Malware Analysis Report

2025-08-06 02:47

Sample ID 241031-cy141swmez
Target 64be2f3a38522ca4b5f4d7887cd5832363f00d1a07b8bb531424bf6e81939fce.exe
SHA256 64be2f3a38522ca4b5f4d7887cd5832363f00d1a07b8bb531424bf6e81939fce
Tags defense_evasion discovery evasion execution persistence privilege_escalation pyinstaller
Score 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Threat Level: Likely malicious

The file 64be2f3a38522ca4b5f4d7887cd5832363f00d1a07b8bb531424bf6e81939fce.exe was found to be: Likely malicious.

Malicious Activity Summary

Command and Scripting Interpreter: PowerShell

Modifies Windows Firewall

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Deletes itself

Indicator Removal: Clear Persistence

Detects Pyinstaller

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Enumerates physical storage devices

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported 2024-10-31 02:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-10-31 02:29
Reported 2024-10-31 02:33
Platform win7-20241010-en
Max time kernel 146s
Max time network 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\64be2f3a38522ca4b5f4d7887cd5832363f00d1a07b8bb531424bf6e81939fce.exe"

Signatures

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
(identical row repeated 4 times in the original report)

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe N/A
(identical row repeated 48 times in the original report)

Indicator Removal: Clear Persistence

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
(each row occurs 4 times in the original report; 12 registry accesses in total)

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe N/A
(identical row repeated 2 times in the original report)

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 2372 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\64be2f3a38522ca4b5f4d7887cd5832363f00d1a07b8bb531424bf6e81939fce.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2372 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\64be2f3a38522ca4b5f4d7887cd5832363f00d1a07b8bb531424bf6e81939fce.exe C:\Windows\system32\cmd.exe 3
PID 2656 wrote to memory of 2840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe 3
PID 2372 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\64be2f3a38522ca4b5f4d7887cd5832363f00d1a07b8bb531424bf6e81939fce.exe C:\Windows\system32\cmd.exe 3
PID 2640 wrote to memory of 1128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe 3
PID 2372 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\64be2f3a38522ca4b5f4d7887cd5832363f00d1a07b8bb531424bf6e81939fce.exe C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe 3
PID 2264 wrote to memory of 1420 N/A C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe 4
PID 2372 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\64be2f3a38522ca4b5f4d7887cd5832363f00d1a07b8bb531424bf6e81939fce.exe C:\ProgramData\Microsoft\Bound.exe 3
PID 2264 wrote to memory of 1624 N/A C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe C:\Windows\system32\WerFault.exe 3
PID 2196 wrote to memory of 356 N/A C:\ProgramData\Microsoft\Bound.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2372 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\64be2f3a38522ca4b5f4d7887cd5832363f00d1a07b8bb531424bf6e81939fce.exe C:\Windows\system32\cmd.exe 3
PID 356 wrote to memory of 2588 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\netsh.exe 3
PID 1420 wrote to memory of 2236 N/A C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe 4
PID 2196 wrote to memory of 780 N/A C:\ProgramData\Microsoft\Bound.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 780 wrote to memory of 836 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\netsh.exe 3
PID 2196 wrote to memory of 288 N/A C:\ProgramData\Microsoft\Bound.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 288 wrote to memory of 2804 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\netsh.exe 3
PID 2196 wrote to memory of 2764 N/A C:\ProgramData\Microsoft\Bound.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2764 wrote to memory of 2872 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\netsh.exe 3
PID 2196 wrote to memory of 2724 N/A C:\ProgramData\Microsoft\Bound.exe C:\Windows\system32\cmd.exe 3
PID 2724 wrote to memory of 1128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE 2
(the original report listed one row per write event, 64 rows in total; identical rows are collapsed here and counted in the Events column)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\64be2f3a38522ca4b5f4d7887cd5832363f00d1a07b8bb531424bf6e81939fce.exe

"C:\Users\Admin\AppData\Local\Temp\64be2f3a38522ca4b5f4d7887cd5832363f00d1a07b8bb531424bf6e81939fce.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft';Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Internet Explorer'"

C:\Windows\system32\cmd.exe

"cmd.exe" /c schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-ABAA-BD9C-FC4F0859F018}" /f

C:\Windows\system32\schtasks.exe

schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-ABAA-BD9C-FC4F0859F018}" /f

C:\Windows\system32\cmd.exe

"cmd.exe" /c schtasks /create /tn "MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-ABAB-BD9C-FC4F0859F018}" /tr "\"C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe\"" /sc onlogon /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks /create /tn "MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-ABAB-BD9C-FC4F0859F018}" /tr "\"C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe\"" /sc onlogon /rl HIGHEST /f

C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe

"C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe"

C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe

"C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe"

C:\ProgramData\Microsoft\Bound.exe

"C:\ProgramData\Microsoft\Bound.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2264 -s 804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=in program='C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe'"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\selfdelete.bat""

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=in "program=C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe"

C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe

"C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=out program='C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe'"

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=out "program=C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='Allow Internet Explorer Inbound' dir=in action=allow program='C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe' enable=yes profile=private,public"

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=Allow Internet Explorer Inbound" dir=in action=allow "program=C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe" enable=yes profile=private public

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='Allow Internet Explorer Outbound' dir=out action=allow program='C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe' enable=yes profile=private,public"

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=Allow Internet Explorer Outbound" dir=out action=allow "program=C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe" enable=yes profile=private public

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA988.tmp.bat""

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 2

Network

Country Destination Domain Proto
US 8.8.8.8:53 nt89s.kro.kr udp
US 8.8.8.8:53 nt89.kro.kr udp

Files

memory/2372-0-0x000007FEF6783000-0x000007FEF6784000-memory.dmp

memory/2372-1-0x0000000000810000-0x0000000003048000-memory.dmp

memory/2372-2-0x0000000025DE0000-0x0000000028632000-memory.dmp

memory/2372-7-0x000007FEF6780000-0x000007FEF716C000-memory.dmp

memory/2744-8-0x0000000002C70000-0x0000000002CF0000-memory.dmp

memory/2744-9-0x000000001B710000-0x000000001B9F2000-memory.dmp

memory/2744-10-0x00000000027A0000-0x00000000027A8000-memory.dmp

memory/2372-11-0x000007FEF6783000-0x000007FEF6784000-memory.dmp

C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe

memory/2264-20-0x00000000009B0000-0x00000000009B8000-memory.dmp

C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe

memory/2196-27-0x0000000001190000-0x0000000001198000-memory.dmp

C:\ProgramData\Microsoft\Bound.exe

\??\PIPE\srvsvc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

memory/356-82-0x00000000028E0000-0x00000000028E8000-memory.dmp

memory/356-81-0x000000001B660000-0x000000001B942000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\selfdelete.bat

memory/2372-92-0x000007FEF6780000-0x000007FEF716C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI14202\ucrtbase.dll

\Users\Admin\AppData\Local\Temp\_MEI14202\api-ms-win-core-file-l1-2-0.dll

\Users\Admin\AppData\Local\Temp\_MEI14202\api-ms-win-core-processthreads-l1-1-1.dll

\Users\Admin\AppData\Local\Temp\_MEI14202\api-ms-win-core-localization-l1-2-0.dll

\Users\Admin\AppData\Local\Temp\_MEI14202\api-ms-win-core-file-l2-1-0.dll

\Users\Admin\AppData\Local\Temp\_MEI14202\api-ms-win-core-timezone-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI14202\python37.dll

\Users\Admin\AppData\Local\Temp\_MEI14202\api-ms-win-crt-filesystem-l1-1-0.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

C:\Users\Admin\AppData\Local\Temp\_MEI14202\base_library.zip

\Users\Admin\AppData\Local\Temp\_MEI14202\api-ms-win-crt-conio-l1-1-0.dll

\Users\Admin\AppData\Local\Temp\_MEI14202\api-ms-win-crt-process-l1-1-0.dll

\Users\Admin\AppData\Local\Temp\_MEI14202\api-ms-win-crt-environment-l1-1-0.dll

\Users\Admin\AppData\Local\Temp\_MEI14202\api-ms-win-crt-time-l1-1-0.dll

\Users\Admin\AppData\Local\Temp\_MEI14202\api-ms-win-crt-locale-l1-1-0.dll

memory/780-179-0x0000000002790000-0x0000000002798000-memory.dmp

memory/780-178-0x000000001B630000-0x000000001B912000-memory.dmp

\Users\Admin\AppData\Local\Temp\_MEI14202\api-ms-win-crt-math-l1-1-0.dll

\Users\Admin\AppData\Local\Temp\_MEI14202\api-ms-win-crt-convert-l1-1-0.dll

\Users\Admin\AppData\Local\Temp\_MEI14202\api-ms-win-crt-stdio-l1-1-0.dll

\Users\Admin\AppData\Local\Temp\_MEI14202\api-ms-win-crt-heap-l1-1-0.dll

\Users\Admin\AppData\Local\Temp\_MEI14202\api-ms-win-crt-string-l1-1-0.dll

\Users\Admin\AppData\Local\Temp\_MEI14202\api-ms-win-crt-runtime-l1-1-0.dll

\Users\Admin\AppData\Local\Temp\_MEI14202\VCRUNTIME140.dll

\Users\Admin\AppData\Local\Temp\_MEI14202\_ctypes.pyd

MD5 10861d3fa19d7dc3b41eb6f837340782
SHA1 b258d223b444ab994ec2fec95acaa9f82dc3938c
SHA256 6255bab0b7f3e2209a9c8b89a3e1ec1bbc7a29849a18e70c0cf582a63c90bed1
SHA512 ec83134c9bce9cedeee8ebdb8e382fb7f944a7bc9d3bb47c7e3144ef2ef95114a36ac1cc8c0d52f434ee4c359d938a2d7c035e699c4407df728e200de7da4af9

\Users\Admin\AppData\Local\Temp\_MEI14202\python3.dll

MD5 167ebefcf1a2cb0ce7f4118fe826f58b
SHA1 5d532467d78dcc2b63848452c4f600513b4136cf
SHA256 112c98099e5e6156a8844c6c39b2136f3146e1f2221c37b9064ab7af6fdfabb7
SHA512 bcd67bf4f7e5adbd8e06a28fe3f805f79323369fbe3f37d32a513aa0336f6ffd4e1c7d978fa0480742ba1ae5d91ceb2e255e9d7033d00670e738335387f92e22

C:\Users\Admin\AppData\Local\Temp\_MEI14202\_bz2.pyd

MD5 1c52ba084a3723940c0778ab5186893a
SHA1 5150a800f217562490e25dd74d9eead992e10b2d
SHA256 cb008e0a6c65ddb5f20ab96e65285dee874468df203faeafca5e9b4a9f2918dc
SHA512 b397508607a1c7ccef88c6a941398f78ba4f97cf8a32f40764673db34c20eea61364148260d87014348613eb07e959a043b505702437e33927249899bf4522b3

C:\Users\Admin\AppData\Local\Temp\_MEI14202\numpy\core\_multiarray_umath.cp37-win32.pyd

MD5 915dc7c223a98b234eb9c5ae106be9eb
SHA1 6d2ad35e8c2c7334c99316a0b3c0d77805c9cd05
SHA256 bca7506498451c7417af0d94ae916189f256d5f72c708e572c787d3f330ab431
SHA512 ccb629807bca86a8c0c449a730cbe698908b318a629df03a81aa8b7e8e4d881da6805f670a2c22011f9974bcbaf6edf17eb68b1b1948fe7bf911731348e9f1d2

C:\Users\Admin\AppData\Local\Temp\_MEI14202\cv2\__init__.py

MD5 eab99b31f1fd18e46e6e081ba3b5c06e
SHA1 9ca76b1097d58ef9c652aebfbeff32bfec17b25b
SHA256 b05b8000c71987cd4df824c1ed134b7fcd34617665e437b1aaec128f93d7f1c3
SHA512 7c4ea4a28f7876249b503155187bd59bcd9cf18a80264c8892e59e9fd7f3d461c91afc4c3c177dba48e1dfdd0feb5705b54b504f7daa886a2a0b72fddd1e80fc

\Users\Admin\AppData\Local\Temp\_MEI14202\_lzma.pyd

MD5 f91a9f1f2efee2f5dbae42ea5d5d7153
SHA1 2575cc77b51cb080fceed9810a9f4b2903ae1384
SHA256 1f82bb06c79b6b392c92cad87ffa736377fa25cd6d10da8d61441d42c0d0101e
SHA512 df1dfb8c8cee3496a60eeeb6f0d3fe48e1de8af5d04667f9a3124b769e8edd886cc46e6e4d4b277ee5d30f9f70f6f8c755097ddd996573a6817a5bb335de919f

C:\Users\Admin\AppData\Local\Temp\_MEI14202\libopenblas.VTYUM5MXKVFE4PZZER3L7PNO6YB4XFF3.gfortran-win32.dll

MD5 2c6987a20731cd6ee6b71c66359bbb66
SHA1 082ac909de3f06a92d6e8a0eee2c66084e85fa84
SHA256 3f5bf77ea9831fb57bb1d663858946ede0c9155f4cb1d064f20cf3800448026d
SHA512 eef3cc0a24d926b8688be591d83b78f1d96be243e3a0109881e2919034bf00f9504ade6d165a6105d968612a2d79cf3e05a97bac2def0833048197ceb6d694c9

memory/2236-192-0x0000000002A60000-0x000000000413C000-memory.dmp

memory/288-198-0x000000001B790000-0x000000001BA72000-memory.dmp

memory/288-199-0x0000000001F30000-0x0000000001F38000-memory.dmp

memory/2764-204-0x000000001B590000-0x000000001B872000-memory.dmp

memory/2764-205-0x0000000001F80000-0x0000000001F88000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpA988.tmp.bat

MD5 27e37abea3e32370a2f834911a82cb76
SHA1 d887f27420bca066512e3b4ae2e13fcfb6fc83f7
SHA256 1d30fa8de4352a8c9c5f9d1ab3cc5f1dfaca762e9c032858c0c640e671bd44e6
SHA512 7351c0102e59c0764284cf6204a2ff0fe55f0076d19b0a0e82aa9aa82114d0dd127e194b98ffd68560db1ca58e461d9d8eeddcdea2b23a81ddc792884ccc54e1

memory/2236-213-0x0000000002A60000-0x000000000413C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-31 02:29

Reported

2024-10-31 02:33

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\64be2f3a38522ca4b5f4d7887cd5832363f00d1a07b8bb531424bf6e81939fce.exe"

Signatures

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\64be2f3a38522ca4b5f4d7887cd5832363f00d1a07b8bb531424bf6e81939fce.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe N/A
N/A N/A C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe N/A
N/A N/A C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe N/A
N/A N/A C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe N/A
N/A N/A C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe N/A
N/A N/A C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe N/A
N/A N/A C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe N/A
N/A N/A C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe N/A
N/A N/A C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe N/A
N/A N/A C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe N/A
N/A N/A C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe N/A
N/A N/A C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe N/A
N/A N/A C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe N/A
N/A N/A C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe N/A
N/A N/A C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe N/A
N/A N/A C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe N/A
N/A N/A C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe N/A
N/A N/A C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe N/A
N/A N/A C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe N/A
N/A N/A C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe N/A
N/A N/A C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe N/A
N/A N/A C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe N/A
N/A N/A C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe N/A
N/A N/A C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe N/A
N/A N/A C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe N/A
N/A N/A C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe N/A
N/A N/A C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe N/A
N/A N/A C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe N/A
N/A N/A C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe N/A
N/A N/A C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe N/A
N/A N/A C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe N/A

Indicator Removal: Clear Persistence

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\cmd.exe N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Note: every entry above is a read (open, query, enumerate) of HKLM\SOFTWARE\Microsoft\NetSh, the key netsh.exe consults at start-up to locate its helper DLLs; no value under it is written in this run. The signature therefore reflects netsh executing the advfirewall commands listed under Processes, not a helper DLL being registered. Before treating this as persistence, compare the values under that key on the affected host against a clean build.

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4164 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\64be2f3a38522ca4b5f4d7887cd5832363f00d1a07b8bb531424bf6e81939fce.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4164 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\64be2f3a38522ca4b5f4d7887cd5832363f00d1a07b8bb531424bf6e81939fce.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4164 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\64be2f3a38522ca4b5f4d7887cd5832363f00d1a07b8bb531424bf6e81939fce.exe C:\Windows\SYSTEM32\cmd.exe
PID 4164 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\64be2f3a38522ca4b5f4d7887cd5832363f00d1a07b8bb531424bf6e81939fce.exe C:\Windows\SYSTEM32\cmd.exe
PID 2828 wrote to memory of 2804 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2828 wrote to memory of 2804 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4164 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\64be2f3a38522ca4b5f4d7887cd5832363f00d1a07b8bb531424bf6e81939fce.exe C:\Windows\SYSTEM32\cmd.exe
PID 4164 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\64be2f3a38522ca4b5f4d7887cd5832363f00d1a07b8bb531424bf6e81939fce.exe C:\Windows\SYSTEM32\cmd.exe
PID 1964 wrote to memory of 3512 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1964 wrote to memory of 3512 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4164 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\64be2f3a38522ca4b5f4d7887cd5832363f00d1a07b8bb531424bf6e81939fce.exe C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe
PID 4164 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\64be2f3a38522ca4b5f4d7887cd5832363f00d1a07b8bb531424bf6e81939fce.exe C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe
PID 2660 wrote to memory of 4024 N/A C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
PID 2660 wrote to memory of 4024 N/A C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
PID 2660 wrote to memory of 4024 N/A C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
PID 4164 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\64be2f3a38522ca4b5f4d7887cd5832363f00d1a07b8bb531424bf6e81939fce.exe C:\ProgramData\Microsoft\Bound.exe
PID 4164 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\64be2f3a38522ca4b5f4d7887cd5832363f00d1a07b8bb531424bf6e81939fce.exe C:\ProgramData\Microsoft\Bound.exe
PID 4644 wrote to memory of 3932 N/A C:\ProgramData\Microsoft\Bound.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4644 wrote to memory of 3932 N/A C:\ProgramData\Microsoft\Bound.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3932 wrote to memory of 2764 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\netsh.exe
PID 3932 wrote to memory of 2764 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\netsh.exe
PID 4164 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\64be2f3a38522ca4b5f4d7887cd5832363f00d1a07b8bb531424bf6e81939fce.exe C:\Windows\system32\cmd.exe
PID 4164 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\64be2f3a38522ca4b5f4d7887cd5832363f00d1a07b8bb531424bf6e81939fce.exe C:\Windows\system32\cmd.exe
PID 4644 wrote to memory of 2788 N/A C:\ProgramData\Microsoft\Bound.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4644 wrote to memory of 2788 N/A C:\ProgramData\Microsoft\Bound.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4024 wrote to memory of 4920 N/A C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
PID 4024 wrote to memory of 4920 N/A C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
PID 4024 wrote to memory of 4920 N/A C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
PID 2788 wrote to memory of 5068 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\netsh.exe
PID 2788 wrote to memory of 5068 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\netsh.exe
PID 4644 wrote to memory of 4052 N/A C:\ProgramData\Microsoft\Bound.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4644 wrote to memory of 4052 N/A C:\ProgramData\Microsoft\Bound.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4052 wrote to memory of 4860 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\netsh.exe
PID 4052 wrote to memory of 4860 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\netsh.exe
PID 4644 wrote to memory of 4628 N/A C:\ProgramData\Microsoft\Bound.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4644 wrote to memory of 4628 N/A C:\ProgramData\Microsoft\Bound.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4628 wrote to memory of 4620 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\netsh.exe
PID 4628 wrote to memory of 4620 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\netsh.exe
PID 4644 wrote to memory of 704 N/A C:\ProgramData\Microsoft\Bound.exe C:\Windows\system32\cmd.exe
PID 4644 wrote to memory of 704 N/A C:\ProgramData\Microsoft\Bound.exe C:\Windows\system32\cmd.exe
PID 704 wrote to memory of 4616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 704 wrote to memory of 4616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\64be2f3a38522ca4b5f4d7887cd5832363f00d1a07b8bb531424bf6e81939fce.exe

"C:\Users\Admin\AppData\Local\Temp\64be2f3a38522ca4b5f4d7887cd5832363f00d1a07b8bb531424bf6e81939fce.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft';Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Internet Explorer'"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-ABAA-BD9C-FC4F0859F018}" /f

C:\Windows\system32\schtasks.exe

schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-ABAA-BD9C-FC4F0859F018}" /f

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c schtasks /create /tn "MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-ABAB-BD9C-FC4F0859F018}" /tr "\"C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe\"" /sc onlogon /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks /create /tn "MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-ABAB-BD9C-FC4F0859F018}" /tr "\"C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe\"" /sc onlogon /rl HIGHEST /f

C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe

"C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe"

C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe

"C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe"

C:\ProgramData\Microsoft\Bound.exe

"C:\ProgramData\Microsoft\Bound.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=in program='C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe'"

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=in "program=C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfdelete.bat""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=out program='C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe'"

C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe

"C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe"

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=out "program=C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='Allow Internet Explorer Inbound' dir=in action=allow program='C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe' enable=yes profile=private,public"

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=Allow Internet Explorer Inbound" dir=in action=allow "program=C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe" enable=yes profile=private,public

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='Allow Internet Explorer Outbound' dir=out action=allow program='C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe' enable=yes profile=private,public"

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=Allow Internet Explorer Outbound" dir=out action=allow "program=C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe" enable=yes profile=private,public

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE82D.tmp.bat""

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 2
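The process list above spells out the chain: the PyInstaller-packed sample adds Defender path exclusions for C:\ProgramData\Microsoft, deletes and re-creates a scheduled task whose name mimics the Edge updater task (note the GUIDs differ: ...ABAA... is deleted, ...ABAB... is created) to run at logon with /rl HIGHEST, launches copies named MicrosoftEdgeUpdate.exe and iexplore.exe from C:\ProgramData\Microsoft (the genuine binaries live under Program Files), and Bound.exe then rewrites the firewall to allow the fake iexplore.exe inbound and outbound on the private and public profiles; batch files in %TEMP% with a ping 127.0.0.1 -n 2 delay handle cleanup. The following is an example added to this report, not the sandbox's code: it runs a small rule set over a copy of these command lines and reports the techniques and the program paths in user-writable locations. The ATT&CK IDs are the editor's mapping of the report's signature names, and the regexes are illustrative, not a production ruleset.

```python
"""Classify the command lines recorded in the behavioral2 Processes list.
Example code added to this report; it is not part of the sandbox output."""
import re
from collections import Counter

# Command lines copied from the Processes list above (constructed example input).
SAMPLE_COMMAND_LINES = [
    r'''"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft';Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Internet Explorer'"''',
    r'''schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-ABAA-BD9C-FC4F0859F018}" /f''',
    r'''schtasks /create /tn "MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-ABAB-BD9C-FC4F0859F018}" /tr "\"C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe\"" /sc onlogon /rl HIGHEST /f''',
    r'''"C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe"''',
    r'''"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=in program='C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe'"''',
    r'''"C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=in "program=C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe"''',
    r'''"C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=Allow Internet Explorer Inbound" dir=in action=allow "program=C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe" enable=yes profile=private,public''',
    r'''C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfdelete.bat""''',
    r'''C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE82D.tmp.bat""''',
    r'''ping 127.0.0.1 -n 2''',
]

# (ATT&CK id, description, pattern). Editor's mapping of the report's signature names.
RULES = [
    ("T1059.001", "PowerShell run with -ExecutionPolicy Bypass",
     re.compile(r'powershell(\.exe)?.*-ExecutionPolicy\s+Bypass', re.I)),
    ("T1562.001", "Defender path exclusion added (Add-MpPreference)",
     re.compile(r'Add-MpPreference\s+-ExclusionPath', re.I)),
    ("T1562.004", "Windows Firewall rule added or removed via netsh",
     re.compile(r'netsh(\.exe)?"?\s+advfirewall\s+firewall\s+(add|delete|set)\s+rule', re.I)),
    ("T1053.005", "Scheduled task created",
     re.compile(r'schtasks(\.exe)?"?\s+/create\b', re.I)),
    ("T1070.009", "Scheduled task deleted (clearing an older persistence entry)",
     re.compile(r'schtasks(\.exe)?"?\s+/delete\b', re.I)),
    ("T1070.004", "Batch script in %TEMP% run through cmd /c (self-delete / cleanup)",
     re.compile(r'cmd(\.exe)?"?\s+/c\s+"*[^"]*\\Temp\\[^"]*\.bat', re.I)),
    ("T1497.003", "ping 127.0.0.1 -n N used as a sleep",
     re.compile(r'\bping(\.exe)?"?\s+127\.0\.0\.1\s+-n\s+\d+', re.I)),
]

# Paths under ProgramData or a user's AppData: writable without admin rights, so
# anything executed or whitelisted from there deserves a look.
USER_WRITABLE_PATH = re.compile(r'[A-Za-z]:\\(?:ProgramData|Users\\[^\\"\']+\\AppData)\\[^"\';]*')


def classify_cmdline(cmdline):
    """ATT&CK ids whose rule matches this command line, in RULES order."""
    return [tid for tid, _desc, rx in RULES if rx.search(cmdline)]


def user_writable_paths(cmdline):
    """Every ProgramData / AppData path mentioned in the command line."""
    return [m.group(0).rstrip("\\") for m in USER_WRITABLE_PATH.finditer(cmdline)]


def triage(cmdlines):
    """Technique counts, distinct suspicious paths, and the flagged lines themselves."""
    techniques, paths, flagged = Counter(), set(), []
    for c in cmdlines:
        ids = classify_cmdline(c)
        techniques.update(ids)
        paths.update(user_writable_paths(c))
        if ids:
            flagged.append((ids, c))
    return {"techniques": techniques, "paths": sorted(paths), "flagged": flagged}


if __name__ == "__main__":
    result = triage(SAMPLE_COMMAND_LINES)
    desc = {tid: d for tid, d, _ in RULES}
    for tid, n in result["techniques"].most_common():
        print(f"{tid}  x{n}  {desc[tid]}")
    print("\nProgram paths in user-writable locations:")
    for p in result["paths"]:
        print("  " + p)
```

The path extractor is the part that pays off on a real host: the same Add-MpPreference, schtasks /tr and netsh program= arguments can be pulled from Sysmon event 1 or 4688 command lines, and an executable whitelisted or scheduled from ProgramData or AppData is a stronger signal than any single technique match.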

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 nt89s.kro.kr udp
US 8.8.8.8:53 nt89.kro.kr udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 nt89s.kro.kr udp
US 8.8.8.8:53 nt89.kro.kr udp
US 8.8.8.8:53 nt89s.kro.kr udp
US 8.8.8.8:53 nt89.kro.kr udp
US 8.8.8.8:53 nt89s.kro.kr udp
US 8.8.8.8:53 nt89.kro.kr udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 nt89s.kro.kr udp
US 8.8.8.8:53 nt89.kro.kr udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 nt89s.kro.kr udp
US 8.8.8.8:53 nt89.kro.kr udp
US 8.8.8.8:53 nt89s.kro.kr udp
US 8.8.8.8:53 nt89.kro.kr udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 nt89s.kro.kr udp
US 8.8.8.8:53 nt89.kro.kr udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 nt89s.kro.kr udp
US 8.8.8.8:53 nt89.kro.kr udp
US 8.8.8.8:53 nt89s.kro.kr udp
US 8.8.8.8:53 nt89.kro.kr udp
US 8.8.8.8:53 nt89s.kro.kr udp
US 8.8.8.8:53 nt89.kro.kr udp
US 8.8.8.8:53 nt89s.kro.kr udp
US 8.8.8.8:53 nt89.kro.kr udp
US 8.8.8.8:53 nt89s.kro.kr udp
US 8.8.8.8:53 nt89.kro.kr udp
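The table above shows the two kro.kr hostnames looked up 13 times each, always as a pair (nt89s.kro.kr then nt89.kro.kr), with no TCP flow to either recorded, while the bing lookups are each followed by 443 connections to 150.171.27.10. That pattern fits a primary/fallback C2 name pair that did not resolve (or a dead C2) and a client retrying on a timer; the table carries no DNS response codes, so that is an inference from the absence of a flow, not an observation. The in-addr.arpa entries are reverse lookups and are not C2 evidence. The following is an example added to this report, not the sandbox's code; it runs over a copy of rows from this table and pulls out exactly that pattern. The min_queries threshold is an arbitrary example value.

```python
"""Beaconing pattern in the behavioral2 Network table.
Example code added to this report; it is not part of the sandbox output."""
from collections import Counter, defaultdict

# Rows copied from the Network table above (a subset, constructed as example input).
SAMPLE_NETWORK = """
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 nt89s.kro.kr udp
US 8.8.8.8:53 nt89.kro.kr udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 nt89s.kro.kr udp
US 8.8.8.8:53 nt89.kro.kr udp
US 8.8.8.8:53 nt89s.kro.kr udp
US 8.8.8.8:53 nt89.kro.kr udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 nt89s.kro.kr udp
US 8.8.8.8:53 nt89.kro.kr udp
"""


def parse_rows(text):
    """One dict per row of the 'Country Destination Domain Proto' table."""
    rows = []
    for line in text.strip().splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def is_dns_query(row):
    return row["proto"] == "udp" and row["port"] == 53


def is_ptr(domain):
    """Reverse lookups: background noise, never a C2 indicator on their own."""
    return domain.endswith(".in-addr.arpa") or domain.endswith(".ip6.arpa")


def summarize(text):
    """Per domain: DNS lookups, TCP flows, and the IPs those flows went to."""
    stats = defaultdict(lambda: {"dns": 0, "tcp": 0, "ips": set()})
    for r in parse_rows(text):
        s = stats[r["domain"]]
        if is_dns_query(r):
            s["dns"] += 1
        elif r["proto"] == "tcp":
            s["tcp"] += 1
            s["ips"].add(r["ip"])
    return dict(stats)


def unresolved_beacons(text, min_queries=3):
    """Names looked up at least min_queries times with no TCP flow ever recorded."""
    out = [(d, s["dns"]) for d, s in summarize(text).items()
           if not is_ptr(d) and s["dns"] >= min_queries and s["tcp"] == 0]
    return sorted(out, key=lambda x: (-x[1], x[0]))


def lockstep_pairs(text):
    """Count consecutive lookups of two different non-PTR names. A pair that
    dominates is a primary/fallback hostname pair retried together."""
    names = [r["domain"] for r in parse_rows(text)
             if is_dns_query(r) and not is_ptr(r["domain"])]
    return Counter((a, b) for a, b in zip(names, names[1:]) if a != b)


if __name__ == "__main__":
    for domain, n in unresolved_beacons(SAMPLE_NETWORK):
        print(f"{domain}: {n} lookups, no TCP flow")
    (first, second), n = lockstep_pairs(SAMPLE_NETWORK).most_common(1)[0]
    print(f"retried as a pair {n}x: {first} -> {second}")
```

On passive-DNS or resolver logs the same two functions work unchanged; add the response code (NXDOMAIN vs. an answer) as soon as the log provides it, because a name that resolves and still gets no flow means something different from one that never resolved.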

Files

memory/4164-0-0x00007FF868283000-0x00007FF868285000-memory.dmp

memory/4164-1-0x00000279E7970000-0x00000279EA1A8000-memory.dmp

memory/4164-2-0x00000279F5810000-0x00000279F8062000-memory.dmp

memory/4164-3-0x00007FF868280000-0x00007FF868D41000-memory.dmp

memory/4164-4-0x00007FF868283000-0x00007FF868285000-memory.dmp

memory/628-5-0x00007FF868280000-0x00007FF868D41000-memory.dmp

memory/628-6-0x00007FF868280000-0x00007FF868D41000-memory.dmp

memory/628-7-0x00007FF868280000-0x00007FF868D41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_idy4tpab.oci.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/628-13-0x00000164F62E0000-0x00000164F6302000-memory.dmp

memory/628-20-0x00007FF868280000-0x00007FF868D41000-memory.dmp

C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe

MD5 962db502e0db073caeb3a49fc7007776
SHA1 208876794c15ba08b3b8ecac7162355ccdabed88
SHA256 fa72704398c20844b85dab2e59c51d707eb97888845d2c3eb85ffbbf4f471c0e
SHA512 86397cbb9d270fe7be023d511cbba75b204a2d90c03ca868b96f566f55bbf4c73f06f940b060db186fdd1f77ea8887890955e9c64ef7b0384e7065a4b5ac7dff

memory/2660-35-0x000002922AC40000-0x000002922AC48000-memory.dmp

C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe

MD5 9b4b06703c314b8bd494570f443a74ae
SHA1 62c8f8d72483de243e616c4b79990ae12c863415
SHA256 7e29899f0defd73c0e89c8eb14cb736e7199165293721910dbc2426d13f3bf47
SHA512 d33da82d8c9c9b283661975c786f6d968819a6479fe8996e0d6381ec1c4fd135c85141abab30ae5e546486389ca76ddcb9c1f87cdf3791a24f3b9a1418186332

C:\ProgramData\Microsoft\Bound.exe

MD5 a1f8a5c21afc60d046c9075e41bb36a4
SHA1 e8c89980bdd3e6ff4e513a6cd6f0b9a3324976a6
SHA256 911ecfce427a97d8dc5f56bca9d4fa1c20f4ea7410d1bf0f17f002e02859b645
SHA512 acc394eede4492022cdb9f4b5a446e1624b1437e81457b4ef270393d5dfc4f4d7c7bcae748c536285b79eab20304dfcf20f6bd2ce041c1ba25bac725465aa72e

memory/4644-48-0x00000211C08A0000-0x00000211C08A8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d42b6da621e8df5674e26b799c8e2aa
SHA1 ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA256 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA512 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

memory/4164-112-0x00007FF868280000-0x00007FF868D41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\selfdelete.bat

MD5 ae5479d0bbae6b351bb3b34bfb485d84
SHA1 838a27989fb2c7c40e692769ea26a64338f0f4eb
SHA256 bfecc9a27a0cc8a1748961f697c77a184c311366aaf59a4f11843d428f50042e
SHA512 289552785f195d38be11a68318994984a3ca35fade2a6d9ddde5e496e4cd3de1319526f49d3133b0760a25776f4ba104c1f39f2f7b1bfcc08c79c431e66a5e5e

C:\Users\Admin\AppData\Local\Temp\_MEI40242\ucrtbase.dll

MD5 a924b24d71829da17e8908e05a5321e4
SHA1 fa5c69798b997c34c87a8b32130f664cdef8c124
SHA256 f32a61d91264aff96efd719915bed80785a8db4c8d881d6da28909b620fe466f
SHA512 9223ec0e6e0f70b92473e897e4fd4635a19e9ca3aff2fe7c5c065764b58e86460442991787525ed53e425ecd36f2881a6df34c35d2a0e21b7ac4bc61bf1cbeab

C:\Users\Admin\AppData\Local\Temp\_MEI40242\python37.dll

MD5 465089eaced8159ec533e4a37033e227
SHA1 074596adae6f53f33b8297f02e21f6a6f7ac6ff1
SHA256 2b29ae140cb9f08af872acf9e17f785ef99398ef3367549b55242bc064d6ae40
SHA512 55eca0922074162c22fff2b4f97bd2972540fa893b9b02b7d9bfa26345186dbbdaf1fbc37a9eba6366743d0d42fb5bb88e708877dfd57cb02ca4d3a6953cfb81

C:\Users\Admin\AppData\Local\Temp\_MEI40242\VCRUNTIME140.dll

MD5 aeab74db6bc6c914997f1a8a9ff013ec
SHA1 6b717f23227d158d6aa566498c438b8f305a29b5
SHA256 18ccb2dd8af853f4e6221bb5513e3154ef67ae61cee6ec319a8a97615987dc4b
SHA512 a2832b7720599361e2537f79a2597acb1a2d5633fdfe20a0d1075e9457683fdb1d5676d121c0bf1a825ff99512dcd924254f1151b50aae922acc0cc10f461036

C:\Users\Admin\AppData\Local\Temp\_MEI40242\base_library.zip

MD5 8386cf8add72bab03573064b6e1d89d2
SHA1 c451d2f3eed6b944543f19c5bd15ae7e8832bbd4
SHA256 2eea4b6202a6a6f61cb4d75c78be5ec2e1052897f54973797885f2c3b24d202c
SHA512 2bb61f7fac7ecc7d5654756ae8286d5fd9e2730e6ac42f3e7516f598e00fd8b9b6d3e77373994bb31d89831278e6833d379f306d52033fa5c48a786ac67da2b2

C:\Users\Admin\AppData\Local\Temp\_MEI40242\_ctypes.pyd

MD5 10861d3fa19d7dc3b41eb6f837340782
SHA1 b258d223b444ab994ec2fec95acaa9f82dc3938c
SHA256 6255bab0b7f3e2209a9c8b89a3e1ec1bbc7a29849a18e70c0cf582a63c90bed1
SHA512 ec83134c9bce9cedeee8ebdb8e382fb7f944a7bc9d3bb47c7e3144ef2ef95114a36ac1cc8c0d52f434ee4c359d938a2d7c035e699c4407df728e200de7da4af9

C:\Users\Admin\AppData\Local\Temp\_MEI40242\_lzma.pyd

MD5 f91a9f1f2efee2f5dbae42ea5d5d7153
SHA1 2575cc77b51cb080fceed9810a9f4b2903ae1384
SHA256 1f82bb06c79b6b392c92cad87ffa736377fa25cd6d10da8d61441d42c0d0101e
SHA512 df1dfb8c8cee3496a60eeeb6f0d3fe48e1de8af5d04667f9a3124b769e8edd886cc46e6e4d4b277ee5d30f9f70f6f8c755097ddd996573a6817a5bb335de919f

C:\Users\Admin\AppData\Local\Temp\_MEI40242\libopenblas.VTYUM5MXKVFE4PZZER3L7PNO6YB4XFF3.gfortran-win32.dll

MD5 2c6987a20731cd6ee6b71c66359bbb66
SHA1 082ac909de3f06a92d6e8a0eee2c66084e85fa84
SHA256 3f5bf77ea9831fb57bb1d663858946ede0c9155f4cb1d064f20cf3800448026d
SHA512 eef3cc0a24d926b8688be591d83b78f1d96be243e3a0109881e2919034bf00f9504ade6d165a6105d968612a2d79cf3e05a97bac2def0833048197ceb6d694c9

C:\Users\Admin\AppData\Local\Temp\_MEI40242\numpy\core\_multiarray_umath.cp37-win32.pyd

MD5 915dc7c223a98b234eb9c5ae106be9eb
SHA1 6d2ad35e8c2c7334c99316a0b3c0d77805c9cd05
SHA256 bca7506498451c7417af0d94ae916189f256d5f72c708e572c787d3f330ab431
SHA512 ccb629807bca86a8c0c449a730cbe698908b318a629df03a81aa8b7e8e4d881da6805f670a2c22011f9974bcbaf6edf17eb68b1b1948fe7bf911731348e9f1d2

C:\Users\Admin\AppData\Local\Temp\_MEI40242\numpy\core\_multiarray_tests.cp37-win32.pyd

MD5 f815462afc28b8ba914249775a6b5a23
SHA1 4bd5a3cfc2a15744058462e50a6d666104337107
SHA256 f43b22dfdfbd766c78c8bc337fbb9edb1553b510117d618c3005aaf536e9af12
SHA512 f0d99d629683745a95a322b0003c16b93d524d7f74e462eeed67d80732311ba45f7a6dfd6a380546186c88ac7c8c8864d9fba0acab5e85f78d74dc5206a2ff18

C:\Users\Admin\AppData\Local\Temp\_MEI40242\_socket.pyd

MD5 b3af79bbfd7d5c5285660819792a3a9c
SHA1 1fa470b280ab5751889eaa7bdb7ba37ff1270a06
SHA256 eb6132b253c40d7c3e00b2bbb392a1573075f8bbc0b2d59e2b077d2cfe8b028c
SHA512 dac7da4cd493c0753d477da222c9b1e8c2486a4b6587c7cea45661192f2d51316b6e6f3951ffbbcb83952e51ab61cc79326beacb3d5e8637d13f2831e093f124

C:\Users\Admin\AppData\Local\Temp\_MEI40242\numpy\linalg\_umath_linalg.cp37-win32.pyd

MD5 f0cbc33387601858844b5a09e8007723
SHA1 76685f939f45528c72b3f8534ef6d430bde44eda
SHA256 e6192f06b3dfd4e7bb655370a31c9b38279e0596acbc11c25d948c86738f9b4d
SHA512 3bf7275c4d0d075c0a0b0db8fc36380a3179352090c9f22ee61d2906960e2d52efa2c391a2cafd8506ca16a953cc2f150c4225602c3dc77c4ee80f49145e385e

C:\Users\Admin\AppData\Local\Temp\_MEI40242\numpy\linalg\lapack_lite.cp37-win32.pyd

MD5 a22890e1ac499d35c71ea619ccdd3952
SHA1 204055e1494d598b3ed4a80553a1947a68e30ee5
SHA256 b13eea8930bcfb37f148f6796a499f85ed7b90e58574d61239338348325a584f
SHA512 d71ff52cac6cbcc7c9c125a261b5308cdbaa3b0db11b39a7d9ed578a37a002b17b935e2fa5e6b4870a980ed9c6d894f72b8118dfc58ccdeb82bf5112cd5e2850

C:\Users\Admin\AppData\Local\Temp\_MEI40242\select.pyd

MD5 d3bf89184b94a4120f4f19f5bcd128d6
SHA1 c7f22bb0b957bd7103cf32f8958cfd2145eaa5b8
SHA256 568efdc33f1fcc1af1d030c75fccedc2d9b1fcbf49c239726e2cf49d47add902
SHA512 1da8ebf323d170c5e9f6bfbb738e60119ccc690a08234dd23f2d9c1a33519fd4ad154805b012cca3dc7565bee672d334ca877afe2b5211e2122dd6e1ce337971

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b0c56d87abcf88da216fd270b0e04efb
SHA1 ef8a73c27c039c712b2c3f65b7eef4c081786653
SHA256 191418cdac1ad3547fcc2c18d14b8c195d8a666803bccfec0313ece1a15f1afb
SHA512 8df437695ad224d4105f6beb3b4cc2a75342490a153746d3d281f2be54c14f703024343b18dcfcc6b28018cd0e6bb6788c798708abe6744a2a9430e6c30cf9a4

memory/4920-179-0x0000000003510000-0x0000000004BEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI40242\cv2\__init__.py

MD5 eab99b31f1fd18e46e6e081ba3b5c06e
SHA1 9ca76b1097d58ef9c652aebfbeff32bfec17b25b
SHA256 b05b8000c71987cd4df824c1ed134b7fcd34617665e437b1aaec128f93d7f1c3
SHA512 7c4ea4a28f7876249b503155187bd59bcd9cf18a80264c8892e59e9fd7f3d461c91afc4c3c177dba48e1dfdd0feb5705b54b504f7daa886a2a0b72fddd1e80fc

C:\Users\Admin\AppData\Local\Temp\_MEI40242\_bz2.pyd

MD5 1c52ba084a3723940c0778ab5186893a
SHA1 5150a800f217562490e25dd74d9eead992e10b2d
SHA256 cb008e0a6c65ddb5f20ab96e65285dee874468df203faeafca5e9b4a9f2918dc
SHA512 b397508607a1c7ccef88c6a941398f78ba4f97cf8a32f40764673db34c20eea61364148260d87014348613eb07e959a043b505702437e33927249899bf4522b3

C:\Users\Admin\AppData\Local\Temp\_MEI40242\python3.dll

MD5 167ebefcf1a2cb0ce7f4118fe826f58b
SHA1 5d532467d78dcc2b63848452c4f600513b4136cf
SHA256 112c98099e5e6156a8844c6c39b2136f3146e1f2221c37b9064ab7af6fdfabb7
SHA512 bcd67bf4f7e5adbd8e06a28fe3f805f79323369fbe3f37d32a513aa0336f6ffd4e1c7d978fa0480742ba1ae5d91ceb2e255e9d7033d00670e738335387f92e22

C:\Users\Admin\AppData\Local\Temp\_MEI40242\numpy\fft\_pocketfft_internal.cp37-win32.pyd

MD5 747e45624f43d16005eaf21cf8b8e732
SHA1 4fb1a83e25435f2e408631d29de01502178ab58d
SHA256 4400d8d3ae53eb785727f4386a967c91641ad9f2a40eca0d0e147ba6dec20ea4
SHA512 90c8b01108d433e1760a5c687962f3a3f7b5bd3d314d9b397d6abeaa868b6062eb5f9436e12de488e225192f412eaa8ac32fb99f7ec1eeb919ba84dc57f46d99

C:\Users\Admin\AppData\Local\Temp\_MEI40242\numpy\random\bit_generator.cp37-win32.pyd

MD5 47695af1ab112f82c90eea6359a45070
SHA1 9ff07a50541b72df8106dfbb901ac20889ec99bb
SHA256 9854825f2856a88b0ce184605431cf147b7c33ae7cf799ccbf97c4ecab65809f
SHA512 eec8945a8e918f737aeba8d4b9c1ec8ec2cdb91a4207c76bd02d7c7cdc401a04b29f4d9b0c2e2e005138e1ad18af0826fb52b490306018a759d3434ef6eb202a

C:\Users\Admin\AppData\Local\Temp\_MEI40242\_hashlib.pyd

MD5 4f51ed287bbae386090a9bcc3531b2b8
SHA1 26bd991ae8c86b6535bb618c2d20069f6d98e446
SHA256 5b6da4b43c258b459159c4fbc7ad3521b387c377c058fe77ad74ba000606d72e
SHA512 2eb2ccd8e9c333b5179cf8f9fd8520cb3d025e23a10dca3922e28521cfb9a38f9dd95f5d4f2784643eed08925d9008e5238ff9f93bdd39ee55414131186edff8

C:\Users\Admin\AppData\Local\Temp\_MEI40242\numpy\random\_bounded_integers.cp37-win32.pyd

MD5 12c576bed9265e9b2066809304175265
SHA1 d4a7b4f73e16845ec9fa1d0c4a82efe456743561
SHA256 e4f4cf6fd794793c16b51ffa9dbcae6e15edf71740a588a1fcb385fb9b18baa1
SHA512 7eddb7d9044a9dd249cf4a58512acbe8956f4840be1abf24145eac2de108c58ccf53a3f4605b8430ce67af6e7d759bb495eceeb94ec5793eef5bdf9661de00a7

C:\Users\Admin\AppData\Local\Temp\_MEI40242\numpy\random\_pcg64.cp37-win32.pyd

MD5 8df3470a00132c5fcb6bc6c116e80fc6
SHA1 50aa20885d4469966f16a01c0a962efb761e1c1f
SHA256 7a61f88a7d693d85f869ae78a9210d140de61f675580188fb992106eb4c6e17e
SHA512 9cf3da43ce994cbeee0182ae1e6c4d56e5b873c2a718d57f4c3e1fd40eecd13ed566c4c906a75f955513ab466d159e0b0696d01d263937b645990372276c05e3

C:\Users\Admin\AppData\Local\Temp\_MEI40242\numpy\random\_sfc64.cp37-win32.pyd

MD5 83658c53d0dc9a5cf872afb6b7c549eb
SHA1 c171283019b4c4386073a212155764d2d8a8236c
SHA256 fcb39f9f35d7770329818094000dfa334e3d0b4edfd851abfb0683765166ae2c
SHA512 f51aac64a797c7261f7b17216a8e89594f736b624f44e5093242948af29ae8ef87bae46ed6ff8de52ccfa6c8d391f3b7ceea29e8ace067b1632610f8d4e4a49d

C:\Users\Admin\AppData\Local\Temp\_MEI40242\numpy\random\_philox.cp37-win32.pyd

MD5 1e538508bd3dd2ec1eed553887250c08
SHA1 30a0c14d976b54ab0a0c90aead2509d7a6766198
SHA256 46660527fa1c8e7fe4e4937905170267a30522889dbc663a658e3d143b801efa
SHA512 2f239121c0c375670ca2758a1752acefff9a30e355499d88fe0d9bbf28cfccfb06e8ca379d8c35a4b9c2592d7832e6d8b7e5a877e27c2d8a81bfbc642cd8bb5e

C:\Users\Admin\AppData\Local\Temp\_MEI40242\numpy\random\_mt19937.cp37-win32.pyd

MD5 80094e5ce71d0e1d95d5dacde37c01d2
SHA1 7cd5bbef324f3878701943b5dd9256ee4ee7362e
SHA256 5eaa43bea5832386f5716f572d33e4f365e2daea16ca9e43f8cc7a3994f5b608
SHA512 e237c3e34386ecf3c03cf7bcf984ad33f76b6b330d40a70e2b7c4408b5e9378903e7c605f8e65b795d1dcd357eba5d46c320f7001dc39c36d5da82809e2ef757

C:\Users\Admin\AppData\Local\Temp\_MEI40242\libcrypto-1_1.dll

MD5 aad424a6a0ae6d6e7d4c50a1d96a17fc
SHA1 4336017ae32a48315afe1b10ff14d6159c7923bc
SHA256 3a2dba6098e77e36a9d20c647349a478cb0149020f909665d209f548dfa71377
SHA512 aa4b74b7971cb774e4ae847a226cae9d125fadc7cde4f997b7564dff4d71b590dcbc06a7103451b72b2afe3517ab46d3be099c3620c3d591ccbd1839f0e8f94a

C:\Users\Admin\AppData\Local\Temp\_MEI40242\numpy\random\_common.cp37-win32.pyd

MD5 85dcd3431f6ac186e8ebbd2b6b9feaf9
SHA1 647c56a3f2742419b98d28eea2788829c914a21a
SHA256 37d30793e220ed8038d00b41fa1f4e157f7b39eeb7201d17a54d0de8e0a055e3
SHA512 8018cb55a28cdf05902716cdbe235282497a108cf63ad0644c7936885273c7bd3219b6b3045e13889d01b719ac1b6867bffa2fe1415577217c35ff5ee4affc78

C:\Users\Admin\AppData\Local\Temp\_MEI40242\numpy\random\mtrand.cp37-win32.pyd

MD5 64daffd976f2fbfb6d586249f6c15636
SHA1 420a215f757c342967a3e481b899978bb4000849
SHA256 0d4871f762e97f34972dd824fcfde4ee92431ea406b0c8bfde0f42c6851d1e1c
SHA512 19c464673726e9707588b00db459e40d48a8913b97e6321d4509b2b7fddf3def7c38d64461ef9e32418dddb4984f0c3b1ca504636d86ed0773de4eeba7ddc73e

memory/4920-242-0x0000000003510000-0x0000000004BEC000-memory.dmp
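The Files list mixes three kinds of artifact. The PyInstaller runtime unpacked into _MEI<pid> (python37.dll and the cp37-win32 extension modules show the payload is 32-bit Python 3.7) carries hashes shared by any bundle built from the same Python installation, so those are poor indicators; the same VCRUNTIME140.dll appears under _MEI14202 (behavioral1) and _MEI40242 (behavioral2) with one hash. __PSScriptPolicyTest_*.ps1, StartupProfileData-NonInteractive and the CLR_v4.0\UsageLogs entry are side effects of PowerShell and the .NET runtime starting, not dropped files. What is worth blocking or hunting is the set under C:\ProgramData\Microsoft plus the %TEMP% batch scripts. The following is an example added to this report, not the sandbox's code; it parses a copy of entries from this list and separates those classes. The class names are the editor's.

```python
"""Pull actionable indicators out of the Files section of a sandbox report.
Example code added to this report; it is not part of the sandbox output."""
import re
from collections import defaultdict

# Entries copied from the Files list above (a subset; most hash lines omitted).
# Constructed example input in the report's own layout.
SAMPLE_FILES_TEXT = r"""
C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe
SHA256 fa72704398c20844b85dab2e59c51d707eb97888845d2c3eb85ffbbf4f471c0e

C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
SHA256 7e29899f0defd73c0e89c8eb14cb736e7199165293721910dbc2426d13f3bf47

C:\ProgramData\Microsoft\Bound.exe
MD5 a1f8a5c21afc60d046c9075e41bb36a4
SHA256 911ecfce427a97d8dc5f56bca9d4fa1c20f4ea7410d1bf0f17f002e02859b645

C:\Users\Admin\AppData\Local\Temp\selfdelete.bat
SHA256 bfecc9a27a0cc8a1748961f697c77a184c311366aaf59a4f11843d428f50042e

memory/4164-1-0x00000279E7970000-0x00000279EA1A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_idy4tpab.oci.ps1
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

C:\Users\Admin\AppData\Local\Temp\_MEI40242\python37.dll
SHA256 2b29ae140cb9f08af872acf9e17f785ef99398ef3367549b55242bc064d6ae40

C:\Users\Admin\AppData\Local\Temp\_MEI40242\VCRUNTIME140.dll
SHA256 18ccb2dd8af853f4e6221bb5513e3154ef67ae61cee6ec319a8a97615987dc4b

\Users\Admin\AppData\Local\Temp\_MEI14202\VCRUNTIME140.dll
SHA256 18ccb2dd8af853f4e6221bb5513e3154ef67ae61cee6ec319a8a97615987dc4b

C:\Users\Admin\AppData\Local\Temp\_MEI40242\numpy\core\_multiarray_umath.cp37-win32.pyd
SHA256 bca7506498451c7417af0d94ae916189f256d5f72c708e572c787d3f330ab431
"""

PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\")          # drive-qualified or bare \Users\... path
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]{32,128})$")


def parse_files_section(text):
    """List of {"path": ..., "MD5": ..., "SHA256": ...}; memory/ lines are region dumps, skipped."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("memory/"):
            continue
        if PATH_RE.match(line):
            current = {"path": line}
            entries.append(current)
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).lower()
    return entries


def classify_path(path):
    p = path.lower()
    if re.search(r"\\_mei\d+\\", p):
        return "pyinstaller-runtime"          # bootloader's unpacked runtime, not author code
    if ("__psscriptpolicytest_" in p or "\\powershell\\startupprofiledata" in p
            or "\\clr_v4.0\\usagelogs\\" in p):
        return "powershell-artifact"          # created by PowerShell / the CLR on start-up
    if "\\programdata\\" in p:
        return "dropped-payload"
    if "\\temp\\" in p and p.endswith(".bat"):
        return "dropped-script"
    return "other"


def classify_entries(entries):
    groups = defaultdict(list)
    for e in entries:
        groups[classify_path(e["path"])].append(e["path"])
    return groups


def runtime_fingerprint(entries):
    """Python version from pythonXY.dll (python3.dll is the stable-ABI stub and is ignored)
    and bitness from the cpXY-<arch> extension-module suffix."""
    fp = {}
    for e in entries:
        name = e["path"].rsplit("\\", 1)[-1].lower()
        m = re.fullmatch(r"python(\d)(\d+)\.dll", name)
        if m:
            fp["python"] = f"{m.group(1)}.{m.group(2)}"
        m = re.search(r"\.cp\d+-(win32|win_amd64)\.pyd$", name)
        if m:
            fp["arch"] = m.group(1)
    return fp


def group_by_sha256(entries):
    """Same file dropped under several paths collapses to one hash."""
    by_hash = defaultdict(list)
    for e in entries:
        if "SHA256" in e:
            by_hash[e["SHA256"]].append(e["path"])
    return by_hash


def ioc_list(entries):
    """(sha256, first path) for the classes worth blocking, deduplicated by hash."""
    seen, out = set(), []
    for e in entries:
        h = e.get("SHA256")
        if h and h not in seen and classify_path(e["path"]) in ("dropped-payload", "dropped-script"):
            seen.add(h)
            out.append((h, e["path"]))
    return out


if __name__ == "__main__":
    ents = parse_files_section(SAMPLE_FILES_TEXT)
    print(runtime_fingerprint(ents))
    for h, p in ioc_list(ents):
        print(h, p)
```

Feeding the full list through the same parser also surfaces the pairing that matters for scope: the dropped-payload hashes are what to search for across the estate, while the _MEI hashes will light up every legitimate PyInstaller application built on Python 3.7 and should stay out of a blocklist.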