Analysis Overview
SHA256
3334e3754179b8a49c17d76a4b89365384a2988980a01cc372553680a2425304
Threat Level: Known bad
The file Output.exe was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Sets service image path in registry
Command and Scripting Interpreter: PowerShell
Drops file in Drivers directory
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Drops startup file
Reads user/profile data of web browsers
Enumerates connected drives
Adds Run key to start application
Writes to the Master Boot Record (MBR)
Checks for any installed AV software in registry
Checks installed software on the system
Looks up external IP address via web service
Checks for VirtualBox DLLs, possible anti-VM trick
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
Uses Volume Shadow Copy WMI provider
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Modifies registry key
Runs ping.exe
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-31 03:39
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-31 03:39
Reported
2024-05-31 03:50
Platform
win10v2004-20240508-en
Max time kernel
602s
Max time network
606s
Command Line
Signatures
Detect Xworm Payload
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\Drivers\87df702d.sys | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A |
| File created | C:\Windows\System32\Drivers\klupd_87df702da_arkmon.sys | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_87df702da_arkmon\ImagePath = "System32\\Drivers\\klupd_87df702da_arkmon.sys" | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_87df702da_klbg\ImagePath = "System32\\Drivers\\klupd_87df702da_klbg.sys" | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_87df702da_klark\ImagePath = "System32\\Drivers\\klupd_87df702da_klark.sys" | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_87df702da_mark\ImagePath = "System32\\Drivers\\klupd_87df702da_mark.sys" | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_87df702da_arkmon_FD710C43\ImagePath = "\\??\\C:\\KVRT2020_Data\\Temp\\FD710C439F89CA6B7D8CAF3EE6F307D0\\klupd_87df702da_arkmon.sys" | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\87df702d\ImagePath = "System32\\Drivers\\87df702d.sys" | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KVRT.lnk | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KVRT.lnk | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\KVRT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KVRT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KVRT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KVRT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KVRT.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KVRT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KVRT.exe" | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\9c90243f-c43c-435a-8bb8-af3a0f3e9573 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{04320283-d027-42ae-aacb-bc3469a70089}\\9c90243f-c43c-435a-8bb8-af3a0f3e9573.cmd\"" | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A |
Checks for any installed AV software in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\KasperskyLab | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Roaming\KVRT.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "197" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Processes
C:\Users\Admin\AppData\Local\Temp\Output.exe
"C:\Users\Admin\AppData\Local\Temp\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\KVRT.exe
"C:\Users\Admin\AppData\Roaming\KVRT.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe
C:/Users/Admin/AppData/Local/Temp/{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}/\227651fc.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\KVRT.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'KVRT.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "KVRT" /tr "C:\Users\Admin\AppData\Local\Temp\KVRT.exe"
C:\Users\Admin\AppData\Local\Temp\KVRT.exe
C:\Users\Admin\AppData\Local\Temp\KVRT.exe
C:\Users\Admin\AppData\Local\Temp\KVRT.exe
C:\Users\Admin\AppData\Local\Temp\KVRT.exe
C:\Users\Admin\AppData\Local\Temp\KVRT.exe
C:\Users\Admin\AppData\Local\Temp\KVRT.exe
C:\Users\Admin\AppData\Local\Temp\KVRT.exe
C:\Users\Admin\AppData\Local\Temp\KVRT.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{04320283-d027-42ae-aacb-bc3469a70089}\9c90243f-c43c-435a-8bb8-af3a0f3e9573.cmd" "
C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1
C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 9c90243f-c43c-435a-8bb8-af3a0f3e9573 /f
C:\Windows\SYSTEM32\shutdown.exe
shutdown.exe /f /s /t 0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa393b855 /state1:0x41c64e6d
Network
Files
memory/3300-0-0x00007FF84DA23000-0x00007FF84DA25000-memory.dmp
memory/3300-1-0x00000000002B0000-0x00000000012B0000-memory.dmp
C:\Users\Admin\AppData\Roaming\XClient.exe
| MD5 | 895d9cd4167756a8cfb44977286f84ec |
| SHA1 | e26ce2bec5d62b7914c43545c59d097260cc7673 |
| SHA256 | f3090015a11a8d27705cb5b1a89834a7f96c64ca15313138a68089a2705092df |
| SHA512 | a913d27b5df4b1df88541f142ead5c9a533218452f1c1509e540f878e645e616b62b5246c64065940f5c28330433d699f8a5ad1cf2b6667234ae5508ad27f58e |
memory/2076-13-0x0000000000200000-0x000000000021C000-memory.dmp
memory/2076-14-0x00007FF84DA20000-0x00007FF84E4E1000-memory.dmp
memory/2076-53-0x00007FF84DA20000-0x00007FF84E4E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_edmwsbgx.hg5.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1220-114-0x0000022E6B730000-0x0000022E6B752000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe
| MD5 | 37226eb4f1c7a0b79275c1401f83cc6d |
| SHA1 | 71ed962d1e0d212869d92c23d6e20a4e1e7ad430 |
| SHA256 | be00dba953a6f26990e020bdc4e3f13e5799a3ff60384768ee6c1af37c656a4d |
| SHA512 | afea618c795406a49d159e1359e76168dc6b6dee07234666d21ee21bb5011fe9af57a3425e76126f2595e3d180cf2121db5d02258d7aca77b3c4d8621a8aa15d |
C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\dbghelp.dll
| MD5 | 4003e34416ebd25e4c115d49dc15e1a7 |
| SHA1 | faf95ec65cde5bd833ce610bb8523363310ec4ad |
| SHA256 | c06430b8cb025be506be50a756488e1bcc3827c4f45158d93e4e3eeb98ce1e4f |
| SHA512 | 88f5d417377cd62bde417640a79b6ac493e80f0c8b1f63a99378a2a67695ef8e4a541cedb91acfa296ed608e821fee466983806f0d082ed2e74b0cd93eb4fb84 |
C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\dumpwriter.dll
| MD5 | f56387639f201429fb31796b03251a92 |
| SHA1 | 23df943598a5e92615c42fc82e66387a73b960ff |
| SHA256 | e7eefcf569d98a5fb14a459d949756dc00faf32ed6bda1233d9d2c79ca11531c |
| SHA512 | 7bfce579b601408262c0edd342cb2cb1ef1353b6b73dce5aad540eb77f56d1184f71c56ea859bc4373aac4875b8861e2cc5d9c49518e6c40d0b2350a7ab26c0e |
C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\KvrtGui.dll
| MD5 | 38717f028f7df6e29996dabe26375956 |
| SHA1 | 328c0ed49e079999ad0cc7c1315375b77531c8c9 |
| SHA256 | 9db65ebeaf888b6cc99c06d0f063e48932feb27f25b5350d9d870e9ce40d1e10 |
| SHA512 | 4c6de66d71527c1c0e8d666e85dde671ca6b2705e5e4584487be265f25c6369f5512c0601d251192c56ad44bec538161bded7fcfcd3a578cddf76d7617af237d |
C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\Qt5Core.dll
| MD5 | 02b21d6184ec835fba23088e7c7368e4 |
| SHA1 | 2386e5cd242ad6abfadecc2d8ba416125f0bde56 |
| SHA256 | 5967b2240167500cfbb602408833776fb9be95ee404ad2bbdbdde18c752aaefe |
| SHA512 | e8b15e68c61f1a0f78fa4f4821a636e07ab3a87699fc45ace096d080d7bda62534af7acf93b9a32d730b0403b52dc1eac8df9175ae02d5f6f829c7849e340eb9 |
C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\Qt5Gui.dll
| MD5 | 8fd0c7b86b4988b234614944edb565a7 |
| SHA1 | 120015375d66f6e3f1c889cbada3efc4f8ff7f5b |
| SHA256 | 449a105683a27ebce39f2a7a0fb413cbe2eb2df8c2c8f51870a40e9eb9708a7a |
| SHA512 | 3e92401ee9ed0dd51fe95f963378caa73fe07bae0186406b9689519d6b75926b5027339ea52c8643c92c21b621ddc05056a1338f0114a6902c2897406cf371f7 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | a43e653ffb5ab07940f4bdd9cc8fade4 |
| SHA1 | af43d04e3427f111b22dc891c5c7ee8a10ac4123 |
| SHA256 | c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe |
| SHA512 | 62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 76692775e4781f0c9f0092f5804cfdb1 |
| SHA1 | 6740e4e4110028c62282ee1e7eb8be576a2bc23a |
| SHA256 | 0c451ff3823450d544066237cbfb08556b7ca36c4a0ea085055f69ab35795b00 |
| SHA512 | 6e0731e3736594d9e86da2fc33e08a663f29100074cc8d46e2716123c946b9eb150c804c7cf8428cac631e1cff984663d41ce3b5e1e77965bd8e2ecf0742af34 |
C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\Qt5Widgets.dll
| MD5 | 8751f0205fc7a87b46afae8ceda42d90 |
| SHA1 | d7e41a64c09f580d9e63ff5ffc8ac37d1f7da4c1 |
| SHA256 | 7273600d11889adba9287e6d5a3b684a9d902d1b4db8cedec21562fa00c436cd |
| SHA512 | 18466c4c4b6dd07445862d8e6a84825b8b0edeaa95dc8fe58741527d5dd20cbfc7672825108acec69bae506b41fb01fc6413401759db3d8265503fea88ed9bba |
C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\plugins\platforms\qwindows.dll
| MD5 | 869b64be13907d16f8108d4e46eb1ae4 |
| SHA1 | abf528676719f69a4d2f85147dc683d1c9bb606a |
| SHA256 | 93debc8c092905993932b16f165e0b959639920d0af6156a64b9c947784fbe73 |
| SHA512 | cbd294354d5f84103b7c2f31cca6ee7f390c7852266478fb790cdd2448b1a563ddc6fcf7e351b4b28c3f5e23a52a442064ed75409f076752d0d94f133c9d7e96 |
C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\vcruntime140.dll
| MD5 | a37ee36b536409056a86f50e67777dd7 |
| SHA1 | 1cafa159292aa736fc595fc04e16325b27cd6750 |
| SHA256 | 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825 |
| SHA512 | 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356 |
C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\plugins\imageformats\qwebp.dll
| MD5 | a23c6a3494e296a521a08dd2d676eb3c |
| SHA1 | 260ccb3b2f454bda853d003e3b71fb0789858873 |
| SHA256 | e58be278a435f44bf10e13d81fba5349d0f5ea224701c91f992276bcea173856 |
| SHA512 | a99eea4b72d20e34c37e0c7971f6e467b2421ff99f059c46f76d961093eea27d031edbd907ed2a99bc9ddaea9ec5b0980871b4a018284c3c324e59c00491b11f |
C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\plugins\imageformats\qwbmp.dll
| MD5 | 43bc7f0b0b91676368db78d61e83edd3 |
| SHA1 | 628228c8c477f2e6e8d6f2f9dd8cc72b894d5fe6 |
| SHA256 | fe95bdae47201a7788c2cb18042c7eafa0041fb6ce6b2ea7e7d5ffd656086583 |
| SHA512 | 11e847fe59e28bdbf7448846b88578f5b0a1d6b1d7c11a80271d833ad540991d83cc1b89c2b5bfaf9b5dfa68dae538233575fac3b6f1cd5f09398b400b421872 |
C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\plugins\imageformats\qtiff.dll
| MD5 | 058a1449a4656fe891bc589ea61434b1 |
| SHA1 | 8803afd1bb77e4804925610e6a94361a1e26c4d5 |
| SHA256 | fc271f33b879c7966564d04f698b7fd77d806e61107574d1240502e7c7666f26 |
| SHA512 | 91f43f8062095044ba41fea9fd4df490711f131437ee90a0354a629a7677c9c7fce84b1c1165e07a2b8c4e58beb1d66d953c1034923c986a2288553221761ca9 |
C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\plugins\imageformats\qtga.dll
| MD5 | 82a65b1ce5a7041da64290b66a6a1c8c |
| SHA1 | 577e7174b02182ada17328cbac3ac1d3605fc023 |
| SHA256 | 6da0850ed1f6d93e1d99cecc31153e8993b7b20d68308c248c71e9af4c061336 |
| SHA512 | bbc0fd32e8bdcac4d7f5fac77d9a4386be671b9d6c18d14ac6807e521a0f5192af91e106e0a3258653afbba625c09f79542f1fd7a1eaf97d9b5b98cbd2bb1084 |
C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\plugins\imageformats\qjpeg.dll
| MD5 | 03e1249b16b47fd240283f44636f6087 |
| SHA1 | e0a02adeee91ff330891ed93428956f1fb90ef44 |
| SHA256 | f1b0528f0b43b798b78580363f19bb75e68347755ef84bbf313cbb1c9fa649b2 |
| SHA512 | 287a13ebcddb151cd37ec60b47c6f674730d1886ee53d4a864e62d23aca084d9b3a4e0b8eefc07b8e1aee2e40a6b7327602aa547f1afc63dc4b254abe14749f1 |
C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\plugins\imageformats\qico.dll
| MD5 | f463183ff33be64d8a61fc5d61b16064 |
| SHA1 | 5a2d6a62d293e8335d787c1e4681cca7e953b20a |
| SHA256 | e4773864ec821c90ff7b2b6a081c4abd7b9fb10829b7e067521b0b18d4e75422 |
| SHA512 | 6576842034440b4329a6cc99e419913316e2bb869e20053238add0adf23eb9e35e32ec758c93dddc8162c64049690db177791c11ed7fbdd2ef4780c6be0dbf2c |
C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\plugins\imageformats\qicns.dll
| MD5 | 4d1fcfe0e08da0bfd61ad27863f05a8f |
| SHA1 | 51a9c2d12181b66f3f9fd9137a699a715df8d2fd |
| SHA256 | b95d07323612b27e04a716a3894e46a723a457e8c0be37ee838573eaee1624ab |
| SHA512 | 2251f8c7bdfa0ad6cda6d619f6df1cef76e8f317119ec4b495d0d98351e77e5f7c678f49f9c8c6eefadfee175304d00757689ff35f8c77693b2ea3435dac2aa9 |
C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\plugins\imageformats\qgif.dll
| MD5 | 213734f42848f6cfb91b5d0f80a352dc |
| SHA1 | 72060bb18421eba12591e923929bc70b200b26fa |
| SHA256 | ed3a7867931a8c05d267a62522223ca78bd435d45af6dfde116e7eb72c2fde7c |
| SHA512 | 913afbd6e950f61d038f81ff7f0f08986469ee11cd7202cc0598d9caa7a4200e9e8e5e23f0c5062e01a6ef908e92a52f35dcf60f1af77a075200e8db466df807 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c479fa6b22fe32f7cee57f34e3139f7e |
| SHA1 | 5b4fc2d270842aaac66a3b2a99ef51c6d70f350e |
| SHA256 | 53855181e3f0e38a3e96654f1a9a281a6e5295e05814d69183d44327a5af326c |
| SHA512 | 08239e5d253f86eabc12f7222bd9c060410c645fd21934b6ed7b558737dcc82a2507284e1e23358958a7dddc3c909e3c478a4fcce773e69066a6458fd941cb10 |
C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\msvcp140.dll
| MD5 | 5ff1fca37c466d6723ec67be93b51442 |
| SHA1 | 34cc4e158092083b13d67d6d2bc9e57b798a303b |
| SHA256 | 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062 |
| SHA512 | 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | aeceee3981c528bdc5e1c635b65d223d |
| SHA1 | de9939ed37edca6772f5cdd29f6a973b36b7d31b |
| SHA256 | b99f3c778a047e0348c92c16e0419fa29418d10d0fec61ad8283e92a094a2b32 |
| SHA512 | df48285f38e9284efdbd9f8d99e2e94a46fb5465953421ab88497b73ae06895b98ea5c98796560810a6f342c31a9112ea87e03cd3e267fd8518d7585f492a8fb |
memory/2076-219-0x00007FF84DA20000-0x00007FF84E4E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\klmd.sys
| MD5 | 990442d764ff1262c0b7be1e3088b6d3 |
| SHA1 | 0b161374074ef2acc101ed23204da00a0acaa86e |
| SHA256 | 6c7ccd465090354438b39da8430a5c47e7f24768a5b12ee02fecf8763e77c9e4 |
| SHA512 | af3c6dfe32266a9d546f13559dcba7c075d074bdfdaf0e6bf2a8cae787008afa579f0d5f90e0c657dd614bb244a6d95ff8366c14b388e1f4a3ab76cccb23add4 |
C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\Bases\arkmon64.drv
| MD5 | fd710c439f89ca6b7d8caf3ee6f307d0 |
| SHA1 | 5273c87564d9fcbf99b846195ea8bd3102d65a76 |
| SHA256 | ca317c531bdd3a23d401a242a904e8eb81401c79073eee470b6e1078f3645faa |
| SHA512 | 3df58ac276362fb7d7999bc8e902f22e9ee1501ee2e4f653e58595d411752e18bf7ee0cbc95766ecb8da34a5ebd3a11fd5bbf5450b1c01fd3ed8ee0e22183b09 |
C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\klsl.sys
| MD5 | a69adedb0d47cfb23f23a9562a4405bc |
| SHA1 | 9e70576571a15aaf71106ea0cd55e0973ef2dd15 |
| SHA256 | 31eaa7f1f9872c63091f4b3ec5310686b1dd1e2123af17991a6b4679eda3f62d |
| SHA512 | 77abb4435d8d445f7a29cdb8a318486a96122b5cc535da7a63da0fa920980e6ad73e78b72552f6949e66b349bbdc9aa9ea202481046e478c2829c155a1045820 |
C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\app_core.dll
| MD5 | fe0964663cf9c5e4ff493198e035cc1f |
| SHA1 | ab9b19bd0e4efa36f78d2059b4ca556521eb35cb |
| SHA256 | ddd70011d86b8ec909295ef45f94b48b0252229b6182af9ef8a6029c30daaf39 |
| SHA512 | 923cfd9143d3850357bda901f66b5292f36ff025f05b2156667873861a02d9f498a03cdb73d2c477c0055d46600628f936b70dec46d7687fe0a97cbb1c8cf0ea |
C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\instrumental_services.dll
| MD5 | c6acd1d9a80740f8a416b0a78e3fa546 |
| SHA1 | 7ea7b707d58bde0d5a14d8a7723f05e04189bce7 |
| SHA256 | db8acd14ace6d4c8d4d61016debe3c0d72677416661caf0d36e7306ed020920f |
| SHA512 | 46c889f4d84e2f8dc8bfd5bdc34a346aa393fc49adcbe95bc601e6d970599f579e5cb057196061c280cbfa976989c960ac2f1830fd61c0a9166f09a6c088c20d |
C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\dblite.dll
| MD5 | 98b1a553c8c5944923814041e9a73b73 |
| SHA1 | 3e6169af53125b6da0e69890d51785a206c89975 |
| SHA256 | 6fc0104817caa1337531c9d8b284d80052770051efb76e5829895a3854ebaec8 |
| SHA512 | 8ee4467bce6495f492895a9dfaedaf85b76d6d1f67d9ff5c8c27888191c322863bc29c14ae3f505336a5317af66c31354afaeb63127e7e781f5b249f1c967363 |
C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\storage.kvdb
| MD5 | 1a3330c4f388360e4c2b0d94fb48a788 |
| SHA1 | 127ad9be38c4aa491bd1bce6458f99a27c6d465b |
| SHA256 | 01b8d0d8c7114b59f159021384c8a59535f87018a6a136a276b5a297f54d776d |
| SHA512 | 1fcd1e99e35dc4ec972ab63299637322a27b471d02175d56409a3a114db6259f9cd767ac054c7a2bba075f36ab62f19c8118c3dda93e37b7deda05aa2b260553 |
C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\settings.kvdb
| MD5 | 0cd7bac19edb301ce1b501bfac07acea |
| SHA1 | d66a1ba1d9a961b5f44d8d3356c79d60c7ae81d6 |
| SHA256 | f5d7c50ab67ff498fddf257193bea1ad496613c611b962a31ca39f96ef16bc05 |
| SHA512 | 9a744bd7829716afe7249094a63609c32da0a8988f9cd1881be6bca809a9f120521e7de1a30180581a8bd6f662ae18a8ac88629d404b807602e5a45a5f8ddb0a |
C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\key_value_storage.dll
| MD5 | 9bf7f895cff1f0b9ddf5fc077bac314c |
| SHA1 | 7e9c0ce6569c6f12c57f34597b213cd4d8f55e68 |
| SHA256 | d03e0af01fbcd9ce714caf3db5ca2ab3ca4a717d5fda5c99b77e09b5672498a4 |
| SHA512 | d416cfa9446e6c92f0805278c744cf9f8ac6a2bfb96a6e0b2d65e701472ea6feaf5742ed6cef833555188a95c613499e7e14cfe5788427ec2616cfd723021a67 |
C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\config.esm
| MD5 | 184a351c4d532405206e309c10af1d15 |
| SHA1 | 3cf49f2275f3f9bd8e385eddcdd04e3fc2a17352 |
| SHA256 | ef0b7e22d8f7bd06964969a7f2979a475ba1c9c34efccb0c3b9e03ae950c63f6 |
| SHA512 | 9a1a3cb0e3713ba41f36f4f01f2151b0c04454a05c986215ed2cc42180994f90d10e031d77452a2d0ad5a78f15d8d31c327d0d1ee676789780e6483dbe5e0341 |
C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\crypto_components_meta.dll
| MD5 | 3d9d1753ed0f659e4db02e776a121862 |
| SHA1 | 031fb78fe7dc211fe9e0dc8ba0027c14e84cd07f |
| SHA256 | b6163ec9d4825102e3d423e02fb026259a6a17e7d7696ae060ec2b0ba97f54f2 |
| SHA512 | e1f50513db117c32505944bfb19fd3185b3231b6bd9f0495942bd9e80dd0f54ab575f1a2fca5e542174d3abe4106a9b5448d924c690e8548cd43aa77f6497c92 |
C:\Windows\System32\drivers\klupd_87df702da_klbg.sys
| MD5 | ed6cd641a02baf78ecbe069e0b18b3b0 |
| SHA1 | cc4d47d1d0fcd3deb841f58923ac309f3be42081 |
| SHA256 | 66e7b89188e292d0abce941fcb2469e515e2a1bdbe07ad9868a34feb5f47005d |
| SHA512 | cb945fa49683b92841a7a915c73eb11b00fbceee8715a166d256cab0971dc4b4d8b2c7ad3c96e4efb73a7ea9c43ef6bfc9ff3acaffdc08df40b00048ea903abb |
C:\Windows\System32\drivers\klupd_87df702da_klark.sys
| MD5 | 5ea5aa37289ae16948dc771223f94160 |
| SHA1 | 640392a0d01521cb0e4485d5641f74e64e1f38aa |
| SHA256 | 4b1fd5753737f72f2b8cb0fb299c6c0e3857df69dc19931351d9784f52f307b3 |
| SHA512 | 2721db2afd55f6abbe54b5865cb41f72216a52cddb6d07721cf0bd1b76fe58b47540467ce9b503ab56e4c614765c18f559b17d73479a4f5a0fae8f6093772455 |
C:\Windows\System32\drivers\klupd_87df702da_mark.sys
| MD5 | 124a94969ce6660453ccd66e40ecdbb0 |
| SHA1 | 46f7ad59b93bc1b78f76fc973ce728c7951352aa |
| SHA256 | 5938747dbf6aea335fdf9131fc912452cee781dff8be61750a9b2ef384b5f835 |
| SHA512 | 3b25bc9eead7f09350c81bca4eb1a11c5332b128918802385d15fb35d017bf2a5eef64966c3e6bb74d4450d794327a1a81c0521dda8b742fda17c0bcc50079e0 |
C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\crls\c7e6bd7fe0e4965892ad706f0d2f42e88789b8041daf5b3eea9ca41785297798
| MD5 | 4b03934418970c06f092afe3d2155bf1 |
| SHA1 | 56a0e9666c3ee0071d70b9d2b364666fbb93068c |
| SHA256 | c3a63c68ae58f008e5eb52c8e515fe6f5f978e3a8e33ff3c4c4ec43b186486c6 |
| SHA512 | 7846f929ec6d68397c60155202365bbbae28c5faf053c67469b378bd059ac7fd8575ee4973d905e51471cabeadcf3251d229057fdba70eb5df478ab4eafb39f8 |
C:\Users\Admin\AppData\Local\Temp\{04320283-d027-42ae-aacb-bc3469a70089}\9c90243f-c43c-435a-8bb8-af3a0f3e9573.cmd
| MD5 | 8f8d51aeb41f8ee982c5d45884ea53da |
| SHA1 | 6d40fe047b0e73ffbefcd4d811c1a475cce6c48e |
| SHA256 | 0b92a76c64a3595f651092f8d6d51225c648bb68de93e55055f8c9a2903a6e67 |
| SHA512 | fb953d8cd3de3a0ff19436ebdb760ac6246891c5149cf2cba817842353873a9c2102dc709ea426e1bf2a5d336c16fef33f5fa08fdfa99f8dcd8c446b53b90e65 |
memory/2076-565-0x00000000008D0000-0x00000000008DC000-memory.dmp
memory/2076-566-0x00007FF84DA20000-0x00007FF84E4E1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-31 03:39
Reported
2024-05-31 03:50
Platform
win11-20240508-en
Max time kernel
600s
Max time network
605s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\Drivers\klupd_4de68b90a_arkmon.sys | C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe | N/A |
| File created | C:\Windows\System32\Drivers\4de68b90.sys | C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\4de68b90\ImagePath = "System32\\Drivers\\4de68b90.sys" | C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_4de68b90a_arkmon\ImagePath = "System32\\Drivers\\klupd_4de68b90a_arkmon.sys" | C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_4de68b90a_klbg\ImagePath = "System32\\Drivers\\klupd_4de68b90a_klbg.sys" | C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_4de68b90a_klark\ImagePath = "System32\\Drivers\\klupd_4de68b90a_klark.sys" | C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_4de68b90a_mark\ImagePath = "System32\\Drivers\\klupd_4de68b90a_mark.sys" | C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_4de68b90a_arkmon_FD710C43\ImagePath = "\\??\\C:\\KVRT2020_Data\\Temp\\FD710C439F89CA6B7D8CAF3EE6F307D0\\klupd_4de68b90a_arkmon.sys" | C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KVRT.lnk | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KVRT.lnk | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\KVRT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KVRT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KVRT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KVRT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KVRT.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\a16f836a-9056-4520-8f42-052ee5706392 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{9c1f7ea4-5677-4ca7-8c33-72db001da2e3}\\a16f836a-9056-4520-8f42-052ee5706392.cmd\"" | C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\KVRT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KVRT.exe" | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
Checks for any installed AV software in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\SOFTWARE\KasperskyLab | C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe | N/A |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Roaming\KVRT.exe | N/A |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "24" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Processes
C:\Users\Admin\AppData\Local\Temp\Output.exe
"C:\Users\Admin\AppData\Local\Temp\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\KVRT.exe
"C:\Users\Admin\AppData\Roaming\KVRT.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe
C:/Users/Admin/AppData/Local/Temp/{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}/\812718e5.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\KVRT.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'KVRT.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "KVRT" /tr "C:\Users\Admin\AppData\Local\Temp\KVRT.exe"
C:\Users\Admin\AppData\Local\Temp\KVRT.exe
C:\Users\Admin\AppData\Local\Temp\KVRT.exe
C:\Users\Admin\AppData\Local\Temp\KVRT.exe
C:\Users\Admin\AppData\Local\Temp\KVRT.exe
C:\Users\Admin\AppData\Local\Temp\KVRT.exe
C:\Users\Admin\AppData\Local\Temp\KVRT.exe
C:\Users\Admin\AppData\Local\Temp\KVRT.exe
C:\Users\Admin\AppData\Local\Temp\KVRT.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{9c1f7ea4-5677-4ca7-8c33-72db001da2e3}\a16f836a-9056-4520-8f42-052ee5706392.cmd" "
C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1
C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1
C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v a16f836a-9056-4520-8f42-052ee5706392 /f
C:\Windows\SYSTEM32\shutdown.exe
shutdown.exe /f /s /t 0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a34855 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| N/A | 127.0.0.1:40971 | | tcp |
| US | 130.51.20.126:40971 | us3.localto.net | tcp |
| N/A | 127.0.0.1:40971 | | tcp |
| DE | 193.161.193.99:40971 | Name1442-40971.portmap.host | tcp |
| US | 8.8.8.8:53 | touch.kaspersky.com | udp |
| US | 8.8.8.8:53 | touch.kaspersky.com | udp |
| DE | 130.117.190.203:80 | touch.kaspersky.com | tcp |
| N/A | 127.0.0.1:49989 | | tcp |
| N/A | 127.0.0.1:49991 | | tcp |
| CH | 82.202.185.148:443 | ds.kaspersky.com | tcp |
| US | 8.8.8.8:53 | click.kaspersky.com | udp |
| US | 8.8.8.8:53 | click.kaspersky.com | udp |
| DE | 80.239.169.154:80 | click.kaspersky.com | tcp |
| N/A | 127.0.0.1:49995 | | tcp |
| DE | 195.27.253.3:80 | crl.kaspersky.com | tcp |
| US | 8.8.8.8:53 | dc1-file.ksn.kaspersky-labs.com | udp |
| US | 8.8.8.8:53 | dc1-file.ksn.kaspersky-labs.com | udp |
| DE | 81.19.104.212:443 | dc1-file.ksn.kaspersky-labs.com | tcp |
| US | 8.8.8.8:53 | 154.169.239.80.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.253.27.195.in-addr.arpa | udp |
| N/A | 127.0.0.1:50233 | | tcp |
| N/A | 127.0.0.1:50242 | | tcp |
| DE | 80.239.169.154:443 | click.kaspersky.com | tcp |
| N/A | 127.0.0.1:50246 | | tcp |
| NL | 80.239.174.35:443 | devbuilds.s.kaspersky-labs.com | tcp |
| DE | 81.19.104.212:443 | dc1-st.ksn.kaspersky-labs.com | tcp |
| N/A | 127.0.0.1:50251 | | tcp |
| DE | 130.117.190.148:443 | dc1-file.ksn.kaspersky-labs.com | tcp |
| N/A | 127.0.0.1:50256 | | tcp |
| DE | 195.27.253.15:443 | dc1-st.ksn.kaspersky-labs.com | tcp |
| N/A | 127.0.0.1:50286 | | tcp |
| CH | 82.202.185.152:443 | dc1-pp.ksn.kaspersky-labs.com | tcp |
| N/A | 127.0.0.1:50295 | | tcp |
| BE | 23.55.97.181:80 | www.microsoft.com | tcp |
Files
memory/1800-0-0x00007FFB4F953000-0x00007FFB4F955000-memory.dmp
memory/1800-1-0x0000000000360000-0x0000000001360000-memory.dmp
C:\Users\Admin\AppData\Roaming\XClient.exe
| MD5 | 895d9cd4167756a8cfb44977286f84ec |
| SHA1 | e26ce2bec5d62b7914c43545c59d097260cc7673 |
| SHA256 | f3090015a11a8d27705cb5b1a89834a7f96c64ca15313138a68089a2705092df |
| SHA512 | a913d27b5df4b1df88541f142ead5c9a533218452f1c1509e540f878e645e616b62b5246c64065940f5c28330433d699f8a5ad1cf2b6667234ae5508ad27f58e |
memory/2520-13-0x0000000000630000-0x000000000064C000-memory.dmp
memory/2520-14-0x00007FFB4F950000-0x00007FFB50412000-memory.dmp
memory/2520-26-0x00007FFB4F950000-0x00007FFB50412000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pmebdgfu.f2w.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2432-60-0x000001F232330000-0x000001F232352000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 437395ef86850fbff98c12dff89eb621 |
| SHA1 | 9cec41e230fa9839de1e5c42b7dbc8b31df0d69c |
| SHA256 | 9c39f3e1ee674a289926fddddfc5549740c488686ec6513f53848a225c192ba6 |
| SHA512 | bc669893f5c97e80a62fc3d15383ed7c62ffc86bc986401735903019bb96a5f13e4d0f6356baa2021267503a4eb62681e58e28fcff435350e83aa425fa76cd64 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c24caab1947646fcc49d6158d78a56f5 |
| SHA1 | aa2cd00401eb273991f2d6fdc739d473ff6e8319 |
| SHA256 | 0696315ad3df3edd5426276c265bd13d8bd2a0d101548bcaedd82e2aebde655a |
| SHA512 | 35e1d214dfb4c7f078496e3e303aea152aa48f9db5b9aa188aeb82b541582ed77f60bfe8712836232b5aa31d3645edfc79b42c8f90e92e06778f21aa44971bff |
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\KVRT.exe
| MD5 | 37226eb4f1c7a0b79275c1401f83cc6d |
| SHA1 | 71ed962d1e0d212869d92c23d6e20a4e1e7ad430 |
| SHA256 | be00dba953a6f26990e020bdc4e3f13e5799a3ff60384768ee6c1af37c656a4d |
| SHA512 | afea618c795406a49d159e1359e76168dc6b6dee07234666d21ee21bb5011fe9af57a3425e76126f2595e3d180cf2121db5d02258d7aca77b3c4d8621a8aa15d |
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\dumpwriter.dll
| MD5 | f56387639f201429fb31796b03251a92 |
| SHA1 | 23df943598a5e92615c42fc82e66387a73b960ff |
| SHA256 | e7eefcf569d98a5fb14a459d949756dc00faf32ed6bda1233d9d2c79ca11531c |
| SHA512 | 7bfce579b601408262c0edd342cb2cb1ef1353b6b73dce5aad540eb77f56d1184f71c56ea859bc4373aac4875b8861e2cc5d9c49518e6c40d0b2350a7ab26c0e |
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\KvrtGui.dll
| MD5 | 38717f028f7df6e29996dabe26375956 |
| SHA1 | 328c0ed49e079999ad0cc7c1315375b77531c8c9 |
| SHA256 | 9db65ebeaf888b6cc99c06d0f063e48932feb27f25b5350d9d870e9ce40d1e10 |
| SHA512 | 4c6de66d71527c1c0e8d666e85dde671ca6b2705e5e4584487be265f25c6369f5512c0601d251192c56ad44bec538161bded7fcfcd3a578cddf76d7617af237d |
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\MSVCP140.dll
| MD5 | 5ff1fca37c466d6723ec67be93b51442 |
| SHA1 | 34cc4e158092083b13d67d6d2bc9e57b798a303b |
| SHA256 | 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062 |
| SHA512 | 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546 |
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\Qt5Core.dll
| MD5 | 02b21d6184ec835fba23088e7c7368e4 |
| SHA1 | 2386e5cd242ad6abfadecc2d8ba416125f0bde56 |
| SHA256 | 5967b2240167500cfbb602408833776fb9be95ee404ad2bbdbdde18c752aaefe |
| SHA512 | e8b15e68c61f1a0f78fa4f4821a636e07ab3a87699fc45ace096d080d7bda62534af7acf93b9a32d730b0403b52dc1eac8df9175ae02d5f6f829c7849e340eb9 |
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\plugins\platforms\qwindows.dll
| MD5 | 869b64be13907d16f8108d4e46eb1ae4 |
| SHA1 | abf528676719f69a4d2f85147dc683d1c9bb606a |
| SHA256 | 93debc8c092905993932b16f165e0b959639920d0af6156a64b9c947784fbe73 |
| SHA512 | cbd294354d5f84103b7c2f31cca6ee7f390c7852266478fb790cdd2448b1a563ddc6fcf7e351b4b28c3f5e23a52a442064ed75409f076752d0d94f133c9d7e96 |
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\plugins\imageformats\qtga.dll
| MD5 | 82a65b1ce5a7041da64290b66a6a1c8c |
| SHA1 | 577e7174b02182ada17328cbac3ac1d3605fc023 |
| SHA256 | 6da0850ed1f6d93e1d99cecc31153e8993b7b20d68308c248c71e9af4c061336 |
| SHA512 | bbc0fd32e8bdcac4d7f5fac77d9a4386be671b9d6c18d14ac6807e521a0f5192af91e106e0a3258653afbba625c09f79542f1fd7a1eaf97d9b5b98cbd2bb1084 |
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\plugins\imageformats\qwebp.dll
| MD5 | a23c6a3494e296a521a08dd2d676eb3c |
| SHA1 | 260ccb3b2f454bda853d003e3b71fb0789858873 |
| SHA256 | e58be278a435f44bf10e13d81fba5349d0f5ea224701c91f992276bcea173856 |
| SHA512 | a99eea4b72d20e34c37e0c7971f6e467b2421ff99f059c46f76d961093eea27d031edbd907ed2a99bc9ddaea9ec5b0980871b4a018284c3c324e59c00491b11f |
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\plugins\imageformats\qwbmp.dll
| MD5 | 43bc7f0b0b91676368db78d61e83edd3 |
| SHA1 | 628228c8c477f2e6e8d6f2f9dd8cc72b894d5fe6 |
| SHA256 | fe95bdae47201a7788c2cb18042c7eafa0041fb6ce6b2ea7e7d5ffd656086583 |
| SHA512 | 11e847fe59e28bdbf7448846b88578f5b0a1d6b1d7c11a80271d833ad540991d83cc1b89c2b5bfaf9b5dfa68dae538233575fac3b6f1cd5f09398b400b421872 |
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\plugins\imageformats\qtiff.dll
| MD5 | 058a1449a4656fe891bc589ea61434b1 |
| SHA1 | 8803afd1bb77e4804925610e6a94361a1e26c4d5 |
| SHA256 | fc271f33b879c7966564d04f698b7fd77d806e61107574d1240502e7c7666f26 |
| SHA512 | 91f43f8062095044ba41fea9fd4df490711f131437ee90a0354a629a7677c9c7fce84b1c1165e07a2b8c4e58beb1d66d953c1034923c986a2288553221761ca9 |
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\plugins\imageformats\qjpeg.dll
| MD5 | 03e1249b16b47fd240283f44636f6087 |
| SHA1 | e0a02adeee91ff330891ed93428956f1fb90ef44 |
| SHA256 | f1b0528f0b43b798b78580363f19bb75e68347755ef84bbf313cbb1c9fa649b2 |
| SHA512 | 287a13ebcddb151cd37ec60b47c6f674730d1886ee53d4a864e62d23aca084d9b3a4e0b8eefc07b8e1aee2e40a6b7327602aa547f1afc63dc4b254abe14749f1 |
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\plugins\imageformats\qico.dll
| MD5 | f463183ff33be64d8a61fc5d61b16064 |
| SHA1 | 5a2d6a62d293e8335d787c1e4681cca7e953b20a |
| SHA256 | e4773864ec821c90ff7b2b6a081c4abd7b9fb10829b7e067521b0b18d4e75422 |
| SHA512 | 6576842034440b4329a6cc99e419913316e2bb869e20053238add0adf23eb9e35e32ec758c93dddc8162c64049690db177791c11ed7fbdd2ef4780c6be0dbf2c |
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\plugins\imageformats\qicns.dll
| MD5 | 4d1fcfe0e08da0bfd61ad27863f05a8f |
| SHA1 | 51a9c2d12181b66f3f9fd9137a699a715df8d2fd |
| SHA256 | b95d07323612b27e04a716a3894e46a723a457e8c0be37ee838573eaee1624ab |
| SHA512 | 2251f8c7bdfa0ad6cda6d619f6df1cef76e8f317119ec4b495d0d98351e77e5f7c678f49f9c8c6eefadfee175304d00757689ff35f8c77693b2ea3435dac2aa9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4a7f03a7ad1cae046d8ceac04256e5ae |
| SHA1 | ef0bf767c91cba32b33c0b48f74f5eb153ae43d3 |
| SHA256 | e8aa3162f519e3670b0fc79dfbeeca68ea2b65a17900cf3aafc6a48de3296d60 |
| SHA512 | 382a91848be121734bce9f533bcb4747e5f21db5b1ea5dfc8cc567005f5be0f1dcc73a55516b83feb931cdc90601ed4d36fb890687f08e1056ff98da2365f01d |
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\plugins\imageformats\qgif.dll
| MD5 | 213734f42848f6cfb91b5d0f80a352dc |
| SHA1 | 72060bb18421eba12591e923929bc70b200b26fa |
| SHA256 | ed3a7867931a8c05d267a62522223ca78bd435d45af6dfde116e7eb72c2fde7c |
| SHA512 | 913afbd6e950f61d038f81ff7f0f08986469ee11cd7202cc0598d9caa7a4200e9e8e5e23f0c5062e01a6ef908e92a52f35dcf60f1af77a075200e8db466df807 |
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\vcruntime140.dll
| MD5 | a37ee36b536409056a86f50e67777dd7 |
| SHA1 | 1cafa159292aa736fc595fc04e16325b27cd6750 |
| SHA256 | 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825 |
| SHA512 | 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356 |
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\Qt5Gui.dll
| MD5 | 8fd0c7b86b4988b234614944edb565a7 |
| SHA1 | 120015375d66f6e3f1c889cbada3efc4f8ff7f5b |
| SHA256 | 449a105683a27ebce39f2a7a0fb413cbe2eb2df8c2c8f51870a40e9eb9708a7a |
| SHA512 | 3e92401ee9ed0dd51fe95f963378caa73fe07bae0186406b9689519d6b75926b5027339ea52c8643c92c21b621ddc05056a1338f0114a6902c2897406cf371f7 |
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\Qt5Widgets.dll
| MD5 | 8751f0205fc7a87b46afae8ceda42d90 |
| SHA1 | d7e41a64c09f580d9e63ff5ffc8ac37d1f7da4c1 |
| SHA256 | 7273600d11889adba9287e6d5a3b684a9d902d1b4db8cedec21562fa00c436cd |
| SHA512 | 18466c4c4b6dd07445862d8e6a84825b8b0edeaa95dc8fe58741527d5dd20cbfc7672825108acec69bae506b41fb01fc6413401759db3d8265503fea88ed9bba |
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\dbghelp.dll
| MD5 | 4003e34416ebd25e4c115d49dc15e1a7 |
| SHA1 | faf95ec65cde5bd833ce610bb8523363310ec4ad |
| SHA256 | c06430b8cb025be506be50a756488e1bcc3827c4f45158d93e4e3eeb98ce1e4f |
| SHA512 | 88f5d417377cd62bde417640a79b6ac493e80f0c8b1f63a99378a2a67695ef8e4a541cedb91acfa296ed608e821fee466983806f0d082ed2e74b0cd93eb4fb84 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 05c6846bbca7b01c6f834b5f37da43b7 |
| SHA1 | e88c19451c20bb658df2ad4e14a21d2290e28f9b |
| SHA256 | 75fab4b59d3340da36c26678b271939175aed633c3f988f5f44c5634a4f0fff3 |
| SHA512 | 48091404c6136e24aaf9488592d935ec0a4a40997a549aacec96c58ff49ee4c1262eabd354dbd194f3bbaa565d23165499ca22293fda4d0b3c7a6f5e87cc7783 |
memory/2520-213-0x00007FFB4F950000-0x00007FFB50412000-memory.dmp
memory/2520-214-0x00007FFB4F950000-0x00007FFB50412000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\klmd.sys
| MD5 | 990442d764ff1262c0b7be1e3088b6d3 |
| SHA1 | 0b161374074ef2acc101ed23204da00a0acaa86e |
| SHA256 | 6c7ccd465090354438b39da8430a5c47e7f24768a5b12ee02fecf8763e77c9e4 |
| SHA512 | af3c6dfe32266a9d546f13559dcba7c075d074bdfdaf0e6bf2a8cae787008afa579f0d5f90e0c657dd614bb244a6d95ff8366c14b388e1f4a3ab76cccb23add4 |
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\Bases\arkmon64.drv
| MD5 | fd710c439f89ca6b7d8caf3ee6f307d0 |
| SHA1 | 5273c87564d9fcbf99b846195ea8bd3102d65a76 |
| SHA256 | ca317c531bdd3a23d401a242a904e8eb81401c79073eee470b6e1078f3645faa |
| SHA512 | 3df58ac276362fb7d7999bc8e902f22e9ee1501ee2e4f653e58595d411752e18bf7ee0cbc95766ecb8da34a5ebd3a11fd5bbf5450b1c01fd3ed8ee0e22183b09 |
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\klsl.sys
| MD5 | a69adedb0d47cfb23f23a9562a4405bc |
| SHA1 | 9e70576571a15aaf71106ea0cd55e0973ef2dd15 |
| SHA256 | 31eaa7f1f9872c63091f4b3ec5310686b1dd1e2123af17991a6b4679eda3f62d |
| SHA512 | 77abb4435d8d445f7a29cdb8a318486a96122b5cc535da7a63da0fa920980e6ad73e78b72552f6949e66b349bbdc9aa9ea202481046e478c2829c155a1045820 |
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\app_core.dll
| MD5 | fe0964663cf9c5e4ff493198e035cc1f |
| SHA1 | ab9b19bd0e4efa36f78d2059b4ca556521eb35cb |
| SHA256 | ddd70011d86b8ec909295ef45f94b48b0252229b6182af9ef8a6029c30daaf39 |
| SHA512 | 923cfd9143d3850357bda901f66b5292f36ff025f05b2156667873861a02d9f498a03cdb73d2c477c0055d46600628f936b70dec46d7687fe0a97cbb1c8cf0ea |
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\instrumental_services.dll
| MD5 | c6acd1d9a80740f8a416b0a78e3fa546 |
| SHA1 | 7ea7b707d58bde0d5a14d8a7723f05e04189bce7 |
| SHA256 | db8acd14ace6d4c8d4d61016debe3c0d72677416661caf0d36e7306ed020920f |
| SHA512 | 46c889f4d84e2f8dc8bfd5bdc34a346aa393fc49adcbe95bc601e6d970599f579e5cb057196061c280cbfa976989c960ac2f1830fd61c0a9166f09a6c088c20d |
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\dblite.dll
| MD5 | 98b1a553c8c5944923814041e9a73b73 |
| SHA1 | 3e6169af53125b6da0e69890d51785a206c89975 |
| SHA256 | 6fc0104817caa1337531c9d8b284d80052770051efb76e5829895a3854ebaec8 |
| SHA512 | 8ee4467bce6495f492895a9dfaedaf85b76d6d1f67d9ff5c8c27888191c322863bc29c14ae3f505336a5317af66c31354afaeb63127e7e781f5b249f1c967363 |
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\settings.kvdb
| MD5 | 0cd7bac19edb301ce1b501bfac07acea |
| SHA1 | d66a1ba1d9a961b5f44d8d3356c79d60c7ae81d6 |
| SHA256 | f5d7c50ab67ff498fddf257193bea1ad496613c611b962a31ca39f96ef16bc05 |
| SHA512 | 9a744bd7829716afe7249094a63609c32da0a8988f9cd1881be6bca809a9f120521e7de1a30180581a8bd6f662ae18a8ac88629d404b807602e5a45a5f8ddb0a |
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\app_core_meta.dll
| MD5 | 81172e3cf5fc6df072b45c4f1fb6eb34 |
| SHA1 | 5eb293f0fe6c55e075c5ebef4d21991546f7e504 |
| SHA256 | 2a272a1990a3dfa35693adf0689512b068a831283a852f8f805cb28153115f57 |
| SHA512 | 8dc4b0d5593cf2c2262b2802b60672c392dfe0e1cd757a3410e5376bbe6bf6c473428a7ca0fc1c7f0d2de5f59017d8464e7789c76999b5d7b5379209b34c1813 |
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\crypto_components_meta.dll
| MD5 | 3d9d1753ed0f659e4db02e776a121862 |
| SHA1 | 031fb78fe7dc211fe9e0dc8ba0027c14e84cd07f |
| SHA256 | b6163ec9d4825102e3d423e02fb026259a6a17e7d7696ae060ec2b0ba97f54f2 |
| SHA512 | e1f50513db117c32505944bfb19fd3185b3231b6bd9f0495942bd9e80dd0f54ab575f1a2fca5e542174d3abe4106a9b5448d924c690e8548cd43aa77f6497c92 |
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\config.esm
| MD5 | 184a351c4d532405206e309c10af1d15 |
| SHA1 | 3cf49f2275f3f9bd8e385eddcdd04e3fc2a17352 |
| SHA256 | ef0b7e22d8f7bd06964969a7f2979a475ba1c9c34efccb0c3b9e03ae950c63f6 |
| SHA512 | 9a1a3cb0e3713ba41f36f4f01f2151b0c04454a05c986215ed2cc42180994f90d10e031d77452a2d0ad5a78f15d8d31c327d0d1ee676789780e6483dbe5e0341 |
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\key_value_storage.dll
| MD5 | 9bf7f895cff1f0b9ddf5fc077bac314c |
| SHA1 | 7e9c0ce6569c6f12c57f34597b213cd4d8f55e68 |
| SHA256 | d03e0af01fbcd9ce714caf3db5ca2ab3ca4a717d5fda5c99b77e09b5672498a4 |
| SHA512 | d416cfa9446e6c92f0805278c744cf9f8ac6a2bfb96a6e0b2d65e701472ea6feaf5742ed6cef833555188a95c613499e7e14cfe5788427ec2616cfd723021a67 |
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\storage.kvdb
| MD5 | 1a3330c4f388360e4c2b0d94fb48a788 |
| SHA1 | 127ad9be38c4aa491bd1bce6458f99a27c6d465b |
| SHA256 | 01b8d0d8c7114b59f159021384c8a59535f87018a6a136a276b5a297f54d776d |
| SHA512 | 1fcd1e99e35dc4ec972ab63299637322a27b471d02175d56409a3a114db6259f9cd767ac054c7a2bba075f36ab62f19c8118c3dda93e37b7deda05aa2b260553 |
memory/956-256-0x00000000070F0000-0x0000000007102000-memory.dmp
memory/956-255-0x00000000070C0000-0x00000000070D1000-memory.dmp
memory/956-262-0x000000000E170000-0x000000000E182000-memory.dmp
memory/956-261-0x000000000E140000-0x000000000E151000-memory.dmp
memory/956-260-0x000000000E110000-0x000000000E121000-memory.dmp
memory/956-259-0x000000000E0E0000-0x000000000E0F1000-memory.dmp
memory/956-258-0x000000000C000000-0x000000000C016000-memory.dmp
memory/956-257-0x000000000BF20000-0x000000000BF36000-memory.dmp
memory/956-264-0x000000000EC10000-0x000000000EC58000-memory.dmp
memory/956-263-0x000000000EF30000-0x000000000F08A000-memory.dmp
memory/956-266-0x000000000E270000-0x000000000E296000-memory.dmp
memory/956-265-0x000000000E240000-0x000000000E254000-memory.dmp
memory/956-268-0x000000000EC70000-0x000000000EC88000-memory.dmp
memory/956-274-0x000000000EDC0000-0x000000000EDE4000-memory.dmp
memory/956-273-0x000000000ED90000-0x000000000EDA7000-memory.dmp
memory/956-275-0x0000000014060000-0x0000000014256000-memory.dmp
memory/956-277-0x000000000EE00000-0x000000000EE11000-memory.dmp
memory/956-278-0x000000000F110000-0x000000000F123000-memory.dmp
memory/956-276-0x0000000013E50000-0x0000000013FF8000-memory.dmp
memory/956-272-0x000000000ED60000-0x000000000ED71000-memory.dmp
memory/956-271-0x000000000ED20000-0x000000000ED41000-memory.dmp
memory/956-270-0x000000000ECF0000-0x000000000ED01000-memory.dmp
memory/956-267-0x000000000EE20000-0x000000000EEDB000-memory.dmp
memory/956-269-0x0000000013A00000-0x0000000013E4D000-memory.dmp
memory/956-279-0x0000000011B90000-0x0000000011C32000-memory.dmp
memory/956-281-0x0000000011C40000-0x0000000011C86000-memory.dmp
memory/956-280-0x000000000F160000-0x000000000F173000-memory.dmp
memory/956-283-0x000000000F1A0000-0x000000000F1B5000-memory.dmp
memory/956-282-0x00000000142D0000-0x000000001466D000-memory.dmp
memory/956-284-0x0000000014000000-0x0000000014040000-memory.dmp
memory/956-299-0x0000000014AA0000-0x0000000014AB4000-memory.dmp
memory/956-298-0x00000000149C0000-0x00000000149D1000-memory.dmp
memory/956-286-0x0000000014670000-0x00000000146AB000-memory.dmp
memory/956-306-0x0000000014DD0000-0x0000000014DD1000-memory.dmp
memory/956-308-0x0000000014E20000-0x0000000014E2F000-memory.dmp
memory/956-307-0x0000000014DF0000-0x0000000014E05000-memory.dmp
memory/956-305-0x0000000014DB0000-0x0000000014DB3000-memory.dmp
memory/956-304-0x0000000014D70000-0x0000000014D9A000-memory.dmp
memory/956-303-0x0000000014BD0000-0x0000000014BF1000-memory.dmp
memory/956-302-0x0000000014BA0000-0x0000000014BB3000-memory.dmp
memory/956-301-0x0000000014B60000-0x0000000014B82000-memory.dmp
memory/956-300-0x0000000014B30000-0x0000000014B5D000-memory.dmp
memory/956-297-0x0000000015090000-0x00000000151E8000-memory.dmp
memory/956-296-0x0000000014AE0000-0x0000000014B30000-memory.dmp
memory/956-295-0x0000000014960000-0x0000000014983000-memory.dmp
memory/956-294-0x00000000149E0000-0x0000000014A4F000-memory.dmp
memory/956-293-0x00000000147E0000-0x00000000147F9000-memory.dmp
memory/956-292-0x0000000014790000-0x00000000147C1000-memory.dmp
memory/956-291-0x0000000014760000-0x000000001477D000-memory.dmp
memory/956-290-0x0000000014730000-0x0000000014741000-memory.dmp
memory/956-289-0x00000000148E0000-0x0000000014942000-memory.dmp
memory/956-288-0x0000000014C10000-0x0000000014D6A000-memory.dmp
memory/956-287-0x00000000146C0000-0x00000000146E0000-memory.dmp
memory/956-285-0x0000000014810000-0x00000000148DD000-memory.dmp
memory/956-309-0x0000000014F70000-0x000000001504D000-memory.dmp
memory/956-312-0x0000000014EC0000-0x0000000014EC1000-memory.dmp
memory/956-311-0x0000000014EA0000-0x0000000014EA1000-memory.dmp
memory/956-316-0x0000000014F50000-0x0000000014F51000-memory.dmp
memory/956-318-0x0000000015070000-0x0000000015072000-memory.dmp
memory/956-317-0x0000000015050000-0x0000000015053000-memory.dmp
memory/956-315-0x0000000014F30000-0x0000000014F31000-memory.dmp
memory/956-314-0x0000000014F10000-0x0000000014F11000-memory.dmp
memory/956-313-0x00000000153F0000-0x00000000154D5000-memory.dmp
memory/956-310-0x0000000014E80000-0x0000000014E88000-memory.dmp
C:\Windows\System32\drivers\klupd_4de68b90a_klbg.sys
| MD5 | ed6cd641a02baf78ecbe069e0b18b3b0 |
| SHA1 | cc4d47d1d0fcd3deb841f58923ac309f3be42081 |
| SHA256 | 66e7b89188e292d0abce941fcb2469e515e2a1bdbe07ad9868a34feb5f47005d |
| SHA512 | cb945fa49683b92841a7a915c73eb11b00fbceee8715a166d256cab0971dc4b4d8b2c7ad3c96e4efb73a7ea9c43ef6bfc9ff3acaffdc08df40b00048ea903abb |
C:\Windows\System32\drivers\klupd_4de68b90a_klark.sys
| MD5 | 5ea5aa37289ae16948dc771223f94160 |
| SHA1 | 640392a0d01521cb0e4485d5641f74e64e1f38aa |
| SHA256 | 4b1fd5753737f72f2b8cb0fb299c6c0e3857df69dc19931351d9784f52f307b3 |
| SHA512 | 2721db2afd55f6abbe54b5865cb41f72216a52cddb6d07721cf0bd1b76fe58b47540467ce9b503ab56e4c614765c18f559b17d73479a4f5a0fae8f6093772455 |
C:\Windows\System32\drivers\klupd_4de68b90a_mark.sys
| MD5 | 124a94969ce6660453ccd66e40ecdbb0 |
| SHA1 | 46f7ad59b93bc1b78f76fc973ce728c7951352aa |
| SHA256 | 5938747dbf6aea335fdf9131fc912452cee781dff8be61750a9b2ef384b5f835 |
| SHA512 | 3b25bc9eead7f09350c81bca4eb1a11c5332b128918802385d15fb35d017bf2a5eef64966c3e6bb74d4450d794327a1a81c0521dda8b742fda17c0bcc50079e0 |
C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\crls\c7e6bd7fe0e4965892ad706f0d2f42e88789b8041daf5b3eea9ca41785297798
| MD5 | 4b03934418970c06f092afe3d2155bf1 |
| SHA1 | 56a0e9666c3ee0071d70b9d2b364666fbb93068c |
| SHA256 | c3a63c68ae58f008e5eb52c8e515fe6f5f978e3a8e33ff3c4c4ec43b186486c6 |
| SHA512 | 7846f929ec6d68397c60155202365bbbae28c5faf053c67469b378bd059ac7fd8575ee4973d905e51471cabeadcf3251d229057fdba70eb5df478ab4eafb39f8 |
C:\Users\Admin\AppData\Local\Temp\{9c1f7ea4-5677-4ca7-8c33-72db001da2e3}\a16f836a-9056-4520-8f42-052ee5706392.cmd
| MD5 | 23d70ff4228e63c8a1128e2663a04791 |
| SHA1 | caabd3997ac9c87e57768560c988aa5113f20812 |
| SHA256 | a1459b836dc6d28a1014006848cd39e1ff47296d676070792355056b28852923 |
| SHA512 | a4a60fe1338431d50a291c101724face50dbef134bae490e80420a114606c6ce89ccf8e8166a1d695dde4a65965df6dc50ef658817c430f2bf3db5c8ce8cf8bc |
memory/2520-565-0x00007FFB4F950000-0x00007FFB50412000-memory.dmp