Overview

overview

10

Static

static

1

BBQ.html

windows7-x64

1

BBQ.html

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-05-2024 09:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BBQ.html

  • Size

    21KB

  • MD5

    10b8faa7c6df2ea9cd4845ca2bcb7252

  • SHA1

    4462a99a4f41ab622e2ea0c161a8dd79f73eacf7

  • SHA256

    3f76c7416a51ba3f2bd3fc67e87b9a29dc833943b444170cbfe2687f0c6b165b

  • SHA512

    16528e1ba46890192a90f0e3600a6aefe0329dee4496acbedba587a66994dc8d09c7cf8ee91dd218b95016dae9fe680ab7ea52283ea62a518b6cc15d39f9b5df

  • SSDEEP

    384:bbg5xWgrGaXdQ+vTMCpgexi1WFDmwtygLXT8OZru12ttkDo5gM0rxMjfSSVsBEK7:bbg5xWgrdtQ+vTMCpgaiAFDmwt3DAOZ+

Score
10/10
lokibotcollectionexecutionspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://spencerstuartllc.top/evie2/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 58 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\BBQ.html
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2660
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc314346f8,0x7ffc31434708,0x7ffc31434718
      2⤵
        PID:4488
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,16649941055276258484,6129257517795682312,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
        2⤵
          PID:4832
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,16649941055276258484,6129257517795682312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1836
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,16649941055276258484,6129257517795682312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
          2⤵
            PID:4512
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16649941055276258484,6129257517795682312,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
            2⤵
              PID:4504
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16649941055276258484,6129257517795682312,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
              2⤵
                PID:1120
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16649941055276258484,6129257517795682312,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
                2⤵
                  PID:2944
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,16649941055276258484,6129257517795682312,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5180 /prefetch:8
                  2⤵
                    PID:1448
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16649941055276258484,6129257517795682312,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
                    2⤵
                      PID:1188
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,16649941055276258484,6129257517795682312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:3904
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16649941055276258484,6129257517795682312,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
                      2⤵
                        PID:5044
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16649941055276258484,6129257517795682312,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
                        2⤵
                          PID:4628
                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,16649941055276258484,6129257517795682312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
                          2⤵
                            PID:4356
                          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,16649941055276258484,6129257517795682312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
                            2⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:4568
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16649941055276258484,6129257517795682312,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
                            2⤵
                              PID:4248
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16649941055276258484,6129257517795682312,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
                              2⤵
                                PID:3132
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,16649941055276258484,6129257517795682312,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3280 /prefetch:2
                                2⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:4780
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:2084
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:3088
                                • C:\Windows\system32\OpenWith.exe
                                  C:\Windows\system32\OpenWith.exe -Embedding
                                  1⤵
                                  • Modifies registry class
                                  • Suspicious behavior: GetForegroundWindowSpam
                                  • Suspicious use of SetWindowsHookEx
                                  PID:5704
                                • C:\Windows\System32\rundll32.exe
                                  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                  1⤵
                                    PID:5996
                                  • C:\Windows\system32\OpenWith.exe
                                    C:\Windows\system32\OpenWith.exe -Embedding
                                    1⤵
                                    • Modifies registry class
                                    • Suspicious use of SetWindowsHookEx
                                    PID:6136
                                  • C:\Program Files\7-Zip\7zG.exe
                                    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap11938:106:7zEvent13702
                                    1⤵
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of FindShellTrayWindow
                                    PID:536
                                  • C:\Users\Admin\Downloads\Documents_details_info.exe
                                    "C:\Users\Admin\Downloads\Documents_details_info.exe"
                                    1⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Suspicious use of SetThreadContext
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:3088
                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads\Documents_details_info.exe"
                                      2⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:5812
                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JJPGquDyHol.exe"
                                      2⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:3192
                                    • C:\Windows\SysWOW64\schtasks.exe
                                      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JJPGquDyHol" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8A2A.tmp"
                                      2⤵
                                      • Creates scheduled task(s)
                                      PID:5928
                                    • C:\Users\Admin\Downloads\Documents_details_info.exe
                                      "C:\Users\Admin\Downloads\Documents_details_info.exe"
                                      2⤵
                                      • Executes dropped EXE
                                      PID:5948
                                    • C:\Users\Admin\Downloads\Documents_details_info.exe
                                      "C:\Users\Admin\Downloads\Documents_details_info.exe"
                                      2⤵
                                      • Executes dropped EXE
                                      • Accesses Microsoft Outlook profiles
                                      • Suspicious use of AdjustPrivilegeToken
                                      • outlook_office_path
                                      • outlook_win_path
                                      PID:5968

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                                    Filesize

                                    2KB

                                    MD5

                                    968cb9309758126772781b83adb8a28f

                                    SHA1

                                    8da30e71accf186b2ba11da1797cf67f8f78b47c

                                    SHA256

                                    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

                                    SHA512

                                    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\2c8ea0cc-d021-473c-b910-6ed1adff360f.tmp
                                    Filesize

                                    11KB

                                    MD5

                                    311ad2429b2c63e01893fd64e5c55f04

                                    SHA1

                                    7defb300627ac955160ad9248087134e2f58ee7b

                                    SHA256

                                    31388d95e96e58defcd2c04afbb835c5ebbf34d413073832311d1083a8ec2e3c

                                    SHA512

                                    8c736139db69a43331eac92dd71ab603d916f713d84a1afed66eb8f2f39f0e75b1738b5c508575e186f4578bfad6678b002bb52e793541ffeba265d413db36b2

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                    Filesize

                                    152B

                                    MD5

                                    c9c4c494f8fba32d95ba2125f00586a3

                                    SHA1

                                    8a600205528aef7953144f1cf6f7a5115e3611de

                                    SHA256

                                    a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b

                                    SHA512

                                    9d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                    Filesize

                                    152B

                                    MD5

                                    4dc6fc5e708279a3310fe55d9c44743d

                                    SHA1

                                    a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2

                                    SHA256

                                    a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8

                                    SHA512

                                    5874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                    Filesize

                                    184B

                                    MD5

                                    9a0bbc08341d476952df1fc83490c7b2

                                    SHA1

                                    e18018cfe45e678b67e36bb8336ad0cc6d57a329

                                    SHA256

                                    0e84ba3474ab29ba18a0bf1c8ee48fce2358e70de9cd9298430e573efd403b66

                                    SHA512

                                    4d6e1ba302517d2b429b66e18409e4a37eed75dce9905113bb6e8d181321000cc8b4bc1a1c987dfb252ae6abec7b41c1ea334bf69af863aa6afa4e232197ee71

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                    Filesize

                                    5KB

                                    MD5

                                    82317ad5140ac463eed5a9abfe78dab4

                                    SHA1

                                    7bc93772f5ffe3a2b2302a1ee170774db01527fc

                                    SHA256

                                    6c289e538aa76368bfcd34006c1a08a1e6e341d1adf7e2db2d74136ea1ea76db

                                    SHA512

                                    d59c7584ff70c0b8c3761234bd9990589830e950c9734d88d311f21733df9638443f577c08d3fec93b1013df6dbe303da4d4c84962d7277e1140c23f7b7162b1

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                    Filesize

                                    6KB

                                    MD5

                                    319ccc1bbfa085ed12b388c5a75808a3

                                    SHA1

                                    2bc9239804693eb63f1cbcc5c4946ab9b29bf31a

                                    SHA256

                                    ff3d01988b86bbcb1cf550dc12da250ba3d01bca304a6bc7a9b787fc6c3219e5

                                    SHA512

                                    770621f06ef5808a5524de61cc9e3eba927708b5f26c750c402768a709b8588a7ac3e2b27ae10724e0eb2625fa55062259ca40824ac453f77dffe793a98a22ff

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                    Filesize

                                    16B

                                    MD5

                                    206702161f94c5cd39fadd03f4014d98

                                    SHA1

                                    bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                    SHA256

                                    1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                    SHA512

                                    0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                    Filesize

                                    16B

                                    MD5

                                    46295cac801e5d4857d09837238a6394

                                    SHA1

                                    44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                    SHA256

                                    0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                    SHA512

                                    8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                    Filesize

                                    11KB

                                    MD5

                                    db4d875da4811044187610b555934cf0

                                    SHA1

                                    245a0fe144504104c57cc3df45ef302ab44923ad

                                    SHA256

                                    244279748463d345d00b72286812c150a063c343cbe1824e335659bf79dfd303

                                    SHA512

                                    3422bb07a3f59b655ccf1c56c9b9f3fe447e8df0eb82f0b1981dc826af407fd538f0cec0763bdf8cc7683a6feeb7482a712eb42b40f3378774b760c59a782a33

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                    Filesize

                                    18KB

                                    MD5

                                    6fc12000458073d3ce94098607db63e8

                                    SHA1

                                    a3514d3d9f2de98a3e898f7f85e8d00afb68d57a

                                    SHA256

                                    6233961d6d4179ee98e65b6352d355b4523cf7216ebab6eaf7d60784fca6f70b

                                    SHA512

                                    300e5abd3d9dad90992dbef97e41eccf1efe510624b30ae74e6116d5bfd6eec2a04f803d68ba83d00b24128bed40befc2518bfa9e12774ddaa0ffd634290978f

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1y3fqjaq.1dh.ps1
                                    Filesize

                                    60B

                                    MD5

                                    d17fe0a3f47be24a6453e9ef58c94641

                                    SHA1

                                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                    SHA256

                                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                    SHA512

                                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\tmp8A2A.tmp
                                    Filesize

                                    1KB

                                    MD5

                                    dd6ab538dec2c0cc1d894405620f7f5e

                                    SHA1

                                    250b3ae493145b7ad49c27e3bfd36aa32ffaea15

                                    SHA256

                                    0f58ff7ea93545952bdb0a2ed4820961770e170e1029a895d4dda1ba7f8f10c8

                                    SHA512

                                    c0212b298ef7fe32cfdefa30d214fe65d5d8d806534744970192e8ccfac9d8c7b2028d66a938420e774bb19c8cfc0bdf23b1c8abc1eadd3093e64158479742e9

                                    Download Submit

                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3571316656-3665257725-2415531812-1000\0f5007522459c86e95ffcc62f32308f1_a47c70d8-7adc-4ad7-994f-644a8c84c176
                                    Filesize

                                    46B

                                    MD5

                                    d898504a722bff1524134c6ab6a5eaa5

                                    SHA1

                                    e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

                                    SHA256

                                    878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

                                    SHA512

                                    26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

                                    Download Submit

                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3571316656-3665257725-2415531812-1000\0f5007522459c86e95ffcc62f32308f1_a47c70d8-7adc-4ad7-994f-644a8c84c176
                                    Filesize

                                    46B

                                    MD5

                                    c07225d4e7d01d31042965f048728a0a

                                    SHA1

                                    69d70b340fd9f44c89adb9a2278df84faa9906b7

                                    SHA256

                                    8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

                                    SHA512

                                    23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

                                    Download Submit

                                  • C:\Users\Admin\Downloads\Documents_details_info.exe
                                    Filesize

                                    711KB

                                    MD5

                                    8442630945fb45d52873adb092715013

                                    SHA1

                                    477b80dcb20332c8883efda37fa5aca7a0daf4af

                                    SHA256

                                    864951bb748b7cf1dac9a0a2801ea3db551bfc3d32f19fa2dae3861d52b6427c

                                    SHA512

                                    5122b722be109c51ffc79b4c4ab21275c508adad731aa196d9e518479877df7db7ed37f4d6f442fdb8827b4670ef7abc8706d36ccaf6f2ae0223043efd706d7d

                                    Download Submit

                                  • C:\Users\Admin\Downloads\Documents_details_info.rar
                                    Filesize

                                    575KB

                                    MD5

                                    6aee8cc5fe616daf2c72025f6f0e8256

                                    SHA1

                                    2dc910f2fd34f06e8ea7644cb59f871bc81e7500

                                    SHA256

                                    0973a20a76fb293002cb75b439b30838afe9257cfb0aa9d0b93b02a032fd6ac9

                                    SHA512

                                    466c41c36a80e331fbc43944a23fb0ce415b94da7c9a8f5a695a0c68d99a6ed17be5976496aebb343c3e3fcc7383c662ab21e3befdc26f02c5d2acbd0b9a32ba

                                    Download Submit

                                  • memory/3088-109-0x0000000004CC0000-0x0000000004D52000-memory.dmp

                                    Filesize

                                    584KB

                                    Download

                                  • memory/3088-111-0x0000000006340000-0x00000000063C0000-memory.dmp

                                    Filesize

                                    512KB

                                    Download

                                  • memory/3088-122-0x0000000006620000-0x0000000006682000-memory.dmp

                                    Filesize

                                    392KB

                                    Download

                                  • memory/3088-107-0x0000000000220000-0x00000000002D8000-memory.dmp

                                    Filesize

                                    736KB

                                    Download

                                  • memory/3088-108-0x0000000005320000-0x00000000058C4000-memory.dmp

                                    Filesize

                                    5.6MB

                                    Download

                                  • memory/3088-110-0x0000000004CA0000-0x0000000004CAA000-memory.dmp

                                    Filesize

                                    40KB

                                    Download

                                  • memory/3088-123-0x0000000008CB0000-0x0000000008D4C000-memory.dmp

                                    Filesize

                                    624KB

                                    Download

                                  • memory/3088-112-0x0000000004ED0000-0x0000000004EEE000-memory.dmp

                                    Filesize

                                    120KB

                                    Download

                                  • memory/3088-121-0x0000000005300000-0x0000000005310000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/3192-203-0x0000000007870000-0x000000000788E000-memory.dmp

                                    Filesize

                                    120KB

                                    Download

                                  • memory/3192-171-0x0000000006240000-0x0000000006594000-memory.dmp

                                    Filesize

                                    3.3MB

                                    Download

                                  • memory/3192-152-0x00000000059D0000-0x0000000005FF8000-memory.dmp

                                    Filesize

                                    6.2MB

                                    Download

                                  • memory/3192-234-0x0000000007EE0000-0x0000000007EE8000-memory.dmp

                                    Filesize

                                    32KB

                                    Download

                                  • memory/3192-222-0x0000000007DC0000-0x0000000007DD1000-memory.dmp

                                    Filesize

                                    68KB

                                    Download

                                  • memory/3192-209-0x0000000008210000-0x000000000888A000-memory.dmp

                                    Filesize

                                    6.5MB

                                    Download

                                  • memory/3192-186-0x0000000006E70000-0x0000000006EA2000-memory.dmp

                                    Filesize

                                    200KB

                                    Download

                                  • memory/3192-187-0x00000000734F0000-0x000000007353C000-memory.dmp

                                    Filesize

                                    304KB

                                    Download

                                  • memory/5812-188-0x00000000734F0000-0x000000007353C000-memory.dmp

                                    Filesize

                                    304KB

                                    Download

                                  • memory/5812-181-0x0000000006400000-0x000000000641E000-memory.dmp

                                    Filesize

                                    120KB

                                    Download

                                  • memory/5812-208-0x00000000075E0000-0x0000000007683000-memory.dmp

                                    Filesize

                                    652KB

                                    Download

                                  • memory/5812-210-0x0000000007720000-0x000000000773A000-memory.dmp

                                    Filesize

                                    104KB

                                    Download

                                  • memory/5812-182-0x0000000006490000-0x00000000064DC000-memory.dmp

                                    Filesize

                                    304KB

                                    Download

                                  • memory/5812-211-0x0000000007790000-0x000000000779A000-memory.dmp

                                    Filesize

                                    40KB

                                    Download

                                  • memory/5812-221-0x00000000079A0000-0x0000000007A36000-memory.dmp

                                    Filesize

                                    600KB

                                    Download

                                  • memory/5812-154-0x0000000005430000-0x0000000005452000-memory.dmp

                                    Filesize

                                    136KB

                                    Download

                                  • memory/5812-156-0x0000000005CA0000-0x0000000005D06000-memory.dmp

                                    Filesize

                                    408KB

                                    Download

                                  • memory/5812-155-0x0000000005B80000-0x0000000005BE6000-memory.dmp

                                    Filesize

                                    408KB

                                    Download

                                  • memory/5812-231-0x0000000007950000-0x000000000795E000-memory.dmp

                                    Filesize

                                    56KB

                                    Download

                                  • memory/5812-232-0x0000000007960000-0x0000000007974000-memory.dmp

                                    Filesize

                                    80KB

                                    Download

                                  • memory/5812-233-0x0000000007A60000-0x0000000007A7A000-memory.dmp

                                    Filesize

                                    104KB

                                    Download

                                  • memory/5812-151-0x0000000004E30000-0x0000000004E66000-memory.dmp

                                    Filesize

                                    216KB

                                    Download

                                  • memory/5968-229-0x0000000000400000-0x00000000004A2000-memory.dmp

                                    Filesize

                                    648KB

                                    Download

                                  • memory/5968-177-0x0000000000400000-0x00000000004A2000-memory.dmp

                                    Filesize

                                    648KB

                                    Download

                                  • memory/5968-180-0x0000000000400000-0x00000000004A2000-memory.dmp

                                    Filesize

                                    648KB

                                    Download

                                  • memory/5968-250-0x0000000000400000-0x00000000004A2000-memory.dmp

                                    Filesize

                                    648KB

                                    Download