\Temp\_MEI50842\libssl-1_1.dll
| MD5 | 2335285f5ac87173bd304efeddfa1d85 |
| SHA1 | 64558d2150120abed3514db56299721c42c6fe58 |
| SHA256 | 1b57a201184559164dedbddcb43bb110a18cafa19ea3d00fc23274ccfc420e94 |
| SHA512 | 82737590d5ec7315ce8485c4794c01bfcce176ce443740a9f0cf5adfc3c3ed31a714556d33c1ca56db486636111d1ad855f606c87e5f322a505c535187ce2bde |
C:\Users\Admin\AppData\Local\Temp\_MEI50842\unicodedata.pyd
| MD5 | c5334880576bbc751b20f6bd4baba992 |
| SHA1 | ebd8b76221d4dad9931aabcbb0434752280a99d1 |
| SHA256 | e5ebcc99f94766951bb75731afe07b7c4481e7ff3d252f21d39ddea7c8da4147 |
| SHA512 | 08c964acd3064edf0210d6f12fe55896030756537b7e272c8e0f9b5e5606a6ed91094febabe3eadef51426bd6e4b06039cd9aa41a7756671edcac84684dfabb4 |
C:\Users\Admin\AppData\Local\Temp\_MEI50842\_queue.pyd
| MD5 | 04849a636d85ad8bc535643580466b50 |
| SHA1 | 17baef1ae4a1e33ed44e55c6b8de554b4814af0c |
| SHA256 | 80a803b8f9e2f1034cdbf47ba13efafaf2167a7ff9e5d97259506489e4ee58bd |
| SHA512 | 9a282680f9aaa5770cad88ee21ff1370a3a5209107d2965c2e6fed5d4fd40195e456c212ce4c27b89b29c68f30b666c803c9ef628e40ce8628c8664bbb8931f3 |
C:\Users\Admin\AppData\Local\Temp\_MEI50842\charset_normalizer\md.cp38-win_amd64.pyd
| MD5 | 38105df780eddd734027328e0dca0ca3 |
| SHA1 | 45f1d9e3472478f8e1ba86675f5c81c00b183bea |
| SHA256 | 9512896233d2119e78e2e1fcfd83643b2be2b427f08d16fc568fe98b9d4913cb |
| SHA512 | ba2a05c236ce47d87888f618be2b23532d0d882578707b07ae220a96883b468f7088a19ebbe3bac2adf4035da6b7ee6fa9e57b620e2bc67b28e54cd969d6bbb3 |
C:\Users\Admin\AppData\Local\Temp\_MEI50842\_bz2.pyd
| MD5 | 712a8dba2916f0261a1290a8e3d85ebf |
| SHA1 | 27dbfa5de547c30c457855594272545dafaeb39d |
| SHA256 | d6e5763cecd267be0ff5355ff53e93428f3dd7ab20458fb1e7432dffa060cf82 |
| SHA512 | 662664189f3a426a2042c998a5396fcb660f1ec123fe8089ec740ae414e0da9173d2e1abb6a231b3271bba9c4cb2a3a0a6ea45c475531bb986a4d085e74de1d9 |
C:\Users\Admin\AppData\Local\Temp\_MEI50842\_lzma.pyd
| MD5 | fea0e77f594207b8af1d240a16c6650e |
| SHA1 | dd48f108074eade8c0f84916d619bce4a97c07bb |
| SHA256 | d7acc95049c07298af56a316419e6548f3e6b56fb22dfb3382607a803dddb5e0 |
| SHA512 | 3b06abcf29bd93232afd6ae0b8fbded6cc75c5a5cdbd5b410d16e6f19e034d4f903252eda243f670173cc05e78e36e767553e065648ce7c3af330d10922d51ff |
C:\Users\Admin\AppData\Local\Temp\_MEI50842\certifi\cacert.pem
| MD5 | 78d9dd608305a97773574d1c0fb10b61 |
| SHA1 | 9e177f31a3622ad71c3d403422c9a980e563fe32 |
| SHA256 | 794d039ffdf277c047e26f2c7d58f81a5865d8a0eb7024a0fac1164fea4d27cf |
| SHA512 | 0c2d08747712ed227b4992f6f8f3cc21168627a79e81c6e860ee2b5f711af7f4387d3b71b390aa70a13661fc82806cc77af8ab1e8a8df82ad15e29e05fa911bf |
C:\Users\Admin\AppData\Local\Temp\_MEI50842\charset_normalizer\md__mypyc.cp38-win_amd64.pyd
| MD5 | 073f09e1edf5ec4173ce2de1121b9dd1 |
| SHA1 | 6cdb2559a1b706446cdd993e6fd680095e119b2e |
| SHA256 | 7412969bfe1bca38bbb25bab02b54506a05015a4944b54953fcfdb179ec3f13c |
| SHA512 | 70a1a766001ec78a5fce7eadf6cae07f11b3ca6b08115e130c77d024524879577ccab263c596102102b1569933c601592fbb5ee07c7db123bb850965ef8e8e96 |
memory/3516-160-0x00000000081A0000-0x00000000081B6000-memory.dmp
memory/3516-162-0x0000000008510000-0x0000000008553000-memory.dmp
memory/3516-164-0x0000000008560000-0x00000000085B1000-memory.dmp
memory/3516-166-0x0000000000950000-0x0000000000958000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\83A7.tmp.Installer.exe
| MD5 | bed8cdced2d57be2bd750f0f59991ecd |
| SHA1 | 4e2a885b9387fcf040b7eb79892de2f9fe55bca4 |
| SHA256 | 5f628663f71e3baa55f10e6021597f7860bef868284eb50b8958169dcbbff4fd |
| SHA512 | b85990a778c2462d57c3b314270bd1f397749450e75508e1012a14f21661358b98021efb791f694d9eb05f49b0776ea3ff4c803f842f858db5669968c477433f |
memory/2288-178-0x0000000000010000-0x00000000000B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\87EE.tmp.Server.exe
| MD5 | 68fad5f5f8de1c290df5d3754b4af358 |
| SHA1 | 0028395243f38a03b13726915144b9848e8da39a |
| SHA256 | dbacc134902ee72d1464d3b61a3518402b7ab54807bb7b7541fc2916c8119e9e |
| SHA512 | ce44611d5c47fdcb979c715352f5050c816d4e5a814b102836856ede279f774e4709ca48fb95639ca66476ca547176370da7afc5185af066832732da2c80ee01 |
memory/1336-190-0x00000000006F0000-0x0000000000722000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp8F7E.tmp.bat
| MD5 | e44a1d99f6346771343608ea57a87734 |
| SHA1 | 5481c1e8fa2e44179b3d22d32b2b56b96f220b1b |
| SHA256 | 7b357698d411103b2c8ad8204d7bc43ff83a25b664f353efbea62430eece14f0 |
| SHA512 | 29f6fa02fabbb7a6e66d18276b1a42982a23e9ffd24abf8bcbb64bf0ae8ce49ddb463b0e490267bef31a497d80eaafb632b9d3b11de4c6041d25e0001b99bec1 |
memory/1336-207-0x00000000050D0000-0x0000000005136000-memory.dmp
C:\Users\Admin\AppData\Local\d3e7dc1819b6c1200d977d410133478e\Admin@OBJIYUIE_en-US\Browsers\Firefox\Bookmarks.txt
| MD5 | 2e9d094dda5cdc3ce6519f75943a4ff4 |
| SHA1 | 5d989b4ac8b699781681fe75ed9ef98191a5096c |
| SHA256 | c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142 |
| SHA512 | d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7 |
C:\Users\Admin\AppData\Local\d3e7dc1819b6c1200d977d410133478e\Admin@OBJIYUIE_en-US\System\Process.txt
| MD5 | 307283f2e25e04a93d70fc3bedc08a44 |
| SHA1 | 097d0e79877a6bbbc14c895f23b67eddd8c07d2d |
| SHA256 | 78ebf5e230f7c6a1d89e90e48226af0ae5e1e3328c1f2a9d0139f9ba13c16e7a |
| SHA512 | e74c01a2e45713f072ba789f7480e7563b4aaf4bf8d3d417869261fd33c7c5c322f0b6f48e86afcb19c3fa88a145475e2ac302524964d1c19f074d364b173865 |
memory/1336-377-0x0000000005FD0000-0x0000000006574000-memory.dmp
memory/1336-376-0x0000000005980000-0x0000000005A12000-memory.dmp
memory/1336-383-0x0000000005A20000-0x0000000005A2A000-memory.dmp
C:\Users\Admin\AppData\Local\f6b0a790c992db273661cfd075da7255\msgid.dat
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
memory/1336-389-0x0000000005AB0000-0x0000000005AC2000-memory.dmp