darkvision | b7a2def2630cbbca20d06f0d40ceaf00f8df471adb12f62efbeb513681cf4878

Analysis

max time kernel
150s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
15/04/2025, 23:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

quarantine/235T1TS.exe
Size

1.2MB
MD5

9d0b654f17466ee2eda9e03dd303812c
SHA1

312957b2937309721aef5a5945daafd2dfe0623c
SHA256

f98627e83fc643c88937ba13f628be9b9666c18aa10dbd279e1b8822d332880e
SHA512

48e7bacddcd04b8200bd20f03fd1e4618deb02fc616708a7e6d899a8071e493e7609ea1cc8ce86c17dacd2995879d9c3e58e6cf854ec07f4f25a1e7c34948b7c
SSDEEP

24576:2GkbQjI/z3YQE6eakkvEDiTZsM18DvlmpvRUtIguzz+6wzI2uTw:2Gkb6QBea3sDiVsMIsmtEzCzy

Score

10^/10

darkvision bootkit defense_evasion discovery execution persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

darkvision

82.29.67.160

Attributes

url
http://107.174.192.179/data/003

https://grabify.link/ZATFQO

http://107.174.192.179/clean
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36

Signatures

DarkVision Rat
DarkVision Rat is a trojan written in C++.
rat darkvision
Darkvision family
darkvision

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4228	powershell.exe
13388	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
1	5300	svchost.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\Drivers\5616767d.sys	236d2412.exe
File created	C:\Windows\System32\Drivers\klupd_5616767da_arkmon.sys	236d2412.exe
File created	C:\Windows\System32\Drivers\klupd_5616767da_klbg.sys	236d2412.exe

Sets service image path in registry 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_5616767da_klark\ImagePath = "System32\\Drivers\\klupd_5616767da_klark.sys"	236d2412.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_5616767da_mark\ImagePath = "System32\\Drivers\\klupd_5616767da_mark.sys"	236d2412.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_5616767da_arkmon_7C924DD4\ImagePath = "\\??\\C:\\KVRT2020_Data\\Temp\\7C924DD4D20055C80007791130E2D03F\\klupd_5616767da_arkmon.sys"	236d2412.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BZh8m_4508\ImagePath = "\\??\\C:\\Windows\\Temp\\rFC4lJ_4508.sys"	tzutil.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\5616767d\ImagePath = "System32\\Drivers\\5616767d.sys"	236d2412.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_5616767da_arkmon\ImagePath = "System32\\Drivers\\klupd_5616767da_arkmon.sys"	236d2412.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_5616767da_klbg\ImagePath = "System32\\Drivers\\klupd_5616767da_klbg.sys"	236d2412.exe

Deletes itself 1 IoCs

pid	Process
5300	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
4508	tzutil.exe
5108	w32tm.exe
14080	4ae93c8f.exe
5892	236d2412.exe

Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\5616767d.sys	236d2412.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\5616767d.sys\ = "Driver"	236d2412.exe

Loads dropped DLL 25 IoCs

pid	Process
5892	236d2412.exe
5892	236d2412.exe
5892	236d2412.exe
5892	236d2412.exe
5892	236d2412.exe
5892	236d2412.exe
5892	236d2412.exe
5892	236d2412.exe
5892	236d2412.exe
5892	236d2412.exe
5892	236d2412.exe
5892	236d2412.exe
5892	236d2412.exe
5892	236d2412.exe
5892	236d2412.exe
5892	236d2412.exe
5892	236d2412.exe
5892	236d2412.exe
5892	236d2412.exe
5892	236d2412.exe
5892	236d2412.exe
5892	236d2412.exe
5892	236d2412.exe
5892	236d2412.exe
5892	236d2412.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\db2d813a-f972-494e-920e-97a814ef8bd8 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{1ae3b760-78dc-4569-ac59-b89c45053561}\\db2d813a-f972-494e-920e-97a814ef8bd8.cmd\""	236d2412.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\SOFTWARE\KasperskyLab	236d2412.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	236d2412.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	236d2412.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	4ae93c8f.exe
File opened (read-only)	\??\VBoxMiniRdrDN	236d2412.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 2 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	236d2412.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	236d2412.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	235T1TS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ae93c8f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	236d2412.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4228	powershell.exe
4228	powershell.exe
13388	powershell.exe
13388	powershell.exe
13832	powershell.exe
13832	powershell.exe
5892	236d2412.exe
5892	236d2412.exe
5892	236d2412.exe
5892	236d2412.exe
5892	236d2412.exe
5892	236d2412.exe
5892	236d2412.exe
5892	236d2412.exe
5892	236d2412.exe
5892	236d2412.exe
5892	236d2412.exe
5892	236d2412.exe
5892	236d2412.exe
5892	236d2412.exe

Suspicious behavior: LoadsDriver 5 IoCs

pid	Process
4508	tzutil.exe
5892	236d2412.exe
5892	236d2412.exe
5892	236d2412.exe
5892	236d2412.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2348	235T1TS.exe
2348	235T1TS.exe
2348	235T1TS.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeDebugPrivilege	4228	powershell.exe
Token: SeDebugPrivilege	13388	powershell.exe
Token: SeLoadDriverPrivilege	4508	tzutil.exe
Token: SeDebugPrivilege	13832	powershell.exe
Token: SeDebugPrivilege	5892	236d2412.exe
Token: SeBackupPrivilege	5892	236d2412.exe
Token: SeRestorePrivilege	5892	236d2412.exe
Token: SeLoadDriverPrivilege	5892	236d2412.exe
Token: SeShutdownPrivilege	5892	236d2412.exe
Token: SeSystemEnvironmentPrivilege	5892	236d2412.exe
Token: SeSecurityPrivilege	5892	236d2412.exe
Token: SeBackupPrivilege	5892	236d2412.exe
Token: SeRestorePrivilege	5892	236d2412.exe
Token: SeDebugPrivilege	5892	236d2412.exe
Token: SeSystemEnvironmentPrivilege	5892	236d2412.exe
Token: SeSecurityPrivilege	5892	236d2412.exe
Token: SeCreatePermanentPrivilege	5892	236d2412.exe
Token: SeShutdownPrivilege	5892	236d2412.exe
Token: SeLoadDriverPrivilege	5892	236d2412.exe
Token: SeIncreaseQuotaPrivilege	5892	236d2412.exe
Token: SeSecurityPrivilege	5892	236d2412.exe
Token: SeSystemProfilePrivilege	5892	236d2412.exe
Token: SeDebugPrivilege	5892	236d2412.exe
Token: SeMachineAccountPrivilege	5892	236d2412.exe
Token: SeCreateTokenPrivilege	5892	236d2412.exe
Token: SeAssignPrimaryTokenPrivilege	5892	236d2412.exe
Token: SeTcbPrivilege	5892	236d2412.exe
Token: SeAuditPrivilege	5892	236d2412.exe
Token: SeSystemEnvironmentPrivilege	5892	236d2412.exe
Token: SeLoadDriverPrivilege	5892	236d2412.exe
Token: SeLoadDriverPrivilege	5892	236d2412.exe
Token: SeIncreaseQuotaPrivilege	5892	236d2412.exe
Token: SeSecurityPrivilege	5892	236d2412.exe
Token: SeSystemProfilePrivilege	5892	236d2412.exe
Token: SeDebugPrivilege	5892	236d2412.exe
Token: SeMachineAccountPrivilege	5892	236d2412.exe
Token: SeCreateTokenPrivilege	5892	236d2412.exe
Token: SeAssignPrimaryTokenPrivilege	5892	236d2412.exe
Token: SeTcbPrivilege	5892	236d2412.exe
Token: SeAuditPrivilege	5892	236d2412.exe
Token: SeSystemEnvironmentPrivilege	5892	236d2412.exe
Token: SeIncreaseQuotaPrivilege	5892	236d2412.exe
Token: SeSecurityPrivilege	5892	236d2412.exe
Token: SeSystemProfilePrivilege	5892	236d2412.exe
Token: SeDebugPrivilege	5892	236d2412.exe
Token: SeMachineAccountPrivilege	5892	236d2412.exe
Token: SeCreateTokenPrivilege	5892	236d2412.exe
Token: SeAssignPrimaryTokenPrivilege	5892	236d2412.exe
Token: SeTcbPrivilege	5892	236d2412.exe
Token: SeAuditPrivilege	5892	236d2412.exe
Token: SeSystemEnvironmentPrivilege	5892	236d2412.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 5324	2348	235T1TS.exe	78
PID 2348 wrote to memory of 5324	2348	235T1TS.exe	78
PID 2348 wrote to memory of 5300	2348	235T1TS.exe	80
PID 2348 wrote to memory of 5300	2348	235T1TS.exe	80
PID 5324 wrote to memory of 4228	5324	cmd.exe	81
PID 5324 wrote to memory of 4228	5324	cmd.exe	81
PID 5300 wrote to memory of 4508	5300	svchost.exe	86
PID 5300 wrote to memory of 4508	5300	svchost.exe	86
PID 5300 wrote to memory of 4612	5300	svchost.exe	87
PID 5300 wrote to memory of 4612	5300	svchost.exe	87
PID 5300 wrote to memory of 5108	5300	svchost.exe	89
PID 5300 wrote to memory of 5108	5300	svchost.exe	89
PID 4508 wrote to memory of 13388	4508	tzutil.exe	90
PID 4508 wrote to memory of 13388	4508	tzutil.exe	90
PID 4508 wrote to memory of 13832	4508	tzutil.exe	92
PID 4508 wrote to memory of 13832	4508	tzutil.exe	92
PID 5108 wrote to memory of 14080	5108	w32tm.exe	94
PID 5108 wrote to memory of 14080	5108	w32tm.exe	94
PID 5108 wrote to memory of 14080	5108	w32tm.exe	94
PID 14080 wrote to memory of 5892	14080	4ae93c8f.exe	95
PID 14080 wrote to memory of 5892	14080	4ae93c8f.exe	95
PID 14080 wrote to memory of 5892	14080	4ae93c8f.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\quarantine\235T1TS.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\235T1TS.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5324
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-MpPreference -ExclusionPath 'C:'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4228
- C:\Windows\system32\svchost.exe
  "C:\Windows\system32\svchost.exe"
  2⤵
  - Downloads MZ/PE file
  - Deletes itself
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5300
- - C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
    "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4508
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath C:\
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:13388
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Remove-MpPreference -ExclusionPath C:\
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:13832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\set.bat" """
    3⤵
    PID:4612
- - C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
    "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5108
  - - C:\Users\Admin\AppData\Local\Temp\{96957815-a156-4e17-9b7f-abd88e917662}\4ae93c8f.exe
      "C:\Users\Admin\AppData\Local\Temp\{96957815-a156-4e17-9b7f-abd88e917662}\4ae93c8f.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot
      4⤵
      Executes dropped EXE
      Checks for VirtualBox DLLs, possible anti-VM trick
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:14080
    - - C:\Users\Admin\AppData\Local\Temp\{9fe2e517-6b4d-48b3-bce5-a44d8f74c446}\236d2412.exe
        
        C:/Users/Admin/AppData/Local/Temp/{9fe2e517-6b4d-48b3-bce5-a44d8f74c446}/\236d2412.exe -accepteula -adinsilent -silent -processlevel 2 -postboot
        5⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Impair Defenses: Safe Mode Boot
        Loads dropped DLL
        Adds Run key to start application
        Checks for any installed AV software in registry
        Enumerates connected drives
        Writes to the Master Boot Record (MBR)
        Checks for VirtualBox DLLs, possible anti-VM trick
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:5892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:5484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:4144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\{1ae3b760-78dc-4569-ac59-b89c45053561}\db2d813a-f972-494e-920e-97a814ef8bd8.cmd"mmonProgramFiles(x86)=C:\Program Files (x86)\Common Files
1⤵
PID:612

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe

Filesize
1.9MB

MD5
3cf1ad76cc9ee98b2ef901bc43d27e42

SHA1
6661ccb3bdba15713c4573de6bb6da1340ceb4d8

SHA256
ee6eb001007a24a393576197ff02b58b6f5c7cd673c3cfa33f6aaa65673a72fb

SHA512
8207080ec48518f5ea723b452fbcbc489003a944ef65371348adbf068b07e5cde477cc423f8c6c30c6b7a489d677d42e3b4f13742cb6efbb00ae0b3fcf1bedc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
38438a4316012154ae9ae948bfe7dd30

SHA1
3720f72b120583f8495c34c2d309bf1a8331783f

SHA256
b44274f6006964771bfc9482e419aab5fcd54f097086215aebe6be291d883a55

SHA512
44c0a937a10b51bbd20cf7785bc377d65a17068eb00c94ac0a3498392fc2bfd4afe3b2ae00fbb8cf699d429aca9957c414b5fbdcf4ebc2a9124007818ed41bd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a0se211o.ku4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1ae3b760-78dc-4569-ac59-b89c45053561}\db2d813a-f972-494e-920e-97a814ef8bd8.cmd

Filesize
695B

MD5
9a5d2e9c2b973403664b53f8586a242a

SHA1
6ca805c5b152c0951cb40e5d4dde2c3e0cb4f965

SHA256
7861c0c63cf02c5eeedc57d8af570290ebeb6e2f1ae06dc3ccd4135563e9834c

SHA512
9d34c1b1f36a82a8e37a952369d554f016de8978371bd9e101371010184ee04a47df8dcbde76d2439ea0e778a17c14ed44948779feab1bf29650340f708e20f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\set.bat

Filesize
153B

MD5
77d9ab6e61cf9928494530be8ed5d80d

SHA1
9da463abb2f54ce0497ab48aa04a9da8d1f77679

SHA256
0324ba4d164702b4020ec6bf79cfbfa93e9a635234085e96888854b173735cbc

SHA512
2cc2679229c783f5e243948f8e6d9a17d3cc187956a8b0eefc1f027dcfdcf9cb69f48f93d8eb2c4cd5c801f859882a7589a6f4919b32ebb77d90244329dab856

Download Submit
C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe

Filesize
1.3MB

MD5
15bdc4bd67925ef33b926843b3b8154b

SHA1
646af399ef06ac70e6bd43afe0f978f0f51a75fd

SHA256
4f0b2c61bccfd9aa3db301ee4e15607df41ded533757de34c986a0ff25b6246d

SHA512
eac0736a06d0835758318d594d3560ee6be82889020a173463943956dd400d08cf1174a4c722dc45a3f3c034131982f4b19ff27db1163838afbfac37f397eaf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9fe2e517-6b4d-48b3-bce5-a44d8f74c446}\Bases\Cache\arkmon.kdl.0dec8121a3970d8f281f9c60ea84aaf2_0

Filesize
449KB

MD5
0dec8121a3970d8f281f9c60ea84aaf2

SHA1
88155215f75013963f5544b3d0321255fc9a9c71

SHA256
98cd6e2e73f5653fa4860baa24b350b06cb35e45b7dde2b01f451e09d521fef4

SHA512
faac938df6acb89e243576007d2544f59b48f7f09531ee88703da3b6ff0d064058035073ce7239d71a908c0bbb50b59727f94661a40c4dccc4a90fdaf84b8788

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9fe2e517-6b4d-48b3-bce5-a44d8f74c446}\Bases\Cache\avengine.dll.f98da395deb9d322340cd1a197ab3845_0

Filesize
960KB

MD5
f98da395deb9d322340cd1a197ab3845

SHA1
940cbfe4b39ac94e50b7b56ed1d4d8077d1cd329

SHA256
48cefaab52832b85dda4dd16b56d8dd97d433601bb4a72aec9affc2723588a4c

SHA512
a3a512154de900d50c3a12a885aaadc807503fc58be2f2874ac50ac1471df51105c7fc6e5cb0b57dff610493e96010065be88f78be3b193dc99e5e60947e8476

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9fe2e517-6b4d-48b3-bce5-a44d8f74c446}\Bases\Cache\kavbase.kdl.bc977d840a8b86dbe363536372a2c057_0

Filesize
803KB

MD5
bc977d840a8b86dbe363536372a2c057

SHA1
5db7874d927fa8a9b7a60d9595c8dfbbcc3bb55e

SHA256
6d90490946e7a194056b0c61c5de3b0d85c3adb5fbbf560fba6458cefe552494

SHA512
a9dcd9d9b8ad08f67ae40819f6994d4f70ead96b69dfad66df052b2711c7d5e4566550fcb3cd29206d4c193725e84c627f5fbbfa61a5fe2233dcbf474391aeb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9fe2e517-6b4d-48b3-bce5-a44d8f74c446}\Bases\Cache\kavsys.kdl.de816729fcdc2fb7e045c618ef2826f1_0

Filesize
949KB

MD5
de816729fcdc2fb7e045c618ef2826f1

SHA1
601bdfa82c53beb133ec1e0e9361bbaedf8cdb86

SHA256
a9658d18637215df8209cdfaa78d9e00cf02e244549a091c129427d51cc51a03

SHA512
b0a138afeb4d7106a5aa3d6f1c8b76409b411dc07d453f3dfbfaf2fb7c9f656f6f0b7266ec7c2aef9cb9ddde3a889ea716748b2f56993a9dc406de7c9d14f8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9fe2e517-6b4d-48b3-bce5-a44d8f74c446}\Bases\Cache\kjim.kdl.c2d207d07ba877fec5d390cd3bc546cd_0

Filesize
6.3MB

MD5
c2d207d07ba877fec5d390cd3bc546cd

SHA1
08619dcc9609048056bad5e88c47ab394eec3132

SHA256
6eddc430a1645d8d4e9a11c582846c5251bccaf20240dfdaf18f1dffb28fb1cd

SHA512
daf5af896af5533c27d080cb4fe2672ae586f72e9cc3fb050cc39d421d08ff176ade70b46d376f3f488bffe20396283c3f832ca2c854289550983e4161195067

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9fe2e517-6b4d-48b3-bce5-a44d8f74c446}\Bases\Cache\klavemu.kdl.0bcb5371a33229b4efd5d23a44e75b4e_0

Filesize
3.8MB

MD5
0bcb5371a33229b4efd5d23a44e75b4e

SHA1
fc36a913a5a5189371dcf2a7a2608761d36d3572

SHA256
19b222d627624598622cf081426d7d51e4cd4d4381ab111240e33e06be83bc80

SHA512
3fee1a171b48cd4b5eb78e1ee80ccda2689c8a79e6d7172d6a22a0e1287f3fbae37e650aa63ed93f24fbee5949ddce39610ae19cf4a08c6ad31e093793076b67

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9fe2e517-6b4d-48b3-bce5-a44d8f74c446}\Bases\Cache\mark.kdl.3c7ca0f19e1c3e4833102f289f4af929_0

Filesize
421KB

MD5
3c7ca0f19e1c3e4833102f289f4af929

SHA1
cf03c3968e82f37e8138a74ab64622955aa54c22

SHA256
1ec1bb62b665cccd6930c0f387bac9715f10bb6a0eb16db01c0882a27cbbf796

SHA512
bfafd849a2f40a91bbb4bd6eabca2207e79e9ac9f5e2242d2890b8f65a6b6561d39e5473fce91953f529145bd6b7356389582db0057e1523174367a74877ace2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9fe2e517-6b4d-48b3-bce5-a44d8f74c446}\Bases\Cache\qscan.kdl.875cfd83439a31d83faabb7ba8796b61_0

Filesize
1.4MB

MD5
875cfd83439a31d83faabb7ba8796b61

SHA1
d1feee7a1c488f84ef2c7372ce46c88e29b1035e

SHA256
73a4e381605be241618aee01348c256ad57e6e4eb7ad1c10ca631301dd3c2312

SHA512
083a227ef1d07620bf4bfcfe59f2770553a1b1444e8b5603c283f3218a3cecf649825bf22ec79c07a1a774e5f1780c88ea4da6a9ff4ca019ed5c948b290662b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9fe2e517-6b4d-48b3-bce5-a44d8f74c446}\Bases\Cache\sys_critical_obj.dll.7a985f23681627a99a33ab3c0bdf1385_0

Filesize
725KB

MD5
7a985f23681627a99a33ab3c0bdf1385

SHA1
5cf4a11ce8ea6b427440fffbf4c1338e06b7c79a

SHA256
6e8f63491c98500aa9d6746bd44f002457a03eca3d1321501b7e76e1baa976c4

SHA512
bd0a195d7bc033a9b51e1b605041b9dcdb0c4abaa49961351c898355e500844be9bf192f65af9614f15ad6b474cbd474b26b995b7a371c4706131e46f49e9c51

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9fe2e517-6b4d-48b3-bce5-a44d8f74c446}\Bases\KSN\log0

Filesize
584KB

MD5
0090d68cd98a1c0ebdc9b7a6a909f52e

SHA1
bf86500cc6af06dcfd47cf92eb2dfb022f2fdc22

SHA256
86bdb178b04e95a9091bd0f07b3089a99aa9af618e9964a483474c62b595bfeb

SHA512
1d9bb870bd23aef6100969b8894d6e7a3738a62a37fbeae044d08092f983021206568fc5de00605aad1fe6aa3deabb69175aea6afcaa676fff3357290654f689

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9fe2e517-6b4d-48b3-bce5-a44d8f74c446}\Bases\SCO\log0

Filesize
810KB

MD5
229363765de004a2de108ae5b3ed8b21

SHA1
3bd09603f50614dfa0cb617d0fb2d78874db88e0

SHA256
9bf9e9b27c4ba20d1e1583084e3545f278be4ff54642f33c8cb61c74be1786c6

SHA512
52e2705b93421bb7e85c81df46839d3c79588c6971fb5699b376dfbe23fbbf1837b6467a5ec5c7ca52c80a494f9b9eb06452edd04dc5d745012d10166304fa07

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9fe2e517-6b4d-48b3-bce5-a44d8f74c446}\Bases\arkmon64.drv

Filesize
390KB

MD5
7c924dd4d20055c80007791130e2d03f

SHA1
072f004ddcc8ddf12aba64e09d7ee0ce3030973e

SHA256
406ab7d6e45dbedcfbd2d7376a643620c7462cece3e41115c8fbc07861177ec6

SHA512
ab26005da50cbf1f45129834cb661b5b97aed5637d4ebc9821c8b744ff61c3f108f423ae5628602d99b3d859e184bfb23900797538dca2891186321d832ea806

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9fe2e517-6b4d-48b3-bce5-a44d8f74c446}\Bases\certdb_v2.dat

Filesize
2.3MB

MD5
049e0c2549c1ca762b6b1b50acc89d71

SHA1
d711fd1c5114750621331664e0f6a34ab1e3781b

SHA256
b25cf878fb8bf9ca53a51648bcba21162a700e719fb1c2921f99f3ea62cf7de3

SHA512
e57b54b8215f5607586b483a3815eb2f4e6d74fb563b4292c6aebbd0d6a9de09e7ac647d9497ff87f59380b6075a6be9f8c1a834ef13f66ee1c8caec3eb391f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9fe2e517-6b4d-48b3-bce5-a44d8f74c446}\Bases\rootcertdb.dat

Filesize
730KB

MD5
926051cb0a2a35a72b3ef78a705caa8d

SHA1
39fc4903134e9db7f1a2d2c4d0b45e3f824f218f

SHA256
e14426389fcc7952f831ed97ccff75ae7225f59f98dd7f62876475983f9263fd

SHA512
bd28ac27ae8365e610d9ed2e59150e266a017933aae56efbc812a78136e67eb22372b21eab39f7f06a90879d61bf008af98149d9d5a55e40009deda28563a9f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9fe2e517-6b4d-48b3-bce5-a44d8f74c446}\DataFormats-en.xml

Filesize
23KB

MD5
595d314921d2926df0892e1bbd2d375d

SHA1
e64519c6def3c756b8ac71bde50720e137786111

SHA256
879d148eb719020a3e6261a83125b055cf79aff91ba88560da99e75658353680

SHA512
3488776442d9502a41b2c4c20841c44d2f13715d3440c30d5361092eb6f4d4e0735f47b6c8376251717ab45629d534a138d919d2633a3420add3fd809cd3c139

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9fe2e517-6b4d-48b3-bce5-a44d8f74c446}\KVRT.exe

Filesize
2.6MB

MD5
3fb0ad61548021bea60cdb1e1145ed2c

SHA1
c9b1b765249bfd76573546e92287245127a06e47

SHA256
5d1a788260891c317f9d05b3387e732af908959c5ad4f5a84e7984bee71084f1

SHA512
38269c22fda1fdee5906c2bfdfc19b77b5f6d8da2be939c6d8259b536912f8bc6f261f5c508f47ade8ab591a54aafbfbcc302219820bad19feb78fcc3586d331

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9fe2e517-6b4d-48b3-bce5-a44d8f74c446}\app_core.dll

Filesize
1.3MB

MD5
fe0964663cf9c5e4ff493198e035cc1f

SHA1
ab9b19bd0e4efa36f78d2059b4ca556521eb35cb

SHA256
ddd70011d86b8ec909295ef45f94b48b0252229b6182af9ef8a6029c30daaf39

SHA512
923cfd9143d3850357bda901f66b5292f36ff025f05b2156667873861a02d9f498a03cdb73d2c477c0055d46600628f936b70dec46d7687fe0a97cbb1c8cf0ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9fe2e517-6b4d-48b3-bce5-a44d8f74c446}\app_core_meta.dll

Filesize
619KB

MD5
81172e3cf5fc6df072b45c4f1fb6eb34

SHA1
5eb293f0fe6c55e075c5ebef4d21991546f7e504

SHA256
2a272a1990a3dfa35693adf0689512b068a831283a852f8f805cb28153115f57

SHA512
8dc4b0d5593cf2c2262b2802b60672c392dfe0e1cd757a3410e5376bbe6bf6c473428a7ca0fc1c7f0d2de5f59017d8464e7789c76999b5d7b5379209b34c1813

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9fe2e517-6b4d-48b3-bce5-a44d8f74c446}\config.esm

Filesize
51KB

MD5
184a351c4d532405206e309c10af1d15

SHA1
3cf49f2275f3f9bd8e385eddcdd04e3fc2a17352

SHA256
ef0b7e22d8f7bd06964969a7f2979a475ba1c9c34efccb0c3b9e03ae950c63f6

SHA512
9a1a3cb0e3713ba41f36f4f01f2151b0c04454a05c986215ed2cc42180994f90d10e031d77452a2d0ad5a78f15d8d31c327d0d1ee676789780e6483dbe5e0341

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9fe2e517-6b4d-48b3-bce5-a44d8f74c446}\crls\c7e6bd7fe0e4965892ad706f0d2f42e88789b8041daf5b3eea9ca41785297798

Filesize
367B

MD5
9cf88048f43fe6b203cf003706d3c609

SHA1
5a9aa718eb5369d640bf6523a7de17c09f8bfb44

SHA256
4bdbe6ea7610c570bc481e23c45c38d61e8b45062e305356108fd21f384b75bb

SHA512
1d0b42f31911ec8bd8eecc333674863794cfa2b97964cb511132f01a98afd0417b35423fb12461b10a786054f144e598f17d7546a1b17acc6c7efbce5f6f619e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9fe2e517-6b4d-48b3-bce5-a44d8f74c446}\crypto_components.dll

Filesize
1.9MB

MD5
faf8d079132fe4f01bf50a5b4dce8d00

SHA1
e7e5b6e6a1f302e6359bd0ec619fa18f81b395a2

SHA256
961c28a780b88f5a8efb9918f18b94f106e02a870d9418366e42badf0cd52716

SHA512
38d154ca6affdc3c090fb3baff82a719df3fe541d38413320e0700e661d6f86a4c8f818b8bfebd29e9d9154c7d2869354dbfc49fd901b63909ef0317952bd923

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9fe2e517-6b4d-48b3-bce5-a44d8f74c446}\crypto_components_meta.dll

Filesize
61KB

MD5
3d9d1753ed0f659e4db02e776a121862

SHA1
031fb78fe7dc211fe9e0dc8ba0027c14e84cd07f

SHA256
b6163ec9d4825102e3d423e02fb026259a6a17e7d7696ae060ec2b0ba97f54f2

SHA512
e1f50513db117c32505944bfb19fd3185b3231b6bd9f0495942bd9e80dd0f54ab575f1a2fca5e542174d3abe4106a9b5448d924c690e8548cd43aa77f6497c92

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9fe2e517-6b4d-48b3-bce5-a44d8f74c446}\crypto_ssl_1_1.dll

Filesize
2.0MB

MD5
717a092c6c1a5c129f0dd86bb69b20ba

SHA1
2a9b421678007dc7fba22f904a4e115d494e4ca8

SHA256
100619a8f1e92acc1c0002bda5dc2641b47819f7c05b92f9f1f4304a40d1caaa

SHA512
98bf0afadfc4ec588f8fe966b899e9762f5539bc479818e2d19673ecdd6ef6cfb7cd98effbf60eaef3250a56202ae43e7f574486759f4c1dfba46b32404169fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9fe2e517-6b4d-48b3-bce5-a44d8f74c446}\dbghelp.dll

Filesize
1.2MB

MD5
4003e34416ebd25e4c115d49dc15e1a7

SHA1
faf95ec65cde5bd833ce610bb8523363310ec4ad

SHA256
c06430b8cb025be506be50a756488e1bcc3827c4f45158d93e4e3eeb98ce1e4f

SHA512
88f5d417377cd62bde417640a79b6ac493e80f0c8b1f63a99378a2a67695ef8e4a541cedb91acfa296ed608e821fee466983806f0d082ed2e74b0cd93eb4fb84

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9fe2e517-6b4d-48b3-bce5-a44d8f74c446}\dblite.dll

Filesize
703KB

MD5
98b1a553c8c5944923814041e9a73b73

SHA1
3e6169af53125b6da0e69890d51785a206c89975

SHA256
6fc0104817caa1337531c9d8b284d80052770051efb76e5829895a3854ebaec8

SHA512
8ee4467bce6495f492895a9dfaedaf85b76d6d1f67d9ff5c8c27888191c322863bc29c14ae3f505336a5317af66c31354afaeb63127e7e781f5b249f1c967363

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9fe2e517-6b4d-48b3-bce5-a44d8f74c446}\dumpwriter.dll

Filesize
409KB

MD5
f56387639f201429fb31796b03251a92

SHA1
23df943598a5e92615c42fc82e66387a73b960ff

SHA256
e7eefcf569d98a5fb14a459d949756dc00faf32ed6bda1233d9d2c79ca11531c

SHA512
7bfce579b601408262c0edd342cb2cb1ef1353b6b73dce5aad540eb77f56d1184f71c56ea859bc4373aac4875b8861e2cc5d9c49518e6c40d0b2350a7ab26c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9fe2e517-6b4d-48b3-bce5-a44d8f74c446}\instrumental_services.dll

Filesize
3.4MB

MD5
c6acd1d9a80740f8a416b0a78e3fa546

SHA1
7ea7b707d58bde0d5a14d8a7723f05e04189bce7

SHA256
db8acd14ace6d4c8d4d61016debe3c0d72677416661caf0d36e7306ed020920f

SHA512
46c889f4d84e2f8dc8bfd5bdc34a346aa393fc49adcbe95bc601e6d970599f579e5cb057196061c280cbfa976989c960ac2f1830fd61c0a9166f09a6c088c20d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9fe2e517-6b4d-48b3-bce5-a44d8f74c446}\key_value_storage.dll

Filesize
158KB

MD5
9bf7f895cff1f0b9ddf5fc077bac314c

SHA1
7e9c0ce6569c6f12c57f34597b213cd4d8f55e68

SHA256
d03e0af01fbcd9ce714caf3db5ca2ab3ca4a717d5fda5c99b77e09b5672498a4

SHA512
d416cfa9446e6c92f0805278c744cf9f8ac6a2bfb96a6e0b2d65e701472ea6feaf5742ed6cef833555188a95c613499e7e14cfe5788427ec2616cfd723021a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9fe2e517-6b4d-48b3-bce5-a44d8f74c446}\klmd.sys

Filesize
368KB

MD5
990442d764ff1262c0b7be1e3088b6d3

SHA1
0b161374074ef2acc101ed23204da00a0acaa86e

SHA256
6c7ccd465090354438b39da8430a5c47e7f24768a5b12ee02fecf8763e77c9e4

SHA512
af3c6dfe32266a9d546f13559dcba7c075d074bdfdaf0e6bf2a8cae787008afa579f0d5f90e0c657dd614bb244a6d95ff8366c14b388e1f4a3ab76cccb23add4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9fe2e517-6b4d-48b3-bce5-a44d8f74c446}\klsl.sys

Filesize
87KB

MD5
a69adedb0d47cfb23f23a9562a4405bc

SHA1
9e70576571a15aaf71106ea0cd55e0973ef2dd15

SHA256
31eaa7f1f9872c63091f4b3ec5310686b1dd1e2123af17991a6b4679eda3f62d

SHA512
77abb4435d8d445f7a29cdb8a318486a96122b5cc535da7a63da0fa920980e6ad73e78b72552f6949e66b349bbdc9aa9ea202481046e478c2829c155a1045820

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9fe2e517-6b4d-48b3-bce5-a44d8f74c446}\ksn_facade.dll

Filesize
1.3MB

MD5
e6db25447957c55f3d9dac2a9a55a0f0

SHA1
a941c1a04ea07fd76b0c191e62d9621d55447cb5

SHA256
6c6305c220444294179da749d639c91bb97afd507d30a322d7c1c16ccf0ac9fc

SHA512
1a4634245990335fccfb3d4eed858f61ca40bb1a12c919b6c737cebcdbde4727a26dac0180de226ff4e7d7229e6d379500396a00f6c235495cfacf3014df099a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9fe2e517-6b4d-48b3-bce5-a44d8f74c446}\ksn_meta.dll

Filesize
333KB

MD5
ed5f35496139e9238e9ff33ca7f173b9

SHA1
ed230628b75ccf944ea2ed87317ece7ee8c377c7

SHA256
93c5feb98eb0b3a1cfe1640f6c0025c913bf79c416bebbe5ed28e1ed19341069

SHA512
eb2d3a8e246b961d31ede5a6a29a268a9b81fb8abbfa83eb8e0c12a992e36404e5829a530a7fbd4ba91ba3e0c0c6c19243e4d4740fa9bdf97a25fd629bc05aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9fe2e517-6b4d-48b3-bce5-a44d8f74c446}\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9fe2e517-6b4d-48b3-bce5-a44d8f74c446}\settings.dat

Filesize
1KB

MD5
0a30b703f7c11790ee4cb6a6b37d2b52

SHA1
0a0f62b1d8941eeccceac80faa3c5c75b615c50c

SHA256
12f2b0817e2d8ad8b1c2fae6c5ec6ea81cfcfb7c722b4d0c09058c54b46aad1b

SHA512
6d9f9ffe04e420b8555326885c528004cc71022a5b289b356eb0c1d65f1ac5b2394fb68f16700708b0ebdbd2d46893b1aa0c54795addabdbd22439c983614c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9fe2e517-6b4d-48b3-bce5-a44d8f74c446}\settings.kvdb

Filesize
11KB

MD5
173eee6007354de8cd873f59ffca955f

SHA1
395c5a7cb10d62cc4c63d2d65f849163e61cba5a

SHA256
17dfcf78dca415e3e7afac7519db911c0a93f36388c948aba40bcaa3176589a1

SHA512
465394c349dc74fd8a5c5ce5a89d65f0b0e09432d54517ea12de2bc8ccb329629dde03b0939800d30d008bedf0dca948fd84593bab7b7c8994ba041a7af1af2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9fe2e517-6b4d-48b3-bce5-a44d8f74c446}\storage.dll

Filesize
301KB

MD5
d470615822aa5c5f7078b743a676f152

SHA1
f069bfff46cf0e08b2d615d5a9a289b7c9a6b85c

SHA256
f77657ee84fd1790d0a765ed45a1c832fbeb340cce8ce9011544295c70c1b1dc

SHA512
8826f0924d4444cbe60ec5b24d89f36f6619308b4058e4790e0228614226516eb312dcceb1a3ffe8c0bee8f545efbcffe1188cbf17b9f1c7fb58dad6090be1f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9fe2e517-6b4d-48b3-bce5-a44d8f74c446}\storage.kvdb

Filesize
6KB

MD5
1a3330c4f388360e4c2b0d94fb48a788

SHA1
127ad9be38c4aa491bd1bce6458f99a27c6d465b

SHA256
01b8d0d8c7114b59f159021384c8a59535f87018a6a136a276b5a297f54d776d

SHA512
1fcd1e99e35dc4ec972ab63299637322a27b471d02175d56409a3a114db6259f9cd767ac054c7a2bba075f36ab62f19c8118c3dda93e37b7deda05aa2b260553

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9fe2e517-6b4d-48b3-bce5-a44d8f74c446}\uds.dll

Filesize
224KB

MD5
02e3b9a72890922cc85080a5039f5d01

SHA1
eef9377cf0ec0ca90b74a2f3aff47218b01bcdd8

SHA256
b3c3a0cd5a8b6b94ae8d598463bcf15c19c07d7b20ca5bb69aa561745d4e83ed

SHA512
1e40f27a67db88f5220b7862cf651e1e51a80c1cfdb8cb473af6c1e47c391b1463ca7626d41000e6b792496d997f30d27597f5642e9f8507f7a99a3a0499d6e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9fe2e517-6b4d-48b3-bce5-a44d8f74c446}\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Windows\System32\drivers\klupd_5616767da_klark.sys

Filesize
355KB

MD5
9cfe1ced0752035a26677843c0cbb4e3

SHA1
e8833ac499b41beb6763a684ba60333cdf955918

SHA256
3bdb393dfaa63b9650658d9288a1dc9a62acc0d44c2f5eab9170485356b9b634

SHA512
29e912e7e19f5ca984fb36fc38df87ed9f8eaa1b62fd0c21d75cbc7b7f16a441de3a97c40a813a8989953ff7c4045d6173066be2a6e6140c90325546b3d0773c

Download Submit
C:\Windows\System32\drivers\klupd_5616767da_klbg.sys

Filesize
199KB

MD5
424b93cb92e15e3f41e3dd01a6a8e9cc

SHA1
2897ab04f69a92218bfac78f085456f98a18bdd3

SHA256
ccb99a2eeb80cd74cc58691e7af7fce3264b941aea3d777d9e4a950b9e70b82e

SHA512
15e984a761d873eef0ab50f8292fbba771208ff97a57b131441666c6628936c29f8b1f0e04ef8e880f33ef6fccebd20db882997ca3504c9e5ea1db781b9ffb0f

Download Submit
C:\Windows\System32\drivers\klupd_5616767da_mark.sys

Filesize
260KB

MD5
66522d67917b7994ddfb5647f1c3472e

SHA1
f341b9b28ca7ac21740d4a7d20e4477dba451139

SHA256
5da15bcd1ad66b56b73994a073e8f0ff4170b9ed09c575ca1b046a59a01cc8a1

SHA512
921babab093c5bd1e0ec1615c8842081b402a491ecc744613929fa5fafde628cd9bcc1b38b70024a8fa4317aea0b0dce71cd19f44103e50d6ed7a8d9e2a55968

Download Submit
memory/2348-17-0x0000000000482000-0x000000000054B000-memory.dmp

Filesize
804KB

Download
memory/2348-1-0x0000000000400000-0x0000000000686000-memory.dmp

Filesize
2.5MB

Download
memory/2348-0-0x0000000000482000-0x000000000054B000-memory.dmp

Filesize
804KB

Download
memory/4228-13-0x00007FFF42813000-0x00007FFF42815000-memory.dmp

Filesize
8KB

Download
memory/4228-27-0x00007FFF42810000-0x00007FFF432D2000-memory.dmp

Filesize
10.8MB

Download
memory/4228-16-0x00007FFF42810000-0x00007FFF432D2000-memory.dmp

Filesize
10.8MB

Download
memory/4228-23-0x0000020064720000-0x0000020064742000-memory.dmp

Filesize
136KB

Download
memory/4228-30-0x00007FFF42810000-0x00007FFF432D2000-memory.dmp

Filesize
10.8MB

Download
memory/4508-90-0x0000000000830000-0x00000000009B8000-memory.dmp

Filesize
1.5MB

Download
memory/4508-50-0x0000000000830000-0x00000000009B8000-memory.dmp

Filesize
1.5MB

Download
memory/4508-91-0x0000000000830000-0x00000000009B8000-memory.dmp

Filesize
1.5MB

Download
memory/4508-93-0x0000000000830000-0x00000000009B8000-memory.dmp

Filesize
1.5MB

Download
memory/4508-43-0x0000000140000000-0x000000014043D000-memory.dmp

Filesize
4.2MB

Download
memory/4508-87-0x0000000000830000-0x00000000009B8000-memory.dmp

Filesize
1.5MB

Download
memory/4508-53-0x0000000000830000-0x00000000009B8000-memory.dmp

Filesize
1.5MB

Download
memory/4508-92-0x0000000000830000-0x00000000009B8000-memory.dmp

Filesize
1.5MB

Download
memory/4508-48-0x0000000000830000-0x00000000009B8000-memory.dmp

Filesize
1.5MB

Download
memory/4508-86-0x0000000000830000-0x00000000009B8000-memory.dmp

Filesize
1.5MB

Download
memory/4508-47-0x0000000000830000-0x00000000009B8000-memory.dmp

Filesize
1.5MB

Download
memory/4508-45-0x0000000000830000-0x00000000009B8000-memory.dmp

Filesize
1.5MB

Download
memory/4508-46-0x0000000000830000-0x00000000009B8000-memory.dmp

Filesize
1.5MB

Download
memory/4508-49-0x0000000000830000-0x00000000009B8000-memory.dmp

Filesize
1.5MB

Download
memory/4508-89-0x0000000000830000-0x00000000009B8000-memory.dmp

Filesize
1.5MB

Download
memory/5300-15-0x0000014486670000-0x00000144866E1000-memory.dmp

Filesize
452KB

Download
memory/5300-5-0x0000014486670000-0x00000144866E1000-memory.dmp

Filesize
452KB

Download
memory/5300-12-0x0000014486670000-0x00000144866E1000-memory.dmp

Filesize
452KB

Download
memory/5300-4-0x0000000000A90000-0x0000000000A92000-memory.dmp

Filesize
8KB

Download
memory/5300-14-0x0000014486670000-0x00000144866E1000-memory.dmp

Filesize
452KB

Download