Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] '751ebcf0-16ed-482f-a29f-c6aba389fe1c' = '"%TEMP%\{241f72a7-0af1-4f89-a783-e7e518265ccd}\751ebcf0-16ed-482f-a29f-c6aba389fe1c.cmd"'
Sets the following service settings
- [HKLM\SYSTEM\CurrentControlSet\Services\1C974g4_3956] 'ImagePath' = '%WINDIR%\Temp\gapa73fT_3956.sys'
- [HKLM\System\ControlSet001\Services\{21427802-3979-F011-BC9E-74BC8BA50102}] 'Start' = '00000000'
- [HKLM\System\ControlSet001\Services\{21427802-3979-F011-BC9E-74BC8BA50102}] 'ImagePath' = 'System32\{20427802-3979-F011-BC9E-74BC8BA50102}'
- [HKLM\SYSTEM\ControlSet001\Services\de0f7c71] 'ImagePath' = 'System32\Drivers\de0f7c71.sys'
- [HKLM\SYSTEM\ControlSet001\Services\klupd_de0f7c71a_arkmon] 'ImagePath' = 'System32\Drivers\klupd_de0f7c71a_arkmon.sys'
- [HKLM\SYSTEM\ControlSet001\Services\klupd_de0f7c71a_arkmon] 'Start' = '00000000'
- [HKLM\SYSTEM\ControlSet001\Services\klupd_de0f7c71a_klbg] 'ImagePath' = 'System32\Drivers\klupd_de0f7c71a_klbg.sys'
- [HKLM\SYSTEM\ControlSet001\Services\klupd_de0f7c71a_klbg] 'Start' = '00000000'
- [HKLM\SYSTEM\ControlSet001\Services\klupd_de0f7c71a_klark] 'ImagePath' = 'System32\Drivers\klupd_de0f7c71a_klark.sys'
- [HKLM\SYSTEM\ControlSet001\Services\klupd_de0f7c71a_mark] 'ImagePath' = 'System32\Drivers\klupd_de0f7c71a_mark.sys'
- [HKLM\SYSTEM\ControlSet001\Services\klupd_de0f7c71a_arkmon_969D785A] 'ImagePath' = 'C:\KVRT2020_Data\Temp\969D785A5A4208E64EE44FD1F93A608D\klupd_de0f7c71a_arkmon.sys'
Creates the following services
- '1C974g4_3956' %WINDIR%\Temp\gapa73fT_3956.sys
- 'klupd_de0f7c71a_arkmon_969D785A' C:\KVRT2020_Data\Temp\969D785A5A4208E64EE44FD1F93A608D\klupd_de0f7c71a_arkmon.sys
Malicious functions
To complicate detection of its presence in the operating system,
adds antivirus exclusion:
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath %WINDIR%\Temp\
Injects code into
the following system processes:
- <SYSTEM32>\svchost.exe
- <SYSTEM32>\werfault.exe
Terminates or attempts to terminate
the following system processes:
- <SYSTEM32>\svchost.exe
Modifies file system
Creates the following files
- %WINDIR%\temp\ea6u57u_3956.tmp
- %WINDIR%\temp\gapa73ft_3956.sys
- %TEMP%\t0p53kl.exe
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\app_core.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\app_core_meta.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\instrumental_services.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\instrumental_meta.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\key_value_storage.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\dataformats-en.xml
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\ksn_facade.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\ksn_meta.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\mc_statistic.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\uds.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\crypto_components.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\crypto_components_meta.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\storage.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\dblite.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\dbghelp.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\dumpwriter.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\kldw.exe
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\config.esm
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\settings.kvdb
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\storage.kvdb
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\settings.dat
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\x86\redist.tar
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\bases\arkmon32.drv
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\bases\arkmon32.drv0
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\bases\arkmon64.drv
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\bases\arkmon64.drv0
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\bases\certdb_v2.dat
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\bases\klava\log0
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\bases\ksn\log0
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\bases\rootcertdb.dat
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\bases\sco\log0
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\crypto_ssl_1_1.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\kvrt.exe
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\api-ms-win-core-xstate-l2-1-0.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\api-ms-win-core-console-l1-1-0.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\api-ms-win-core-datetime-l1-1-0.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\api-ms-win-core-debug-l1-1-0.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\api-ms-win-core-errorhandling-l1-1-0.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\api-ms-win-core-file-l1-1-0.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\api-ms-win-core-file-l1-2-0.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\api-ms-win-core-file-l2-1-0.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\api-ms-win-core-handle-l1-1-0.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\api-ms-win-core-heap-l1-1-0.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\api-ms-win-core-interlocked-l1-1-0.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\api-ms-win-core-libraryloader-l1-1-0.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\api-ms-win-core-localization-l1-2-0.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\api-ms-win-core-memory-l1-1-0.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\api-ms-win-core-namedpipe-l1-1-0.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\api-ms-win-core-processenvironment-l1-1-0.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\api-ms-win-core-processthreads-l1-1-0.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\api-ms-win-core-processthreads-l1-1-1.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\api-ms-win-core-profile-l1-1-0.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\api-ms-win-core-rtlsupport-l1-1-0.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\api-ms-win-core-string-l1-1-0.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\api-ms-win-core-synch-l1-1-0.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\api-ms-win-core-synch-l1-2-0.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\api-ms-win-core-sysinfo-l1-1-0.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\api-ms-win-core-timezone-l1-1-0.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\api-ms-win-core-util-l1-1-0.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\api-ms-win-crt-conio-l1-1-0.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\api-ms-win-crt-convert-l1-1-0.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\api-ms-win-crt-environment-l1-1-0.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\api-ms-win-crt-filesystem-l1-1-0.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\api-ms-win-crt-heap-l1-1-0.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\api-ms-win-crt-locale-l1-1-0.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\api-ms-win-crt-math-l1-1-0.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\api-ms-win-crt-multibyte-l1-1-0.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\api-ms-win-crt-private-l1-1-0.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\api-ms-win-crt-process-l1-1-0.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\api-ms-win-crt-runtime-l1-1-0.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\api-ms-win-crt-stdio-l1-1-0.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\api-ms-win-crt-string-l1-1-0.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\api-ms-win-crt-time-l1-1-0.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\api-ms-win-crt-utility-l1-1-0.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\ucrtbase.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\concrt140.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\msvcp140.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\vcruntime140.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\qt5core.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\qt5gui.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\qt5widgets.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\kvrtgui.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\plugins\imageformats\qgif.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\plugins\imageformats\qicns.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\plugins\imageformats\qico.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\plugins\imageformats\qjpeg.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\plugins\imageformats\qtga.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\plugins\imageformats\qtiff.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\plugins\imageformats\qwbmp.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\plugins\imageformats\qwebp.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\plugins\platforms\qwindows.dll
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\klmd.sys
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\klsl.sys
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\c63a77dd.exe
- %TEMP%\{241f72a7-0af1-4f89-a783-e7e518265ccd}\751ebcf0-16ed-482f-a29f-c6aba389fe1c.cmd
- <DRIVERS>\de0f7c71.sys
- <DRIVERS>\klupd_de0f7c71a_arkmon.sys
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\settings.kvdb-shm
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\storage.kvdb-shm
- C:\kvrt2020_data\reports\report_2025.09.11_00.05.25.klr.enc1
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\bases\cache\sys_critical_obj.dll.9459f36efc8c4120cb63f05ef06d9b03_0.tmp
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\certdb_v2.3902343029a32da8cb1a.idx~0
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\rootcertdb.26a22f4c598924a3053f.idx~0
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\crls\tmp\27b37f1a-8989-0841-9b4e-6bef5c628383
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\bases\cache\avengine.dll.5ff66cdb88d015e91ca10d0c7bb21aec_0.tmp
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\bases\cache\kavbase.kdl.0af0803b8b47e85cab481fb47cc26353_0.tmp
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\bases\cache\klavemu.kdl.08115cf99268bef3159cfb7c9c9970ff_0.tmp
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\bases\cache\kjim.kdl.1e6008f42f48c47b892938cc16cc9c68_0.tmp
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\bases\cache\qscan.kdl.776568cedabfd8879696d95591c90c05_0.tmp
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\bases\cache\kavsys.kdl.98ab29aa9d0d9f53b1bcf4b70a320766_0.tmp
- C:\kvrt2020_data\temp\94796b4d72dae8cac2a540d72c7e4136_klbg64.drv
- <DRIVERS>\klupd_de0f7c71a_klbg.sys
- C:\kvrt2020_data\temp\6c535c6ca19a9ee2b35fd24cf384eb11_klark64.drv
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\bases\cache\mark.kdl.aa58997a677048ee6c4ce4faa23b77ff_0.tmp
- C:\kvrt2020_data\temp\10caae75ab1bc1246dc1731e0426f94e_mark64.drv
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\bases\cache\arkmon.kdl.1ed2be3be0242217d2e47bcb7a8cdc6a_0.tmp
- C:\kvrt2020_data\temp\969d785a5a4208e64ee44fd1f93a608d\klupd_de0f7c71a_arkmon.sys
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\persistent_q.db-journal
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\persistent_q.db
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\persistent_q.db-shm
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\persistent_q.db-wal
- %TEMP%\etmp9267c321-b2c3-0949-818e-f2da47698c73
- %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\crls\tmp\78e4890e-affb-bc4a-8db6-df965b3d07b1
Moves the following files
- from %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\bases\cache\sys_critical_obj.dll.9459f36efc8c4120cb63f05ef06d9b03_0.tmp to %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\bases\cache\sys_critical_obj.dll.9459f36efc8c4120cb63f05ef06d9b03_0
- from %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\crls\tmp\27b37f1a-8989-0841-9b4e-6bef5c628383 to %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\crls\83800a305c339a22876d9ee5b34737e5f1dbcea18d5f19e2c38b54f4c721fabd
- from %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\bases\cache\avengine.dll.5ff66cdb88d015e91ca10d0c7bb21aec_0.tmp to %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\bases\cache\avengine.dll.5ff66cdb88d015e91ca10d0c7bb21aec_0
- from %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\bases\cache\kavbase.kdl.0af0803b8b47e85cab481fb47cc26353_0.tmp to %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\bases\cache\kavbase.kdl.0af0803b8b47e85cab481fb47cc26353_0
- from %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\bases\cache\klavemu.kdl.08115cf99268bef3159cfb7c9c9970ff_0.tmp to %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\bases\cache\klavemu.kdl.08115cf99268bef3159cfb7c9c9970ff_0
- from %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\bases\cache\kjim.kdl.1e6008f42f48c47b892938cc16cc9c68_0.tmp to %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\bases\cache\kjim.kdl.1e6008f42f48c47b892938cc16cc9c68_0
- from %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\bases\cache\qscan.kdl.776568cedabfd8879696d95591c90c05_0.tmp to %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\bases\cache\qscan.kdl.776568cedabfd8879696d95591c90c05_0
- from %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\bases\cache\kavsys.kdl.98ab29aa9d0d9f53b1bcf4b70a320766_0.tmp to %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\bases\cache\kavsys.kdl.98ab29aa9d0d9f53b1bcf4b70a320766_0
- from C:\kvrt2020_data\temp\6c535c6ca19a9ee2b35fd24cf384eb11_klark64.drv to <DRIVERS>\klupd_de0f7c71a_klark.sys
- from %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\bases\cache\mark.kdl.aa58997a677048ee6c4ce4faa23b77ff_0.tmp to %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\bases\cache\mark.kdl.aa58997a677048ee6c4ce4faa23b77ff_0
- from C:\kvrt2020_data\temp\10caae75ab1bc1246dc1731e0426f94e_mark64.drv to <DRIVERS>\klupd_de0f7c71a_mark.sys
- from %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\bases\cache\arkmon.kdl.1ed2be3be0242217d2e47bcb7a8cdc6a_0.tmp to %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\bases\cache\arkmon.kdl.1ed2be3be0242217d2e47bcb7a8cdc6a_0
- from %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\crls\tmp\78e4890e-affb-bc4a-8db6-df965b3d07b1 to %TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\crls\c7e6bd7fe0e4965892ad706f0d2f42e88789b8041daf5b3eea9ca41785297798
Modifies the following files
- %LOCALAPPDATA%\microsoft\windows\usrclass.dat
- %LOCALAPPDATA%\packages\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy\settings\settings.dat
- %LOCALAPPDATA%\packages\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\settings\settings.dat
Network activity
Connects to
- 'localhost':49695
- '23.##.245.178':80
- 'localhost':49698
- 'localhost':49699
- 'localhost':49702
- 'localhost':49707
- 'localhost':49709
- 'localhost':49713
- 'localhost':49714
- 'localhost':49719
- 'localhost':49722
- 'localhost':49725
- 'localhost':49726
- 'localhost':49731
- 'localhost':49732
- 'localhost':49738
- 'localhost':49737
- 'localhost':49743
- 'localhost':49744
- 'localhost':49749
- 'localhost':49752
- 'localhost':49754
- 'localhost':49757
- 'localhost':49759
- 'localhost':49762
- 'localhost':49765
- 'localhost':49768
- 'localhost':49773
- 'localhost':49776
- 'localhost':49778
- 'localhost':49780
- 'localhost':49782
- 'localhost':49784
- 'localhost':49786
- 'localhost':49788
- 'localhost':49790
- 'localhost':49800
- 'localhost':49802
- 'ma##r.info':443
- '23.##.245.178':443
- 'localhost':49806
- 'localhost':49809
- 'localhost':49812
- 'localhost':49815
- 'localhost':49818
- 'localhost':49819
- 'localhost':49824
- 'localhost':49827
- 'localhost':49828
- 'localhost':49833
- 'localhost':49836
- 'localhost':49838
- 'localhost':49842
- 'localhost':49844
- 'localhost':49848
- 'localhost':49850
- 'localhost':49854
- 'localhost':49855
- 'localhost':49862
- 'localhost':49864
- 'localhost':49872
- 'localhost':49874
- 'ds.kaspersky.com':443
- 'localhost':49877
- 'crl.kaspersky.com':80
- 'dc######.ksn.kaspersky-labs.com':443
- 'touch.kaspersky.com':80
- 'click.kaspersky.com':80
- 'localhost':49886
- 'localhost':49888
- 'dc#.###.kaspersky-labs.com':443
- 'localhost':49891
- 'dc####.##n.kaspersky-labs.com':443
TCP
HTTP GET requests
- http://crl.kaspersky.com/cdp/KSNGlobalRootCAECC.crl
Other
- 'localhost':49695
- 'localhost':49699
- 'localhost':49698
- 'localhost':49702
- 'localhost':49707
- 'localhost':49709
- 'localhost':49713
- 'localhost':49714
- 'localhost':49719
- 'localhost':49722
- 'localhost':49725
- 'localhost':49726
- 'localhost':49731
- 'localhost':49732
- 'localhost':49738
- 'localhost':49737
- 'localhost':49744
- 'localhost':49743
- 'localhost':49749
- 'localhost':49752
- 'localhost':49754
- 'localhost':49759
- 'localhost':49762
- 'localhost':49765
- 'localhost':49768
- 'localhost':49757
- 'localhost':49773
- 'localhost':49776
- 'localhost':49778
- 'localhost':49780
- 'localhost':49782
- 'localhost':49784
- 'localhost':49786
- 'localhost':49788
- 'localhost':49790
- 'localhost':49800
- 'localhost':49802
- 'localhost':49803
- 'localhost':49806
- 'ma##r.info':443
- 'localhost':49809
- 'localhost':49812
- 'localhost':49815
- 'localhost':49818
- 'localhost':49819
- 'localhost':49824
- 'localhost':49827
- 'localhost':49828
- 'localhost':49833
- 'localhost':49836
- 'localhost':49838
- 'localhost':49842
- 'localhost':49844
- 'localhost':49848
- 'localhost':49850
- 'localhost':49854
- 'localhost':49855
- 'localhost':49862
- 'localhost':49864
- 'localhost':49865
- 'localhost':49872
- 'localhost':49874
- 'localhost':49875
- 'ds.kaspersky.com':443
- 'localhost':49877
- 'localhost':49878
- 'localhost':49886
- 'localhost':49888
- 'localhost':49889
- 'dc#.###.kaspersky-labs.com':443
- 'localhost':49891
- 'localhost':49892
- 'dc######.ksn.kaspersky-labs.com':443
UDP
- DNS ASK ma##r.info
- DNS ASK touch.kaspersky.com
- DNS ASK ds.kaspersky.com
- DNS ASK crl.kaspersky.com
- DNS ASK dc######.ksn.kaspersky-labs.com
- DNS ASK click.kaspersky.com
- DNS ASK dc#.###.kaspersky-labs.com
- DNS ASK dc####.##n.kaspersky-labs.com
Miscellaneous
Creates and executes the following
- '%TEMP%\t0p53kl.exe' -accepteula -adinsilent -silent -processlevel 3 -postboot
- '%TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\c63a77dd.exe' -accepteula -adinsilent -silent -processlevel 3 -postboot
Executes the following
- '<SYSTEM32>\svchost.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Remove-MpPreference -ExclusionPath %WINDIR%\Temp\
- '<SYSTEM32>\svchost.exe' ' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath %WINDIR%\Temp\' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Remove-MpPreference -ExclusionPath %WINDIR%\Temp\' (with hidden window)
- '%TEMP%\{90fa0444-6f8e-44ff-8ec1-b54f548e0acd}\c63a77dd.exe' -accepteula -adinsilent -silent -processlevel 3 -postboot' (with hidden window)
