Malware Analysis Report

2024-11-16 12:11

Sample ID 240716-hlvdlazbpp
Target XClient.exe
SHA256 31053c2cbb304a77d3c454012374abec7a8c5a34312967a0e3c49164023c7304
Tags
xworm darkcomet neshta ramnit zeek banker evasion execution persistence rat spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

31053c2cbb304a77d3c454012374abec7a8c5a34312967a0e3c49164023c7304

Threat Level: Known bad

The file XClient.exe was found to be: Known bad.

Malicious Activity Summary

Ramnit

Windows security bypass

Detect Xworm Payload

Modifies security service

Modifies WinLogon for persistence

Xworm

Modifies firewall policy service

Neshta

Detect Neshta payload

Xworm family

Darkcomet

Command and Scripting Interpreter: PowerShell

Sets file to hidden

Drops startup file

UPX packed file

Modifies system executable filetype association

Executes dropped EXE

Reads user/profile data of web browsers

Windows security modification

Looks up external IP address via web service

Adds Run key to start application

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious behavior: GetForegroundWindowSpam

Kills process with taskkill

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-16 06:49

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-16 06:49

Reported

2024-07-16 06:52

Platform

win11-20240709-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

Signatures

Darkcomet

trojan rat darkcomet

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svñhost.exe" | C:\Users\Admin\AppData\Local\Temp\file2.exe | N/A

Modifies firewall policy service

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE | N/A

Modifies security service

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE | N/A

Neshta

persistence spyware neshta

Ramnit

trojan spyware stealer worm banker ramnit

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE | N/A

Xworm

trojan rat xworm

Sets file to hidden

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\System" | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svñhost.exe" | C:\Users\Admin\AppData\Local\Temp\file2.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svñhost.exe" | C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\notification_helper.exe C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\pwahelper.exe C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\identity_helper.exe C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\pwahelper.exe C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedgewebview2.exe C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedge_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeComRegisterShellARM64.exe C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateCore.exe C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateSetup.exe C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateComRegisterShell64.exe C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\Installer\setup.exe C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\cookie_exporter.exe C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateOnDemand.exe C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateBroker.exe C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\xemmta.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\iasoukSrv.exe

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\file2.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\xemmta.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\gekveo.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\file2.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iasouk.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\file2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\file2.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\file2.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\file2.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\file2.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\file2.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\file2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\file2.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\file2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\file2.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\file2.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\file2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\file2.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\file2.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\file2.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\file2.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\file2.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\file2.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\file2.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\file2.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\file2.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\file2.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\file2.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\file2.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4656 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4656 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4656 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4656 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4656 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4656 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4656 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4656 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4656 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Users\Admin\AppData\Local\Temp\xemmta.exe
PID 4656 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Users\Admin\AppData\Local\Temp\xemmta.exe
PID 4656 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Users\Admin\AppData\Local\Temp\xemmta.exe
PID 3000 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\xemmta.exe C:\Users\Admin\AppData\Local\Temp\3582-490\xemmta.exe
PID 3000 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\xemmta.exe C:\Users\Admin\AppData\Local\Temp\3582-490\xemmta.exe
PID 3000 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\xemmta.exe C:\Users\Admin\AppData\Local\Temp\3582-490\xemmta.exe
PID 4656 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\svchost.com
PID 4656 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\svchost.com
PID 4656 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\svchost.com
PID 932 wrote to memory of 3156 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\iasouk.exe
PID 932 wrote to memory of 3156 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\iasouk.exe
PID 932 wrote to memory of 3156 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\iasouk.exe
PID 3156 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\iasouk.exe C:\Users\Admin\AppData\Local\Temp\iasoukSrv.exe
PID 3156 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\iasouk.exe C:\Users\Admin\AppData\Local\Temp\iasoukSrv.exe
PID 3156 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\iasouk.exe C:\Users\Admin\AppData\Local\Temp\iasoukSrv.exe
PID 4656 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\svchost.com
PID 4656 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\svchost.com
PID 4656 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\svchost.com
PID 2124 wrote to memory of 1744 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\gekveo.exe
PID 2124 wrote to memory of 1744 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\gekveo.exe
PID 2124 wrote to memory of 1744 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\gekveo.exe
PID 1744 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\gekveo.exe C:\Windows\svchost.com
PID 1744 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\gekveo.exe C:\Windows\svchost.com
PID 1744 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\gekveo.exe C:\Windows\svchost.com
PID 4124 wrote to memory of 4028 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\file2.exe
PID 4124 wrote to memory of 4028 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\file2.exe
PID 4124 wrote to memory of 4028 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\file2.exe
PID 4028 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\file2.exe C:\Windows\svchost.com
PID 4028 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\file2.exe C:\Windows\svchost.com
PID 4028 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\file2.exe C:\Windows\svchost.com
PID 4028 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\file2.exe C:\Windows\svchost.com
PID 4028 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\file2.exe C:\Windows\svchost.com
PID 4028 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\file2.exe C:\Windows\svchost.com
PID 3740 wrote to memory of 4428 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\cmd.exe
PID 3740 wrote to memory of 4428 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\cmd.exe
PID 3740 wrote to memory of 4428 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\cmd.exe
PID 1044 wrote to memory of 3988 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\cmd.exe
PID 1044 wrote to memory of 3988 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\cmd.exe
PID 1044 wrote to memory of 3988 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\cmd.exe
PID 4428 wrote to memory of 4820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4428 wrote to memory of 4820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4428 wrote to memory of 4820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3988 wrote to memory of 2100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3988 wrote to memory of 2100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3988 wrote to memory of 2100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4028 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\file2.exe C:\Windows\svchost.com
PID 4028 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\file2.exe C:\Windows\svchost.com
PID 4028 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\file2.exe C:\Windows\svchost.com
PID 4300 wrote to memory of 1660 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE
PID 4300 wrote to memory of 1660 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE
PID 4300 wrote to memory of 1660 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE
PID 1744 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\gekveo.exe C:\Windows\SysWOW64\taskkill.exe
PID 1744 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\gekveo.exe C:\Windows\SysWOW64\taskkill.exe
PID 1744 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\gekveo.exe C:\Windows\SysWOW64\taskkill.exe
PID 1744 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\gekveo.exe C:\Windows\SysWOW64\taskkill.exe
PID 1744 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\gekveo.exe C:\Windows\SysWOW64\taskkill.exe

System policy modification

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE | N/A

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
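Read together, the registry rows above form a layered persistence and defence-evasion chain. The Neshta infector stage (xemmta.exe in the rows above) rewrites the exefile\shell\open\command handler to C:\Windows\svchost.com "%1" %*, so every .exe launch on the host is routed through svchost.com; that is why svchost.com appears as the parent of each dropped executable in the WriteProcessMemory table. The file2.exe stage and its svñhost.exe copy append themselves to Winlogon\UserInit (anything after userinit.exe in that value runs at every logon), add Run keys, set EnableFirewall=0 on the StandardProfile, disable the Security Center service (wscsvc Start=4) and silence its notifications; XClient.exe adds a Run key pointing at C:\Users\Admin\System. The Python below is an added example and not part of the sandbox report: one detection per indicator class, run over registry SetValue events in the shape Sysmon Event ID 13 provides, using sample events constructed from the rows above plus two benign controls. Two details matter in practice: the hive prefix and WOW6432Node are normalised away so a key is matched whether the write came from a 32- or 64-bit process, and the NoControlPanel rule keys on the value name rather than the exact path, because this sample wrote it under Policies\CurrentVersion\Explorern as recorded, not the Policies\Explorer key Windows actually reads.

```python
"""Registry-telemetry detections for the indicators recorded in this report.

Added example, not part of the sandbox report. Events are dicts with key,
value_name, data and process, as a registry SetValue source (e.g. Sysmon Event
ID 13) records them. SAMPLE_EVENTS is constructed from the indicator rows above;
the sandbox prints value data with doubled backslashes, plain paths are used here.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Stock values that the malware overwrites; anything else is a hijack.
LEGIT_USERINIT = r"c:\windows\system32\userinit.exe"
LEGIT_EXEFILE_CMD = '"%1" %*'
_HIVE_RE = re.compile(r"^\\REGISTRY\\(MACHINE|USER\\[^\\]+)\\", re.IGNORECASE)
_USER_WRITABLE_RE = re.compile(
    r"\\users\\[^\\]+\\|\\appdata\\|\\temp\\|\\programdata\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    process: str
    detail: str


def norm_key(key: str) -> str:
    """Drop the hive prefix and WOW6432Node so 32-/64-bit writes to the same
    logical key compare equal; lower-case and strip any trailing backslash."""
    key = _HIVE_RE.sub("", key)
    key = re.sub(r"\\wow6432node", "", key, flags=re.IGNORECASE)
    return key.lower().rstrip("\\")


def userinit_extras(data: str) -> list:
    """Entries in a Userinit value other than the stock userinit.exe."""
    entries = [e.strip().strip('"') for e in data.split(",") if e.strip()]
    return [e for e in entries if e.lower() != LEGIT_USERINIT]


def evaluate(event: dict) -> Optional[Finding]:
    """Apply the rules to one SetValue event; first match or None."""
    key, name = norm_key(event["key"]), event["value_name"].lower()
    data, proc = str(event["data"]).strip(), event["process"]
    if key.endswith(r"windows nt\currentversion\winlogon") and name == "userinit" \
            and (extras := userinit_extras(data)):
        return Finding("winlogon_userinit_append", "high", proc,
                       "extra Userinit entries: " + "; ".join(extras))
    if key.endswith(r"classes\exefile\shell\open\command") and name == "" \
            and data != LEGIT_EXEFILE_CMD:
        return Finding("exefile_handler_hijack", "critical", proc,
                       "every .exe launch now routed through: " + data)
    if "\\firewallpolicy\\" in key and name == "enablefirewall" and data == "0":
        return Finding("firewall_profile_disabled", "high", proc,
                       "EnableFirewall=0 under " + key.rsplit("\\", 1)[-1])
    if key.endswith(r"services\wscsvc") and name == "start" and data == "4":
        return Finding("security_center_service_disabled", "high", proc, "wscsvc Start=4")
    if key.endswith(r"microsoft\security center") and name.endswith("disablenotify") and data == "1":
        return Finding("security_center_notifications_off", "medium", proc, event["value_name"] + "=1")
    if key.endswith(r"microsoft\windows\currentversion\run") and _USER_WRITABLE_RE.search(data):
        return Finding("run_key_user_writable_path", "medium", proc,
                       "Run\\" + event["value_name"] + " -> " + data)
    # Keyed on the value name, not the path: this sample wrote it under
    # Policies\CurrentVersion\Explorern rather than the Policies\Explorer key Windows reads.
    if "\\policies\\" in key and name == "nocontrolpanel" and data == "1":
        return Finding("explorer_policy_lockdown", "low", proc, "NoControlPanel=1 under " + key)
    return None


def scan(events) -> list:
    """Findings for every event that matches a rule, in input order."""
    return [f for f in map(evaluate, events) if f is not None]


def ev(key, name, data, proc):
    return {"key": key, "value_name": name, "data": data, "process": proc}


HKLM = r"\REGISTRY\MACHINE"
HKU = r"\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000"
SVH = r"C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE"
SAMPLE_EVENTS = [
    ev(HKLM + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "UserInit",
       r"C:\Windows\system32\userinit.exe,C:\Users\Admin\AppData\Local\Temp\Microsoft\svñhost.exe",
       r"C:\Users\Admin\AppData\Local\Temp\file2.exe"),
    ev(HKLM + r"\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile",
       "EnableFirewall", "0", SVH),
    ev(HKLM + r"\SYSTEM\ControlSet001\Services\wscsvc", "Start", "4", SVH),
    ev(HKLM + r"\SOFTWARE\WOW6432Node\Microsoft\Security Center", "AntiVirusDisableNotify", "1", SVH),
    ev(HKLM + r"\SOFTWARE\Classes\exefile\shell\open\command", "", r'C:\Windows\svchost.com "%1" %*',
       r"C:\Users\Admin\AppData\Local\Temp\xemmta.exe"),
    ev(HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run", "System", r"C:\Users\Admin\System",
       r"C:\Users\Admin\AppData\Local\Temp\XClient.exe"),
    ev(HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern",
       "NoControlPanel", "1", SVH),
    # Benign controls: stock Userinit and the default exefile handler.
    ev(HKLM + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "UserInit",
       r"C:\Windows\system32\userinit.exe,", r"C:\Windows\System32\svchost.exe"),
    ev(HKLM + r"\SOFTWARE\Classes\exefile\shell\open\command", "", '"%1" %*', r"C:\Windows\regedit.exe"),
]

if __name__ == "__main__":
    print(*scan(SAMPLE_EVENTS), sep="\n")
```

Run as a script it prints the seven findings for the sample events and nothing for the two controls. The Userinit and exefile rules compare the recorded data against the stock value rather than against a blocklist of names, so a renamed dropper or a different drop directory does not evade them; the Run-key rule is intentionally broader (any user-writable target) and is the one to tune against legitimate per-user software.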

Processes

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\System'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System'

C:\Users\Admin\AppData\Local\Temp\xemmta.exe

"C:\Users\Admin\AppData\Local\Temp\xemmta.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\xemmta.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\xemmta.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\iasouk.exe"

C:\Users\Admin\AppData\Local\Temp\iasouk.exe

C:\Users\Admin\AppData\Local\Temp\iasouk.exe

C:\Users\Admin\AppData\Local\Temp\iasoukSrv.exe

C:\Users\Admin\AppData\Local\Temp\iasoukSrv.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5040 -ip 5040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 320

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\gekveo.exe"

C:\Users\Admin\AppData\Local\Temp\gekveo.exe

C:\Users\Admin\AppData\Local\Temp\gekveo.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\file2.exe"

C:\Users\Admin\AppData\Local\Temp\file2.exe

C:\Users\Admin\AppData\Local\Temp\file2.exe

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\file2.exe" +s +h

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /k attrib C:\Users\Admin\AppData\Local\Temp\file2.exe +s +h

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /k attrib C:\Users\Admin\AppData\Local\Temp +s +h

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\SysWOW64\attrib.exe

attrib C:\Users\Admin\AppData\Local\Temp\file2.exe +s +h

C:\Windows\SysWOW64\attrib.exe

attrib C:\Users\Admin\AppData\Local\Temp +s +h

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE"

C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE

C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im spidernt.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im avz.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im drweb32w.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im filemon.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im regmon.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im avp.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im avp32.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im bidef.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im cv.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im frv.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im ndd32.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im minilog.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im zonealarm.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\suekna.EXE"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
US 147.185.221.21:14365 21.ip.gl.ply.gg tcp
US 147.185.221.21:14365 21.ip.gl.ply.gg tcp

Files

memory/4656-0-0x00007FFA813F3000-0x00007FFA813F5000-memory.dmp

memory/4656-1-0x0000000000450000-0x00000000004AE000-memory.dmp

memory/4656-2-0x00007FFA813F0000-0x00007FFA81EB2000-memory.dmp

memory/5056-12-0x00007FFA813F0000-0x00007FFA81EB2000-memory.dmp

memory/5056-11-0x0000025133140000-0x0000025133162000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2o5wo4il.o3p.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5056-13-0x00007FFA813F0000-0x00007FFA81EB2000-memory.dmp

memory/5056-14-0x00007FFA813F0000-0x00007FFA81EB2000-memory.dmp

memory/5056-18-0x00007FFA813F0000-0x00007FFA81EB2000-memory.dmp

memory/5056-17-0x00007FFA813F0000-0x00007FFA81EB2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 627073ee3ca9676911bee35548eff2b8
SHA1 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1a9fa92a4f2e2ec9e244d43a6a4f8fb9
SHA1 9910190edfaccece1dfcc1d92e357772f5dae8f7
SHA256 0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888
SHA512 5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 55f30089624be31af328ba4e012ae45a
SHA1 121c28de7a5afe828ea395d94be8f5273817b678
SHA256 28e49da06bd64f06a4cf1a9caead354b94b4d11d5dc916a92da0ed96bad00473
SHA512 ef13cc5b22c754c7816e08b421de64bc8df527d7166e970454139410b2d381b53ebf288ec73013cdce92f0ac226d9ed5b342341db52a8cb0b85b5ad4d3090787

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b1c1fe85a9cd8fa09682d3ff82540ac5
SHA1 85fa1d0d71c76d1cd02c59a928c582da1f39ddf5
SHA256 6592c430c3d57a89177dd054c34d64b72e2c7ed73b93a854187809e48c3348c0
SHA512 bd131eaa683df3b099e69ca736a33bb9db19bd164caa9f2977b45b41da4d83654a6a69018d5ad343a45e8dd9d69a2a176848b35d2661d80330222c175d0bd122

memory/4656-53-0x00007FFA813F3000-0x00007FFA813F5000-memory.dmp

memory/4656-54-0x00007FFA813F0000-0x00007FFA81EB2000-memory.dmp

memory/4656-55-0x000000001C160000-0x000000001C16C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xemmta.exe

MD5 ab9c7a7945f80ea4733b1de4aac476f7
SHA1 15685d78495de6f705a278270e099995aa440a3b
SHA256 3fb5bcd3edef67c75fa8428a5262e31bb4cf08e178ca53721695613902053f64
SHA512 29050245aeba46f0ad064f7dfd638d67461b50e4bac098d4e6fb307e5e32faff569b35791f25f443e74c87b8822f7244e1630fe9d3a54b0caa357858138cdc0c

C:\Users\Admin\AppData\Local\Temp\3582-490\xemmta.exe

MD5 2f0c1f93f38047e74921bfd00599c37a
SHA1 a052301f981f4ab4c8667b543e16bd407e23348b
SHA256 70d56bc08d401f0903a9421fa2434a82df7e72d30774fa21a51b822148c51cce
SHA512 fc962d66fd5d0ae865ad53bd5d914789e83304b1fb2cef3bbe32630ad0680a34faf580a8e10e646329a169e31cf98e1d42e02ab5a88cc333fa57f65779e1fc0f

memory/3000-179-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2452-180-0x0000000000400000-0x0000000000460000-memory.dmp

memory/3000-182-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Windows\svchost.com

MD5 388f92187a6da936967e0693e5d2c57d
SHA1 425c118c53b3f82044f167da58f950f9a9652612
SHA256 b1f9e56a4f6c0134389e395147daa7e4a71cb148a8804eb9b4ffd8b0272580fc
SHA512 b1aaefa1b60be9c0a377b10cc6d7903b501879266a76e594edf66afc27d50ce366e70fda6f30d222256c9194dbf5af7dcf09201ddabef0673a58568cc6ada1f7

C:\Users\Admin\AppData\Local\Temp\iasouk.exe

MD5 f1a97729b6e7401062abb8a05266aa8f
SHA1 522eb9ba7abfaccb84c1c5318da5eb879d05ca7c
SHA256 5a0aeea01f95dd75eadfb2dcd684c615d828aaa6881703bac633921f1fa00074
SHA512 9ec6fe3a90b254708ccb155279ef8fc989882691c69ecc2d2701a86880a2776fe5d96aba9da39e30e319438d24c9fcfd76353d1e22a148400729df225dafc5f7

memory/3156-200-0x0000000000400000-0x0000000000481000-memory.dmp

memory/5040-204-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iasoukSrv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp

MD5 29e4ed8c96f26a6a8abc74476b048744
SHA1 b0c1d6647e2ae68aef89b8ca808e44c6e39e975d
SHA256 2bde52dbdaa962e72570ced59ffad8096df1d4dc0ce3d81a018179debb746708
SHA512 80723f8d57cf1db81a25c5ba6340cf8219b8ce1f7bb9d41d190861e6dec4ae91f931a8e78ac0345481943856ce675f9ac2cdd02704f49bd3d4e29de5423e39e0

memory/932-206-0x0000000000400000-0x000000000041B000-memory.dmp

memory/5040-207-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2452-208-0x0000000000400000-0x0000000000460000-memory.dmp

memory/2452-209-0x0000000000400000-0x0000000000460000-memory.dmp

memory/3156-210-0x0000000000400000-0x0000000000481000-memory.dmp

C:\Windows\directx.sys

MD5 6d457279c93bdee8c49d95016889139b
SHA1 fa3224fe049387998ba6beb0f57f9ab9b73458fc
SHA256 9abe94a2ae48f887bdc0a5e3f87993d614621fd45ddc748e3f419fea75cb3d49
SHA512 5dd33c4eed326ede539dd4ecbd432faedd22d969a35d388433ed6ed68481dae252bbecbabbf767c9a3703914d5012d8c869a91ce406e7fb43fe22ca0a49c384d

C:\Users\Admin\AppData\Local\Temp\gekveo.exe

MD5 2fcb3e0be72e3a6ca0e0c439665afd85
SHA1 672e486f5b762fbfb6ce84ddc50278824890cc11
SHA256 809fa6cc92b87617af3beac0c187d3e12d29e0f27bda4fbcd399210ddef0022b
SHA512 2f47c2e99fd4cf78ae802fc8ca845e52075439e16f31376f978117bbaacbed8be334e2a663b039c6c704537efbcd12ae8c7a4d3b205c766af87869a68b4acbd9

memory/2124-243-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file2.exe

MD5 f34221a58021fdba47a15cb5017dfffe
SHA1 1f63dc826f99cba1620b802e726585ad5939a2be
SHA256 cd5ff0f1d5d47eccc40633ee372b051b8609de0cf3e4b0c862e0a040f7df1b25
SHA512 32a1a010cd754d600a8acdea29710bda3a362895006f80f15bf3259201952310643b9be86c7fbe036cb3feb88bb08196bd21227960735791e1aa63b7573cac75

C:\Windows\directx.sys

MD5 915dd1ce4ea91678156d0d127284e404
SHA1 b024020f34cbc2a1fc686fca68d9feaf8a55c47e
SHA256 54096b12402af1d0b866f410b54efc58f543681c485d545f25b72d63abce79f5
SHA512 eb0cf116dcfa1934f3e6e3b56c899a4b9e4d70a6fa9c50c8c81870c639001c82002343b810429ceb0ecd8964c53146655bb9dca3183c954c91f0fb0f51305be9

C:\Users\Admin\AppData\Local\Temp\file3.empty

MD5 1ee80a3ca8c142c985758203c13c6a22
SHA1 a06c8b3471f21d8405e6c2e70c62055b7902de0d
SHA256 0359552b4a82ea8e7c3e3fc8d529f3b4f0af3cd8050d728ee49025c24aeb0197
SHA512 51c9545ce13f72af1c25385345a63f905d590a16a7ec8d4da4e3f0ba53a62c2ce0f129a4bd60b7a6536d40632852d84b59561409c99292d5e2dfaac867efb246

memory/4124-261-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Windows\directx.sys

MD5 8e966011732995cd7680a1caa974fd57
SHA1 2b22d69074bfa790179858cc700a7cbfd01ca557
SHA256 97d597793ec8307b71f3cfb8a6754be45bf4c548914367f4dc9af315c3a93d9b
SHA512 892da55e0f4b3ff983019c11d58809fdcb8695d79c617ddc6251791308ee013bf097d1b4a7541140f7a01c56038a804974a4f154cc1b26e80e5cf5c07adf227c

memory/3740-275-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1044-282-0x0000000000400000-0x000000000041B000-memory.dmp

\??\c:\program files (x86)\adobe\acrobat reader dc\reader\acrord32.exe

MD5 8ffc3bdf4a1903d9e28b99d1643fc9c7
SHA1 919ba8594db0ae245a8abd80f9f3698826fc6fe5
SHA256 8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6
SHA512 0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

C:\Windows\directx.sys

MD5 016bcbec29654abd8191fae00146a7ec
SHA1 1693427056ba3ae65ebcef448b6c45eef88f835f
SHA256 26510fc1074153ae66bd366f78a7ee34d3eb62de89e26fc91a8637db472498a9
SHA512 430efc57f48f6a2392670b8c01ca7b431587132973430a584aa3b45138f88e70a29f6a2e0402449bc7a069811b43d76e600c87a1578c04234c9cd3eee465447d

memory/4300-350-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4028-352-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1744-354-0x0000000000400000-0x0000000000490000-memory.dmp

memory/2452-355-0x0000000000400000-0x0000000000460000-memory.dmp

memory/3156-357-0x0000000000400000-0x0000000000481000-memory.dmp

memory/3156-356-0x0000000000400000-0x0000000000481000-memory.dmp

memory/2452-358-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1660-360-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/3156-359-0x0000000000400000-0x0000000000481000-memory.dmp

C:\Windows\directx.sys

MD5 339c4d3e4f26e849623e75b0fbef9464
SHA1 ab1d6bb79eb938cde99d71dedc410abf59ceceb4
SHA256 d2c33c70716578fb62aeeaacf241403c48fa3ece07a2567d15576067db6e29bf
SHA512 a0dafbc45bfa6e435e1a48cebc65b44aaa7e6ca091d0c1ce76d4a011c30085040fe4452ce8386b6a3b1ba527b24081660a6b28c6040517ee2c4f1e0cfadaa1ff

C:\Users\Admin\AppData\Local\Temp\suekna.EXE

MD5 2d6b06b62a92035b54219f641b4023e5
SHA1 b02f7df020cfe3957ce702854d2a71f7224668cf
SHA256 45ee5d9ab589b9bba3c07e76607bbb077267bc8a186780a24a3283103d149b43
SHA512 be184148f8672734ab764d12f9609f26c66563f302ab0945ac848db9cf17c0fc50caf0a8c5fe39bb293ef7fd209140244b56806412c33c73ac0dfaf59edceaad

memory/2452-380-0x0000000000400000-0x0000000000460000-memory.dmp

memory/3156-381-0x0000000000400000-0x0000000000481000-memory.dmp

memory/1660-382-0x0000000000400000-0x00000000004B2000-memory.dmp