Malware Analysis Report

2024-09-23 03:05

Sample ID: 240702-rsnztswgnf
Target: CryptoFactory.exe
SHA256: c978fbdd5ce89e672a624c74e03fa89e0865b20e8bc84b0a882eb327abb96064
Tags: persistence asyncrat stormkitty default privilege_escalation rat spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: c978fbdd5ce89e672a624c74e03fa89e0865b20e8bc84b0a882eb327abb96064
Threat Level: Known bad

The file CryptoFactory.exe was found to be: Known bad.

Malicious Activity Summary

Tags: persistence asyncrat stormkitty default privilege_escalation rat spyware stealer

AsyncRat

StormKitty payload

StormKitty

Async RAT payload

Downloads MZ/PE file

Drops file in Drivers directory

Loads dropped DLL

Drops startup file

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Looks up geolocation information via web service

Drops desktop.ini file(s)

Looks up external IP address via web service

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

Delays execution with timeout.exe

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-07-02 14:27

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-02 14:27
Reported: 2024-07-02 14:30
Platform: win7-20240508-en
Max time kernel: 150s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe"

Signatures

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\system32\relog.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\psvhost.exe.lnk | C:\Users\Admin\AppData\Roaming\nik.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Smtp.exe | N/A
N/A | N/A | C:\Windows\system32\relog.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\WpnUserService = "C:\\Users\\Admin\\AppData\\Roaming\\nik.exe" | C:\Users\Admin\AppData\Roaming\nik.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1916 set thread context of 2060 | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | C:\Windows\system32\relog.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Smtp.exe | N/A (×2)
N/A | N/A | C:\Windows\system32\relog.exe | N/A (×62)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Token: 34 | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Smtp.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A (×43)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2232 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe | C:\Users\Admin\AppData\Roaming\nik.exe (×4)
PID 2232 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe | C:\Users\Admin\AppData\Roaming\Smtp.exe (×4)
PID 1916 wrote to memory of 2060 | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | C:\Windows\system32\relog.exe (×4)

Processes

C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe"

C:\Users\Admin\AppData\Roaming\nik.exe
  Command line: "C:\Users\Admin\AppData\Roaming\nik.exe"

C:\Users\Admin\AppData\Roaming\Smtp.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Smtp.exe"

C:\Windows\system32\relog.exe
  Command line: C:\Windows\system32\relog.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | auth.xn--conbase-sfb.xyz | udp (×3)
RU | 46.23.96.107:3001 | | tcp (×2)
US | 8.8.8.8:53 | exchanger.ink | udp (×3)

Files

\Users\Admin\AppData\Roaming\nik.exe

MD5: c848ac85788c3e3e23e9b20746cb978e
SHA1: 5960836d8c29b7408a60421ee6c2558e4e1eb0a4
SHA256: a00fcfe94826aff5275d6c7d5af9701dee5610f3bec64a81256ee1dac86d0225
SHA512: 5e0478133dfec564344f22706d17c52caf37120f32e8c2befa80d35cbcb4564e11f97bd96a9b3c1c143d0c5c16bfdb52307f84e6fa91a1c855f01557d532c821

\Users\Admin\AppData\Roaming\Smtp.exe

MD5: b8868b8ca49dc243910c548e69ca40f5
SHA1: 7d97525e2210ba3ff8a5ea300e4cd95c5827aa39
SHA256: 066fa46e73427f2f9e2d7d6128b2a283a1300114d25240a531bbea3f27039d6c
SHA512: 809f8d5eb0a1d67416566ad358406a44d839e8336a22c6e489a4d03d250178331091c5c17231d1065df267060d1c3fc1226a1a38cf586944c3d0225cce17c186

C:\Windows\System32\drivers\etc\hosts

MD5: ee9d791fd900430e4d594e5bde5c096a
SHA1: 25dd0ac5926d1d02bf4c9fe60d5aff6b602c9b7d
SHA256: 74c6900b084deaf2ac76ee2113cfe73509e751c588707395fa2731e9bc154ccd
SHA512: cd1c18139594002e96c7094ff731812d9afb45fb34735731fb65eaecbd7918c2379fa52b8eea551ac9c51589827619f898a9a0ac95ee1ad8c0e94b589403efeb

\Users\Admin\AppData\Local\Temp\THA219.tmp

MD5: 59513d94d77979cec1d0b34cb9a990c3
SHA1: 5e03e3eee9dab882f0f00afadc465c7121558d49
SHA256: a429e785198898dad7e54d29e6f925db8a78c77a971726014a456547ae8b57f1
SHA512: 131069c7f03f36e5ca69010552109c09ec8a080eee6b75dde57b28065ff981e9fb4ade03eb94d1f48391806633ee94db4f1106a8d2b8fc8c473eec10db7ca0ea

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-02 14:27
Reported: 2024-07-02 14:30
Platform: win10v2004-20240508-en
Max time kernel: 123s
Max time network: 151s

Command Line

C:\Windows\Explorer.EXE

Signatures

AsyncRat

Tags: rat asyncrat

StormKitty

Tags: stealer stormkitty

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (×2)

Async RAT payload

Tags: rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\system32\relog.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7A9E.tmp.Installer.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\psvhost.exe.lnk | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Adobe.exe.lnk | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Microsoft.exe.lnk | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Mozilla.exe.lnk | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Sun.exe.lnk | C:\Users\Admin\AppData\Roaming\nik.exe | N/A

Reads user/profile data of web browsers

Tags: spyware stealer

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Mozilla = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Service_Mozilla.exe" | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Sun = "C:\\Users\\Admin\\AppData\\Roaming\\Sun\\Service_Sun.exe" | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WpnUserService = "C:\\Users\\Admin\\AppData\\Roaming\\nik.exe" | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ACCC Tools = "C:\\ProgramData\\KMSAuto\\accc.exe" | C:\Users\Admin\AppData\Local\Temp\7A9E.tmp.Installer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Adobe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Service_Adobe.exe" | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Service_Microsoft.exe" | C:\Users\Admin\AppData\Roaming\nik.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Local\58b216eec3207a487158142771aa5745\Admin@SNFVGQLU_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7E0A.tmp.Server.exe | N/A
File created | C:\Users\Admin\AppData\Local\58b216eec3207a487158142771aa5745\Admin@SNFVGQLU_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7E0A.tmp.Server.exe | N/A
File created | C:\Users\Admin\AppData\Local\58b216eec3207a487158142771aa5745\Admin@SNFVGQLU_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7E0A.tmp.Server.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\58b216eec3207a487158142771aa5745\Admin@SNFVGQLU_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7E0A.tmp.Server.exe | N/A
File created | C:\Users\Admin\AppData\Local\58b216eec3207a487158142771aa5745\Admin@SNFVGQLU_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7E0A.tmp.Server.exe | N/A
File created | C:\Users\Admin\AppData\Local\58b216eec3207a487158142771aa5745\Admin@SNFVGQLU_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7E0A.tmp.Server.exe | N/A
File created | C:\Users\Admin\AppData\Local\58b216eec3207a487158142771aa5745\Admin@SNFVGQLU_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7E0A.tmp.Server.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | pastebin.com | N/A | N/A (×2)

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | icanhazip.com | N/A | N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2008 set thread context of 1008 | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | C:\Windows\system32\relog.exe

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Tags: persistence privilege_escalation

Description | Indicator | Process | Target
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A (×2)
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A (×2)
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A (×2)

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\7E0A.tmp.Server.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\7E0A.tmp.Server.exe | N/A

Delays execution with timeout.exe

Tags: evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\Explorer.EXE | N/A

Scheduled Task/Job: Scheduled Task

Tags: persistence execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\KMSAuto\accc.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Smtp.exe | N/A (×2)
N/A | N/A | C:\Windows\system32\relog.exe | N/A (×12)
N/A | N/A | C:\Windows\Explorer.EXE | N/A (×2)
N/A | N/A | C:\Windows\system32\relog.exe | N/A (×48)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A (×3)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Token: 34 | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Roaming\nik.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Smtp.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\relog.exe | N/A (×42)

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Smtp.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A (×26)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1620 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe C:\Users\Admin\AppData\Roaming\nik.exe
PID 1620 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe C:\Users\Admin\AppData\Roaming\Smtp.exe
PID 2008 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Roaming\nik.exe C:\Windows\system32\relog.exe
PID 1008 wrote to memory of 3536 N/A C:\Windows\system32\relog.exe C:\Windows\Explorer.EXE
PID 3536 wrote to memory of 1792 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\7A9E.tmp.Installer.exe
PID 3536 wrote to memory of 3376 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\7E0A.tmp.Server.exe
PID 1792 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\7A9E.tmp.Installer.exe C:\Windows\system32\schtasks.exe
PID 1792 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\7A9E.tmp.Installer.exe C:\ProgramData\KMSAuto\accc.exe
PID 1792 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\7A9E.tmp.Installer.exe C:\Windows\system32\cmd.exe
PID 4812 wrote to memory of 3728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3376 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\7E0A.tmp.Server.exe C:\Windows\SysWOW64\cmd.exe
PID 1564 wrote to memory of 1100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1564 wrote to memory of 4920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1564 wrote to memory of 1156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3376 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\7E0A.tmp.Server.exe C:\Windows\SysWOW64\cmd.exe
PID 1372 wrote to memory of 4072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1372 wrote to memory of 1428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1408 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Roaming\Smtp.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1812 wrote to memory of 3020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1812 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe

"C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe"

C:\Users\Admin\AppData\Roaming\nik.exe

"C:\Users\Admin\AppData\Roaming\nik.exe"

C:\Users\Admin\AppData\Roaming\Smtp.exe

"C:\Users\Admin\AppData\Roaming\Smtp.exe"

C:\Windows\system32\relog.exe

C:\Windows\system32\relog.exe

C:\Users\Admin\AppData\Local\Temp\7A9E.tmp.Installer.exe

"C:\Users\Admin\AppData\Local\Temp\7A9E.tmp.Installer.exe"

C:\Users\Admin\AppData\Local\Temp\7E0A.tmp.Server.exe

"C:\Users\Admin\AppData\Local\Temp\7E0A.tmp.Server.exe"

C:\Windows\system32\schtasks.exe

"schtasks.exe" /create /tn ACCC Tools /tr "C:\ProgramData\KMSAuto\accc.exe" /st 14:32 /du 23:59 /sc daily /ri 1 /f

C:\ProgramData\KMSAuto\accc.exe

"C:\ProgramData\KMSAuto\accc.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp851E.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 7

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/cm_adm

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x9c,0x108,0x7ffef35346f8,0x7ffef3534708,0x7ffef3534718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,8405954338524375847,2237912957781779645,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,8405954338524375847,2237912957781779645,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,8405954338524375847,2237912957781779645,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8405954338524375847,2237912957781779645,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8405954338524375847,2237912957781779645,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8405954338524375847,2237912957781779645,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,8405954338524375847,2237912957781779645,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3848 /prefetch:8

Network


Files
