Analysis
-
max time kernel: 24s
max time network: 146s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 02-07-2024 11:20
Behavioral task
behavioral1
Sample
d321f75b27ffdadbe36f7f1a94727487e955a74ec629fdd054dec54e4b6fc87b.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
d321f75b27ffdadbe36f7f1a94727487e955a74ec629fdd054dec54e4b6fc87b.exe
Resource
win10v2004-20240508-en
General
-
Target: d321f75b27ffdadbe36f7f1a94727487e955a74ec629fdd054dec54e4b6fc87b.exe
Size: 7.8MB
MD5: 6474262f1aa80327912862eb9f816fa9
SHA1: b2fdabb371ea4a23adae02e3aa939b13c948c03b
SHA256: d321f75b27ffdadbe36f7f1a94727487e955a74ec629fdd054dec54e4b6fc87b
SHA512: fbb8e81c8d87661899ee8b105a6065affcf7c2b53c6a9d5700b2030e1a63886aefb7d4875ebc837d91757d972767918037d50a7b5661257dd55ac9fdad388427
SSDEEP: 98304:XTCadF2VfHNZO2ZoXYS185r8YRYUbMO1RnUEJXzPtPki6g7oayYHkqibu/0eBKR3:jc0MhC85r3uO1Z3JXLtPki63Kns/CY
Malware Config
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot6082381502:AAEEe5dVvSMdEf-_fKUh7iRqcNun3Q5DzxM/sendMessage?chat_id=5795480469
AsyncMutex_6SI8OkPnk
-
delay: 3
install: false
install_folder: %AppData%
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\58CB.tmp.Server.exe | family_stormkitty
behavioral1/memory/2284-304-0x00000000010E0000-0x0000000001112000-memory.dmp | family_stormkitty
Async RAT payload 1 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\58CB.tmp.Server.exe | family_asyncrat
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | relog.exe
Drops startup file 7 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Adobe.exe.lnk | nik.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Identities.exe.lnk | nik.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Macromedia.exe.lnk | nik.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Media Center Programs.exe.lnk | nik.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Microsoft.exe.lnk | nik.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Mozilla.exe.lnk | nik.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\psvhost.exe.lnk | nik.exe
Executes dropped EXE 7 IoCs
Processes:
pid | process
2744 | nik.exe
2924 | Smtp.exe
2144 | Smtp.exe
1980 | relog.exe
884 | 538C.tmp.Installer.exe
2284 | 58CB.tmp.Server.exe
2432 | accc.exe
Loads dropped DLL 25 IoCs
Processes:
pid | process
2268 | d321f75b27ffdadbe36f7f1a94727487e955a74ec629fdd054dec54e4b6fc87b.exe (2 entries)
2144 | Smtp.exe (16 entries)
2744 | nik.exe (7 entries)
Adds Run key to start application 2 TTPs 8 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service_Identities = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\Service_Identities.exe" | nik.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service_Macromedia = "C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\Service_Macromedia.exe" | nik.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service_Media Center Programs = "C:\\Users\\Admin\\AppData\\Roaming\\Media Center Programs\\Service_Media Center Programs.exe" | nik.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service_Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Service_Microsoft.exe" | nik.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service_Mozilla = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Service_Mozilla.exe" | nik.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\WpnUserService = "C:\\Users\\Admin\\AppData\\Roaming\\nik.exe" | nik.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ACCC Tools = "C:\\ProgramData\\KMSAuto\\accc.exe" | 538C.tmp.Installer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service_Adobe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Service_Adobe.exe" | nik.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
32 | icanhazip.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 2744 set thread context of 1980 | 2744 | nik.exe | relog.exe
Detects Pyinstaller 1 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Roaming\Smtp.exe | pyinstaller
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
Processes:
pid | process
2324 | timeout.exe
Modifies system certificate store
Processes:
nik.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb320
44e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 nik.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 nik.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac87079
4f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 nik.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 nik.exe Set value (data) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 nik.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 nik.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
1980 | relog.exe (63 entries)
1064 | Explorer.EXE (1 entry)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeIncreaseQuotaPrivilege | 2744 | nik.exe
Token: SeSecurityPrivilege | 2744 | nik.exe
Token: SeTakeOwnershipPrivilege | 2744 | nik.exe
Token: SeLoadDriverPrivilege | 2744 | nik.exe
Token: SeSystemProfilePrivilege | 2744 | nik.exe
Token: SeSystemtimePrivilege | 2744 | nik.exe
Token: SeProfSingleProcessPrivilege | 2744 | nik.exe
Token: SeIncBasePriorityPrivilege | 2744 | nik.exe
Token: SeCreatePagefilePrivilege | 2744 | nik.exe
Token: SeBackupPrivilege | 2744 | nik.exe
Token: SeRestorePrivilege | 2744 | nik.exe
Token: SeShutdownPrivilege | 2744 | nik.exe
Token: SeDebugPrivilege | 2744 | nik.exe
Token: SeSystemEnvironmentPrivilege | 2744 | nik.exe
Token: SeRemoteShutdownPrivilege | 2744 | nik.exe
Token: SeUndockPrivilege | 2744 | nik.exe
Token: SeManageVolumePrivilege | 2744 | nik.exe
Token: 33 | 2744 | nik.exe
Token: 34 | 2744 | nik.exe
Token: 35 | 2744 | nik.exe
Token: SeDebugPrivilege | 1980 | relog.exe (44 entries)
Suspicious use of WriteProcessMemory 36 IoCs
Processes:
description | pid | process | target process
PID 2268 wrote to memory of 2744 | 2268 | d321f75b27ffdadbe36f7f1a94727487e955a74ec629fdd054dec54e4b6fc87b.exe | nik.exe (4 entries)
PID 2268 wrote to memory of 2924 | 2268 | d321f75b27ffdadbe36f7f1a94727487e955a74ec629fdd054dec54e4b6fc87b.exe | Smtp.exe (4 entries)
PID 2924 wrote to memory of 2144 | 2924 | Smtp.exe | Smtp.exe (3 entries)
PID 2744 wrote to memory of 1980 | 2744 | nik.exe | relog.exe (4 entries)
PID 1980 wrote to memory of 1064 | 1980 | relog.exe | Explorer.EXE (2 entries)
PID 1064 wrote to memory of 884 | 1064 | Explorer.EXE | 538C.tmp.Installer.exe (3 entries)
PID 1064 wrote to memory of 2284 | 1064 | Explorer.EXE | 58CB.tmp.Server.exe (4 entries)
PID 884 wrote to memory of 2336 | 884 | 538C.tmp.Installer.exe | schtasks.exe (3 entries)
PID 884 wrote to memory of 2432 | 884 | 538C.tmp.Installer.exe | accc.exe (3 entries)
PID 884 wrote to memory of 1728 | 884 | 538C.tmp.Installer.exe | cmd.exe (3 entries)
PID 1728 wrote to memory of 2324 | 1728 | cmd.exe | timeout.exe (3 entries)
Processes
-
C:\Windows\Explorer.EXE (depth 1)
command line: C:\Windows\Explorer.EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\d321f75b27ffdadbe36f7f1a94727487e955a74ec629fdd054dec54e4b6fc87b.exe (depth 2)
  command line: "C:\Users\Admin\AppData\Local\Temp\d321f75b27ffdadbe36f7f1a94727487e955a74ec629fdd054dec54e4b6fc87b.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  -
    C:\Users\Admin\AppData\Roaming\nik.exe (depth 3)
    command line: "C:\Users\Admin\AppData\Roaming\nik.exe"
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
      C:\Windows\system32\relog.exe (depth 4)
      command line: C:\Windows\system32\relog.exe
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    -
    C:\Users\Admin\AppData\Roaming\Smtp.exe (depth 3)
    command line: "C:\Users\Admin\AppData\Roaming\Smtp.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    -
      C:\Users\Admin\AppData\Roaming\Smtp.exe (depth 4)
      command line: "C:\Users\Admin\AppData\Roaming\Smtp.exe"
      - Executes dropped EXE
      - Loads dropped DLL
  -
  C:\Users\Admin\AppData\Local\Temp\538C.tmp.Installer.exe (depth 2)
  command line: "C:\Users\Admin\AppData\Local\Temp\538C.tmp.Installer.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\system32\schtasks.exe (depth 3)
    command line: "schtasks.exe" /create /tn ACCC Tools /tr "C:\ProgramData\KMSAuto\accc.exe" /st 11:25 /du 23:59 /sc daily /ri 1 /f
    - Scheduled Task/Job: Scheduled Task
    -
    C:\ProgramData\KMSAuto\accc.exe (depth 3)
    command line: "C:\ProgramData\KMSAuto\accc.exe"
    - Executes dropped EXE
    -
    C:\Windows\system32\cmd.exe (depth 3)
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5EB3.tmp.bat""
    - Suspicious use of WriteProcessMemory
    -
      C:\Windows\system32\timeout.exe (depth 4)
      command line: timeout 7
      - Delays execution with timeout.exe
  -
  C:\Users\Admin\AppData\Local\Temp\58CB.tmp.Server.exe (depth 2)
  command line: "C:\Users\Admin\AppData\Local\Temp\58CB.tmp.Server.exe"
  - Executes dropped EXE
  -
    C:\Windows\SysWOW64\cmd.exe (depth 3)
    command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    -
      C:\Windows\SysWOW64\chcp.com (depth 4)
      command line: chcp 65001
      -
      C:\Windows\SysWOW64\netsh.exe (depth 4)
      command line: netsh wlan show profile
      -
      C:\Windows\SysWOW64\findstr.exe (depth 4)
      command line: findstr All
    -
    C:\Windows\SysWOW64\cmd.exe (depth 3)
    command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    -
      C:\Windows\SysWOW64\chcp.com (depth 4)
      command line: chcp 65001
      -
      C:\Windows\SysWOW64\netsh.exe (depth 4)
      command line: netsh wlan show networks mode=bssid
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: d0cc9a0bc98c07593b3906ffa3d915cc
SHA1: bddf7c72bfe1255a04bc449517cba0f8d7bc70e6
SHA256: a2fa2b1034848833cd6135be07b15ed3d202155475d0d54ba1858a60c0d7bbd0
SHA512: 1e37d8416e0e1ca1623c5ca5ab26f7f4d4816c27e6eedae796c96e785cd3425bd3d98d60d571450e9345ca87da2ad3d828a0b669b142d6220b3c5cdd3688f38b
-
C:\Users\Admin\AppData\Local\Temp\538C.tmp.Installer.exe
Filesize: 616KB
MD5: bed8cdced2d57be2bd750f0f59991ecd
SHA1: 4e2a885b9387fcf040b7eb79892de2f9fe55bca4
SHA256: 5f628663f71e3baa55f10e6021597f7860bef868284eb50b8958169dcbbff4fd
SHA512: b85990a778c2462d57c3b314270bd1f397749450e75508e1012a14f21661358b98021efb791f694d9eb05f49b0776ea3ff4c803f842f858db5669968c477433f
-
C:\Users\Admin\AppData\Local\Temp\58CB.tmp.Server.exe
Filesize: 175KB
MD5: 68fad5f5f8de1c290df5d3754b4af358
SHA1: 0028395243f38a03b13726915144b9848e8da39a
SHA256: dbacc134902ee72d1464d3b61a3518402b7ab54807bb7b7541fc2916c8119e9e
SHA512: ce44611d5c47fdcb979c715352f5050c816d4e5a814b102836856ede279f774e4709ca48fb95639ca66476ca547176370da7afc5185af066832732da2c80ee01
-
C:\Users\Admin\AppData\Local\Temp\Cab20DB.tmp
Filesize: 65KB
MD5: ac05d27423a85adc1622c714f2cb6184
SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\Local\Temp\Tar2278.tmp
Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
C:\Users\Admin\AppData\Local\Temp\_MEI29242\VCRUNTIME140.dll
Filesize: 91KB
MD5: 7942be5474a095f673582997ae3054f1
SHA1: e982f6ebc74d31153ba9738741a7eec03a9fa5e8
SHA256: 8ee6b49830436ff3bec9ba89213395427b5535813930489f118721fd3d2d942c
SHA512: 49fbc9d441362b65a8d78b73d4fdcf988f22d38a35a36a233fcd54e99e95e29b804be7eabe2b174188c7860ebb34f701e13ed216f954886a285bed7127619039
-
C:\Users\Admin\AppData\Local\Temp\_MEI29242\_bz2.pyd
Filesize: 85KB
MD5: 712a8dba2916f0261a1290a8e3d85ebf
SHA1: 27dbfa5de547c30c457855594272545dafaeb39d
SHA256: d6e5763cecd267be0ff5355ff53e93428f3dd7ab20458fb1e7432dffa060cf82
SHA512: 662664189f3a426a2042c998a5396fcb660f1ec123fe8089ec740ae414e0da9173d2e1abb6a231b3271bba9c4cb2a3a0a6ea45c475531bb986a4d085e74de1d9
-
C:\Users\Admin\AppData\Local\Temp\_MEI29242\_ctypes.pyd
Filesize: 123KB
MD5: 4786508ffadc542bd677f45af820fdb9
SHA1: fc0f7dae6e0d093594e4ff1c293ce004dbd16fd7
SHA256: 64f5072cd9536418ec0fd4b5c30c13b03cdddced1f9332d4d721c4b37ae3883e
SHA512: ad4b0e6883c2f0c003c46b1b85f5fbc2c1f8366a212695b9e47664c8735a30d4c8a3c645b324d3d059582096a1fe78ac1043ba8a639ced0665ef8c5cc33d0b80
-
C:\Users\Admin\AppData\Local\Temp\_MEI29242\_lzma.pyd
Filesize: 159KB
MD5: fea0e77f594207b8af1d240a16c6650e
SHA1: dd48f108074eade8c0f84916d619bce4a97c07bb
SHA256: d7acc95049c07298af56a316419e6548f3e6b56fb22dfb3382607a803dddb5e0
SHA512: 3b06abcf29bd93232afd6ae0b8fbded6cc75c5a5cdbd5b410d16e6f19e034d4f903252eda243f670173cc05e78e36e767553e065648ce7c3af330d10922d51ff
-
C:\Users\Admin\AppData\Local\Temp\_MEI29242\_queue.pyd
Filesize: 28KB
MD5: 04849a636d85ad8bc535643580466b50
SHA1: 17baef1ae4a1e33ed44e55c6b8de554b4814af0c
SHA256: 80a803b8f9e2f1034cdbf47ba13efafaf2167a7ff9e5d97259506489e4ee58bd
SHA512: 9a282680f9aaa5770cad88ee21ff1370a3a5209107d2965c2e6fed5d4fd40195e456c212ce4c27b89b29c68f30b666c803c9ef628e40ce8628c8664bbb8931f3
-
C:\Users\Admin\AppData\Local\Temp\_MEI29242\_ssl.pyd
Filesize: 151KB
MD5: d1430e77cec5e84073700c3a65e3b8eb
SHA1: 32009a7ea5e3097f38a33e3c5d73a9588f78e4a9
SHA256: 174ec95c793fc33a97c57709b5117ca17700b90e7c71d72c9ec4bc7757b747a9
SHA512: 1b49ce51e17b28eacc22e060b028697c93ee52a0a671ef615c6386c19e78a9ff67b84920fa5d8443970b53858a29c99dfcc395c0d6bc110ef125ec1c9da648f7
-
C:\Users\Admin\AppData\Local\Temp\_MEI29242\base_library.zip
Filesize: 760KB
MD5: 877f89f4a141da5810ae8df658dae577
SHA1: df17d4bf2fa8bc3ce9a85f635ee8cfe640cdd3d2
SHA256: f009edc33aea2ee2dc1e9ed32e27ddda6204c45c87a6f722b883c76eb394555f
SHA512: 988a3daf5df93fe509886c4af86039493667ba83957d41a48615101d3bbcd8b2c319ae59e59cc83a6765f33558e396294f8e9e349f8c21131c0f10a2bad6f212
-
C:\Users\Admin\AppData\Local\Temp\_MEI29242\certifi\cacert.pem
Filesize: 275KB
MD5: 78d9dd608305a97773574d1c0fb10b61
SHA1: 9e177f31a3622ad71c3d403422c9a980e563fe32
SHA256: 794d039ffdf277c047e26f2c7d58f81a5865d8a0eb7024a0fac1164fea4d27cf
SHA512: 0c2d08747712ed227b4992f6f8f3cc21168627a79e81c6e860ee2b5f711af7f4387d3b71b390aa70a13661fc82806cc77af8ab1e8a8df82ad15e29e05fa911bf
-
C:\Users\Admin\AppData\Local\Temp\_MEI29242\charset_normalizer\md.cp38-win_amd64.pyd
Filesize: 10KB
MD5: 38105df780eddd734027328e0dca0ca3
SHA1: 45f1d9e3472478f8e1ba86675f5c81c00b183bea
SHA256: 9512896233d2119e78e2e1fcfd83643b2be2b427f08d16fc568fe98b9d4913cb
SHA512: ba2a05c236ce47d87888f618be2b23532d0d882578707b07ae220a96883b468f7088a19ebbe3bac2adf4035da6b7ee6fa9e57b620e2bc67b28e54cd969d6bbb3
-
C:\Users\Admin\AppData\Local\Temp\_MEI29242\charset_normalizer\md__mypyc.cp38-win_amd64.pyd
Filesize: 116KB
MD5: 073f09e1edf5ec4173ce2de1121b9dd1
SHA1: 6cdb2559a1b706446cdd993e6fd680095e119b2e
SHA256: 7412969bfe1bca38bbb25bab02b54506a05015a4944b54953fcfdb179ec3f13c
SHA512: 70a1a766001ec78a5fce7eadf6cae07f11b3ca6b08115e130c77d024524879577ccab263c596102102b1569933c601592fbb5ee07c7db123bb850965ef8e8e96
-
C:\Users\Admin\AppData\Local\Temp\_MEI29242\libcrypto-1_1.dll
Filesize: 3.2MB
MD5: aa811bb63dbd4c5859b68332326f60b1
SHA1: 6e5584d5c59d2f79cbf60c6c71a92ecd7e4e0977
SHA256: 00a1eeb37372d11559bf44c9e68af9c841c41c95a173f3dfec4e0b5923d0cae0
SHA512: dad9b14f501fd63824480f8801acd4004dd46f7a6965ac8ab91e573676236a11099f4b7cfdf7b3f6c0cc52a3b2e5d9b50f715f53a1f4f858ea2a5eb15d5092cd
-
C:\Users\Admin\AppData\Local\Temp\_MEI29242\python38.dll
Filesize: 4.0MB
MD5: eec355a6e9586f823a4f12bed11e6c80
SHA1: 33627398cb32f4fbb162f38f7c277ad5b13a99ba
SHA256: 560a6a5f8b7afa99600cc47da26a802c342d7f50ffe23850372f2fcf536cd26f
SHA512: 7b4b3c13383de62a17aa1aafabce657ea5f4aadd716430fcd6e0f3125b773ae1589b3eaa050ccd87b37f6fae2391c5e7a8a229c0b0fa135de8d0269e9752bea0
-
C:\Users\Admin\AppData\Local\Temp\_MEI29242\unicodedata.pyd
Filesize: 1.0MB
MD5: c5334880576bbc751b20f6bd4baba992
SHA1: ebd8b76221d4dad9931aabcbb0434752280a99d1
SHA256: e5ebcc99f94766951bb75731afe07b7c4481e7ff3d252f21d39ddea7c8da4147
SHA512: 08c964acd3064edf0210d6f12fe55896030756537b7e272c8e0f9b5e5606a6ed91094febabe3eadef51426bd6e4b06039cd9aa41a7756671edcac84684dfabb4
-
C:\Users\Admin\AppData\Local\Temp\tmp5EB3.tmp.bat
Filesize: 170B
MD5: 5b8a7519058c78b87741b5d7d0799c93
SHA1: cd5cd2c3841b4849c4e286db95108236c2408f55
SHA256: e6f0862919925061c440ca1a80bce84217a9942cc001192049a3458a54739fb2
SHA512: 127728a32c4879be024c88625cb87b8805e20fd63ddf799bf104fbb4f248786728919534f4cd641da12034feda07f63218ffd44f0a9cd073a3f14565bd76f419
-
C:\Users\Admin\AppData\Local\bbe4d32d3a8785275f217713963c932e\msgid.dat
Filesize: 1B
MD5: cfcd208495d565ef66e7dff9f98764da
SHA1: b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256: 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512: 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
C:\Windows\System32\drivers\etc\hosts
Filesize: 1KB
MD5: ee9d791fd900430e4d594e5bde5c096a
SHA1: 25dd0ac5926d1d02bf4c9fe60d5aff6b602c9b7d
SHA256: 74c6900b084deaf2ac76ee2113cfe73509e751c588707395fa2731e9bc154ccd
SHA512: cd1c18139594002e96c7094ff731812d9afb45fb34735731fb65eaecbd7918c2379fa52b8eea551ac9c51589827619f898a9a0ac95ee1ad8c0e94b589403efeb
-
\Users\Admin\AppData\Local\Temp\TH2BD4.tmp
Filesize: 232KB
MD5: 59513d94d77979cec1d0b34cb9a990c3
SHA1: 5e03e3eee9dab882f0f00afadc465c7121558d49
SHA256: a429e785198898dad7e54d29e6f925db8a78c77a971726014a456547ae8b57f1
SHA512: 131069c7f03f36e5ca69010552109c09ec8a080eee6b75dde57b28065ff981e9fb4ade03eb94d1f48391806633ee94db4f1106a8d2b8fc8c473eec10db7ca0ea
-
\Users\Admin\AppData\Local\Temp\_MEI29242\_hashlib.pyd
Filesize: 46KB
MD5: ef3b935e7d9e1685b84636f908732b06
SHA1: 968bca85a6f61fa24d53fc6aa77a3f48d2b08dd6
SHA256: 46d3016b73ecf3713228df563971feefcbebcea9925349a0807b48f0e09877ce
SHA512: 34c1779b8b7cd8449afaaeabb37a9bbb895c199d06557ea301361972ce4722f3db98e2e099eb2ce52486ab60567ac8041a4b3b3e8e917256bdd9954cbb9b05b3
-
\Users\Admin\AppData\Local\Temp\_MEI29242\_socket.pyd
Filesize: 77KB
MD5: bc7b1b0112427976b83911e607213c37
SHA1: f4c7eb5b46ebe015a13de59f17ca158c01a377f4
SHA256: 85f200cb9adf0ef97d40b897868f6ad564211d3529f0b6dfe8e04c56a7b832bc
SHA512: 18bc94c917ee894121241dcf65fab370a344caaf1120162fcb0966503c502b3e990a79553d2e4e1e3403e35d2b5e00cb365254c08f99c93c178e2e1fd7b2a040
-
\Users\Admin\AppData\Local\Temp\_MEI29242\libffi-7.dll
Filesize: 32KB
MD5: eef7981412be8ea459064d3090f4b3aa
SHA1: c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256: f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512: dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016
-
\Users\Admin\AppData\Local\Temp\_MEI29242\libssl-1_1.dll
Filesize: 673KB
MD5: 2335285f5ac87173bd304efeddfa1d85
SHA1: 64558d2150120abed3514db56299721c42c6fe58
SHA256: 1b57a201184559164dedbddcb43bb110a18cafa19ea3d00fc23274ccfc420e94
SHA512: 82737590d5ec7315ce8485c4794c01bfcce176ce443740a9f0cf5adfc3c3ed31a714556d33c1ca56db486636111d1ad855f606c87e5f322a505c535187ce2bde
-
\Users\Admin\AppData\Local\Temp\_MEI29242\select.pyd
Filesize: 27KB
MD5: bb6e9825bd4a98e0700d96b59ec64f68
SHA1: afd51547dad9cd7fac0efbda76b5e2388a027681
SHA256: bb81d220db83d5276fccda137d430160b8eafd40f4d92d86ebc718b4dfd555ac
SHA512: 2380a0a2bd625ff79b04bb9d4f6611150512d72f719a3cc73806ea979c29b01fc3d947fb2998e308796a32061e0f2d34d158876924c71350c759e2a841abf964
-
\Users\Admin\AppData\Roaming\Smtp.exe
Filesize: 7.2MB
MD5: 4e8ec4867bf90e7c6082f2a918ef7631
SHA1: 65b03b83a107fc8ced5cccc56de11c59862c0e45
SHA256: 0da1fddf259afe14e217714543d15545803a5e60519921288035c45161936e9d
SHA512: 091f709047cd6778281f60b6127eee1f01e782639a17ae090b14716ef405da8b2815f874796a1d5fdd9934343b83b82e996c51e8b7443c3552374a326617813b
-
\Users\Admin\AppData\Roaming\nik.exe
Filesize: 232KB
MD5: c848ac85788c3e3e23e9b20746cb978e
SHA1: 5960836d8c29b7408a60421ee6c2558e4e1eb0a4
SHA256: a00fcfe94826aff5275d6c7d5af9701dee5610f3bec64a81256ee1dac86d0225
SHA512: 5e0478133dfec564344f22706d17c52caf37120f32e8c2befa80d35cbcb4564e11f97bd96a9b3c1c143d0c5c16bfdb52307f84e6fa91a1c855f01557d532c821
-
memory/884-297-0x00000000008D0000-0x0000000000970000-memory.dmp
Filesize: 640KB
-
memory/1064-267-0x0000000002EB0000-0x0000000002EF3000-memory.dmp
Filesize: 268KB
-
memory/1064-271-0x0000000004650000-0x00000000046A1000-memory.dmp
Filesize: 324KB
-
memory/1064-272-0x0000000002F60000-0x0000000002F76000-memory.dmp
Filesize: 88KB
-
memory/1064-274-0x0000000002F60000-0x0000000002F76000-memory.dmp
Filesize: 88KB
-
memory/1064-269-0x0000000002EB0000-0x0000000002EF3000-memory.dmp
Filesize: 268KB
-
memory/1980-225-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp
Filesize: 4KB
-
memory/2284-304-0x00000000010E0000-0x0000000001112000-memory.dmp
Filesize: 200KB
-
memory/2432-317-0x00000000000A0000-0x0000000000140000-memory.dmp
Filesize: 640KB