Malware Analysis Report

2024-11-16 13:39

Sample ID 240531-d7vt2adh4t
Target Output.exe
SHA256 3334e3754179b8a49c17d76a4b89365384a2988980a01cc372553680a2425304
Tags
xworm bootkit discovery execution persistence rat spyware stealer trojan
Score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score
10/10

SHA256

3334e3754179b8a49c17d76a4b89365384a2988980a01cc372553680a2425304

Threat Level: Known bad

The file Output.exe was found to be: Known bad.

Malicious Activity Summary

xworm bootkit discovery execution persistence rat spyware stealer trojan

Detect Xworm Payload

Xworm

Sets service image path in registry

Command and Scripting Interpreter: PowerShell

Drops file in Drivers directory

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Drops startup file

Reads user/profile data of web browsers

Enumerates connected drives

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Checks for any installed AV software in registry

Checks installed software on the system

Looks up external IP address via web service

Checks for VirtualBox DLLs, possible anti-VM trick

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

Uses Volume Shadow Copy WMI provider

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Modifies registry key

Runs ping.exe

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-31 03:39

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 03:39

Reported

2024-05-31 03:50

Platform

win10v2004-20240508-en

Max time kernel

602s

Max time network

606s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Output.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\System32\Drivers\87df702d.sys | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
File created | C:\Windows\System32\Drivers\klupd_87df702da_arkmon.sys | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A

Sets service image path in registry

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_87df702da_arkmon\ImagePath = "System32\\Drivers\\klupd_87df702da_arkmon.sys" | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_87df702da_klbg\ImagePath = "System32\\Drivers\\klupd_87df702da_klbg.sys" | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_87df702da_klark\ImagePath = "System32\\Drivers\\klupd_87df702da_klark.sys" | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_87df702da_mark\ImagePath = "System32\\Drivers\\klupd_87df702da_mark.sys" | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_87df702da_arkmon_FD710C43\ImagePath = "\\??\\C:\\KVRT2020_Data\\Temp\\FD710C439F89CA6B7D8CAF3EE6F307D0\\klupd_87df702da_arkmon.sys" | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\87df702d\ImagePath = "System32\\Drivers\\87df702d.sys" | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Output.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KVRT.lnk | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KVRT.lnk | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KVRT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KVRT.exe" | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\9c90243f-c43c-435a-8bb8-af3a0f3e9573 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{04320283-d027-42ae-aacb-bc3469a70089}\\9c90243f-c43c-435a-8bb8-af3a0f3e9573.cmd\"" | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A

Checks for any installed AV software in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\KasperskyLab | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence

Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description | Indicator | Process | Target
File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Roaming\KVRT.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "197" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\reg.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\KVRT.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeCreatePermanentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeMachineAccountPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeCreateTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeMachineAccountPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeCreateTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeMachineAccountPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeCreateTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\KVRT.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\KVRT.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\KVRT.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SYSTEM32\shutdown.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SYSTEM32\shutdown.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3300 wrote to memory of 2076 | N/A | C:\Users\Admin\AppData\Local\Temp\Output.exe | C:\Users\Admin\AppData\Roaming\XClient.exe
PID 3300 wrote to memory of 2076 | N/A | C:\Users\Admin\AppData\Local\Temp\Output.exe | C:\Users\Admin\AppData\Roaming\XClient.exe
PID 3300 wrote to memory of 4796 | N/A | C:\Users\Admin\AppData\Local\Temp\Output.exe | C:\Users\Admin\AppData\Roaming\KVRT.exe
PID 3300 wrote to memory of 4796 | N/A | C:\Users\Admin\AppData\Local\Temp\Output.exe | C:\Users\Admin\AppData\Roaming\KVRT.exe
PID 3300 wrote to memory of 4796 | N/A | C:\Users\Admin\AppData\Local\Temp\Output.exe | C:\Users\Admin\AppData\Roaming\KVRT.exe
PID 2076 wrote to memory of 1220 | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2076 wrote to memory of 1220 | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4796 wrote to memory of 4952 | N/A | C:\Users\Admin\AppData\Roaming\KVRT.exe | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe
PID 4796 wrote to memory of 4952 | N/A | C:\Users\Admin\AppData\Roaming\KVRT.exe | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe
PID 4796 wrote to memory of 4952 | N/A | C:\Users\Admin\AppData\Roaming\KVRT.exe | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe
PID 2076 wrote to memory of 4052 | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2076 wrote to memory of 4052 | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2076 wrote to memory of 4836 | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2076 wrote to memory of 4836 | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2076 wrote to memory of 4468 | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2076 wrote to memory of 4468 | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2076 wrote to memory of 224 | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | C:\Windows\System32\schtasks.exe
PID 2076 wrote to memory of 224 | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | C:\Windows\System32\schtasks.exe
PID 4952 wrote to memory of 4536 | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | C:\Windows\system32\cmd.exe
PID 4952 wrote to memory of 4536 | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | C:\Windows\system32\cmd.exe
PID 4536 wrote to memory of 4636 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 4536 wrote to memory of 4636 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 4536 wrote to memory of 2484 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 4536 wrote to memory of 2484 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2076 wrote to memory of 5100 | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | C:\Windows\SYSTEM32\shutdown.exe
PID 2076 wrote to memory of 5100 | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | C:\Windows\SYSTEM32\shutdown.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Output.exe

"C:\Users\Admin\AppData\Local\Temp\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\KVRT.exe

"C:\Users\Admin\AppData\Roaming\KVRT.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'

C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe

C:/Users/Admin/AppData/Local/Temp/{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}/\227651fc.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\KVRT.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'KVRT.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "KVRT" /tr "C:\Users\Admin\AppData\Local\Temp\KVRT.exe"

C:\Users\Admin\AppData\Local\Temp\KVRT.exe

C:\Users\Admin\AppData\Local\Temp\KVRT.exe

C:\Users\Admin\AppData\Local\Temp\KVRT.exe

C:\Users\Admin\AppData\Local\Temp\KVRT.exe

C:\Users\Admin\AppData\Local\Temp\KVRT.exe

C:\Users\Admin\AppData\Local\Temp\KVRT.exe

C:\Users\Admin\AppData\Local\Temp\KVRT.exe

C:\Users\Admin\AppData\Local\Temp\KVRT.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{04320283-d027-42ae-aacb-bc3469a70089}\9c90243f-c43c-435a-8bb8-af3a0f3e9573.cmd" "

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 1

C:\Windows\system32\reg.exe

reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 9c90243f-c43c-435a-8bb8-af3a0f3e9573 /f

C:\Windows\SYSTEM32\shutdown.exe

shutdown.exe /f /s /t 0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa393b855 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 us3.localto.net udp
US 130.51.20.126:40971 us3.localto.net tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 203.197.79.204.in-addr.arpa udp
N/A 127.0.0.1:40971 tcp
US 8.8.8.8:53 Name1442-40971.portmap.host udp
DE 193.161.193.99:40971 Name1442-40971.portmap.host tcp
US 8.8.8.8:53 99.193.161.193.in-addr.arpa udp
US 8.8.8.8:53 touch.kaspersky.com udp
US 8.8.8.8:53 touch.kaspersky.com udp
US 8.8.8.8:53 touch.kaspersky.com udp
DE 130.117.190.203:80 touch.kaspersky.com tcp
US 8.8.8.8:53 ds.kaspersky.com udp
US 8.8.8.8:53 click.kaspersky.com udp
CH 82.202.185.148:443 ds.kaspersky.com tcp
US 8.8.8.8:53 click.kaspersky.com udp
US 8.8.8.8:53 click.kaspersky.com udp
DE 80.239.169.154:80 click.kaspersky.com tcp
US 8.8.8.8:53 crl.kaspersky.com udp
NL 80.239.174.35:80 crl.kaspersky.com tcp
US 8.8.8.8:53 203.190.117.130.in-addr.arpa udp
US 8.8.8.8:53 148.185.202.82.in-addr.arpa udp
US 8.8.8.8:53 154.169.239.80.in-addr.arpa udp
US 8.8.8.8:53 dc1-file.ksn.kaspersky-labs.com udp
US 8.8.8.8:53 dc1-file.ksn.kaspersky-labs.com udp
US 8.8.8.8:53 dc1-file.ksn.kaspersky-labs.com udp
DE 130.117.190.148:443 dc1-file.ksn.kaspersky-labs.com tcp
N/A 127.0.0.1:49922 tcp
N/A 127.0.0.1:49924 tcp
N/A 127.0.0.1:49937 tcp
US 8.8.8.8:53 35.174.239.80.in-addr.arpa udp
US 8.8.8.8:53 148.190.117.130.in-addr.arpa udp
DE 195.122.169.39:443 click.kaspersky.com tcp
US 8.8.8.8:53 devbuilds.s.kaspersky-labs.com udp
FR 212.73.221.196:443 devbuilds.s.kaspersky-labs.com tcp
US 8.8.8.8:53 39.169.122.195.in-addr.arpa udp
US 8.8.8.8:53 196.221.73.212.in-addr.arpa udp
N/A 127.0.0.1:50162 tcp
N/A 127.0.0.1:50176 tcp
N/A 127.0.0.1:50179 tcp
US 8.8.8.8:53 dc1-st.ksn.kaspersky-labs.com udp
N/A 127.0.0.1:50184 tcp
DE 130.117.190.213:443 dc1-st.ksn.kaspersky-labs.com tcp
US 8.8.8.8:53 213.190.117.130.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 dc1.ksn.kaspersky-labs.com udp
DE 195.27.253.11:443 dc1.ksn.kaspersky-labs.com tcp
US 8.8.8.8:53 11.253.27.195.in-addr.arpa udp
N/A 127.0.0.1:50197 tcp
DE 130.117.190.148:443 dc1.ksn.kaspersky-labs.com tcp
N/A 127.0.0.1:50227 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 dc1-pp.ksn.kaspersky-labs.com udp
CH 82.202.185.151:443 dc1-pp.ksn.kaspersky-labs.com tcp
N/A 127.0.0.1:50238 tcp
US 8.8.8.8:53 151.185.202.82.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 www.microsoft.com udp
BE 23.55.97.181:80 www.microsoft.com tcp
US 8.8.8.8:53 181.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp
DE 193.161.193.99:40971 Name1442-40971.portmap.host tcp
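
Added example, not part of the sandbox report: a Python triage of the Network table above. The rows are copied from the table; the host lists are the editor's assumptions. The only TCP sessions on a non-standard port go to us3.localto.net and Name1442-40971.portmap.host on port 40971, both port-forwarding services, and they are preceded by a lookup on ip-api.com. The kaspersky.com and kaspersky-labs.com traffic is consistent with the KVRT component (KvrtGui.dll, klupd_*.sys) that Output.exe drops, so it should not be used as an indicator for the RAT. The table also records a loopback connection to 127.0.0.1 on the same port 40971.

```python
"""Split the Network table of this report into C2 candidates and noise.

Added example by the editor, not part of the sandbox report. The rows are
copied from the behavioral1 Network table; the host-suffix lists encode the
editor's assumptions: localto.net and portmap.host are consumer port
forwarding services, ip-api.com is an external-IP lookup, and the
kaspersky / microsoft / bing hosts belong to the bundled KVRT component
and to Windows rather than to the RAT.
"""
import ipaddress
from dataclasses import dataclass

# Constructed input: rows copied from the Network table (country destination domain proto).
SAMPLE_ROWS = """\
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 us3.localto.net udp
US 130.51.20.126:40971 us3.localto.net tcp
N/A 127.0.0.1:40971 tcp
US 8.8.8.8:53 Name1442-40971.portmap.host udp
DE 193.161.193.99:40971 Name1442-40971.portmap.host tcp
DE 130.117.190.203:80 touch.kaspersky.com tcp
CH 82.202.185.148:443 ds.kaspersky.com tcp
DE 130.117.190.148:443 dc1-file.ksn.kaspersky-labs.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
BE 23.55.97.181:80 www.microsoft.com tcp
DE 193.161.193.99:40971 Name1442-40971.portmap.host tcp
"""

PORT_FORWARDERS = ("localto.net", "portmap.host")   # assumption: tunnelling services fronting the C2
IP_LOOKUP = ("ip-api.com",)                           # assumption: external IP discovery
VENDOR_OR_OS = ("kaspersky.com", "kaspersky-labs.com", "microsoft.com", "bing.net")  # assumption


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: str
    proto: str


def parse_rows(text: str) -> list:
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        country, dest, proto = parts[0], parts[1], parts[-1]
        domain = parts[2] if len(parts) == 4 else ""   # loopback rows carry no name
        ip, _, port = dest.rpartition(":")
        ipaddress.ip_address(ip)                        # reject malformed rows early
        flows.append(Flow(country, ip, int(port), domain, proto.lower()))
    return flows


def host_matches(domain: str, suffixes) -> bool:
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in suffixes)


def classify(flow: Flow) -> str:
    if flow.proto == "udp" and flow.port == 53:
        return "dns_ptr" if flow.domain.lower().endswith(".in-addr.arpa") else "dns"
    if ipaddress.ip_address(flow.ip).is_loopback:
        return "loopback"
    if host_matches(flow.domain, PORT_FORWARDERS):
        return "c2_port_forwarder"
    if host_matches(flow.domain, IP_LOOKUP):
        return "external_ip_lookup"
    if host_matches(flow.domain, VENDOR_OR_OS):
        return "vendor_or_os"
    if flow.port not in (80, 443):
        return "nonstandard_port"
    return "other"


def triage(text: str) -> dict:
    buckets = {}
    for flow in parse_rows(text):
        buckets.setdefault(classify(flow), set()).add(f"{flow.domain or flow.ip}:{flow.port}")
    return {bucket: sorted(hosts) for bucket, hosts in buckets.items()}


def c2_candidates(text: str) -> list:
    """Unique (domain, ip, port) triples that reached a port-forwarding service over TCP."""
    seen = set()
    for flow in parse_rows(text):
        if flow.proto == "tcp" and classify(flow) == "c2_port_forwarder":
            seen.add((flow.domain, flow.ip, flow.port))
    return sorted(seen)


if __name__ == "__main__":
    for bucket, hosts in sorted(triage(SAMPLE_ROWS).items()):
        print(f"{bucket:20} {', '.join(hosts)}")
```

The reverse lookups (in-addr.arpa) are sandbox noise and land in their own bucket; the port-forwarding hostnames are the indicators to block, together with the resolved IP and port, since the operator can rotate the tunnel name without touching the implant.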

Files

memory/3300-0-0x00007FF84DA23000-0x00007FF84DA25000-memory.dmp

memory/3300-1-0x00000000002B0000-0x00000000012B0000-memory.dmp

C:\Users\Admin\AppData\Roaming\XClient.exe

MD5 895d9cd4167756a8cfb44977286f84ec
SHA1 e26ce2bec5d62b7914c43545c59d097260cc7673
SHA256 f3090015a11a8d27705cb5b1a89834a7f96c64ca15313138a68089a2705092df
SHA512 a913d27b5df4b1df88541f142ead5c9a533218452f1c1509e540f878e645e616b62b5246c64065940f5c28330433d699f8a5ad1cf2b6667234ae5508ad27f58e

memory/2076-13-0x0000000000200000-0x000000000021C000-memory.dmp

memory/2076-14-0x00007FF84DA20000-0x00007FF84E4E1000-memory.dmp

memory/2076-53-0x00007FF84DA20000-0x00007FF84E4E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_edmwsbgx.hg5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1220-114-0x0000022E6B730000-0x0000022E6B752000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe

MD5 37226eb4f1c7a0b79275c1401f83cc6d
SHA1 71ed962d1e0d212869d92c23d6e20a4e1e7ad430
SHA256 be00dba953a6f26990e020bdc4e3f13e5799a3ff60384768ee6c1af37c656a4d
SHA512 afea618c795406a49d159e1359e76168dc6b6dee07234666d21ee21bb5011fe9af57a3425e76126f2595e3d180cf2121db5d02258d7aca77b3c4d8621a8aa15d

C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\dbghelp.dll

MD5 4003e34416ebd25e4c115d49dc15e1a7
SHA1 faf95ec65cde5bd833ce610bb8523363310ec4ad
SHA256 c06430b8cb025be506be50a756488e1bcc3827c4f45158d93e4e3eeb98ce1e4f
SHA512 88f5d417377cd62bde417640a79b6ac493e80f0c8b1f63a99378a2a67695ef8e4a541cedb91acfa296ed608e821fee466983806f0d082ed2e74b0cd93eb4fb84

C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\dumpwriter.dll

MD5 f56387639f201429fb31796b03251a92
SHA1 23df943598a5e92615c42fc82e66387a73b960ff
SHA256 e7eefcf569d98a5fb14a459d949756dc00faf32ed6bda1233d9d2c79ca11531c
SHA512 7bfce579b601408262c0edd342cb2cb1ef1353b6b73dce5aad540eb77f56d1184f71c56ea859bc4373aac4875b8861e2cc5d9c49518e6c40d0b2350a7ab26c0e

C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\KvrtGui.dll

MD5 38717f028f7df6e29996dabe26375956
SHA1 328c0ed49e079999ad0cc7c1315375b77531c8c9
SHA256 9db65ebeaf888b6cc99c06d0f063e48932feb27f25b5350d9d870e9ce40d1e10
SHA512 4c6de66d71527c1c0e8d666e85dde671ca6b2705e5e4584487be265f25c6369f5512c0601d251192c56ad44bec538161bded7fcfcd3a578cddf76d7617af237d

C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\Qt5Core.dll

MD5 02b21d6184ec835fba23088e7c7368e4
SHA1 2386e5cd242ad6abfadecc2d8ba416125f0bde56
SHA256 5967b2240167500cfbb602408833776fb9be95ee404ad2bbdbdde18c752aaefe
SHA512 e8b15e68c61f1a0f78fa4f4821a636e07ab3a87699fc45ace096d080d7bda62534af7acf93b9a32d730b0403b52dc1eac8df9175ae02d5f6f829c7849e340eb9

C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\Qt5Gui.dll

MD5 8fd0c7b86b4988b234614944edb565a7
SHA1 120015375d66f6e3f1c889cbada3efc4f8ff7f5b
SHA256 449a105683a27ebce39f2a7a0fb413cbe2eb2df8c2c8f51870a40e9eb9708a7a
SHA512 3e92401ee9ed0dd51fe95f963378caa73fe07bae0186406b9689519d6b75926b5027339ea52c8643c92c21b621ddc05056a1338f0114a6902c2897406cf371f7

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 a43e653ffb5ab07940f4bdd9cc8fade4
SHA1 af43d04e3427f111b22dc891c5c7ee8a10ac4123
SHA256 c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe
SHA512 62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 76692775e4781f0c9f0092f5804cfdb1
SHA1 6740e4e4110028c62282ee1e7eb8be576a2bc23a
SHA256 0c451ff3823450d544066237cbfb08556b7ca36c4a0ea085055f69ab35795b00
SHA512 6e0731e3736594d9e86da2fc33e08a663f29100074cc8d46e2716123c946b9eb150c804c7cf8428cac631e1cff984663d41ce3b5e1e77965bd8e2ecf0742af34

C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\Qt5Widgets.dll

MD5 8751f0205fc7a87b46afae8ceda42d90
SHA1 d7e41a64c09f580d9e63ff5ffc8ac37d1f7da4c1
SHA256 7273600d11889adba9287e6d5a3b684a9d902d1b4db8cedec21562fa00c436cd
SHA512 18466c4c4b6dd07445862d8e6a84825b8b0edeaa95dc8fe58741527d5dd20cbfc7672825108acec69bae506b41fb01fc6413401759db3d8265503fea88ed9bba

C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\plugins\platforms\qwindows.dll

MD5 869b64be13907d16f8108d4e46eb1ae4
SHA1 abf528676719f69a4d2f85147dc683d1c9bb606a
SHA256 93debc8c092905993932b16f165e0b959639920d0af6156a64b9c947784fbe73
SHA512 cbd294354d5f84103b7c2f31cca6ee7f390c7852266478fb790cdd2448b1a563ddc6fcf7e351b4b28c3f5e23a52a442064ed75409f076752d0d94f133c9d7e96

C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\vcruntime140.dll

MD5 a37ee36b536409056a86f50e67777dd7
SHA1 1cafa159292aa736fc595fc04e16325b27cd6750
SHA256 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
SHA512 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\plugins\imageformats\qwebp.dll

MD5 a23c6a3494e296a521a08dd2d676eb3c
SHA1 260ccb3b2f454bda853d003e3b71fb0789858873
SHA256 e58be278a435f44bf10e13d81fba5349d0f5ea224701c91f992276bcea173856
SHA512 a99eea4b72d20e34c37e0c7971f6e467b2421ff99f059c46f76d961093eea27d031edbd907ed2a99bc9ddaea9ec5b0980871b4a018284c3c324e59c00491b11f

C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\plugins\imageformats\qwbmp.dll

MD5 43bc7f0b0b91676368db78d61e83edd3
SHA1 628228c8c477f2e6e8d6f2f9dd8cc72b894d5fe6
SHA256 fe95bdae47201a7788c2cb18042c7eafa0041fb6ce6b2ea7e7d5ffd656086583
SHA512 11e847fe59e28bdbf7448846b88578f5b0a1d6b1d7c11a80271d833ad540991d83cc1b89c2b5bfaf9b5dfa68dae538233575fac3b6f1cd5f09398b400b421872

C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\plugins\imageformats\qtiff.dll

MD5 058a1449a4656fe891bc589ea61434b1
SHA1 8803afd1bb77e4804925610e6a94361a1e26c4d5
SHA256 fc271f33b879c7966564d04f698b7fd77d806e61107574d1240502e7c7666f26
SHA512 91f43f8062095044ba41fea9fd4df490711f131437ee90a0354a629a7677c9c7fce84b1c1165e07a2b8c4e58beb1d66d953c1034923c986a2288553221761ca9

C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\plugins\imageformats\qtga.dll

MD5 82a65b1ce5a7041da64290b66a6a1c8c
SHA1 577e7174b02182ada17328cbac3ac1d3605fc023
SHA256 6da0850ed1f6d93e1d99cecc31153e8993b7b20d68308c248c71e9af4c061336
SHA512 bbc0fd32e8bdcac4d7f5fac77d9a4386be671b9d6c18d14ac6807e521a0f5192af91e106e0a3258653afbba625c09f79542f1fd7a1eaf97d9b5b98cbd2bb1084

C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\plugins\imageformats\qjpeg.dll

MD5 03e1249b16b47fd240283f44636f6087
SHA1 e0a02adeee91ff330891ed93428956f1fb90ef44
SHA256 f1b0528f0b43b798b78580363f19bb75e68347755ef84bbf313cbb1c9fa649b2
SHA512 287a13ebcddb151cd37ec60b47c6f674730d1886ee53d4a864e62d23aca084d9b3a4e0b8eefc07b8e1aee2e40a6b7327602aa547f1afc63dc4b254abe14749f1

C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\plugins\imageformats\qico.dll

MD5 f463183ff33be64d8a61fc5d61b16064
SHA1 5a2d6a62d293e8335d787c1e4681cca7e953b20a
SHA256 e4773864ec821c90ff7b2b6a081c4abd7b9fb10829b7e067521b0b18d4e75422
SHA512 6576842034440b4329a6cc99e419913316e2bb869e20053238add0adf23eb9e35e32ec758c93dddc8162c64049690db177791c11ed7fbdd2ef4780c6be0dbf2c

C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\plugins\imageformats\qicns.dll

MD5 4d1fcfe0e08da0bfd61ad27863f05a8f
SHA1 51a9c2d12181b66f3f9fd9137a699a715df8d2fd
SHA256 b95d07323612b27e04a716a3894e46a723a457e8c0be37ee838573eaee1624ab
SHA512 2251f8c7bdfa0ad6cda6d619f6df1cef76e8f317119ec4b495d0d98351e77e5f7c678f49f9c8c6eefadfee175304d00757689ff35f8c77693b2ea3435dac2aa9

C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\plugins\imageformats\qgif.dll

MD5 213734f42848f6cfb91b5d0f80a352dc
SHA1 72060bb18421eba12591e923929bc70b200b26fa
SHA256 ed3a7867931a8c05d267a62522223ca78bd435d45af6dfde116e7eb72c2fde7c
SHA512 913afbd6e950f61d038f81ff7f0f08986469ee11cd7202cc0598d9caa7a4200e9e8e5e23f0c5062e01a6ef908e92a52f35dcf60f1af77a075200e8db466df807

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c479fa6b22fe32f7cee57f34e3139f7e
SHA1 5b4fc2d270842aaac66a3b2a99ef51c6d70f350e
SHA256 53855181e3f0e38a3e96654f1a9a281a6e5295e05814d69183d44327a5af326c
SHA512 08239e5d253f86eabc12f7222bd9c060410c645fd21934b6ed7b558737dcc82a2507284e1e23358958a7dddc3c909e3c478a4fcce773e69066a6458fd941cb10

C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\msvcp140.dll

MD5 5ff1fca37c466d6723ec67be93b51442
SHA1 34cc4e158092083b13d67d6d2bc9e57b798a303b
SHA256 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062
SHA512 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aeceee3981c528bdc5e1c635b65d223d
SHA1 de9939ed37edca6772f5cdd29f6a973b36b7d31b
SHA256 b99f3c778a047e0348c92c16e0419fa29418d10d0fec61ad8283e92a094a2b32
SHA512 df48285f38e9284efdbd9f8d99e2e94a46fb5465953421ab88497b73ae06895b98ea5c98796560810a6f342c31a9112ea87e03cd3e267fd8518d7585f492a8fb

memory/2076-219-0x00007FF84DA20000-0x00007FF84E4E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\klmd.sys

MD5 990442d764ff1262c0b7be1e3088b6d3
SHA1 0b161374074ef2acc101ed23204da00a0acaa86e
SHA256 6c7ccd465090354438b39da8430a5c47e7f24768a5b12ee02fecf8763e77c9e4
SHA512 af3c6dfe32266a9d546f13559dcba7c075d074bdfdaf0e6bf2a8cae787008afa579f0d5f90e0c657dd614bb244a6d95ff8366c14b388e1f4a3ab76cccb23add4

C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\Bases\arkmon64.drv

MD5 fd710c439f89ca6b7d8caf3ee6f307d0
SHA1 5273c87564d9fcbf99b846195ea8bd3102d65a76
SHA256 ca317c531bdd3a23d401a242a904e8eb81401c79073eee470b6e1078f3645faa
SHA512 3df58ac276362fb7d7999bc8e902f22e9ee1501ee2e4f653e58595d411752e18bf7ee0cbc95766ecb8da34a5ebd3a11fd5bbf5450b1c01fd3ed8ee0e22183b09

C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\klsl.sys

MD5 a69adedb0d47cfb23f23a9562a4405bc
SHA1 9e70576571a15aaf71106ea0cd55e0973ef2dd15
SHA256 31eaa7f1f9872c63091f4b3ec5310686b1dd1e2123af17991a6b4679eda3f62d
SHA512 77abb4435d8d445f7a29cdb8a318486a96122b5cc535da7a63da0fa920980e6ad73e78b72552f6949e66b349bbdc9aa9ea202481046e478c2829c155a1045820

C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\app_core.dll

MD5 fe0964663cf9c5e4ff493198e035cc1f
SHA1 ab9b19bd0e4efa36f78d2059b4ca556521eb35cb
SHA256 ddd70011d86b8ec909295ef45f94b48b0252229b6182af9ef8a6029c30daaf39
SHA512 923cfd9143d3850357bda901f66b5292f36ff025f05b2156667873861a02d9f498a03cdb73d2c477c0055d46600628f936b70dec46d7687fe0a97cbb1c8cf0ea

C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\instrumental_services.dll

MD5 c6acd1d9a80740f8a416b0a78e3fa546
SHA1 7ea7b707d58bde0d5a14d8a7723f05e04189bce7
SHA256 db8acd14ace6d4c8d4d61016debe3c0d72677416661caf0d36e7306ed020920f
SHA512 46c889f4d84e2f8dc8bfd5bdc34a346aa393fc49adcbe95bc601e6d970599f579e5cb057196061c280cbfa976989c960ac2f1830fd61c0a9166f09a6c088c20d

C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\dblite.dll

MD5 98b1a553c8c5944923814041e9a73b73
SHA1 3e6169af53125b6da0e69890d51785a206c89975
SHA256 6fc0104817caa1337531c9d8b284d80052770051efb76e5829895a3854ebaec8
SHA512 8ee4467bce6495f492895a9dfaedaf85b76d6d1f67d9ff5c8c27888191c322863bc29c14ae3f505336a5317af66c31354afaeb63127e7e781f5b249f1c967363

C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\storage.kvdb

MD5 1a3330c4f388360e4c2b0d94fb48a788
SHA1 127ad9be38c4aa491bd1bce6458f99a27c6d465b
SHA256 01b8d0d8c7114b59f159021384c8a59535f87018a6a136a276b5a297f54d776d
SHA512 1fcd1e99e35dc4ec972ab63299637322a27b471d02175d56409a3a114db6259f9cd767ac054c7a2bba075f36ab62f19c8118c3dda93e37b7deda05aa2b260553

C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\settings.kvdb

MD5 0cd7bac19edb301ce1b501bfac07acea
SHA1 d66a1ba1d9a961b5f44d8d3356c79d60c7ae81d6
SHA256 f5d7c50ab67ff498fddf257193bea1ad496613c611b962a31ca39f96ef16bc05
SHA512 9a744bd7829716afe7249094a63609c32da0a8988f9cd1881be6bca809a9f120521e7de1a30180581a8bd6f662ae18a8ac88629d404b807602e5a45a5f8ddb0a

C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\key_value_storage.dll

MD5 9bf7f895cff1f0b9ddf5fc077bac314c
SHA1 7e9c0ce6569c6f12c57f34597b213cd4d8f55e68
SHA256 d03e0af01fbcd9ce714caf3db5ca2ab3ca4a717d5fda5c99b77e09b5672498a4
SHA512 d416cfa9446e6c92f0805278c744cf9f8ac6a2bfb96a6e0b2d65e701472ea6feaf5742ed6cef833555188a95c613499e7e14cfe5788427ec2616cfd723021a67

C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\config.esm

MD5 184a351c4d532405206e309c10af1d15
SHA1 3cf49f2275f3f9bd8e385eddcdd04e3fc2a17352
SHA256 ef0b7e22d8f7bd06964969a7f2979a475ba1c9c34efccb0c3b9e03ae950c63f6
SHA512 9a1a3cb0e3713ba41f36f4f01f2151b0c04454a05c986215ed2cc42180994f90d10e031d77452a2d0ad5a78f15d8d31c327d0d1ee676789780e6483dbe5e0341

C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\crypto_components_meta.dll

MD5 3d9d1753ed0f659e4db02e776a121862
SHA1 031fb78fe7dc211fe9e0dc8ba0027c14e84cd07f
SHA256 b6163ec9d4825102e3d423e02fb026259a6a17e7d7696ae060ec2b0ba97f54f2
SHA512 e1f50513db117c32505944bfb19fd3185b3231b6bd9f0495942bd9e80dd0f54ab575f1a2fca5e542174d3abe4106a9b5448d924c690e8548cd43aa77f6497c92

memory/4952-258-0x000000000F170000-0x000000000F182000-memory.dmp

memory/4952-257-0x000000000CC80000-0x000000000CC91000-memory.dmp

memory/4952-261-0x000000000F1E0000-0x000000000F1F1000-memory.dmp

memory/4952-264-0x000000000F270000-0x000000000F282000-memory.dmp

memory/4952-263-0x000000000F240000-0x000000000F251000-memory.dmp

memory/4952-262-0x000000000F210000-0x000000000F221000-memory.dmp

memory/4952-260-0x000000000F1B0000-0x000000000F1C6000-memory.dmp

memory/4952-259-0x000000000F190000-0x000000000F1A6000-memory.dmp

memory/4952-266-0x000000000F920000-0x000000000F968000-memory.dmp

memory/4952-265-0x000000000F710000-0x000000000F86A000-memory.dmp

memory/4952-270-0x000000000F980000-0x000000000F998000-memory.dmp

memory/4952-271-0x0000000014100000-0x000000001454D000-memory.dmp

memory/4952-269-0x0000000012200000-0x00000000122BB000-memory.dmp

memory/4952-268-0x000000000F8D0000-0x000000000F8F6000-memory.dmp

memory/4952-267-0x000000000F8A0000-0x000000000F8B4000-memory.dmp

memory/4952-277-0x0000000014910000-0x0000000014B06000-memory.dmp

memory/4952-280-0x0000000014550000-0x0000000014563000-memory.dmp

memory/4952-279-0x000000000FB10000-0x000000000FB21000-memory.dmp

memory/4952-278-0x0000000014B10000-0x0000000014CB8000-memory.dmp

memory/4952-276-0x000000000FAD0000-0x000000000FAF4000-memory.dmp

memory/4952-275-0x000000000FAA0000-0x000000000FAB7000-memory.dmp

memory/4952-274-0x000000000FA70000-0x000000000FA81000-memory.dmp

memory/4952-273-0x000000000FA30000-0x000000000FA51000-memory.dmp

memory/4952-272-0x000000000FA00000-0x000000000FA11000-memory.dmp

memory/4952-283-0x0000000014660000-0x00000000146A6000-memory.dmp

memory/4952-282-0x0000000014590000-0x00000000145A3000-memory.dmp

memory/4952-281-0x0000000014740000-0x00000000147E2000-memory.dmp

memory/4952-286-0x00000000146C0000-0x0000000014700000-memory.dmp

memory/4952-298-0x0000000015160000-0x00000000151B0000-memory.dmp

memory/4952-299-0x00000000159C0000-0x0000000015B18000-memory.dmp

memory/4952-297-0x0000000014FE0000-0x0000000015003000-memory.dmp

memory/4952-296-0x0000000015060000-0x00000000150CF000-memory.dmp

memory/4952-295-0x0000000014FB0000-0x0000000014FC9000-memory.dmp

memory/4952-294-0x0000000014F70000-0x0000000014FA1000-memory.dmp

memory/4952-293-0x0000000014EB0000-0x0000000014ECD000-memory.dmp

memory/4952-292-0x0000000014E80000-0x0000000014E91000-memory.dmp

memory/4952-291-0x0000000014F00000-0x0000000014F62000-memory.dmp

memory/4952-290-0x0000000014D10000-0x0000000014E6A000-memory.dmp

memory/4952-289-0x0000000014CC0000-0x0000000014CE0000-memory.dmp

memory/4952-288-0x00000000148C0000-0x00000000148FB000-memory.dmp

memory/4952-287-0x00000000147F0000-0x00000000148BD000-memory.dmp

memory/4952-284-0x0000000015300000-0x000000001569D000-memory.dmp

memory/4952-285-0x0000000014640000-0x0000000014655000-memory.dmp

memory/4952-300-0x0000000015040000-0x0000000015051000-memory.dmp

memory/4952-301-0x0000000015120000-0x0000000015134000-memory.dmp

memory/4952-305-0x0000000015250000-0x0000000015271000-memory.dmp

memory/4952-304-0x0000000015220000-0x0000000015233000-memory.dmp

memory/4952-303-0x00000000151E0000-0x0000000015202000-memory.dmp

memory/4952-302-0x00000000151B0000-0x00000000151DD000-memory.dmp

memory/4952-308-0x00000000152F0000-0x00000000152F1000-memory.dmp

memory/4952-307-0x00000000152D0000-0x00000000152D3000-memory.dmp

memory/4952-306-0x0000000015290000-0x00000000152BA000-memory.dmp

memory/4952-309-0x00000000156B0000-0x00000000156C5000-memory.dmp

memory/4952-310-0x00000000156E0000-0x00000000156EF000-memory.dmp

memory/4952-314-0x0000000015780000-0x0000000015781000-memory.dmp

memory/4952-313-0x0000000015760000-0x0000000015761000-memory.dmp

memory/4952-312-0x0000000015740000-0x0000000015748000-memory.dmp

memory/4952-311-0x0000000015840000-0x000000001591D000-memory.dmp

memory/4952-320-0x0000000015930000-0x0000000015932000-memory.dmp

memory/4952-319-0x0000000015830000-0x0000000015833000-memory.dmp

memory/4952-318-0x0000000015810000-0x0000000015811000-memory.dmp

memory/4952-317-0x00000000157F0000-0x00000000157F1000-memory.dmp

memory/4952-316-0x00000000157D0000-0x00000000157D1000-memory.dmp

memory/4952-315-0x0000000015D20000-0x0000000015E05000-memory.dmp

C:\Windows\System32\drivers\klupd_87df702da_klbg.sys

MD5 ed6cd641a02baf78ecbe069e0b18b3b0
SHA1 cc4d47d1d0fcd3deb841f58923ac309f3be42081
SHA256 66e7b89188e292d0abce941fcb2469e515e2a1bdbe07ad9868a34feb5f47005d
SHA512 cb945fa49683b92841a7a915c73eb11b00fbceee8715a166d256cab0971dc4b4d8b2c7ad3c96e4efb73a7ea9c43ef6bfc9ff3acaffdc08df40b00048ea903abb

C:\Windows\System32\drivers\klupd_87df702da_klark.sys

MD5 5ea5aa37289ae16948dc771223f94160
SHA1 640392a0d01521cb0e4485d5641f74e64e1f38aa
SHA256 4b1fd5753737f72f2b8cb0fb299c6c0e3857df69dc19931351d9784f52f307b3
SHA512 2721db2afd55f6abbe54b5865cb41f72216a52cddb6d07721cf0bd1b76fe58b47540467ce9b503ab56e4c614765c18f559b17d73479a4f5a0fae8f6093772455

C:\Windows\System32\drivers\klupd_87df702da_mark.sys

MD5 124a94969ce6660453ccd66e40ecdbb0
SHA1 46f7ad59b93bc1b78f76fc973ce728c7951352aa
SHA256 5938747dbf6aea335fdf9131fc912452cee781dff8be61750a9b2ef384b5f835
SHA512 3b25bc9eead7f09350c81bca4eb1a11c5332b128918802385d15fb35d017bf2a5eef64966c3e6bb74d4450d794327a1a81c0521dda8b742fda17c0bcc50079e0

C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\crls\c7e6bd7fe0e4965892ad706f0d2f42e88789b8041daf5b3eea9ca41785297798

MD5 4b03934418970c06f092afe3d2155bf1
SHA1 56a0e9666c3ee0071d70b9d2b364666fbb93068c
SHA256 c3a63c68ae58f008e5eb52c8e515fe6f5f978e3a8e33ff3c4c4ec43b186486c6
SHA512 7846f929ec6d68397c60155202365bbbae28c5faf053c67469b378bd059ac7fd8575ee4973d905e51471cabeadcf3251d229057fdba70eb5df478ab4eafb39f8

C:\Users\Admin\AppData\Local\Temp\{04320283-d027-42ae-aacb-bc3469a70089}\9c90243f-c43c-435a-8bb8-af3a0f3e9573.cmd

MD5 8f8d51aeb41f8ee982c5d45884ea53da
SHA1 6d40fe047b0e73ffbefcd4d811c1a475cce6c48e
SHA256 0b92a76c64a3595f651092f8d6d51225c648bb68de93e55055f8c9a2903a6e67
SHA512 fb953d8cd3de3a0ff19436ebdb760ac6246891c5149cf2cba817842353873a9c2102dc709ea426e1bf2a5d336c16fef33f5fa08fdfa99f8dcd8c446b53b90e65

memory/2076-565-0x00000000008D0000-0x00000000008DC000-memory.dmp

memory/2076-566-0x00007FF84DA20000-0x00007FF84E4E1000-memory.dmp
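
Added example, not part of the sandbox report: a Python parser for the Files section above that checks every digest has the right length for its algorithm and tiers the artifacts. The tiering is the editor's assumption: the Qt, KvrtGui and klupd_ files come with the bundled KVRT tool and their hashes will change with its version, so the only high-confidence file hash in this section is XClient.exe. The .cmd helper is the RunOnce cleanup script run through cmd.exe under 227651fc.exe, the executable unpacked by KVRT.exe, so it is listed as context rather than as a RAT indicator. A subset of the entries above is embedded as constructed input.

```python
"""Parse the Files section of this report into hashed artifacts and tier them.

Added example by the editor, not part of the sandbox report. The entries are
a subset of the behavioral1 Files section. The tiering rules are the editor's
assumptions: Qt5*, KvrtGui, klupd_*, kl*.sys, dbghelp, dumpwriter and the VC
runtime DLLs are treated as components of the bundled KVRT tool, anything
dropped under Roaming or Startup as payload, and .cmd/.bat/.ps1 files as
helper scripts.
"""
import re
from dataclasses import dataclass, field

# Constructed input: entries copied from the Files section above.
SAMPLE_FILES = r"""
memory/3300-0-0x00007FF84DA23000-0x00007FF84DA25000-memory.dmp

C:\Users\Admin\AppData\Roaming\XClient.exe

MD5 895d9cd4167756a8cfb44977286f84ec
SHA1 e26ce2bec5d62b7914c43545c59d097260cc7673
SHA256 f3090015a11a8d27705cb5b1a89834a7f96c64ca15313138a68089a2705092df
SHA512 a913d27b5df4b1df88541f142ead5c9a533218452f1c1509e540f878e645e616b62b5246c64065940f5c28330433d699f8a5ad1cf2b6667234ae5508ad27f58e

C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\KvrtGui.dll

MD5 38717f028f7df6e29996dabe26375956
SHA1 328c0ed49e079999ad0cc7c1315375b77531c8c9
SHA256 9db65ebeaf888b6cc99c06d0f063e48932feb27f25b5350d9d870e9ce40d1e10
SHA512 4c6de66d71527c1c0e8d666e85dde671ca6b2705e5e4584487be265f25c6369f5512c0601d251192c56ad44bec538161bded7fcfcd3a578cddf76d7617af237d

C:\Windows\System32\drivers\klupd_87df702da_klbg.sys

MD5 ed6cd641a02baf78ecbe069e0b18b3b0
SHA1 cc4d47d1d0fcd3deb841f58923ac309f3be42081
SHA256 66e7b89188e292d0abce941fcb2469e515e2a1bdbe07ad9868a34feb5f47005d
SHA512 cb945fa49683b92841a7a915c73eb11b00fbceee8715a166d256cab0971dc4b4d8b2c7ad3c96e4efb73a7ea9c43ef6bfc9ff3acaffdc08df40b00048ea903abb

C:\Users\Admin\AppData\Local\Temp\{04320283-d027-42ae-aacb-bc3469a70089}\9c90243f-c43c-435a-8bb8-af3a0f3e9573.cmd

MD5 8f8d51aeb41f8ee982c5d45884ea53da
SHA1 6d40fe047b0e73ffbefcd4d811c1a475cce6c48e
SHA256 0b92a76c64a3595f651092f8d6d51225c648bb68de93e55055f8c9a2903a6e67
SHA512 fb953d8cd3de3a0ff19436ebdb760ac6246891c5149cf2cba817842353873a9c2102dc709ea426e1bf2a5d336c16fef33f5fa08fdfa99f8dcd8c446b53b90e65

memory/2076-565-0x00000000008D0000-0x00000000008DC000-memory.dmp
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
# Assumption: file-name prefixes of the bundled tool's own components.
TOOL_NAME_PREFIXES = ("qt5", "kvrt", "klupd_", "kl", "vcruntime", "msvcp", "dbghelp", "dumpwriter")
SCRIPT_EXTS = (".cmd", ".bat", ".ps1", ".vbs", ".js")


@dataclass
class Artifact:
    path: str
    hashes: dict = field(default_factory=dict)

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_files(text: str) -> list:
    artifacts, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line}")
            algo, digest = m.groups()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} for {current.path}: {len(digest)} hex chars, expected {HASH_LEN[algo]}")
            current.hashes[algo] = digest
        elif line.startswith("memory/"):
            current = None          # memory dumps are not file IOCs and carry no hashes
        else:
            current = Artifact(line)
            artifacts.append(current)
    return artifacts


def classify(a: Artifact) -> str:
    low, name = a.path.lower(), a.name.lower()
    if name.endswith(SCRIPT_EXTS):
        return "script"
    if "\\appdata\\roaming\\" in low or "\\startup\\" in low:
        return "payload"
    if name.startswith(TOOL_NAME_PREFIXES):
        return "bundled_tool_component"
    if name.endswith((".exe", ".dll", ".sys")):
        return "dropped_executable"
    return "other"


def candidate_iocs(text: str) -> list:
    """(tier, path, sha256) for everything that is not a component of the bundled tool."""
    return [(classify(a), a.path, a.hashes["SHA256"])
            for a in parse_files(text)
            if classify(a) in ("payload", "script", "dropped_executable")]


if __name__ == "__main__":
    for tier, path, sha256 in candidate_iocs(SAMPLE_FILES):
        print(f"{tier:12} {sha256}  {path}")
```

The length check catches the most common copy error when IOCs are lifted from a report by hand; a truncated SHA256 silently matches nothing.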

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 03:39

Reported

2024-05-31 03:50

Platform

win11-20240508-en

Max time kernel

600s

Max time network

605s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Output.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\Drivers\klupd_4de68b90a_arkmon.sys C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
File created C:\Windows\System32\Drivers\4de68b90.sys C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\4de68b90\ImagePath = "System32\\Drivers\\4de68b90.sys" C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_4de68b90a_arkmon\ImagePath = "System32\\Drivers\\klupd_4de68b90a_arkmon.sys" C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_4de68b90a_klbg\ImagePath = "System32\\Drivers\\klupd_4de68b90a_klbg.sys" C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_4de68b90a_klark\ImagePath = "System32\\Drivers\\klupd_4de68b90a_klark.sys" C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_4de68b90a_mark\ImagePath = "System32\\Drivers\\klupd_4de68b90a_mark.sys" C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_4de68b90a_arkmon_FD710C43\ImagePath = "\\??\\C:\\KVRT2020_Data\\Temp\\FD710C439F89CA6B7D8CAF3EE6F307D0\\klupd_4de68b90a_arkmon.sys" C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KVRT.lnk C:\Users\Admin\AppData\Roaming\XClient.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KVRT.lnk C:\Users\Admin\AppData\Roaming\XClient.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\a16f836a-9056-4520-8f42-052ee5706392 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{9c1f7ea4-5677-4ca7-8c33-72db001da2e3}\\a16f836a-9056-4520-8f42-052ee5706392.cmd\"" C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\KVRT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KVRT.exe" C:\Users\Admin\AppData\Roaming\XClient.exe N/A

Checks for any installed AV software in registry

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\SOFTWARE\KasperskyLab C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Roaming\KVRT.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "24" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KVRT.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KVRT.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KVRT.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KVRT.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SYSTEM32\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SYSTEM32\shutdown.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1800 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 1800 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 1800 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\Output.exe C:\Users\Admin\AppData\Roaming\KVRT.exe
PID 1800 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\Output.exe C:\Users\Admin\AppData\Roaming\KVRT.exe
PID 1800 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\Output.exe C:\Users\Admin\AppData\Roaming\KVRT.exe
PID 2520 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2520 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2520 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2520 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 956 N/A C:\Users\Admin\AppData\Roaming\KVRT.exe C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe
PID 1192 wrote to memory of 956 N/A C:\Users\Admin\AppData\Roaming\KVRT.exe C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe
PID 1192 wrote to memory of 956 N/A C:\Users\Admin\AppData\Roaming\KVRT.exe C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe
PID 2520 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2520 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2520 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2520 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2520 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\schtasks.exe
PID 2520 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\schtasks.exe
PID 956 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe C:\Windows\system32\cmd.exe
PID 956 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe C:\Windows\system32\cmd.exe
PID 3828 wrote to memory of 3832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3828 wrote to memory of 3832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3828 wrote to memory of 4612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3828 wrote to memory of 4612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3828 wrote to memory of 1648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3828 wrote to memory of 1648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2520 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\SYSTEM32\shutdown.exe
PID 2520 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\SYSTEM32\shutdown.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Output.exe

"C:\Users\Admin\AppData\Local\Temp\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\KVRT.exe

"C:\Users\Admin\AppData\Roaming\KVRT.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe

C:/Users/Admin/AppData/Local/Temp/{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}/\812718e5.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\KVRT.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'KVRT.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "KVRT" /tr "C:\Users\Admin\AppData\Local\Temp\KVRT.exe"

C:\Users\Admin\AppData\Local\Temp\KVRT.exe

C:\Users\Admin\AppData\Local\Temp\KVRT.exe

C:\Users\Admin\AppData\Local\Temp\KVRT.exe

C:\Users\Admin\AppData\Local\Temp\KVRT.exe

C:\Users\Admin\AppData\Local\Temp\KVRT.exe

C:\Users\Admin\AppData\Local\Temp\KVRT.exe

C:\Users\Admin\AppData\Local\Temp\KVRT.exe

C:\Users\Admin\AppData\Local\Temp\KVRT.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{9c1f7ea4-5677-4ca7-8c33-72db001da2e3}\a16f836a-9056-4520-8f42-052ee5706392.cmd" "

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 1

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 1

C:\Windows\system32\reg.exe

reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v a16f836a-9056-4520-8f42-052ee5706392 /f

C:\Windows\SYSTEM32\shutdown.exe

shutdown.exe /f /s /t 0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa3a34855 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
N/A 127.0.0.1:40971 tcp
US 130.51.20.126:40971 us3.localto.net tcp
N/A 127.0.0.1:40971 tcp
DE 193.161.193.99:40971 Name1442-40971.portmap.host tcp
US 8.8.8.8:53 touch.kaspersky.com udp
US 8.8.8.8:53 touch.kaspersky.com udp
DE 130.117.190.203:80 touch.kaspersky.com tcp
N/A 127.0.0.1:49989 tcp
N/A 127.0.0.1:49991 tcp
CH 82.202.185.148:443 ds.kaspersky.com tcp
US 8.8.8.8:53 click.kaspersky.com udp
US 8.8.8.8:53 click.kaspersky.com udp
DE 80.239.169.154:80 click.kaspersky.com tcp
N/A 127.0.0.1:49995 tcp
DE 195.27.253.3:80 crl.kaspersky.com tcp
US 8.8.8.8:53 dc1-file.ksn.kaspersky-labs.com udp
US 8.8.8.8:53 dc1-file.ksn.kaspersky-labs.com udp
DE 81.19.104.212:443 dc1-file.ksn.kaspersky-labs.com tcp
US 8.8.8.8:53 154.169.239.80.in-addr.arpa udp
US 8.8.8.8:53 3.253.27.195.in-addr.arpa udp
N/A 127.0.0.1:50233 tcp
N/A 127.0.0.1:50242 tcp
DE 80.239.169.154:443 click.kaspersky.com tcp
N/A 127.0.0.1:50246 tcp
NL 80.239.174.35:443 devbuilds.s.kaspersky-labs.com tcp
DE 81.19.104.212:443 dc1-st.ksn.kaspersky-labs.com tcp
N/A 127.0.0.1:50251 tcp
DE 130.117.190.148:443 dc1-file.ksn.kaspersky-labs.com tcp
N/A 127.0.0.1:50256 tcp
DE 195.27.253.15:443 dc1-st.ksn.kaspersky-labs.com tcp
N/A 127.0.0.1:50286 tcp
CH 82.202.185.152:443 dc1-pp.ksn.kaspersky-labs.com tcp
N/A 127.0.0.1:50295 tcp
BE 23.55.97.181:80 www.microsoft.com tcp

Files

memory/1800-0-0x00007FFB4F953000-0x00007FFB4F955000-memory.dmp

memory/1800-1-0x0000000000360000-0x0000000001360000-memory.dmp

C:\Users\Admin\AppData\Roaming\XClient.exe

MD5 895d9cd4167756a8cfb44977286f84ec
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pmebdgfu.f2w.ps1
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\KVRT.exe
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\dumpwriter.dll
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\KvrtGui.dll
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\MSVCP140.dll
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\Qt5Core.dll
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\plugins\platforms\qwindows.dll
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\plugins\imageformats\qtga.dll
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\plugins\imageformats\qwebp.dll
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\plugins\imageformats\qwbmp.dll
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\plugins\imageformats\qtiff.dll
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\plugins\imageformats\qjpeg.dll
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\plugins\imageformats\qico.dll
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\plugins\imageformats\qicns.dll
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\plugins\imageformats\qgif.dll
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\vcruntime140.dll
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\Qt5Gui.dll
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\Qt5Widgets.dll
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\dbghelp.dll
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\klmd.sys
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\Bases\arkmon64.drv
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\klsl.sys
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\app_core.dll
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\instrumental_services.dll
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\dblite.dll
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\settings.kvdb
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\app_core_meta.dll
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\crypto_components_meta.dll
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\config.esm
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\key_value_storage.dll
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\storage.kvdb
C:\Windows\System32\drivers\klupd_4de68b90a_klbg.sys
C:\Windows\System32\drivers\klupd_4de68b90a_klark.sys
C:\Windows\System32\drivers\klupd_4de68b90a_mark.sys
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\crls\c7e6bd7fe0e4965892ad706f0d2f42e88789b8041daf5b3eea9ca41785297798
C:\Users\Admin\AppData\Local\Temp\{9c1f7ea4-5677-4ca7-8c33-72db001da2e3}\a16f836a-9056-4520-8f42-052ee5706392.cmd