darkvision | b7a2def2630cbbca20d06f0d40ceaf00f8df471adb12f62efbeb513681cf4878

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2025, 23:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

quarantine/235T1TS.exe
Size

1.2MB
MD5

9d0b654f17466ee2eda9e03dd303812c
SHA1

312957b2937309721aef5a5945daafd2dfe0623c
SHA256

f98627e83fc643c88937ba13f628be9b9666c18aa10dbd279e1b8822d332880e
SHA512

48e7bacddcd04b8200bd20f03fd1e4618deb02fc616708a7e6d899a8071e493e7609ea1cc8ce86c17dacd2995879d9c3e58e6cf854ec07f4f25a1e7c34948b7c
SSDEEP

24576:2GkbQjI/z3YQE6eakkvEDiTZsM18DvlmpvRUtIguzz+6wzI2uTw:2Gkb6QBea3sDiVsMIsmtEzCzy

Score

10^/10

darkvision bootkit defense_evasion discovery execution persistence rat

Malware Config

Extracted

Family

darkvision

82.29.67.160

Attributes

url
http://107.174.192.179/data/003

https://grabify.link/ZATFQO

http://107.174.192.179/clean
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36

Signatures

DarkVision Rat
DarkVision Rat is a trojan written in C++.
rat darkvision
Darkvision family
darkvision

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5932	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
12	2484	svchost.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\Drivers\04a2f6df.sys	3822fcae.exe
File created	C:\Windows\System32\Drivers\klupd_04a2f6dfa_arkmon.sys	3822fcae.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\04a2f6df\ImagePath = "System32\\Drivers\\04a2f6df.sys"	3822fcae.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_04a2f6dfa_arkmon\ImagePath = "System32\\Drivers\\klupd_04a2f6dfa_arkmon.sys"	3822fcae.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	3822fcae.exe

Deletes itself 1 IoCs

pid	Process
2484	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
4796	tzutil.exe
2136	w32tm.exe
12932	3d843c03.exe
1528	3822fcae.exe

Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\04a2f6df.sys	3822fcae.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\04a2f6df.sys\ = "Driver"	3822fcae.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\04a2f6df.sys	3822fcae.exe

Loads dropped DLL 13 IoCs

pid	Process
1528	3822fcae.exe
1528	3822fcae.exe
1528	3822fcae.exe
1528	3822fcae.exe
1528	3822fcae.exe
1528	3822fcae.exe
1528	3822fcae.exe
1528	3822fcae.exe
1528	3822fcae.exe
1528	3822fcae.exe
1528	3822fcae.exe
1528	3822fcae.exe
1528	3822fcae.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\9fc24471-da4b-4726-9b37-dfd6b19ac3c1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{25ab4ebf-3b48-471f-928f-7d313a09a22e}\\9fc24471-da4b-4726-9b37-dfd6b19ac3c1.cmd\""	3822fcae.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	3822fcae.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	3d843c03.exe
File opened (read-only)	\??\VBoxMiniRdrDN	3822fcae.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	235T1TS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3d843c03.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3822fcae.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 31 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1460	PING.EXE
7120	PING.EXE
880	PING.EXE
7028	PING.EXE
6780	PING.EXE
2132	PING.EXE
6484	PING.EXE
6396	PING.EXE
5384	PING.EXE
6976	PING.EXE
7216	PING.EXE
1448	PING.EXE
4292	PING.EXE
6432	PING.EXE
5092	PING.EXE
660	PING.EXE
2280	PING.EXE
3060	PING.EXE
4588	PING.EXE
4180	PING.EXE
6924	PING.EXE
6680	PING.EXE
6580	PING.EXE
2380	PING.EXE
6532	PING.EXE
5884	PING.EXE
6876	PING.EXE
6352	PING.EXE
7068	PING.EXE
6828	PING.EXE
1728	PING.EXE

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
7284	reg.exe
7296	reg.exe

Runs ping.exe 1 TTPs 31 IoCs

Remote System Discovery

T1018

pid	Process
1460	PING.EXE
4588	PING.EXE
4292	PING.EXE
5884	PING.EXE
6924	PING.EXE
6580	PING.EXE
6352	PING.EXE
6484	PING.EXE
6396	PING.EXE
5384	PING.EXE
880	PING.EXE
6976	PING.EXE
3060	PING.EXE
6780	PING.EXE
4180	PING.EXE
6432	PING.EXE
7120	PING.EXE
7068	PING.EXE
6828	PING.EXE
1728	PING.EXE
6680	PING.EXE
1448	PING.EXE
2380	PING.EXE
7216	PING.EXE
2280	PING.EXE
2132	PING.EXE
6532	PING.EXE
660	PING.EXE
7028	PING.EXE
5092	PING.EXE
6876	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5932	powershell.exe
5932	powershell.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1528	3822fcae.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
6008	235T1TS.exe
6008	235T1TS.exe
6008	235T1TS.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	5932	powershell.exe
Token: SeDebugPrivilege	1528	3822fcae.exe
Token: SeBackupPrivilege	1528	3822fcae.exe
Token: SeRestorePrivilege	1528	3822fcae.exe
Token: SeLoadDriverPrivilege	1528	3822fcae.exe
Token: SeShutdownPrivilege	1528	3822fcae.exe
Token: SeSystemEnvironmentPrivilege	1528	3822fcae.exe
Token: SeSecurityPrivilege	1528	3822fcae.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 6008 wrote to memory of 2440	6008	235T1TS.exe	86
PID 6008 wrote to memory of 2440	6008	235T1TS.exe	86
PID 6008 wrote to memory of 2484	6008	235T1TS.exe	88
PID 6008 wrote to memory of 2484	6008	235T1TS.exe	88
PID 2440 wrote to memory of 5932	2440	cmd.exe	89
PID 2440 wrote to memory of 5932	2440	cmd.exe	89
PID 2484 wrote to memory of 4796	2484	svchost.exe	97
PID 2484 wrote to memory of 4796	2484	svchost.exe	97
PID 2484 wrote to memory of 5008	2484	svchost.exe	98
PID 2484 wrote to memory of 5008	2484	svchost.exe	98
PID 2484 wrote to memory of 2136	2484	svchost.exe	99
PID 2484 wrote to memory of 2136	2484	svchost.exe	99
PID 2136 wrote to memory of 12932	2136	w32tm.exe	104
PID 2136 wrote to memory of 12932	2136	w32tm.exe	104
PID 2136 wrote to memory of 12932	2136	w32tm.exe	104
PID 12932 wrote to memory of 1528	12932	3d843c03.exe	105
PID 12932 wrote to memory of 1528	12932	3d843c03.exe	105
PID 12932 wrote to memory of 1528	12932	3d843c03.exe	105
PID 5768 wrote to memory of 6352	5768	cmd.exe	108
PID 5768 wrote to memory of 6352	5768	cmd.exe	108
PID 5768 wrote to memory of 6396	5768	cmd.exe	109
PID 5768 wrote to memory of 6396	5768	cmd.exe	109
PID 5768 wrote to memory of 6432	5768	cmd.exe	110
PID 5768 wrote to memory of 6432	5768	cmd.exe	110
PID 5768 wrote to memory of 6484	5768	cmd.exe	111
PID 5768 wrote to memory of 6484	5768	cmd.exe	111
PID 5768 wrote to memory of 6532	5768	cmd.exe	112
PID 5768 wrote to memory of 6532	5768	cmd.exe	112
PID 5768 wrote to memory of 6580	5768	cmd.exe	113
PID 5768 wrote to memory of 6580	5768	cmd.exe	113
PID 5768 wrote to memory of 4180	5768	cmd.exe	114
PID 5768 wrote to memory of 4180	5768	cmd.exe	114
PID 5768 wrote to memory of 6680	5768	cmd.exe	115
PID 5768 wrote to memory of 6680	5768	cmd.exe	115
PID 5768 wrote to memory of 1728	5768	cmd.exe	116
PID 5768 wrote to memory of 1728	5768	cmd.exe	116
PID 5768 wrote to memory of 6780	5768	cmd.exe	117
PID 5768 wrote to memory of 6780	5768	cmd.exe	117
PID 5768 wrote to memory of 6828	5768	cmd.exe	118
PID 5768 wrote to memory of 6828	5768	cmd.exe	118
PID 5768 wrote to memory of 6876	5768	cmd.exe	119
PID 5768 wrote to memory of 6876	5768	cmd.exe	119
PID 5768 wrote to memory of 6924	5768	cmd.exe	120
PID 5768 wrote to memory of 6924	5768	cmd.exe	120
PID 5768 wrote to memory of 6976	5768	cmd.exe	121
PID 5768 wrote to memory of 6976	5768	cmd.exe	121
PID 5768 wrote to memory of 7028	5768	cmd.exe	122
PID 5768 wrote to memory of 7028	5768	cmd.exe	122
PID 5768 wrote to memory of 7068	5768	cmd.exe	123
PID 5768 wrote to memory of 7068	5768	cmd.exe	123
PID 5768 wrote to memory of 7120	5768	cmd.exe	124
PID 5768 wrote to memory of 7120	5768	cmd.exe	124
PID 5768 wrote to memory of 660	5768	cmd.exe	125
PID 5768 wrote to memory of 660	5768	cmd.exe	125
PID 5768 wrote to memory of 1460	5768	cmd.exe	126
PID 5768 wrote to memory of 1460	5768	cmd.exe	126
PID 5768 wrote to memory of 5884	5768	cmd.exe	127
PID 5768 wrote to memory of 5884	5768	cmd.exe	127
PID 5768 wrote to memory of 2280	5768	cmd.exe	128
PID 5768 wrote to memory of 2280	5768	cmd.exe	128
PID 5768 wrote to memory of 5384	5768	cmd.exe	129
PID 5768 wrote to memory of 5384	5768	cmd.exe	129
PID 5768 wrote to memory of 880	5768	cmd.exe	130
PID 5768 wrote to memory of 880	5768	cmd.exe	130

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\quarantine\235T1TS.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\235T1TS.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:6008
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-MpPreference -ExclusionPath 'C:'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5932
- C:\Windows\system32\svchost.exe
  "C:\Windows\system32\svchost.exe"
  2⤵
  - Downloads MZ/PE file
  - Deletes itself
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
    "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
    3⤵
    - Executes dropped EXE
    PID:4796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\set.bat" """
    3⤵
    PID:5008
- - C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
    "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\Users\Admin\AppData\Local\Temp\{fffe0ae3-3e03-4ec3-afe5-9f9d12c5df41}\3d843c03.exe
      "C:\Users\Admin\AppData\Local\Temp\{fffe0ae3-3e03-4ec3-afe5-9f9d12c5df41}\3d843c03.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot
      4⤵
      Executes dropped EXE
      Checks for VirtualBox DLLs, possible anti-VM trick
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:12932
    - - C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\3822fcae.exe
        
        C:/Users/Admin/AppData/Local/Temp/{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}/\3822fcae.exe -accepteula -adinsilent -silent -processlevel 2 -postboot
        5⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Checks computer location settings
        Executes dropped EXE
        Impair Defenses: Safe Mode Boot
        Loads dropped DLL
        Adds Run key to start application
        Writes to the Master Boot Record (MBR)
        Checks for VirtualBox DLLs, possible anti-VM trick
        System Location Discovery: System Language Discovery
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{25ab4ebf-3b48-471f-928f-7d313a09a22e}\9fc24471-da4b-4726-9b37-dfd6b19ac3c1.cmd" "
        6⤵
        
        PID:2244
        
        C:\Windows\system32\reg.exe
        
        reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 9fc24471-da4b-4726-9b37-dfd6b19ac3c1 /f
        7⤵
        Modifies registry key
        
        PID:7284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:1172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:1196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\{25ab4ebf-3b48-471f-928f-7d313a09a22e}\9fc24471-da4b-4726-9b37-dfd6b19ac3c1.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:5768
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:6352
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:6396
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:6432
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:6484
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:6532
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:6580
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4180
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:6680
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1728
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:6780
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:6828
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:6876
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:6924
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:6976
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:7028
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:7068
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:7120
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:660
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1460
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:5884
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2280
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:5384
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:880
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3060
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4588
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2132
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1448
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:5092
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2380
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4292
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:7216
- C:\Windows\system32\reg.exe
  reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 9fc24471-da4b-4726-9b37-dfd6b19ac3c1 /f
  2⤵
  - Modifies registry key
  PID:7296

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe

Filesize
1.9MB

MD5
3cf1ad76cc9ee98b2ef901bc43d27e42

SHA1
6661ccb3bdba15713c4573de6bb6da1340ceb4d8

SHA256
ee6eb001007a24a393576197ff02b58b6f5c7cd673c3cfa33f6aaa65673a72fb

SHA512
8207080ec48518f5ea723b452fbcbc489003a944ef65371348adbf068b07e5cde477cc423f8c6c30c6b7a489d677d42e3b4f13742cb6efbb00ae0b3fcf1bedc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_54udgrvs.5nx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\{25ab4ebf-3b48-471f-928f-7d313a09a22e}\9fc24471-da4b-4726-9b37-dfd6b19ac3c1.cmd

Filesize
695B

MD5
967f160f45af197427d7bebb70524483

SHA1
6d7e57f44e1bfef9f137633e529db4dfb5eca2e8

SHA256
94033c8148b79d6ee55bb9bf990eae7ca1efdc52897164bbfe6fbc39e7a2f652

SHA512
d20cba60ebc7ef31178c3993ed74070ebffc8e8c5b4aaec0ba6044bece2a012b85631fb8baa915abf892e3b8db3693d80730b3eb483d918b553fb47f30ffb434

Download Submit
C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\set.bat

Filesize
153B

MD5
77d9ab6e61cf9928494530be8ed5d80d

SHA1
9da463abb2f54ce0497ab48aa04a9da8d1f77679

SHA256
0324ba4d164702b4020ec6bf79cfbfa93e9a635234085e96888854b173735cbc

SHA512
2cc2679229c783f5e243948f8e6d9a17d3cc187956a8b0eefc1f027dcfdcf9cb69f48f93d8eb2c4cd5c801f859882a7589a6f4919b32ebb77d90244329dab856

Download Submit
C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe

Filesize
1.3MB

MD5
15bdc4bd67925ef33b926843b3b8154b

SHA1
646af399ef06ac70e6bd43afe0f978f0f51a75fd

SHA256
4f0b2c61bccfd9aa3db301ee4e15607df41ded533757de34c986a0ff25b6246d

SHA512
eac0736a06d0835758318d594d3560ee6be82889020a173463943956dd400d08cf1174a4c722dc45a3f3c034131982f4b19ff27db1163838afbfac37f397eaf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\AP25B1~1.DLL

Filesize
18KB

MD5
3940167ffb4383992e73f9a10e4b8b1e

SHA1
53541c824003b0f90b236eda83b06bec5e1acbf5

SHA256
ec573431338371504b7b9e57b2d91382b856aabf25d2b4ad96486efb794c198e

SHA512
9732acaa4db773f4f99f423d9feaebb35c197bbd468922348e0ad086f7131d83f6d9714dc7d375183e7cb8920cfe37f3da19b0041a9063cc60abe183375b1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\AP26B7~1.DLL

Filesize
17KB

MD5
ff8026dab5d3dabca8f72b6fa7d258fa

SHA1
075c8719e226a34d7b883fd62b2d7f8823d70f1a

SHA256
535e9d20f00a2f1a62f843a4a26cfb763138d5dfe358b0126d33996fba9ca4d1

SHA512
9c56ff11d5843ba09cd29e3bc6c6b9396926c6a588194193ba220cfa784b770ab6756076f16f18cfea75b51a8184a1063ef47f63804839530382f8d39d5cf006

Download Submit
C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\AP345C~1.DLL

Filesize
17KB

MD5
d91bf81cf5178d47d1a588b0df98eb24

SHA1
75f9f2da06aa2735906b1c572dd556a3c30e7717

SHA256
f8e3b45fd3e22866006f16a9e73e28b5e357f31f3c275b517692a5f16918b492

SHA512
93d1b0d226e94235f1b32d42f6c1b95fadfaf103b8c1782423d2c5a4836102084fb53f871e3c434b85f0288e47f44345138de54ea5f982ca3e8bbf2d2bea0706

Download Submit
C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\AP40C7~1.DLL

Filesize
18KB

MD5
cfe87d58f973daeda4ee7d2cf4ae521d

SHA1
fd0aa97b7cb6e50c6d5d2bf2d21d757040b5204a

SHA256
4997fda5d0e90b8a0ab7da314cb56f25d1450b366701c45c294d8dd3254de483

SHA512
40eb68deb940bbe1b835954183eea711994c434de0abbdea0b1a51db6233a12e07827ad4a8639ae0baf46dd26c168a775ffe606c82cbe47bae655c7f28ab730b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\AP4F63~1.DLL

Filesize
17KB

MD5
18fd51821d0a6f3e94e3fa71db6de3af

SHA1
7d9700e98ef2d93fdbf8f27592678194b740f4e0

SHA256
dba84e704ffe5fcd42548856258109dc77c6a46fd0b784119a3548ec47e5644b

SHA512
4009b4d50e3cb17197009ac7e41a2351de980b2c5b79c0b440c7fe4c1c3c4e18f1089c6f43216eaa262062c395423f3ad92ca494f664636ff7592c540c5ef89d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\AP507A~1.DLL

Filesize
18KB

MD5
0c700b07c3497df4863c3f2fe37cd526

SHA1
f835118244d02304de9eb3a355420ba9d0bd9c13

SHA256
9f1f26794fd664e0a8b6fbd53bfca33dcf7b0dc37faf3eb7782bc38dff62cd8c

SHA512
8042dbd9e80e33e41993887b0289e143e967544389500ada9296b89bda37bb26918e4f370f8a1bdab8faacc4e0a6980794d6a3b5320e170ad4ef751384c9f0a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\AP5574~1.DLL

Filesize
17KB

MD5
cedefd460bc1e36ae111668f3b658052

SHA1
9bd529fe189e0b214b9e0e51717bdf62f1da44ea

SHA256
f941c232964d01e4680e54ab04955ec6264058011b03889fe29db86509511eba

SHA512
2c845642b054bc12c2911bfe2b850f06fecafef022180c22f6ffd670f821e84fcad041c4d81ddadb781ddb36cb3e98dfe4eb75ec02b88306ef1d410cbb021454

Download Submit
C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\AP6221~1.DLL

Filesize
20KB

MD5
23bd405a6cfd1e38c74c5150eec28d0a

SHA1
1d3be98e7dfe565e297e837a7085731ecd368c7b

SHA256
a7fa48de6c06666b80184afee7e544c258e0fb11399ab3fe47d4e74667779f41

SHA512
c52d487727a34fbb601b01031300a80eca7c4a08af87567da32cb5b60f7a41eb2cae06697cd11095322f2fc8307219111ee02b60045904b5c9b1f37e48a06a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\AP750A~1.DLL

Filesize
18KB

MD5
95c5b49af7f2c7d3cd0bc14b1e9efacb

SHA1
c400205c81140e60dffa8811c1906ce87c58971e

SHA256
ff9b51aff7fbec8d7fe5cc478b12492a59b38b068dc2b518324173bb3179a0e1

SHA512
f320937b90068877c46d30a15440dc9ace652c3319f5d75e0c8bb83f37e78be0efb7767b2bd713be6d38943c8db3d3d4c3da44849271605324e599e1242309c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\AP8526~1.DLL

Filesize
17KB

MD5
990ac84ae2d83eeb532a28fe29602827

SHA1
0916f85cc6cc1f01dc08bdf71517a1dc1b8eaf78

SHA256
dbd788b1c5694d65fa6f6e2202bfabb30adf77eb1973ceb9a737efb16e9edae2

SHA512
f0e4705a6890b4f81b7d46f66ca6b8ee82f647e163bce9ecad11d0bbd69caf4ff3c4f15e0d3f829c048b6849b99a7641861e6caf319904d4d61a6084f10da353

Download Submit
C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\AP87F4~1.DLL

Filesize
21KB

MD5
eefe86b5a3ab256beed8621a05210df2

SHA1
90c1623a85c519adbc5ef67b63354f881507b8a7

SHA256
1d1c11fc1ad1febf9308225c4ccf0431606a4ab08680ba04494d276cb310bf15

SHA512
c326a2ca190db24e8e96c43d1df58a4859a32eb64b0363f9778a8902f1ac0307dca585be04f831a66bc32df54499681ad952ce654d607f5fdb93e9b4504d653f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\APC7B0~1.DLL

Filesize
17KB

MD5
3f224766fe9b090333fdb43d5a22f9ea

SHA1
548d1bb707ae7a3dfccc0c2d99908561a305f57b

SHA256
ae5e73416eb64bc18249ace99f6847024eceea7ce9c343696c84196460f3a357

SHA512
c12ea6758071b332368d7ef0857479d2b43a4b27ceeab86cbb542bd6f1515f605ea526dfa3480717f8f452989c25d0ee92bf3335550b15ecec79e9b25e66a2ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\APD0F3~1.DLL

Filesize
18KB

MD5
0c48220a4485f36feed84ef5dd0a5e9c

SHA1
1e7d4038c2765cffa6d4255737a2a8aa86b5551c

SHA256
2dd4ebaa12cbba142b5d61a0ebf84a14d0d1bb8826ba42b63e303fe6721408df

SHA512
e09951785b09f535340e1e6c256df1919485b4dad302b30d90126411cc49a13807b580fa2fcd0d6f7b64aac4f5b5ea3e250b66035a0e2f664d865408c9b43d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\APDC30~1.DLL

Filesize
17KB

MD5
65fc0b6c2ceff31336983e33b84a9313

SHA1
980de034cc3a36021fd8bafff3846b0731b7068e

SHA256
966a38ed7034f8d355e1e8772dfc92f23fb3c8a669780ed4ac3b075625d09744

SHA512
f4ebc7a6d12ae6afa5b96c06413a3438e1678b276b1517da07d33912818fc863b4d35cb46280f12cf90e37bc93e3ab5e44ea6f75767a314c59222b7d397e5b6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\APDEA0~1.DLL

Filesize
17KB

MD5
79ee4a2fcbe24e9a65106de834ccda4a

SHA1
fd1ba674371af7116ea06ad42886185f98ba137b

SHA256
9f7bda59faafc8a455f98397a63a7f7d114efc4e8a41808c791256ebf33c7613

SHA512
6ef7857d856a1d23333669184a231ad402dc62c8f457a6305fe53ed5e792176ca6f9e561375a707da0d7dd27e6ea95f8c4355c5dc217e847e807000b310aa05c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\APEF2A~1.DLL

Filesize
19KB

MD5
1dda9cb13449ce2c6bb670598fc09dc8

SHA1
0a91fe11b9a8321ca369f665a623270e5ac23176

SHA256
4f187f1b4b14763360c325df6b04d3ec3cc6d2cecc9b796bc52a6c7196b0b2cc

SHA512
4e106c8a52033352c91b65cf65ec459de764c125136333a2f4ba026efdde65f3f71b1f6f11e4c580150ac8a9779825ba5e2af0e14df999a198cfe244e522c28d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\API-MS~2.DLL

Filesize
18KB

MD5
aabbb38c4110cc0bf7203a567734a7e7

SHA1
5df8d0cdd3e1977ffacca08faf8b1c92c13c6d48

SHA256
24b07028c1e38b9ca2f197750654a0dfb7d33c2e52c9dd67100609499e8028db

SHA512
c66c98d2669d7a180510c57bab707d1e224c12ab7e2b08994eb5fd5be2f3dee3dbdb934bcb9db168845e4d726114bce317045027215419d3f13dcfa0f143d713

Download Submit
C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\API-MS~3.DLL

Filesize
17KB

MD5
8894176af3ea65a09ae5cf4c0e6ff50f

SHA1
46858ea9029d7fc57318d27ca14e011327502910

SHA256
c64b7c6400e9bacc1a4f1baed6374bfbce9a3f8cf20c2d03f81ef18262f89c60

SHA512
64b31f9b180c2e4e692643d0ccd08c3499cae87211da6b2b737f67b5719f018ebcacc2476d487a0aeb91fea1666e6dbbf4ca7b08bb4ab5a031655bf9e02cea9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\API-MS~4.DLL

Filesize
17KB

MD5
879920c7fa905036856bcb10875121d9

SHA1
a82787ea553eefa0e7c3bb3aedb2f2c60e39459a

SHA256
7e4cba620b87189278b5631536cdad9bfda6e12abd8e4eb647cb85369a204fe8

SHA512
06650248ddbc68529ef51c8b3bc3185a22cf1685c5fa9904aee766a24e12d8a2a359b1efd7f49cc2f91471015e7c1516c71ba9d6961850553d424fa400b7ea91

Download Submit
C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\Bases\KSN\log0

Filesize
584KB

MD5
0090d68cd98a1c0ebdc9b7a6a909f52e

SHA1
bf86500cc6af06dcfd47cf92eb2dfb022f2fdc22

SHA256
86bdb178b04e95a9091bd0f07b3089a99aa9af618e9964a483474c62b595bfeb

SHA512
1d9bb870bd23aef6100969b8894d6e7a3738a62a37fbeae044d08092f983021206568fc5de00605aad1fe6aa3deabb69175aea6afcaa676fff3357290654f689

Download Submit
C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\Bases\SCO\log0

Filesize
810KB

MD5
229363765de004a2de108ae5b3ed8b21

SHA1
3bd09603f50614dfa0cb617d0fb2d78874db88e0

SHA256
9bf9e9b27c4ba20d1e1583084e3545f278be4ff54642f33c8cb61c74be1786c6

SHA512
52e2705b93421bb7e85c81df46839d3c79588c6971fb5699b376dfbe23fbbf1837b6467a5ec5c7ca52c80a494f9b9eb06452edd04dc5d745012d10166304fa07

Download Submit
C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\Bases\arkmon64.drv

Filesize
390KB

MD5
7c924dd4d20055c80007791130e2d03f

SHA1
072f004ddcc8ddf12aba64e09d7ee0ce3030973e

SHA256
406ab7d6e45dbedcfbd2d7376a643620c7462cece3e41115c8fbc07861177ec6

SHA512
ab26005da50cbf1f45129834cb661b5b97aed5637d4ebc9821c8b744ff61c3f108f423ae5628602d99b3d859e184bfb23900797538dca2891186321d832ea806

Download Submit
C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\KVRT.exe

Filesize
2.6MB

MD5
3fb0ad61548021bea60cdb1e1145ed2c

SHA1
c9b1b765249bfd76573546e92287245127a06e47

SHA256
5d1a788260891c317f9d05b3387e732af908959c5ad4f5a84e7984bee71084f1

SHA512
38269c22fda1fdee5906c2bfdfc19b77b5f6d8da2be939c6d8259b536912f8bc6f261f5c508f47ade8ab591a54aafbfbcc302219820bad19feb78fcc3586d331

Download Submit
C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\app_core.dll

Filesize
1.3MB

MD5
fe0964663cf9c5e4ff493198e035cc1f

SHA1
ab9b19bd0e4efa36f78d2059b4ca556521eb35cb

SHA256
ddd70011d86b8ec909295ef45f94b48b0252229b6182af9ef8a6029c30daaf39

SHA512
923cfd9143d3850357bda901f66b5292f36ff025f05b2156667873861a02d9f498a03cdb73d2c477c0055d46600628f936b70dec46d7687fe0a97cbb1c8cf0ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\app_core_meta.dll

Filesize
619KB

MD5
81172e3cf5fc6df072b45c4f1fb6eb34

SHA1
5eb293f0fe6c55e075c5ebef4d21991546f7e504

SHA256
2a272a1990a3dfa35693adf0689512b068a831283a852f8f805cb28153115f57

SHA512
8dc4b0d5593cf2c2262b2802b60672c392dfe0e1cd757a3410e5376bbe6bf6c473428a7ca0fc1c7f0d2de5f59017d8464e7789c76999b5d7b5379209b34c1813

Download Submit
C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\config.esm

Filesize
51KB

MD5
184a351c4d532405206e309c10af1d15

SHA1
3cf49f2275f3f9bd8e385eddcdd04e3fc2a17352

SHA256
ef0b7e22d8f7bd06964969a7f2979a475ba1c9c34efccb0c3b9e03ae950c63f6

SHA512
9a1a3cb0e3713ba41f36f4f01f2151b0c04454a05c986215ed2cc42180994f90d10e031d77452a2d0ad5a78f15d8d31c327d0d1ee676789780e6483dbe5e0341

Download Submit
C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\crypto_components_meta.dll

Filesize
61KB

MD5
3d9d1753ed0f659e4db02e776a121862

SHA1
031fb78fe7dc211fe9e0dc8ba0027c14e84cd07f

SHA256
b6163ec9d4825102e3d423e02fb026259a6a17e7d7696ae060ec2b0ba97f54f2

SHA512
e1f50513db117c32505944bfb19fd3185b3231b6bd9f0495942bd9e80dd0f54ab575f1a2fca5e542174d3abe4106a9b5448d924c690e8548cd43aa77f6497c92

Download Submit
C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\dbghelp.dll

Filesize
1.2MB

MD5
4003e34416ebd25e4c115d49dc15e1a7

SHA1
faf95ec65cde5bd833ce610bb8523363310ec4ad

SHA256
c06430b8cb025be506be50a756488e1bcc3827c4f45158d93e4e3eeb98ce1e4f

SHA512
88f5d417377cd62bde417640a79b6ac493e80f0c8b1f63a99378a2a67695ef8e4a541cedb91acfa296ed608e821fee466983806f0d082ed2e74b0cd93eb4fb84

Download Submit
C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\dblite.dll

Filesize
703KB

MD5
98b1a553c8c5944923814041e9a73b73

SHA1
3e6169af53125b6da0e69890d51785a206c89975

SHA256
6fc0104817caa1337531c9d8b284d80052770051efb76e5829895a3854ebaec8

SHA512
8ee4467bce6495f492895a9dfaedaf85b76d6d1f67d9ff5c8c27888191c322863bc29c14ae3f505336a5317af66c31354afaeb63127e7e781f5b249f1c967363

Download Submit
C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\dumpwriter.dll

Filesize
409KB

MD5
f56387639f201429fb31796b03251a92

SHA1
23df943598a5e92615c42fc82e66387a73b960ff

SHA256
e7eefcf569d98a5fb14a459d949756dc00faf32ed6bda1233d9d2c79ca11531c

SHA512
7bfce579b601408262c0edd342cb2cb1ef1353b6b73dce5aad540eb77f56d1184f71c56ea859bc4373aac4875b8861e2cc5d9c49518e6c40d0b2350a7ab26c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\instrumental_services.dll

Filesize
3.4MB

MD5
c6acd1d9a80740f8a416b0a78e3fa546

SHA1
7ea7b707d58bde0d5a14d8a7723f05e04189bce7

SHA256
db8acd14ace6d4c8d4d61016debe3c0d72677416661caf0d36e7306ed020920f

SHA512
46c889f4d84e2f8dc8bfd5bdc34a346aa393fc49adcbe95bc601e6d970599f579e5cb057196061c280cbfa976989c960ac2f1830fd61c0a9166f09a6c088c20d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\key_value_storage.dll

Filesize
158KB

MD5
9bf7f895cff1f0b9ddf5fc077bac314c

SHA1
7e9c0ce6569c6f12c57f34597b213cd4d8f55e68

SHA256
d03e0af01fbcd9ce714caf3db5ca2ab3ca4a717d5fda5c99b77e09b5672498a4

SHA512
d416cfa9446e6c92f0805278c744cf9f8ac6a2bfb96a6e0b2d65e701472ea6feaf5742ed6cef833555188a95c613499e7e14cfe5788427ec2616cfd723021a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\klmd.sys

Filesize
368KB

MD5
990442d764ff1262c0b7be1e3088b6d3

SHA1
0b161374074ef2acc101ed23204da00a0acaa86e

SHA256
6c7ccd465090354438b39da8430a5c47e7f24768a5b12ee02fecf8763e77c9e4

SHA512
af3c6dfe32266a9d546f13559dcba7c075d074bdfdaf0e6bf2a8cae787008afa579f0d5f90e0c657dd614bb244a6d95ff8366c14b388e1f4a3ab76cccb23add4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\klsl.sys

Filesize
87KB

MD5
a69adedb0d47cfb23f23a9562a4405bc

SHA1
9e70576571a15aaf71106ea0cd55e0973ef2dd15

SHA256
31eaa7f1f9872c63091f4b3ec5310686b1dd1e2123af17991a6b4679eda3f62d

SHA512
77abb4435d8d445f7a29cdb8a318486a96122b5cc535da7a63da0fa920980e6ad73e78b72552f6949e66b349bbdc9aa9ea202481046e478c2829c155a1045820

Download Submit
C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\ksn_facade.dll

Filesize
1.3MB

MD5
e6db25447957c55f3d9dac2a9a55a0f0

SHA1
a941c1a04ea07fd76b0c191e62d9621d55447cb5

SHA256
6c6305c220444294179da749d639c91bb97afd507d30a322d7c1c16ccf0ac9fc

SHA512
1a4634245990335fccfb3d4eed858f61ca40bb1a12c919b6c737cebcdbde4727a26dac0180de226ff4e7d7229e6d379500396a00f6c235495cfacf3014df099a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\ksn_meta.dll

Filesize
333KB

MD5
ed5f35496139e9238e9ff33ca7f173b9

SHA1
ed230628b75ccf944ea2ed87317ece7ee8c377c7

SHA256
93c5feb98eb0b3a1cfe1640f6c0025c913bf79c416bebbe5ed28e1ed19341069

SHA512
eb2d3a8e246b961d31ede5a6a29a268a9b81fb8abbfa83eb8e0c12a992e36404e5829a530a7fbd4ba91ba3e0c0c6c19243e4d4740fa9bdf97a25fd629bc05aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\settings.dat

Filesize
1KB

MD5
0a30b703f7c11790ee4cb6a6b37d2b52

SHA1
0a0f62b1d8941eeccceac80faa3c5c75b615c50c

SHA256
12f2b0817e2d8ad8b1c2fae6c5ec6ea81cfcfb7c722b4d0c09058c54b46aad1b

SHA512
6d9f9ffe04e420b8555326885c528004cc71022a5b289b356eb0c1d65f1ac5b2394fb68f16700708b0ebdbd2d46893b1aa0c54795addabdbd22439c983614c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\settings.kvdb

Filesize
11KB

MD5
173eee6007354de8cd873f59ffca955f

SHA1
395c5a7cb10d62cc4c63d2d65f849163e61cba5a

SHA256
17dfcf78dca415e3e7afac7519db911c0a93f36388c948aba40bcaa3176589a1

SHA512
465394c349dc74fd8a5c5ce5a89d65f0b0e09432d54517ea12de2bc8ccb329629dde03b0939800d30d008bedf0dca948fd84593bab7b7c8994ba041a7af1af2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\storage.dll

Filesize
301KB

MD5
d470615822aa5c5f7078b743a676f152

SHA1
f069bfff46cf0e08b2d615d5a9a289b7c9a6b85c

SHA256
f77657ee84fd1790d0a765ed45a1c832fbeb340cce8ce9011544295c70c1b1dc

SHA512
8826f0924d4444cbe60ec5b24d89f36f6619308b4058e4790e0228614226516eb312dcceb1a3ffe8c0bee8f545efbcffe1188cbf17b9f1c7fb58dad6090be1f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\storage.kvdb

Filesize
6KB

MD5
1a3330c4f388360e4c2b0d94fb48a788

SHA1
127ad9be38c4aa491bd1bce6458f99a27c6d465b

SHA256
01b8d0d8c7114b59f159021384c8a59535f87018a6a136a276b5a297f54d776d

SHA512
1fcd1e99e35dc4ec972ab63299637322a27b471d02175d56409a3a114db6259f9cd767ac054c7a2bba075f36ab62f19c8118c3dda93e37b7deda05aa2b260553

Download Submit
C:\Users\Admin\AppData\Local\Temp\{808a4fe5-b9cb-462a-809e-e7380e8c0f9f}\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
memory/2484-4-0x00000000005B0000-0x00000000005B2000-memory.dmp

Filesize
8KB

Download
memory/2484-14-0x00000246F1740000-0x00000246F17B1000-memory.dmp

Filesize
452KB

Download
memory/2484-13-0x00000246F1740000-0x00000246F17B1000-memory.dmp

Filesize
452KB

Download
memory/2484-5-0x00000246F1740000-0x00000246F17B1000-memory.dmp

Filesize
452KB

Download
memory/2484-12-0x00000246F1740000-0x00000246F17B1000-memory.dmp

Filesize
452KB

Download
memory/4796-48-0x0000000000880000-0x0000000000A08000-memory.dmp

Filesize
1.5MB

Download
memory/4796-52-0x0000000000880000-0x0000000000A08000-memory.dmp

Filesize
1.5MB

Download
memory/4796-50-0x0000000000880000-0x0000000000A08000-memory.dmp

Filesize
1.5MB

Download
memory/4796-49-0x0000000000880000-0x0000000000A08000-memory.dmp

Filesize
1.5MB

Download
memory/4796-46-0x0000000000880000-0x0000000000A08000-memory.dmp

Filesize
1.5MB

Download
memory/4796-43-0x0000000140000000-0x000000014043D000-memory.dmp

Filesize
4.2MB

Download
memory/4796-51-0x0000000000880000-0x0000000000A08000-memory.dmp

Filesize
1.5MB

Download
memory/4796-47-0x0000000000880000-0x0000000000A08000-memory.dmp

Filesize
1.5MB

Download
memory/4796-45-0x0000000000880000-0x0000000000A08000-memory.dmp

Filesize
1.5MB

Download
memory/5932-27-0x0000028330ED0000-0x0000028330EF2000-memory.dmp

Filesize
136KB

Download
memory/5932-15-0x00007FFB7F0D3000-0x00007FFB7F0D5000-memory.dmp

Filesize
8KB

Download
memory/5932-26-0x00007FFB7F0D0000-0x00007FFB7FB91000-memory.dmp

Filesize
10.8MB

Download
memory/5932-28-0x00007FFB7F0D0000-0x00007FFB7FB91000-memory.dmp

Filesize
10.8MB

Download
memory/5932-31-0x00007FFB7F0D0000-0x00007FFB7FB91000-memory.dmp

Filesize
10.8MB

Download
memory/6008-16-0x0000000000482000-0x000000000054B000-memory.dmp

Filesize
804KB

Download
memory/6008-0-0x0000000000482000-0x000000000054B000-memory.dmp

Filesize
804KB

Download
memory/6008-1-0x0000000000400000-0x0000000000686000-memory.dmp

Filesize
2.5MB

Download