lokibot | a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9

General

Target

a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
Size

23KB
MD5

9a1b6f469ae1ed4f63973d0d681bf203
SHA1

a3ed922ee5d0f1eca5f44ec35310600334ce89e4
SHA256

a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9
SHA512

69057211d2cfb78aff88e49b033a4b2255f45525c8a9daffbc8d6357256e5d0557ea69fdd276a99c7f261b6cca2b8f19337fa09037d5bddfe6ccdd2bc1833495

Score

10^/10

lokibot evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://51.195.53.221/p.php/cfOoZYb0LXPms

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe\""	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe

Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe

Drops startup file 2 IoCs

Processes:

a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe

Windows security modification 2 TTPs 11 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe = "0"	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe = "0"	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe"	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe"	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

Processes:

a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe

pid	process
1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe

description	pid	process	target process
PID 1212 set thread context of 2760	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 set thread context of 2688	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 set thread context of 3784	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 set thread context of 2872	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 set thread context of 4176	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4196 2688 WerFault.exe a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe

pid	pid_target	process	target process
4196	2688	WerFault.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
3892	powershell.exe
2604	powershell.exe
2916	powershell.exe
3448	powershell.exe
3892	powershell.exe
2916	powershell.exe
2604	powershell.exe
3448	powershell.exe
2916	powershell.exe
3892	powershell.exe
2604	powershell.exe
3448	powershell.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe

pid process

2760 a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe

pid	process
2760	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exepowershell.exepowershell.exepowershell.exepowershell.exea995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe

description	pid	process
Token: SeDebugPrivilege	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
Token: SeDebugPrivilege	3892	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	3448	powershell.exe
Token: SeDebugPrivilege	2760	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe

C:\Users\Admin\AppData\Local\Temp\a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
"C:\Users\Admin\AppData\Local\Temp\a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe"
1⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3892

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3448

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Users\Admin\AppData\Local\Temp\a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
"C:\Users\Admin\AppData\Local\Temp\a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe"
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Users\Admin\AppData\Local\Temp\a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
"C:\Users\Admin\AppData\Local\Temp\a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe"
2⤵
PID:2688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 96
3⤵
- Program crash
PID:4196

C:\Users\Admin\AppData\Local\Temp\a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
"C:\Users\Admin\AppData\Local\Temp\a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe"
2⤵
PID:2872

C:\Users\Admin\AppData\Local\Temp\a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
"C:\Users\Admin\AppData\Local\Temp\a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe"
2⤵
PID:4176

C:\Users\Admin\AppData\Local\Temp\a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
"C:\Users\Admin\AppData\Local\Temp\a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe"
2⤵
PID:3784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

5

T1112

Disabling Security Tools

3

T1089

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

2

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c01116e433925cf2630629ef08599ba9

SHA1
4a8da29bd0395f896dd6f06f28fe84bfd17ca7be

SHA256
1e6ebb14eff71d4b366a350220c64b45d59afee80740691948ac5c82f9a78d01

SHA512
bc309c4888a135b2f61debbe7e408d28e4ee9660535e283538cad51dcfcf5ab05275414cd5449c9de19c28e9d0a5947c5c4b9636012d74ff730cab2da23a2e67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
05bcc23b6ab0d1cb265be53c1f4c1254

SHA1
a6d2dd4c84a6496685e58a553c5a97ea78a20038

SHA256
8ef2f4ec6099be9ac0d2fad5b2b1556a42c19f8fd23a66c98f65a664d844f5f4

SHA512
9ca413a43550eb68ea9e7a2276c75c32b6e91e6c780cd17a58a1e6d692c10526ebc53dc72c197a8f4aade0c7ed0d58736a9673781121aa344d51ec5dda8566be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
42e6af868b15d1c5a9cb7059739264e3

SHA1
6120b50fdcbd762cd5b12c3df303e661d54cfe3a

SHA256
3779182ab2eaff1b908d5ad768b08d6c125ffc03321aca81b517fcb69ea3d6f7

SHA512
be66b54e834d309f39f8c05333eff7d2627a9c76de77fbc13ef70ccb354df4500f40d4bcf43235b9d7157f18a2443e198016be0ab4cee783217797a7777e991e

Download Submit
memory/1212-6-0x0000000004880000-0x0000000004881000-memory.dmp

Filesize
4KB

Download
memory/1212-8-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/1212-9-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/1212-10-0x0000000005920000-0x0000000005979000-memory.dmp

Filesize
356KB

Download
memory/1212-11-0x00000000059F0000-0x00000000059F1000-memory.dmp

Filesize
4KB

Download
memory/1212-7-0x0000000004920000-0x0000000004921000-memory.dmp

Filesize
4KB

Download
memory/1212-2-0x0000000073290000-0x000000007397E000-memory.dmp

Filesize
6.9MB

Download
memory/1212-5-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/1212-3-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/1212-58-0x0000000005FB0000-0x0000000005FB1000-memory.dmp

Filesize
4KB

Download
memory/2604-15-0x0000000000000000-mapping.dmp

Download
memory/2604-51-0x00000000064C2000-0x00000000064C3000-memory.dmp

Filesize
4KB

Download
memory/2604-108-0x0000000007E40000-0x0000000007E41000-memory.dmp

Filesize
4KB

Download
memory/2604-43-0x00000000064C0000-0x00000000064C1000-memory.dmp

Filesize
4KB

Download
memory/2604-114-0x0000000008D10000-0x0000000008D11000-memory.dmp

Filesize
4KB

Download
memory/2604-24-0x0000000073290000-0x000000007397E000-memory.dmp

Filesize
6.9MB

Download
memory/2604-104-0x000000007F840000-0x000000007F841000-memory.dmp

Filesize
4KB

Download
memory/2604-132-0x0000000008E00000-0x0000000008E01000-memory.dmp

Filesize
4KB

Download
memory/2604-129-0x00000000064C3000-0x00000000064C4000-memory.dmp

Filesize
4KB

Download
memory/2604-83-0x0000000008980000-0x00000000089B3000-memory.dmp

Filesize
204KB

Download
memory/2688-37-0x00000000004139DE-mapping.dmp

Download
memory/2760-32-0x00000000004139DE-mapping.dmp

Download
memory/2760-30-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2872-49-0x00000000004139DE-mapping.dmp

Download
memory/2916-113-0x000000007F510000-0x000000007F511000-memory.dmp

Filesize
4KB

Download
memory/2916-76-0x0000000008350000-0x0000000008351000-memory.dmp

Filesize
4KB

Download
memory/2916-39-0x0000000006C52000-0x0000000006C53000-memory.dmp

Filesize
4KB

Download
memory/2916-13-0x0000000000000000-mapping.dmp

Download
memory/2916-16-0x0000000073290000-0x000000007397E000-memory.dmp

Filesize
6.9MB

Download
memory/2916-140-0x0000000008EB0000-0x0000000008EB1000-memory.dmp

Filesize
4KB

Download
memory/2916-19-0x0000000006C50000-0x0000000006C51000-memory.dmp

Filesize
4KB

Download
memory/2916-128-0x0000000006C53000-0x0000000006C54000-memory.dmp

Filesize
4KB

Download
memory/2916-124-0x0000000009590000-0x0000000009591000-memory.dmp

Filesize
4KB

Download
memory/2916-18-0x0000000006AC0000-0x0000000006AC1000-memory.dmp

Filesize
4KB

Download
memory/2916-22-0x0000000007290000-0x0000000007291000-memory.dmp

Filesize
4KB

Download
memory/3448-25-0x0000000073290000-0x000000007397E000-memory.dmp

Filesize
6.9MB

Download
memory/3448-56-0x0000000006CB2000-0x0000000006CB3000-memory.dmp

Filesize
4KB

Download
memory/3448-48-0x0000000006CB0000-0x0000000006CB1000-memory.dmp

Filesize
4KB

Download
memory/3448-14-0x0000000000000000-mapping.dmp

Download
memory/3448-131-0x0000000006CB3000-0x0000000006CB4000-memory.dmp

Filesize
4KB

Download
memory/3448-118-0x000000007E2A0000-0x000000007E2A1000-memory.dmp

Filesize
4KB

Download
memory/3784-45-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/3784-42-0x00000000004139DE-mapping.dmp

Download
memory/3892-31-0x0000000007790000-0x0000000007791000-memory.dmp

Filesize
4KB

Download
memory/3892-21-0x0000000007340000-0x0000000007341000-memory.dmp

Filesize
4KB

Download
memory/3892-70-0x0000000008690000-0x0000000008691000-memory.dmp

Filesize
4KB

Download
memory/3892-109-0x000000007EFC0000-0x000000007EFC1000-memory.dmp

Filesize
4KB

Download
memory/3892-130-0x0000000007343000-0x0000000007344000-memory.dmp

Filesize
4KB

Download
memory/3892-41-0x0000000007342000-0x0000000007343000-memory.dmp

Filesize
4KB

Download
memory/3892-17-0x0000000073290000-0x000000007397E000-memory.dmp

Filesize
6.9MB

Download
memory/3892-38-0x0000000008160000-0x0000000008161000-memory.dmp

Filesize
4KB

Download
memory/3892-33-0x0000000007FB0000-0x0000000007FB1000-memory.dmp

Filesize
4KB

Download
memory/3892-68-0x00000000080B0000-0x00000000080B1000-memory.dmp

Filesize
4KB

Download
memory/3892-12-0x0000000000000000-mapping.dmp

Download
memory/4176-57-0x00000000004139DE-mapping.dmp

Download
memory/4196-63-0x0000000004570000-0x0000000004571000-memory.dmp

Filesize
4KB

Download

description	pid	process	target process
PID 1212 wrote to memory of 3892	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	powershell.exe
PID 1212 wrote to memory of 3892	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	powershell.exe
PID 1212 wrote to memory of 3892	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	powershell.exe
PID 1212 wrote to memory of 2916	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	powershell.exe
PID 1212 wrote to memory of 2916	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	powershell.exe
PID 1212 wrote to memory of 2916	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	powershell.exe
PID 1212 wrote to memory of 3448	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	powershell.exe
PID 1212 wrote to memory of 3448	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	powershell.exe
PID 1212 wrote to memory of 3448	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	powershell.exe
PID 1212 wrote to memory of 2604	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	powershell.exe
PID 1212 wrote to memory of 2604	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	powershell.exe
PID 1212 wrote to memory of 2604	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	powershell.exe
PID 1212 wrote to memory of 2760	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 2760	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 2760	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 2760	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 2760	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 2760	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 2760	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 2760	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 2760	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 2760	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 2688	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 2688	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 2688	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 2688	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 3784	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 3784	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 3784	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 3784	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 3784	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 3784	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 3784	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 3784	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 3784	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 3784	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 2872	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 2872	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 2872	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 2872	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 2872	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 2872	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 2872	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 2872	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 2872	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 2872	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 4176	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 4176	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 4176	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 4176	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 4176	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 4176	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 4176	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 4176	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 4176	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
PID 1212 wrote to memory of 4176	1212	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe	a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads