Analysis Overview
SHA256
31053c2cbb304a77d3c454012374abec7a8c5a34312967a0e3c49164023c7304
Threat Level: Known bad
The file XClient.exe was found to be: Known bad.
Malicious Activity Summary
Ramnit
Windows security bypass
Detect Xworm Payload
Modifies security service
Modifies WinLogon for persistence
Xworm
Modifies firewall policy service
Neshta
Detect Neshta payload
Xworm family
Darkcomet
Command and Scripting Interpreter: PowerShell
Sets file to hidden
Drops startup file
UPX packed file
Modifies system executable filetype association
Executes dropped EXE
Reads user/profile data of web browsers
Windows security modification
Looks up external IP address via web service
Adds Run key to start application
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious behavior: EnumeratesProcesses
System policy modification
Suspicious behavior: GetForegroundWindowSpam
Kills process with taskkill
Views/modifies file attributes
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-16 06:49
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-16 06:49
Reported
2024-07-16 06:52
Platform
win11-20240709-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Darkcomet
Detect Neshta payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svñhost.exe" | C:\Users\Admin\AppData\Local\Temp\file2.exe | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE | N/A |
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE | N/A |
Neshta
Ramnit
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\xemmta.exe | N/A |
| N/A | N/A | C:\Windows\svchost.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iasouk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iasoukSrv.exe | N/A |
| N/A | N/A | C:\Windows\svchost.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gekveo.exe | N/A |
| N/A | N/A | C:\Windows\svchost.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file2.exe | N/A |
| N/A | N/A | C:\Windows\svchost.com | N/A |
| N/A | N/A | C:\Windows\svchost.com | N/A |
| N/A | N/A | C:\Windows\svchost.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE | N/A |
| N/A | N/A | C:\Windows\svchost.com | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\System" | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svñhost.exe" | C:\Users\Admin\AppData\Local\Temp\file2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svñhost.exe" | C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\notification_helper.exe | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\Application\pwahelper.exe | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\identity_helper.exe | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\pwahelper.exe | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~2\wabmig.exe | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedgewebview2.exe | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\Application\msedge.exe | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~2\wab.exe | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedge_pwa_launcher.exe | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeComRegisterShellARM64.exe | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmlaunch.exe | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateCore.exe | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmprph.exe | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateSetup.exe | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\elevation_service.exe | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateComRegisterShell64.exe | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\Installer\setup.exe | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\ExtExport.exe | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\cookie_exporter.exe | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateOnDemand.exe | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmplayer.exe | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateBroker.exe | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\iasoukSrv.exe |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\file2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\gekveo.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\file2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iasouk.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE | N/A |
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\XClient.exe | "C:\Users\Admin\AppData\Local\Temp\XClient.exe" |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe' |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe' |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\System' |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System' |
| C:\Users\Admin\AppData\Local\Temp\xemmta.exe | "C:\Users\Admin\AppData\Local\Temp\xemmta.exe" |
| C:\Users\Admin\AppData\Local\Temp\3582-490\xemmta.exe | "C:\Users\Admin\AppData\Local\Temp\3582-490\xemmta.exe" |
| C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\iasouk.exe" |
| C:\Users\Admin\AppData\Local\Temp\iasouk.exe | C:\Users\Admin\AppData\Local\Temp\iasouk.exe |
| C:\Users\Admin\AppData\Local\Temp\iasoukSrv.exe | C:\Users\Admin\AppData\Local\Temp\iasoukSrv.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5040 -ip 5040 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 320 |
| C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\gekveo.exe" |
| C:\Users\Admin\AppData\Local\Temp\gekveo.exe | C:\Users\Admin\AppData\Local\Temp\gekveo.exe |
| C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\file2.exe" |
| C:\Users\Admin\AppData\Local\Temp\file2.exe | C:\Users\Admin\AppData\Local\Temp\file2.exe |
| C:\Windows\system32\OpenWith.exe | C:\Windows\system32\OpenWith.exe -Embedding |
| C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\file2.exe" +s +h |
| C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\System32\cmd.exe /k attrib C:\Users\Admin\AppData\Local\Temp\file2.exe +s +h |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\System32\cmd.exe /k attrib C:\Users\Admin\AppData\Local\Temp +s +h |
| C:\Windows\system32\OpenWith.exe | C:\Windows\system32\OpenWith.exe -Embedding |
| C:\Windows\SysWOW64\attrib.exe | attrib C:\Users\Admin\AppData\Local\Temp\file2.exe +s +h |
| C:\Windows\SysWOW64\attrib.exe | attrib C:\Users\Admin\AppData\Local\Temp +s +h |
| C:\Windows\system32\OpenWith.exe | C:\Windows\system32\OpenWith.exe -Embedding |
| C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE" |
| C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE | C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE |
| C:\Windows\system32\OpenWith.exe | C:\Windows\system32\OpenWith.exe -Embedding |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im spidernt.exe |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im avz.exe |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im drweb32w.exe |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im filemon.exe |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im regmon.exe |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im avp.exe |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im avp32.exe |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im bidef.exe |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im cv.exe |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im frv.exe |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im ndd32.exe |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im minilog.exe |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im zonealarm.exe |
| C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\suekna.EXE" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 147.185.221.21:14365 | 21.ip.gl.ply.gg | tcp |
| US | 147.185.221.21:14365 | 21.ip.gl.ply.gg | tcp |
Files
memory/4656-0-0x00007FFA813F3000-0x00007FFA813F5000-memory.dmp
memory/4656-1-0x0000000000450000-0x00000000004AE000-memory.dmp
memory/4656-2-0x00007FFA813F0000-0x00007FFA81EB2000-memory.dmp
memory/5056-12-0x00007FFA813F0000-0x00007FFA81EB2000-memory.dmp
memory/5056-11-0x0000025133140000-0x0000025133162000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2o5wo4il.o3p.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5056-13-0x00007FFA813F0000-0x00007FFA81EB2000-memory.dmp
memory/5056-14-0x00007FFA813F0000-0x00007FFA81EB2000-memory.dmp
memory/5056-18-0x00007FFA813F0000-0x00007FFA81EB2000-memory.dmp
memory/5056-17-0x00007FFA813F0000-0x00007FFA81EB2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 627073ee3ca9676911bee35548eff2b8 |
| SHA1 | 4c4b68c65e2cab9864b51167d710aa29ebdcff2e |
| SHA256 | 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c |
| SHA512 | 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1a9fa92a4f2e2ec9e244d43a6a4f8fb9 |
| SHA1 | 9910190edfaccece1dfcc1d92e357772f5dae8f7 |
| SHA256 | 0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888 |
| SHA512 | 5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 55f30089624be31af328ba4e012ae45a |
| SHA1 | 121c28de7a5afe828ea395d94be8f5273817b678 |
| SHA256 | 28e49da06bd64f06a4cf1a9caead354b94b4d11d5dc916a92da0ed96bad00473 |
| SHA512 | ef13cc5b22c754c7816e08b421de64bc8df527d7166e970454139410b2d381b53ebf288ec73013cdce92f0ac226d9ed5b342341db52a8cb0b85b5ad4d3090787 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b1c1fe85a9cd8fa09682d3ff82540ac5 |
| SHA1 | 85fa1d0d71c76d1cd02c59a928c582da1f39ddf5 |
| SHA256 | 6592c430c3d57a89177dd054c34d64b72e2c7ed73b93a854187809e48c3348c0 |
| SHA512 | bd131eaa683df3b099e69ca736a33bb9db19bd164caa9f2977b45b41da4d83654a6a69018d5ad343a45e8dd9d69a2a176848b35d2661d80330222c175d0bd122 |
memory/4656-53-0x00007FFA813F3000-0x00007FFA813F5000-memory.dmp
memory/4656-54-0x00007FFA813F0000-0x00007FFA81EB2000-memory.dmp
memory/4656-55-0x000000001C160000-0x000000001C16C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xemmta.exe
| MD5 | ab9c7a7945f80ea4733b1de4aac476f7 |
| SHA1 | 15685d78495de6f705a278270e099995aa440a3b |
| SHA256 | 3fb5bcd3edef67c75fa8428a5262e31bb4cf08e178ca53721695613902053f64 |
| SHA512 | 29050245aeba46f0ad064f7dfd638d67461b50e4bac098d4e6fb307e5e32faff569b35791f25f443e74c87b8822f7244e1630fe9d3a54b0caa357858138cdc0c |
C:\Users\Admin\AppData\Local\Temp\3582-490\xemmta.exe
| MD5 | 2f0c1f93f38047e74921bfd00599c37a |
| SHA1 | a052301f981f4ab4c8667b543e16bd407e23348b |
| SHA256 | 70d56bc08d401f0903a9421fa2434a82df7e72d30774fa21a51b822148c51cce |
| SHA512 | fc962d66fd5d0ae865ad53bd5d914789e83304b1fb2cef3bbe32630ad0680a34faf580a8e10e646329a169e31cf98e1d42e02ab5a88cc333fa57f65779e1fc0f |
memory/3000-179-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2452-180-0x0000000000400000-0x0000000000460000-memory.dmp
memory/3000-182-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Windows\svchost.com
| MD5 | 388f92187a6da936967e0693e5d2c57d |
| SHA1 | 425c118c53b3f82044f167da58f950f9a9652612 |
| SHA256 | b1f9e56a4f6c0134389e395147daa7e4a71cb148a8804eb9b4ffd8b0272580fc |
| SHA512 | b1aaefa1b60be9c0a377b10cc6d7903b501879266a76e594edf66afc27d50ce366e70fda6f30d222256c9194dbf5af7dcf09201ddabef0673a58568cc6ada1f7 |
C:\Users\Admin\AppData\Local\Temp\iasouk.exe
| MD5 | f1a97729b6e7401062abb8a05266aa8f |
| SHA1 | 522eb9ba7abfaccb84c1c5318da5eb879d05ca7c |
| SHA256 | 5a0aeea01f95dd75eadfb2dcd684c615d828aaa6881703bac633921f1fa00074 |
| SHA512 | 9ec6fe3a90b254708ccb155279ef8fc989882691c69ecc2d2701a86880a2776fe5d96aba9da39e30e319438d24c9fcfd76353d1e22a148400729df225dafc5f7 |
memory/3156-200-0x0000000000400000-0x0000000000481000-memory.dmp
memory/5040-204-0x0000000000400000-0x000000000042E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iasoukSrv.exe
| MD5 | ff5e1f27193ce51eec318714ef038bef |
| SHA1 | b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6 |
| SHA256 | fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320 |
| SHA512 | c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a |
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp
| MD5 | 29e4ed8c96f26a6a8abc74476b048744 |
| SHA1 | b0c1d6647e2ae68aef89b8ca808e44c6e39e975d |
| SHA256 | 2bde52dbdaa962e72570ced59ffad8096df1d4dc0ce3d81a018179debb746708 |
| SHA512 | 80723f8d57cf1db81a25c5ba6340cf8219b8ce1f7bb9d41d190861e6dec4ae91f931a8e78ac0345481943856ce675f9ac2cdd02704f49bd3d4e29de5423e39e0 |
memory/932-206-0x0000000000400000-0x000000000041B000-memory.dmp
memory/5040-207-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2452-208-0x0000000000400000-0x0000000000460000-memory.dmp
memory/2452-209-0x0000000000400000-0x0000000000460000-memory.dmp
memory/3156-210-0x0000000000400000-0x0000000000481000-memory.dmp
C:\Windows\directx.sys
| MD5 | 6d457279c93bdee8c49d95016889139b |
| SHA1 | fa3224fe049387998ba6beb0f57f9ab9b73458fc |
| SHA256 | 9abe94a2ae48f887bdc0a5e3f87993d614621fd45ddc748e3f419fea75cb3d49 |
| SHA512 | 5dd33c4eed326ede539dd4ecbd432faedd22d969a35d388433ed6ed68481dae252bbecbabbf767c9a3703914d5012d8c869a91ce406e7fb43fe22ca0a49c384d |
C:\Users\Admin\AppData\Local\Temp\gekveo.exe
| MD5 | 2fcb3e0be72e3a6ca0e0c439665afd85 |
| SHA1 | 672e486f5b762fbfb6ce84ddc50278824890cc11 |
| SHA256 | 809fa6cc92b87617af3beac0c187d3e12d29e0f27bda4fbcd399210ddef0022b |
| SHA512 | 2f47c2e99fd4cf78ae802fc8ca845e52075439e16f31376f978117bbaacbed8be334e2a663b039c6c704537efbcd12ae8c7a4d3b205c766af87869a68b4acbd9 |
memory/2124-243-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\file2.exe
| MD5 | f34221a58021fdba47a15cb5017dfffe |
| SHA1 | 1f63dc826f99cba1620b802e726585ad5939a2be |
| SHA256 | cd5ff0f1d5d47eccc40633ee372b051b8609de0cf3e4b0c862e0a040f7df1b25 |
| SHA512 | 32a1a010cd754d600a8acdea29710bda3a362895006f80f15bf3259201952310643b9be86c7fbe036cb3feb88bb08196bd21227960735791e1aa63b7573cac75 |
C:\Windows\directx.sys
| MD5 | 915dd1ce4ea91678156d0d127284e404 |
| SHA1 | b024020f34cbc2a1fc686fca68d9feaf8a55c47e |
| SHA256 | 54096b12402af1d0b866f410b54efc58f543681c485d545f25b72d63abce79f5 |
| SHA512 | eb0cf116dcfa1934f3e6e3b56c899a4b9e4d70a6fa9c50c8c81870c639001c82002343b810429ceb0ecd8964c53146655bb9dca3183c954c91f0fb0f51305be9 |
C:\Users\Admin\AppData\Local\Temp\file3.empty
| MD5 | 1ee80a3ca8c142c985758203c13c6a22 |
| SHA1 | a06c8b3471f21d8405e6c2e70c62055b7902de0d |
| SHA256 | 0359552b4a82ea8e7c3e3fc8d529f3b4f0af3cd8050d728ee49025c24aeb0197 |
| SHA512 | 51c9545ce13f72af1c25385345a63f905d590a16a7ec8d4da4e3f0ba53a62c2ce0f129a4bd60b7a6536d40632852d84b59561409c99292d5e2dfaac867efb246 |
memory/4124-261-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Windows\directx.sys
| MD5 | 8e966011732995cd7680a1caa974fd57 |
| SHA1 | 2b22d69074bfa790179858cc700a7cbfd01ca557 |
| SHA256 | 97d597793ec8307b71f3cfb8a6754be45bf4c548914367f4dc9af315c3a93d9b |
| SHA512 | 892da55e0f4b3ff983019c11d58809fdcb8695d79c617ddc6251791308ee013bf097d1b4a7541140f7a01c56038a804974a4f154cc1b26e80e5cf5c07adf227c |
memory/3740-275-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1044-282-0x0000000000400000-0x000000000041B000-memory.dmp
\??\c:\program files (x86)\adobe\acrobat reader dc\reader\acrord32.exe
| MD5 | 8ffc3bdf4a1903d9e28b99d1643fc9c7 |
| SHA1 | 919ba8594db0ae245a8abd80f9f3698826fc6fe5 |
| SHA256 | 8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6 |
| SHA512 | 0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427 |
C:\Windows\directx.sys
| MD5 | 016bcbec29654abd8191fae00146a7ec |
| SHA1 | 1693427056ba3ae65ebcef448b6c45eef88f835f |
| SHA256 | 26510fc1074153ae66bd366f78a7ee34d3eb62de89e26fc91a8637db472498a9 |
| SHA512 | 430efc57f48f6a2392670b8c01ca7b431587132973430a584aa3b45138f88e70a29f6a2e0402449bc7a069811b43d76e600c87a1578c04234c9cd3eee465447d |
memory/4300-350-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4028-352-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1744-354-0x0000000000400000-0x0000000000490000-memory.dmp
memory/2452-355-0x0000000000400000-0x0000000000460000-memory.dmp
memory/3156-357-0x0000000000400000-0x0000000000481000-memory.dmp
memory/3156-356-0x0000000000400000-0x0000000000481000-memory.dmp
memory/2452-358-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1660-360-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/3156-359-0x0000000000400000-0x0000000000481000-memory.dmp
C:\Windows\directx.sys
| MD5 | 339c4d3e4f26e849623e75b0fbef9464 |
| SHA1 | ab1d6bb79eb938cde99d71dedc410abf59ceceb4 |
| SHA256 | d2c33c70716578fb62aeeaacf241403c48fa3ece07a2567d15576067db6e29bf |
| SHA512 | a0dafbc45bfa6e435e1a48cebc65b44aaa7e6ca091d0c1ce76d4a011c30085040fe4452ce8386b6a3b1ba527b24081660a6b28c6040517ee2c4f1e0cfadaa1ff |
C:\Users\Admin\AppData\Local\Temp\suekna.EXE
| MD5 | 2d6b06b62a92035b54219f641b4023e5 |
| SHA1 | b02f7df020cfe3957ce702854d2a71f7224668cf |
| SHA256 | 45ee5d9ab589b9bba3c07e76607bbb077267bc8a186780a24a3283103d149b43 |
| SHA512 | be184148f8672734ab764d12f9609f26c66563f302ab0945ac848db9cf17c0fc50caf0a8c5fe39bb293ef7fd209140244b56806412c33c73ac0dfaf59edceaad |
memory/2452-380-0x0000000000400000-0x0000000000460000-memory.dmp
memory/3156-381-0x0000000000400000-0x0000000000481000-memory.dmp
memory/1660-382-0x0000000000400000-0x00000000004B2000-memory.dmp