darkvision | c81ece0b60ed50db7d3769388f34ba051a05c95bd026e78dabb6ce08ff91bbba

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2025, 11:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UZPt0hR.exe
Size

1.2MB
MD5

bf6f64455cb1039947a3100e62f96a52
SHA1

28cdd5c2e82d4ad078420dcbf4b32b928861fcb6
SHA256

c81ece0b60ed50db7d3769388f34ba051a05c95bd026e78dabb6ce08ff91bbba
SHA512

c2ceb000b387710cf388e6699a2cb4465380bf5798d9f37c238db0701aaea6ccad1f44e6b9e45398050202ef875a5d7679890df2bb65538a0c8a9655c62c185b
SSDEEP

24576:dgnEunWewizz3Q/Nngwxx8T2d920PIGkbQjI/zC5rrpoJNlyZ4:+nEunFxz7Q/Nngp47AGkboF0l

Score

10^/10

darkvision bootkit defense_evasion discovery execution persistence rat

Malware Config

Extracted

Family

darkvision

82.29.67.160

Attributes

url
http://107.174.192.179/data/003

https://grabify.link/ZATFQO

http://107.174.192.179/clean
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36

Signatures

DarkVision Rat
DarkVision Rat is a trojan written in C++.
rat darkvision
Darkvision family
darkvision

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4644	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
6	220	svchost.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\Drivers\klupd_b296ad91a_arkmon.sys	20601cc3.exe
File created	C:\Windows\System32\Drivers\b296ad91.sys	20601cc3.exe

Sets service image path in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Nsk1fv7_5656\ImagePath = "\\??\\C:\\Windows\\Temp\\Nsk1fv7_5656.sys"	tzutil.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\b296ad91\ImagePath = "System32\\Drivers\\b296ad91.sys"	20601cc3.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b296ad91a_arkmon\ImagePath = "System32\\Drivers\\klupd_b296ad91a_arkmon.sys"	20601cc3.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	20601cc3.exe

Deletes itself 1 IoCs

pid	Process
220	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
5656	tzutil.exe
2472	w32tm.exe
8092	62e866ad.exe
1020	20601cc3.exe

Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\b296ad91.sys	20601cc3.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\b296ad91.sys	20601cc3.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\b296ad91.sys\ = "Driver"	20601cc3.exe

Loads dropped DLL 15 IoCs

pid	Process
1020	20601cc3.exe
1020	20601cc3.exe
1020	20601cc3.exe
1020	20601cc3.exe
1020	20601cc3.exe
1020	20601cc3.exe
1020	20601cc3.exe
1020	20601cc3.exe
1020	20601cc3.exe
1020	20601cc3.exe
1020	20601cc3.exe
1020	20601cc3.exe
1020	20601cc3.exe
1020	20601cc3.exe
1020	20601cc3.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\e4c71990-ae69-46d9-b239-997eb29ac12f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{7b9987d9-efaa-4dd0-bcc6-b675dd3454e5}\\e4c71990-ae69-46d9-b239-997eb29ac12f.cmd\""	20601cc3.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	20601cc3.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	62e866ad.exe
File opened (read-only)	\??\VBoxMiniRdrDN	20601cc3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UZPt0hR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62e866ad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20601cc3.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 24 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
10184	PING.EXE
9632	PING.EXE
9484	PING.EXE
9300	PING.EXE
9840	PING.EXE
9888	PING.EXE
10112	PING.EXE
10356	PING.EXE
9236	PING.EXE
9580	PING.EXE
9680	PING.EXE
9740	PING.EXE
9448	PING.EXE
9352	PING.EXE
3208	PING.EXE
2676	PING.EXE
9936	PING.EXE
9532	PING.EXE
9400	PING.EXE
9788	PING.EXE
9988	PING.EXE
5820	PING.EXE
9200	PING.EXE
10068	PING.EXE

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
10408	reg.exe
10424	reg.exe

Runs ping.exe 1 TTPs 24 IoCs

Remote System Discovery

T1018

pid	Process
3208	PING.EXE
9888	PING.EXE
9936	PING.EXE
9988	PING.EXE
10356	PING.EXE
9532	PING.EXE
9632	PING.EXE
9680	PING.EXE
9352	PING.EXE
2676	PING.EXE
9484	PING.EXE
9448	PING.EXE
9400	PING.EXE
10068	PING.EXE
9580	PING.EXE
9788	PING.EXE
9300	PING.EXE
9840	PING.EXE
5820	PING.EXE
9200	PING.EXE
10112	PING.EXE
10184	PING.EXE
9740	PING.EXE
9236	PING.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4644	powershell.exe
4644	powershell.exe
6584	powershell.exe
6584	powershell.exe
6584	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
5656	tzutil.exe
1020	20601cc3.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
3676	UZPt0hR.exe
3676	UZPt0hR.exe
3676	UZPt0hR.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	4644	powershell.exe
Token: SeLoadDriverPrivilege	5656	tzutil.exe
Token: SeDebugPrivilege	6584	powershell.exe
Token: SeDebugPrivilege	1020	20601cc3.exe
Token: SeBackupPrivilege	1020	20601cc3.exe
Token: SeRestorePrivilege	1020	20601cc3.exe
Token: SeLoadDriverPrivilege	1020	20601cc3.exe
Token: SeShutdownPrivilege	1020	20601cc3.exe
Token: SeSystemEnvironmentPrivilege	1020	20601cc3.exe
Token: SeSecurityPrivilege	1020	20601cc3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3676 wrote to memory of 3592	3676	UZPt0hR.exe	89
PID 3676 wrote to memory of 3592	3676	UZPt0hR.exe	89
PID 3676 wrote to memory of 220	3676	UZPt0hR.exe	91
PID 3676 wrote to memory of 220	3676	UZPt0hR.exe	91
PID 3592 wrote to memory of 4644	3592	cmd.exe	92
PID 3592 wrote to memory of 4644	3592	cmd.exe	92
PID 220 wrote to memory of 5656	220	svchost.exe	102
PID 220 wrote to memory of 5656	220	svchost.exe	102
PID 220 wrote to memory of 2472	220	svchost.exe	103
PID 220 wrote to memory of 2472	220	svchost.exe	103
PID 5656 wrote to memory of 6584	5656	tzutil.exe	109
PID 5656 wrote to memory of 6584	5656	tzutil.exe	109
PID 2472 wrote to memory of 8092	2472	w32tm.exe	118
PID 2472 wrote to memory of 8092	2472	w32tm.exe	118
PID 2472 wrote to memory of 8092	2472	w32tm.exe	118
PID 8092 wrote to memory of 1020	8092	62e866ad.exe	119
PID 8092 wrote to memory of 1020	8092	62e866ad.exe	119
PID 8092 wrote to memory of 1020	8092	62e866ad.exe	119
PID 8476 wrote to memory of 9200	8476	cmd.exe	122
PID 8476 wrote to memory of 9200	8476	cmd.exe	122
PID 8476 wrote to memory of 5820	8476	cmd.exe	123
PID 8476 wrote to memory of 5820	8476	cmd.exe	123
PID 8476 wrote to memory of 2676	8476	cmd.exe	124
PID 8476 wrote to memory of 2676	8476	cmd.exe	124
PID 8476 wrote to memory of 3208	8476	cmd.exe	125
PID 8476 wrote to memory of 3208	8476	cmd.exe	125
PID 8476 wrote to memory of 9236	8476	cmd.exe	126
PID 8476 wrote to memory of 9236	8476	cmd.exe	126
PID 8476 wrote to memory of 9300	8476	cmd.exe	127
PID 8476 wrote to memory of 9300	8476	cmd.exe	127
PID 8476 wrote to memory of 9352	8476	cmd.exe	128
PID 8476 wrote to memory of 9352	8476	cmd.exe	128
PID 8476 wrote to memory of 9400	8476	cmd.exe	129
PID 8476 wrote to memory of 9400	8476	cmd.exe	129
PID 8476 wrote to memory of 9448	8476	cmd.exe	130
PID 8476 wrote to memory of 9448	8476	cmd.exe	130
PID 8476 wrote to memory of 9484	8476	cmd.exe	131
PID 8476 wrote to memory of 9484	8476	cmd.exe	131
PID 8476 wrote to memory of 9532	8476	cmd.exe	132
PID 8476 wrote to memory of 9532	8476	cmd.exe	132
PID 8476 wrote to memory of 9580	8476	cmd.exe	133
PID 8476 wrote to memory of 9580	8476	cmd.exe	133
PID 8476 wrote to memory of 9632	8476	cmd.exe	134
PID 8476 wrote to memory of 9632	8476	cmd.exe	134
PID 8476 wrote to memory of 9680	8476	cmd.exe	135
PID 8476 wrote to memory of 9680	8476	cmd.exe	135
PID 8476 wrote to memory of 9740	8476	cmd.exe	136
PID 8476 wrote to memory of 9740	8476	cmd.exe	136
PID 8476 wrote to memory of 9788	8476	cmd.exe	137
PID 8476 wrote to memory of 9788	8476	cmd.exe	137
PID 8476 wrote to memory of 9840	8476	cmd.exe	138
PID 8476 wrote to memory of 9840	8476	cmd.exe	138
PID 8476 wrote to memory of 9888	8476	cmd.exe	139
PID 8476 wrote to memory of 9888	8476	cmd.exe	139
PID 8476 wrote to memory of 9936	8476	cmd.exe	140
PID 8476 wrote to memory of 9936	8476	cmd.exe	140
PID 8476 wrote to memory of 9988	8476	cmd.exe	141
PID 8476 wrote to memory of 9988	8476	cmd.exe	141
PID 8476 wrote to memory of 10068	8476	cmd.exe	142
PID 8476 wrote to memory of 10068	8476	cmd.exe	142
PID 8476 wrote to memory of 10112	8476	cmd.exe	143
PID 8476 wrote to memory of 10112	8476	cmd.exe	143
PID 8476 wrote to memory of 10184	8476	cmd.exe	144
PID 8476 wrote to memory of 10184	8476	cmd.exe	144

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\UZPt0hR.exe
"C:\Users\Admin\AppData\Local\Temp\UZPt0hR.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3592
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-MpPreference -ExclusionPath 'C:'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4644
- C:\Windows\system32\svchost.exe
  "C:\Windows\system32\svchost.exe"
  2⤵
  - Downloads MZ/PE file
  - Deletes itself
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
    "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5656
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Remove-MpPreference -ExclusionPath C:\
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6584
- - C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
    "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Users\Admin\AppData\Local\Temp\{d978cfc9-af07-46d5-9948-fb36e9efb0b4}\62e866ad.exe
      "C:\Users\Admin\AppData\Local\Temp\{d978cfc9-af07-46d5-9948-fb36e9efb0b4}\62e866ad.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot
      4⤵
      Executes dropped EXE
      Checks for VirtualBox DLLs, possible anti-VM trick
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:8092
    - - C:\Users\Admin\AppData\Local\Temp\{50a5dd31-6f5b-48c0-8a22-aed276f3c3bb}\20601cc3.exe
        
        C:/Users/Admin/AppData/Local/Temp/{50a5dd31-6f5b-48c0-8a22-aed276f3c3bb}/\20601cc3.exe -accepteula -adinsilent -silent -processlevel 2 -postboot
        5⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Checks computer location settings
        Executes dropped EXE
        Impair Defenses: Safe Mode Boot
        Loads dropped DLL
        Adds Run key to start application
        Writes to the Master Boot Record (MBR)
        Checks for VirtualBox DLLs, possible anti-VM trick
        System Location Discovery: System Language Discovery
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:1020
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{7b9987d9-efaa-4dd0-bcc6-b675dd3454e5}\e4c71990-ae69-46d9-b239-997eb29ac12f.cmd" "
        6⤵
        
        PID:1316
        
        C:\Windows\system32\reg.exe
        
        reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v e4c71990-ae69-46d9-b239-997eb29ac12f /f
        7⤵
        Modifies registry key
        
        PID:10424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:2572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\{7b9987d9-efaa-4dd0-bcc6-b675dd3454e5}\e4c71990-ae69-46d9-b239-997eb29ac12f.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:8476
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:9200
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:5820
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2676
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3208
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:9236
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:9300
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:9352
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:9400
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:9448
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:9484
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:9532
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:9580
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:9632
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:9680
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:9740
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:9788
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:9840
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:9888
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:9936
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:9988
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:10068
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:10112
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:10184
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:10356
- C:\Windows\system32\reg.exe
  reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v e4c71990-ae69-46d9-b239-997eb29ac12f /f
  2⤵
  - Modifies registry key
  PID:10408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe

Filesize
1.9MB

MD5
bcbec32483eb43840823c4f6bd653779

SHA1
3b83255512c5f268d0a1cb2997b1cc9d40f4252d

SHA256
d8a8e71a2be6d5fafa5d49029a37751c78be7e007152859233b8020a5c258167

SHA512
4cb807157807c72d599305eada37e85330314e43061f9af3ab9c44839bfc945431e320adf5259b9a9ecb531368cd9ab91d047eb8874f0ce6a8d4022ed69a6408

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
28cb2b4948aa809b5d5ec5e2562b2963

SHA1
cc362f9901466466bb8b9d9d4cdaad5fce5bcd27

SHA256
69c6169a7819f11757c1d64f76b0450562412b74624150f03c6d1a6929d20eec

SHA512
fe7fd11c33284f1bf00571030b8ba7b4b69fc5cf58157b7cb8d66b8dfe3baadb9cfc2a12f27f5a8a9decdba065f60d744adb5b6ac20af629821278d8f3757930

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5imlosnz.33y.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe

Filesize
1.3MB

MD5
15bdc4bd67925ef33b926843b3b8154b

SHA1
646af399ef06ac70e6bd43afe0f978f0f51a75fd

SHA256
4f0b2c61bccfd9aa3db301ee4e15607df41ded533757de34c986a0ff25b6246d

SHA512
eac0736a06d0835758318d594d3560ee6be82889020a173463943956dd400d08cf1174a4c722dc45a3f3c034131982f4b19ff27db1163838afbfac37f397eaf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50a5dd31-6f5b-48c0-8a22-aed276f3c3bb}\AP25B1~1.DLL

Filesize
18KB

MD5
3940167ffb4383992e73f9a10e4b8b1e

SHA1
53541c824003b0f90b236eda83b06bec5e1acbf5

SHA256
ec573431338371504b7b9e57b2d91382b856aabf25d2b4ad96486efb794c198e

SHA512
9732acaa4db773f4f99f423d9feaebb35c197bbd468922348e0ad086f7131d83f6d9714dc7d375183e7cb8920cfe37f3da19b0041a9063cc60abe183375b1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50a5dd31-6f5b-48c0-8a22-aed276f3c3bb}\AP26B7~1.DLL

Filesize
17KB

MD5
ff8026dab5d3dabca8f72b6fa7d258fa

SHA1
075c8719e226a34d7b883fd62b2d7f8823d70f1a

SHA256
535e9d20f00a2f1a62f843a4a26cfb763138d5dfe358b0126d33996fba9ca4d1

SHA512
9c56ff11d5843ba09cd29e3bc6c6b9396926c6a588194193ba220cfa784b770ab6756076f16f18cfea75b51a8184a1063ef47f63804839530382f8d39d5cf006

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50a5dd31-6f5b-48c0-8a22-aed276f3c3bb}\AP345C~1.DLL

Filesize
17KB

MD5
d91bf81cf5178d47d1a588b0df98eb24

SHA1
75f9f2da06aa2735906b1c572dd556a3c30e7717

SHA256
f8e3b45fd3e22866006f16a9e73e28b5e357f31f3c275b517692a5f16918b492

SHA512
93d1b0d226e94235f1b32d42f6c1b95fadfaf103b8c1782423d2c5a4836102084fb53f871e3c434b85f0288e47f44345138de54ea5f982ca3e8bbf2d2bea0706

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50a5dd31-6f5b-48c0-8a22-aed276f3c3bb}\AP40C7~1.DLL

Filesize
18KB

MD5
cfe87d58f973daeda4ee7d2cf4ae521d

SHA1
fd0aa97b7cb6e50c6d5d2bf2d21d757040b5204a

SHA256
4997fda5d0e90b8a0ab7da314cb56f25d1450b366701c45c294d8dd3254de483

SHA512
40eb68deb940bbe1b835954183eea711994c434de0abbdea0b1a51db6233a12e07827ad4a8639ae0baf46dd26c168a775ffe606c82cbe47bae655c7f28ab730b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50a5dd31-6f5b-48c0-8a22-aed276f3c3bb}\AP4F63~1.DLL

Filesize
17KB

MD5
18fd51821d0a6f3e94e3fa71db6de3af

SHA1
7d9700e98ef2d93fdbf8f27592678194b740f4e0

SHA256
dba84e704ffe5fcd42548856258109dc77c6a46fd0b784119a3548ec47e5644b

SHA512
4009b4d50e3cb17197009ac7e41a2351de980b2c5b79c0b440c7fe4c1c3c4e18f1089c6f43216eaa262062c395423f3ad92ca494f664636ff7592c540c5ef89d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50a5dd31-6f5b-48c0-8a22-aed276f3c3bb}\AP507A~1.DLL

Filesize
18KB

MD5
0c700b07c3497df4863c3f2fe37cd526

SHA1
f835118244d02304de9eb3a355420ba9d0bd9c13

SHA256
9f1f26794fd664e0a8b6fbd53bfca33dcf7b0dc37faf3eb7782bc38dff62cd8c

SHA512
8042dbd9e80e33e41993887b0289e143e967544389500ada9296b89bda37bb26918e4f370f8a1bdab8faacc4e0a6980794d6a3b5320e170ad4ef751384c9f0a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50a5dd31-6f5b-48c0-8a22-aed276f3c3bb}\AP6221~1.DLL

Filesize
20KB

MD5
23bd405a6cfd1e38c74c5150eec28d0a

SHA1
1d3be98e7dfe565e297e837a7085731ecd368c7b

SHA256
a7fa48de6c06666b80184afee7e544c258e0fb11399ab3fe47d4e74667779f41

SHA512
c52d487727a34fbb601b01031300a80eca7c4a08af87567da32cb5b60f7a41eb2cae06697cd11095322f2fc8307219111ee02b60045904b5c9b1f37e48a06a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50a5dd31-6f5b-48c0-8a22-aed276f3c3bb}\AP8526~1.DLL

Filesize
17KB

MD5
990ac84ae2d83eeb532a28fe29602827

SHA1
0916f85cc6cc1f01dc08bdf71517a1dc1b8eaf78

SHA256
dbd788b1c5694d65fa6f6e2202bfabb30adf77eb1973ceb9a737efb16e9edae2

SHA512
f0e4705a6890b4f81b7d46f66ca6b8ee82f647e163bce9ecad11d0bbd69caf4ff3c4f15e0d3f829c048b6849b99a7641861e6caf319904d4d61a6084f10da353

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50a5dd31-6f5b-48c0-8a22-aed276f3c3bb}\AP87F4~1.DLL

Filesize
21KB

MD5
eefe86b5a3ab256beed8621a05210df2

SHA1
90c1623a85c519adbc5ef67b63354f881507b8a7

SHA256
1d1c11fc1ad1febf9308225c4ccf0431606a4ab08680ba04494d276cb310bf15

SHA512
c326a2ca190db24e8e96c43d1df58a4859a32eb64b0363f9778a8902f1ac0307dca585be04f831a66bc32df54499681ad952ce654d607f5fdb93e9b4504d653f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50a5dd31-6f5b-48c0-8a22-aed276f3c3bb}\APC7B0~1.DLL

Filesize
17KB

MD5
3f224766fe9b090333fdb43d5a22f9ea

SHA1
548d1bb707ae7a3dfccc0c2d99908561a305f57b

SHA256
ae5e73416eb64bc18249ace99f6847024eceea7ce9c343696c84196460f3a357

SHA512
c12ea6758071b332368d7ef0857479d2b43a4b27ceeab86cbb542bd6f1515f605ea526dfa3480717f8f452989c25d0ee92bf3335550b15ecec79e9b25e66a2ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50a5dd31-6f5b-48c0-8a22-aed276f3c3bb}\APD0F3~1.DLL

Filesize
18KB

MD5
0c48220a4485f36feed84ef5dd0a5e9c

SHA1
1e7d4038c2765cffa6d4255737a2a8aa86b5551c

SHA256
2dd4ebaa12cbba142b5d61a0ebf84a14d0d1bb8826ba42b63e303fe6721408df

SHA512
e09951785b09f535340e1e6c256df1919485b4dad302b30d90126411cc49a13807b580fa2fcd0d6f7b64aac4f5b5ea3e250b66035a0e2f664d865408c9b43d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50a5dd31-6f5b-48c0-8a22-aed276f3c3bb}\APDEA0~1.DLL

Filesize
17KB

MD5
79ee4a2fcbe24e9a65106de834ccda4a

SHA1
fd1ba674371af7116ea06ad42886185f98ba137b

SHA256
9f7bda59faafc8a455f98397a63a7f7d114efc4e8a41808c791256ebf33c7613

SHA512
6ef7857d856a1d23333669184a231ad402dc62c8f457a6305fe53ed5e792176ca6f9e561375a707da0d7dd27e6ea95f8c4355c5dc217e847e807000b310aa05c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50a5dd31-6f5b-48c0-8a22-aed276f3c3bb}\APEF2A~1.DLL

Filesize
19KB

MD5
1dda9cb13449ce2c6bb670598fc09dc8

SHA1
0a91fe11b9a8321ca369f665a623270e5ac23176

SHA256
4f187f1b4b14763360c325df6b04d3ec3cc6d2cecc9b796bc52a6c7196b0b2cc

SHA512
4e106c8a52033352c91b65cf65ec459de764c125136333a2f4ba026efdde65f3f71b1f6f11e4c580150ac8a9779825ba5e2af0e14df999a198cfe244e522c28d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50a5dd31-6f5b-48c0-8a22-aed276f3c3bb}\API-MS~2.DLL

Filesize
18KB

MD5
aabbb38c4110cc0bf7203a567734a7e7

SHA1
5df8d0cdd3e1977ffacca08faf8b1c92c13c6d48

SHA256
24b07028c1e38b9ca2f197750654a0dfb7d33c2e52c9dd67100609499e8028db

SHA512
c66c98d2669d7a180510c57bab707d1e224c12ab7e2b08994eb5fd5be2f3dee3dbdb934bcb9db168845e4d726114bce317045027215419d3f13dcfa0f143d713

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50a5dd31-6f5b-48c0-8a22-aed276f3c3bb}\API-MS~3.DLL

Filesize
17KB

MD5
8894176af3ea65a09ae5cf4c0e6ff50f

SHA1
46858ea9029d7fc57318d27ca14e011327502910

SHA256
c64b7c6400e9bacc1a4f1baed6374bfbce9a3f8cf20c2d03f81ef18262f89c60

SHA512
64b31f9b180c2e4e692643d0ccd08c3499cae87211da6b2b737f67b5719f018ebcacc2476d487a0aeb91fea1666e6dbbf4ca7b08bb4ab5a031655bf9e02cea9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50a5dd31-6f5b-48c0-8a22-aed276f3c3bb}\API-MS~4.DLL

Filesize
17KB

MD5
879920c7fa905036856bcb10875121d9

SHA1
a82787ea553eefa0e7c3bb3aedb2f2c60e39459a

SHA256
7e4cba620b87189278b5631536cdad9bfda6e12abd8e4eb647cb85369a204fe8

SHA512
06650248ddbc68529ef51c8b3bc3185a22cf1685c5fa9904aee766a24e12d8a2a359b1efd7f49cc2f91471015e7c1516c71ba9d6961850553d424fa400b7ea91

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50a5dd31-6f5b-48c0-8a22-aed276f3c3bb}\Bases\Cache\sys_critical_obj.dll.7a985f23681627a99a33ab3c0bdf1385_0

Filesize
725KB

MD5
7a985f23681627a99a33ab3c0bdf1385

SHA1
5cf4a11ce8ea6b427440fffbf4c1338e06b7c79a

SHA256
6e8f63491c98500aa9d6746bd44f002457a03eca3d1321501b7e76e1baa976c4

SHA512
bd0a195d7bc033a9b51e1b605041b9dcdb0c4abaa49961351c898355e500844be9bf192f65af9614f15ad6b474cbd474b26b995b7a371c4706131e46f49e9c51

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50a5dd31-6f5b-48c0-8a22-aed276f3c3bb}\Bases\KSN\log0

Filesize
586KB

MD5
3c97e086b7b22b65cca7fca69e9296d6

SHA1
289c96198b00399360d367909de26c76abbee29d

SHA256
f96e6e0e6f692c664ca88dfe6dbb9de865f55c0a408e6a26539f0e49578e194b

SHA512
dc2484a7f2148b8cb6b778a8b20604f6ae0aa43929264356ed6fca4f0499ed116c7e8b62ccb9c528240187a58d2f3915de1d826589bdd2caecd1de337d9cd66a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50a5dd31-6f5b-48c0-8a22-aed276f3c3bb}\Bases\SCO\log0

Filesize
810KB

MD5
e335d47e724b13f9889b04364cf679ec

SHA1
2bc87eeff98768cfd875e01710c996844e2d92e7

SHA256
f3cff629f8e570d9e4b8cae053098bb7e9a7257b20c532061ffc5cebb64b0e2b

SHA512
f7de40d43a1b71484cf871932f208635e53b7ad7d4e4e19bc2b2f86e0f9d9ab4ba159b309e3622459c787c04b3f6757c5567a3dd3af9d79abc05f928cb497e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50a5dd31-6f5b-48c0-8a22-aed276f3c3bb}\Bases\arkmon64.drv

Filesize
390KB

MD5
7c924dd4d20055c80007791130e2d03f

SHA1
072f004ddcc8ddf12aba64e09d7ee0ce3030973e

SHA256
406ab7d6e45dbedcfbd2d7376a643620c7462cece3e41115c8fbc07861177ec6

SHA512
ab26005da50cbf1f45129834cb661b5b97aed5637d4ebc9821c8b744ff61c3f108f423ae5628602d99b3d859e184bfb23900797538dca2891186321d832ea806

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50a5dd31-6f5b-48c0-8a22-aed276f3c3bb}\KVRT.exe

Filesize
2.6MB

MD5
3fb0ad61548021bea60cdb1e1145ed2c

SHA1
c9b1b765249bfd76573546e92287245127a06e47

SHA256
5d1a788260891c317f9d05b3387e732af908959c5ad4f5a84e7984bee71084f1

SHA512
38269c22fda1fdee5906c2bfdfc19b77b5f6d8da2be939c6d8259b536912f8bc6f261f5c508f47ade8ab591a54aafbfbcc302219820bad19feb78fcc3586d331

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50a5dd31-6f5b-48c0-8a22-aed276f3c3bb}\app_core.dll

Filesize
1.3MB

MD5
fe0964663cf9c5e4ff493198e035cc1f

SHA1
ab9b19bd0e4efa36f78d2059b4ca556521eb35cb

SHA256
ddd70011d86b8ec909295ef45f94b48b0252229b6182af9ef8a6029c30daaf39

SHA512
923cfd9143d3850357bda901f66b5292f36ff025f05b2156667873861a02d9f498a03cdb73d2c477c0055d46600628f936b70dec46d7687fe0a97cbb1c8cf0ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50a5dd31-6f5b-48c0-8a22-aed276f3c3bb}\app_core_meta.dll

Filesize
619KB

MD5
81172e3cf5fc6df072b45c4f1fb6eb34

SHA1
5eb293f0fe6c55e075c5ebef4d21991546f7e504

SHA256
2a272a1990a3dfa35693adf0689512b068a831283a852f8f805cb28153115f57

SHA512
8dc4b0d5593cf2c2262b2802b60672c392dfe0e1cd757a3410e5376bbe6bf6c473428a7ca0fc1c7f0d2de5f59017d8464e7789c76999b5d7b5379209b34c1813

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50a5dd31-6f5b-48c0-8a22-aed276f3c3bb}\config.esm

Filesize
51KB

MD5
184a351c4d532405206e309c10af1d15

SHA1
3cf49f2275f3f9bd8e385eddcdd04e3fc2a17352

SHA256
ef0b7e22d8f7bd06964969a7f2979a475ba1c9c34efccb0c3b9e03ae950c63f6

SHA512
9a1a3cb0e3713ba41f36f4f01f2151b0c04454a05c986215ed2cc42180994f90d10e031d77452a2d0ad5a78f15d8d31c327d0d1ee676789780e6483dbe5e0341

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50a5dd31-6f5b-48c0-8a22-aed276f3c3bb}\crypto_components_meta.dll

Filesize
61KB

MD5
3d9d1753ed0f659e4db02e776a121862

SHA1
031fb78fe7dc211fe9e0dc8ba0027c14e84cd07f

SHA256
b6163ec9d4825102e3d423e02fb026259a6a17e7d7696ae060ec2b0ba97f54f2

SHA512
e1f50513db117c32505944bfb19fd3185b3231b6bd9f0495942bd9e80dd0f54ab575f1a2fca5e542174d3abe4106a9b5448d924c690e8548cd43aa77f6497c92

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50a5dd31-6f5b-48c0-8a22-aed276f3c3bb}\dbghelp.dll

Filesize
1.2MB

MD5
4003e34416ebd25e4c115d49dc15e1a7

SHA1
faf95ec65cde5bd833ce610bb8523363310ec4ad

SHA256
c06430b8cb025be506be50a756488e1bcc3827c4f45158d93e4e3eeb98ce1e4f

SHA512
88f5d417377cd62bde417640a79b6ac493e80f0c8b1f63a99378a2a67695ef8e4a541cedb91acfa296ed608e821fee466983806f0d082ed2e74b0cd93eb4fb84

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50a5dd31-6f5b-48c0-8a22-aed276f3c3bb}\dblite.dll

Filesize
703KB

MD5
98b1a553c8c5944923814041e9a73b73

SHA1
3e6169af53125b6da0e69890d51785a206c89975

SHA256
6fc0104817caa1337531c9d8b284d80052770051efb76e5829895a3854ebaec8

SHA512
8ee4467bce6495f492895a9dfaedaf85b76d6d1f67d9ff5c8c27888191c322863bc29c14ae3f505336a5317af66c31354afaeb63127e7e781f5b249f1c967363

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50a5dd31-6f5b-48c0-8a22-aed276f3c3bb}\dumpwriter.dll

Filesize
409KB

MD5
f56387639f201429fb31796b03251a92

SHA1
23df943598a5e92615c42fc82e66387a73b960ff

SHA256
e7eefcf569d98a5fb14a459d949756dc00faf32ed6bda1233d9d2c79ca11531c

SHA512
7bfce579b601408262c0edd342cb2cb1ef1353b6b73dce5aad540eb77f56d1184f71c56ea859bc4373aac4875b8861e2cc5d9c49518e6c40d0b2350a7ab26c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50a5dd31-6f5b-48c0-8a22-aed276f3c3bb}\instrumental_services.dll

Filesize
3.4MB

MD5
c6acd1d9a80740f8a416b0a78e3fa546

SHA1
7ea7b707d58bde0d5a14d8a7723f05e04189bce7

SHA256
db8acd14ace6d4c8d4d61016debe3c0d72677416661caf0d36e7306ed020920f

SHA512
46c889f4d84e2f8dc8bfd5bdc34a346aa393fc49adcbe95bc601e6d970599f579e5cb057196061c280cbfa976989c960ac2f1830fd61c0a9166f09a6c088c20d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50a5dd31-6f5b-48c0-8a22-aed276f3c3bb}\key_value_storage.dll

Filesize
158KB

MD5
9bf7f895cff1f0b9ddf5fc077bac314c

SHA1
7e9c0ce6569c6f12c57f34597b213cd4d8f55e68

SHA256
d03e0af01fbcd9ce714caf3db5ca2ab3ca4a717d5fda5c99b77e09b5672498a4

SHA512
d416cfa9446e6c92f0805278c744cf9f8ac6a2bfb96a6e0b2d65e701472ea6feaf5742ed6cef833555188a95c613499e7e14cfe5788427ec2616cfd723021a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50a5dd31-6f5b-48c0-8a22-aed276f3c3bb}\klmd.sys

Filesize
368KB

MD5
990442d764ff1262c0b7be1e3088b6d3

SHA1
0b161374074ef2acc101ed23204da00a0acaa86e

SHA256
6c7ccd465090354438b39da8430a5c47e7f24768a5b12ee02fecf8763e77c9e4

SHA512
af3c6dfe32266a9d546f13559dcba7c075d074bdfdaf0e6bf2a8cae787008afa579f0d5f90e0c657dd614bb244a6d95ff8366c14b388e1f4a3ab76cccb23add4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50a5dd31-6f5b-48c0-8a22-aed276f3c3bb}\klsl.sys

Filesize
87KB

MD5
a69adedb0d47cfb23f23a9562a4405bc

SHA1
9e70576571a15aaf71106ea0cd55e0973ef2dd15

SHA256
31eaa7f1f9872c63091f4b3ec5310686b1dd1e2123af17991a6b4679eda3f62d

SHA512
77abb4435d8d445f7a29cdb8a318486a96122b5cc535da7a63da0fa920980e6ad73e78b72552f6949e66b349bbdc9aa9ea202481046e478c2829c155a1045820

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50a5dd31-6f5b-48c0-8a22-aed276f3c3bb}\ksn_facade.dll

Filesize
1.3MB

MD5
e6db25447957c55f3d9dac2a9a55a0f0

SHA1
a941c1a04ea07fd76b0c191e62d9621d55447cb5

SHA256
6c6305c220444294179da749d639c91bb97afd507d30a322d7c1c16ccf0ac9fc

SHA512
1a4634245990335fccfb3d4eed858f61ca40bb1a12c919b6c737cebcdbde4727a26dac0180de226ff4e7d7229e6d379500396a00f6c235495cfacf3014df099a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50a5dd31-6f5b-48c0-8a22-aed276f3c3bb}\ksn_meta.dll

Filesize
333KB

MD5
ed5f35496139e9238e9ff33ca7f173b9

SHA1
ed230628b75ccf944ea2ed87317ece7ee8c377c7

SHA256
93c5feb98eb0b3a1cfe1640f6c0025c913bf79c416bebbe5ed28e1ed19341069

SHA512
eb2d3a8e246b961d31ede5a6a29a268a9b81fb8abbfa83eb8e0c12a992e36404e5829a530a7fbd4ba91ba3e0c0c6c19243e4d4740fa9bdf97a25fd629bc05aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50a5dd31-6f5b-48c0-8a22-aed276f3c3bb}\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50a5dd31-6f5b-48c0-8a22-aed276f3c3bb}\settings.dat

Filesize
1KB

MD5
0a30b703f7c11790ee4cb6a6b37d2b52

SHA1
0a0f62b1d8941eeccceac80faa3c5c75b615c50c

SHA256
12f2b0817e2d8ad8b1c2fae6c5ec6ea81cfcfb7c722b4d0c09058c54b46aad1b

SHA512
6d9f9ffe04e420b8555326885c528004cc71022a5b289b356eb0c1d65f1ac5b2394fb68f16700708b0ebdbd2d46893b1aa0c54795addabdbd22439c983614c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50a5dd31-6f5b-48c0-8a22-aed276f3c3bb}\settings.kvdb

Filesize
11KB

MD5
173eee6007354de8cd873f59ffca955f

SHA1
395c5a7cb10d62cc4c63d2d65f849163e61cba5a

SHA256
17dfcf78dca415e3e7afac7519db911c0a93f36388c948aba40bcaa3176589a1

SHA512
465394c349dc74fd8a5c5ce5a89d65f0b0e09432d54517ea12de2bc8ccb329629dde03b0939800d30d008bedf0dca948fd84593bab7b7c8994ba041a7af1af2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50a5dd31-6f5b-48c0-8a22-aed276f3c3bb}\storage.dll

Filesize
301KB

MD5
d470615822aa5c5f7078b743a676f152

SHA1
f069bfff46cf0e08b2d615d5a9a289b7c9a6b85c

SHA256
f77657ee84fd1790d0a765ed45a1c832fbeb340cce8ce9011544295c70c1b1dc

SHA512
8826f0924d4444cbe60ec5b24d89f36f6619308b4058e4790e0228614226516eb312dcceb1a3ffe8c0bee8f545efbcffe1188cbf17b9f1c7fb58dad6090be1f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50a5dd31-6f5b-48c0-8a22-aed276f3c3bb}\storage.kvdb

Filesize
6KB

MD5
1a3330c4f388360e4c2b0d94fb48a788

SHA1
127ad9be38c4aa491bd1bce6458f99a27c6d465b

SHA256
01b8d0d8c7114b59f159021384c8a59535f87018a6a136a276b5a297f54d776d

SHA512
1fcd1e99e35dc4ec972ab63299637322a27b471d02175d56409a3a114db6259f9cd767ac054c7a2bba075f36ab62f19c8118c3dda93e37b7deda05aa2b260553

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50a5dd31-6f5b-48c0-8a22-aed276f3c3bb}\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7b9987d9-efaa-4dd0-bcc6-b675dd3454e5}\e4c71990-ae69-46d9-b239-997eb29ac12f.cmd

Filesize
695B

MD5
fc7cbc1649a142e5020b31d9d90aecd9

SHA1
24d383e690a26bde4e37eae051440d292dd6bb73

SHA256
fa8f85f1d47c5253d325072706bd5acb0c45c52a1cbd5deaa6d4a4a1943e3cb9

SHA512
ae9ee8a6f1a80a0e1322dd8647360bbcf1f3af969f63d50412cf3e0ccaf9885ed0be9c5bbfed2fcd996846fdc40435c3f336fc01f46775908ac5a47171cd890d

Download Submit
memory/220-13-0x0000000000F50000-0x0000000000F52000-memory.dmp

Filesize
8KB

Download
memory/220-42-0x0000000000F50000-0x0000000000F52000-memory.dmp

Filesize
8KB

Download
memory/220-33-0x000002385EA80000-0x000002385EAF1000-memory.dmp

Filesize
452KB

Download
memory/220-4-0x0000000000F50000-0x0000000000F52000-memory.dmp

Filesize
8KB

Download
memory/220-12-0x000002385EA80000-0x000002385EAF1000-memory.dmp

Filesize
452KB

Download
memory/220-14-0x000002385EA80000-0x000002385EAF1000-memory.dmp

Filesize
452KB

Download
memory/220-5-0x000002385EA80000-0x000002385EAF1000-memory.dmp

Filesize
452KB

Download
memory/220-15-0x000002385EA80000-0x000002385EAF1000-memory.dmp

Filesize
452KB

Download
memory/3676-0-0x0000000000482000-0x0000000000549000-memory.dmp

Filesize
796KB

Download
memory/3676-1-0x0000000000400000-0x0000000000681000-memory.dmp

Filesize
2.5MB

Download
memory/3676-17-0x0000000000482000-0x0000000000549000-memory.dmp

Filesize
796KB

Download
memory/4644-18-0x00007FFFDC490000-0x00007FFFDCF51000-memory.dmp

Filesize
10.8MB

Download
memory/4644-29-0x00007FFFDC490000-0x00007FFFDCF51000-memory.dmp

Filesize
10.8MB

Download
memory/4644-32-0x00007FFFDC490000-0x00007FFFDCF51000-memory.dmp

Filesize
10.8MB

Download
memory/4644-16-0x00007FFFDC493000-0x00007FFFDC495000-memory.dmp

Filesize
8KB

Download
memory/4644-28-0x0000024C4D160000-0x0000024C4D182000-memory.dmp

Filesize
136KB

Download
memory/5656-53-0x0000000000920000-0x0000000000AA8000-memory.dmp

Filesize
1.5MB

Download
memory/5656-54-0x0000000000920000-0x0000000000AA8000-memory.dmp

Filesize
1.5MB

Download
memory/5656-45-0x0000000000920000-0x0000000000AA8000-memory.dmp

Filesize
1.5MB

Download
memory/5656-52-0x0000000000920000-0x0000000000AA8000-memory.dmp

Filesize
1.5MB

Download
memory/5656-43-0x0000000140000000-0x000000014043E000-memory.dmp

Filesize
4.2MB

Download
memory/5656-50-0x0000000000920000-0x0000000000AA8000-memory.dmp

Filesize
1.5MB

Download
memory/5656-49-0x0000000000920000-0x0000000000AA8000-memory.dmp

Filesize
1.5MB

Download
memory/5656-47-0x0000000000920000-0x0000000000AA8000-memory.dmp

Filesize
1.5MB

Download
memory/5656-46-0x0000000000920000-0x0000000000AA8000-memory.dmp

Filesize
1.5MB

Download
memory/5656-48-0x0000000000920000-0x0000000000AA8000-memory.dmp

Filesize
1.5MB

Download
memory/5656-51-0x0000000000920000-0x0000000000AA8000-memory.dmp

Filesize
1.5MB

Download