lockbit | 71d0c896720e01be1b6b095fc8917bcac38f8bc8ed3caba8bf9c2a4fcdde1747

General

Target

tmp.exe
Size

484KB
MD5

8b062fa952cc294d7db09794e2d44ce0
SHA1

ce13e42217f7d0e950dd8ae5ee5ec8d5be6af177
SHA256

71d0c896720e01be1b6b095fc8917bcac38f8bc8ed3caba8bf9c2a4fcdde1747
SHA512

a6643699544db21955c927e9a7cdfd1c056c7078e27d9c68ff68865c240ff3dfd0f8aecd7f4926b9746eaa989b3cbef681e5ffd19c643cd02a7faba2534ed26d

Score

10^/10

lockbit evasion persistence ransomware suricata trojan

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Ransom Note

!!!All of your files are encrypted!!! To decrypt them send e-mail to this address: DecryptionCenter@gmail.com In case of no answer in 24h, send e-mail to this address: DecryptionCenter@outlook.com All your files will be lost on Saturday, May 28, 2022 10:10:43 PM. Your SYSTEM ID : 80B7D473 !!!Deleting "Cpriv.Loki" causes permanent data loss.

Emails

DecryptionCenter@gmail.com

DecryptionCenter@outlook.com

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\info.hta

Ransom Note

All your files have been encrypted by Loki locker! All your files have been encrypted due to a security problem with your PC. If you want to restore them, please send an email DecryptionCenter@gmail.com You have to pay for decryption in Bitcoin. The price depends on how fast you contact us. After payment we will send you the decryption tool. You have to 48 hours(2 Days) To contact or paying us After that, you have to Pay Double . In case of no answer in 24 hours (1 Day) write to this email DecryptionCenter@outlook.com Your unique ID is : 80B7D473 You only have LIMITED time to get back your files! If timer runs out and you dont pay us , all of files will be DELETED and you hard disk will be seriously DAMAGED. You will lose some of your data on day 2 in the timer. You can buy more time for pay. Just email us. THIS IS NOT A JOKE! you can wait for the timer to run out ,and watch deletion of your files :) What is our decryption guarantee? Before paying you can send us up to for free decryption. The total size of files must be less than 2Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) Attention! DO NOT pay any money before decrypting the test files. DO NOT trust any intermediary. they wont help you and you may be victim of scam. just email us , we help you in any steps. DO NOT reply to other emails. ONLY this two emails can help you. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

DecryptionCenter@gmail.com

DecryptionCenter@outlook.com

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
suricata: ET MALWARE Loki Locker Ransomware CnC Activity
suricata: ET MALWARE Loki Locker Ransomware CnC Activity
suricata
suricata: ET MALWARE Loki Locker Ransomware CnC Domain in DNS Lookup
suricata: ET MALWARE Loki Locker Ransomware CnC Domain in DNS Lookup
suricata
suricata: ET MALWARE Loki Locker Ransomware User-Agent
suricata: ET MALWARE Loki Locker Ransomware User-Agent
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

4628 bcdedit.exe
216 bcdedit.exe
Deletes System State backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

2084 wbadmin.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

1408 wbadmin.exe
Disables Task Manager via registry modification
evasion
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

tmp.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation tmp.exe

pid	process
4628	bcdedit.exe
216	bcdedit.exe

pid	process
2084	wbadmin.exe

pid	process
1408	wbadmin.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	tmp.exe

Drops startup file 3 IoCs

Processes:

tmp.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe	tmp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe	tmp.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wvtymcow.bat	tmp.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Michael Gillespie = "C:\\ProgramData\\winlogon.exe"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Michael Gillespie = "C:\\Windows\\winlogon.exe"	tmp.exe

Drops desktop.ini file(s) 28 IoCs

Processes:

tmp.exe

description	ioc	process
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	tmp.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	tmp.exe
File opened for modification	C:\Program Files\desktop.ini	tmp.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	tmp.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	tmp.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	tmp.exe
File opened for modification	C:\Users\Public\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	tmp.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	tmp.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	tmp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	tmp.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	tmp.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	tmp.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tjunlxjw.Loki"	tmp.exe

Drops file in Program Files directory 64 IoCs

Processes:

tmp.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-48.png	tmp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InkObj.dll.mui	tmp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ul-oob.xrm-ms	tmp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\FBIBLIO.DLL	tmp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\URLREDIR.DLL	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-125_contrast-white.png	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-30_altform-lightunplated.png	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreLogo.png	tmp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\illustrations.png	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp2.scale-125.png	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalMedTile.scale-200_contrast-white.png	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupWideTile.scale-125.png	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MedTile.scale-200_contrast-black.png	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\WorldClockLargeTile.contrast-black_scale-200.png	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\StoreRatingPromotion.winmd	tmp.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\Restore-My-Files.txt	tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-api-caching_ja.jar	tmp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ppd.xrm-ms	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-64_altform-lightunplated.png	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Tongue.png	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\WideTile.scale-100.png	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\AppxManifest.xml	tmp.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msadcor.dll.mui	tmp.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\Restore-My-Files.txt	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageSplashScreen.scale-100.png	tmp.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Config\Restore-My-Files.txt	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\styles\wefgallerywinrt.css	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-16_altform-lightunplated.png	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyCalendarSearch.scale-200.png	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupSmallTile.scale-100.png	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageSmallTile.scale-100.png	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\node_modules\reactxp-experimental-navigation\NavigationExperimental\assets\back-icon.png	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_2019.716.2313.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x	tmp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png	tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\eclipse.inf	tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_blu.css	tmp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ul-oob.xrm-ms	tmp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-pl.xrm-ms	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookWideTile.scale-125.png	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-16_altform-unplated_contrast-white.png	tmp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-il\ui-strings.js	tmp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\az_get.svg	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailLargeTile.scale-200.png	tmp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ja-jp\AppStore_icon.svg	tmp.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\msdasqlr.dll.mui	tmp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-phn.xrm-ms	tmp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-phn.xrm-ms	tmp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ul-oob.xrm-ms	tmp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\wordmui.msi.16.en-us.boot.tree.dat	tmp.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\REFINED\Restore-My-Files.txt	tmp.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\show_third_party_software_licenses.bat	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreWideTile.scale-100.png	tmp.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\LayersControl\Restore-My-Files.txt	tmp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_retina.png	tmp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MyriadPro-Bold.otf	tmp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sv-SE\tipresx.dll.mui	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-96_contrast-black.png	tmp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\ui-strings.js	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeBadge.scale-200.png	tmp.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Restore-My-Files.txt	tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.ja_5.5.0.165303.jar	tmp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\msipc.dll.mui	tmp.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\Restore-My-Files.txt	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\SmallTile.scale-125.png	tmp.exe

Drops file in Windows directory 5 IoCs

Processes:

tmp.exewbadmin.exe

description	ioc	process
File created	C:\Windows\winlogon.exe	tmp.exe
File opened for modification	C:\Windows\winlogon.exe	tmp.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4044 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3808 vssadmin.exe

pid	process
4044	schtasks.exe

pid	process
3808	vssadmin.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

tmp.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\Desktop\WallpaperStyle = "2"	tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\Desktop\TileWallpaper = "0"	tmp.exe

Modifies registry class 8 IoCs

Processes:

tmp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Loki	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open\command\ = "C:\\ProgramData\\z5zwlrde.exe \"%l\" "	tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Loki	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Loki\ = "Loki"	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open\command	tmp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

tmp.exe

pid	process
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe
1372	tmp.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

tmp.exevssvc.exeWMIC.exewbengine.exe

description	pid	process
Token: SeDebugPrivilege	1372	tmp.exe
Token: SeBackupPrivilege	208	vssvc.exe
Token: SeRestorePrivilege	208	vssvc.exe
Token: SeAuditPrivilege	208	vssvc.exe
Token: SeIncreaseQuotaPrivilege	328	WMIC.exe
Token: SeSecurityPrivilege	328	WMIC.exe
Token: SeTakeOwnershipPrivilege	328	WMIC.exe
Token: SeLoadDriverPrivilege	328	WMIC.exe
Token: SeSystemProfilePrivilege	328	WMIC.exe
Token: SeSystemtimePrivilege	328	WMIC.exe
Token: SeProfSingleProcessPrivilege	328	WMIC.exe
Token: SeIncBasePriorityPrivilege	328	WMIC.exe
Token: SeCreatePagefilePrivilege	328	WMIC.exe
Token: SeBackupPrivilege	328	WMIC.exe
Token: SeRestorePrivilege	328	WMIC.exe
Token: SeShutdownPrivilege	328	WMIC.exe
Token: SeDebugPrivilege	328	WMIC.exe
Token: SeSystemEnvironmentPrivilege	328	WMIC.exe
Token: SeRemoteShutdownPrivilege	328	WMIC.exe
Token: SeUndockPrivilege	328	WMIC.exe
Token: SeManageVolumePrivilege	328	WMIC.exe
Token: 33	328	WMIC.exe
Token: 34	328	WMIC.exe
Token: 35	328	WMIC.exe
Token: 36	328	WMIC.exe
Token: SeBackupPrivilege	1356	wbengine.exe
Token: SeRestorePrivilege	1356	wbengine.exe
Token: SeSecurityPrivilege	1356	wbengine.exe
Token: SeIncreaseQuotaPrivilege	328	WMIC.exe
Token: SeSecurityPrivilege	328	WMIC.exe
Token: SeTakeOwnershipPrivilege	328	WMIC.exe
Token: SeLoadDriverPrivilege	328	WMIC.exe
Token: SeSystemProfilePrivilege	328	WMIC.exe
Token: SeSystemtimePrivilege	328	WMIC.exe
Token: SeProfSingleProcessPrivilege	328	WMIC.exe
Token: SeIncBasePriorityPrivilege	328	WMIC.exe
Token: SeCreatePagefilePrivilege	328	WMIC.exe
Token: SeBackupPrivilege	328	WMIC.exe
Token: SeRestorePrivilege	328	WMIC.exe
Token: SeShutdownPrivilege	328	WMIC.exe
Token: SeDebugPrivilege	328	WMIC.exe
Token: SeSystemEnvironmentPrivilege	328	WMIC.exe
Token: SeRemoteShutdownPrivilege	328	WMIC.exe
Token: SeUndockPrivilege	328	WMIC.exe
Token: SeManageVolumePrivilege	328	WMIC.exe
Token: 33	328	WMIC.exe
Token: 34	328	WMIC.exe
Token: 35	328	WMIC.exe
Token: 36	328	WMIC.exe
Token: SeDebugPrivilege	1372	tmp.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

tmp.execmd.execsc.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1372 wrote to memory of 876	1372	tmp.exe	cmd.exe
PID 1372 wrote to memory of 876	1372	tmp.exe	cmd.exe
PID 1372 wrote to memory of 1292	1372	tmp.exe	csc.exe
PID 1372 wrote to memory of 1292	1372	tmp.exe	csc.exe
PID 876 wrote to memory of 4044	876	cmd.exe	schtasks.exe
PID 876 wrote to memory of 4044	876	cmd.exe	schtasks.exe
PID 1292 wrote to memory of 4392	1292	csc.exe	cvtres.exe
PID 1292 wrote to memory of 4392	1292	csc.exe	cvtres.exe
PID 1372 wrote to memory of 2792	1372	tmp.exe	cmd.exe
PID 1372 wrote to memory of 2792	1372	tmp.exe	cmd.exe
PID 1372 wrote to memory of 3304	1372	tmp.exe	cmd.exe
PID 1372 wrote to memory of 3304	1372	tmp.exe	cmd.exe
PID 1372 wrote to memory of 4060	1372	tmp.exe	cmd.exe
PID 1372 wrote to memory of 4060	1372	tmp.exe	cmd.exe
PID 1372 wrote to memory of 4760	1372	tmp.exe	cmd.exe
PID 1372 wrote to memory of 4760	1372	tmp.exe	cmd.exe
PID 1372 wrote to memory of 3880	1372	tmp.exe	cmd.exe
PID 1372 wrote to memory of 3880	1372	tmp.exe	cmd.exe
PID 1372 wrote to memory of 4764	1372	tmp.exe	cmd.exe
PID 1372 wrote to memory of 4764	1372	tmp.exe	cmd.exe
PID 1372 wrote to memory of 3372	1372	tmp.exe	cmd.exe
PID 1372 wrote to memory of 3372	1372	tmp.exe	cmd.exe
PID 1372 wrote to memory of 2340	1372	tmp.exe	cmd.exe
PID 1372 wrote to memory of 2340	1372	tmp.exe	cmd.exe
PID 2792 wrote to memory of 3808	2792	cmd.exe	vssadmin.exe
PID 2792 wrote to memory of 3808	2792	cmd.exe	vssadmin.exe
PID 3304 wrote to memory of 2084	3304	cmd.exe	wbadmin.exe
PID 3304 wrote to memory of 2084	3304	cmd.exe	wbadmin.exe
PID 4764 wrote to memory of 4628	4764	cmd.exe	bcdedit.exe
PID 4764 wrote to memory of 4628	4764	cmd.exe	bcdedit.exe
PID 4060 wrote to memory of 328	4060	cmd.exe	WMIC.exe
PID 4060 wrote to memory of 328	4060	cmd.exe	WMIC.exe
PID 3880 wrote to memory of 216	3880	cmd.exe	bcdedit.exe
PID 3880 wrote to memory of 216	3880	cmd.exe	bcdedit.exe
PID 4760 wrote to memory of 1408	4760	cmd.exe	wbadmin.exe
PID 4760 wrote to memory of 1408	4760	cmd.exe	wbadmin.exe
PID 3372 wrote to memory of 4052	3372	cmd.exe	netsh.exe
PID 3372 wrote to memory of 4052	3372	cmd.exe	netsh.exe
PID 2340 wrote to memory of 4772	2340	cmd.exe	netsh.exe
PID 2340 wrote to memory of 4772	2340	cmd.exe	netsh.exe
PID 1372 wrote to memory of 5028	1372	tmp.exe	mshta.exe
PID 1372 wrote to memory of 5028	1372	tmp.exe	mshta.exe
PID 1372 wrote to memory of 5028	1372	tmp.exe	mshta.exe
PID 1372 wrote to memory of 3808	1372	tmp.exe	mshta.exe
PID 1372 wrote to memory of 3808	1372	tmp.exe	mshta.exe
PID 1372 wrote to memory of 3808	1372	tmp.exe	mshta.exe
PID 1372 wrote to memory of 328	1372	tmp.exe	mshta.exe
PID 1372 wrote to memory of 328	1372	tmp.exe	mshta.exe
PID 1372 wrote to memory of 328	1372	tmp.exe	mshta.exe
PID 1372 wrote to memory of 3292	1372	tmp.exe	mshta.exe
PID 1372 wrote to memory of 3292	1372	tmp.exe	mshta.exe
PID 1372 wrote to memory of 3292	1372	tmp.exe	mshta.exe
PID 1372 wrote to memory of 3096	1372	tmp.exe	mshta.exe
PID 1372 wrote to memory of 3096	1372	tmp.exe	mshta.exe
PID 1372 wrote to memory of 3096	1372	tmp.exe	mshta.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Encrypted by Loki locker"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your files have been encrypted due to a security problem with your computer\r\nIf you want to restore them, write us to the e-mail: DecryptionCenter@gmail.com\r\nWrite this ID in the title of your message: 80B7D473\r\nIn case of no answer in 24 hours write us to this e-mail: DecryptionCenter@outlook.com"	tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1372

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:4044

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z3clf3pj\z3clf3pj.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES19B2.tmp" "c:\ProgramData\CSCC4B5ECF2E09B44A7BB84836E8E6D7B94.TMP"
3⤵
PID:4392

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:3808

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin DELETE SYSTEMSTATEBACKUP
2⤵
- Suspicious use of WriteProcessMemory
PID:3304

C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP
3⤵
- Deletes System State backups
- Drops file in Windows directory
PID:2084

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
2⤵
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:328

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:4760

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:1408

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C netsh advfirewall set currentprofile state off
2⤵
- Suspicious use of WriteProcessMemory
PID:3372

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
PID:4052

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C netsh firewall set opmode mode=disable
2⤵
- Suspicious use of WriteProcessMemory
PID:2340

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
3⤵
PID:4772

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
2⤵
- Suspicious use of WriteProcessMemory
PID:4764

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:4628

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:3880

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:216

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:5028

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:3808

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:328

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:3292

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:3096

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1356

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2164

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:1432

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

2

T1059

Scheduled Task

1

T1053

Persistence

Modify Existing Service

2

T1031

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

4

T1112

Disabling Security Tools

1

T1089

File Deletion

4

T1107

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

5

T1490

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\z5zwlrde.exe
Filesize
32KB

MD5
1c5051c9e064f3dfb0088a3d852281a0

SHA1
e7bcf4b0ec8bb459cffaf8c691ca36a18b403da8

SHA256
a6d1a4fb561ebd5bfc0eac7b22978bb0b0f2004a42fb52a11364e6b1ae25d1a2

SHA512
67dc59d6cb157d507cb01fe3a746994cc597bdab134950da9c020af71d204c3235b8fb899437c00a2dad58ad4acc9428f2915faab697e9a829df5450a8b8dd74

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES19B2.tmp
Filesize
29KB

MD5
56e8a9728a42943903552b125f94dc95

SHA1
764c0ddf259e8a514941edb00c645aaea150a99f

SHA256
ab97366ea67260f1d07a54520d40fb161c4dac1aea625d0c2c345b893172e7cb

SHA512
f16fdaf4f371c069394fcdf0bd2a0e2dc4252ffbdbefab038f3f8ae26d9003be5aca950ad237a5f46fbf731c79eb65d293e2e253b1240f36b4503f29297696a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\info.hta
Filesize
3KB

MD5
f31024709650ffcc3e0576849d068b1c

SHA1
894a3226eba49173fdf7adfe9d0a41ac9879c392

SHA256
3e358980a2ea52465feaaaa7668befa90ca26b520a51d1ce28541c534a4615c3

SHA512
2c5e33b52ade0899fb7467ee733eb3d8add0e7b4d077bca9942cee37164f37b82f23f820e367a3993db21b91317d42aae8e63cceff6b16dbdcea7831dd8d44ce

Download Submit
\??\c:\ProgramData\CSCC4B5ECF2E09B44A7BB84836E8E6D7B94.TMP
Filesize
28KB

MD5
d8780092762a525157b7bd01d55adeec

SHA1
f78ff65954c9e8090bd31aeb222d0c0010df7178

SHA256
7f215eb4e5694aed3bff7d9855d2718281dec8ac3d80d6db6773d66f45f64e4e

SHA512
388e1b85f06f7f87675b68df76a50639fcf3b677d7207ec134f420f5af36729bd05472636ebfdfce3920048aa88a8c7366b279549323481587e45cfeffa63acf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0ia4orha.ico
Filesize
27KB

MD5
dbc49b5f7714255217080c2e81f05a99

SHA1
4de2ef415d66d2bb8b389ba140a468b125388e19

SHA256
6d2f1f6164cbd331b9dc43b37948372e21b2ee45407aa99e199693835cded09c

SHA512
29a65eb7403bfc220fd057c2e6ea11b29bff545dfce2d3370ad462c66b03ae7f648efd480305423a49440de199a2a94c41214877b226a42dc2d1650683d149bb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z3clf3pj\z3clf3pj.0.cs
Filesize
1KB

MD5
8f062ded0c36d22e73ce2fb77df8304a

SHA1
ae89a5daf9ee054c2f3e2add2d00446ae894b478

SHA256
b3e950f1dd0336ad0de7fc4650245dd7eff1b172663442393a8876baa86b03ab

SHA512
6eac41dfaad2622b7d6aba41da2e32df8f4af39414f6859b11a98f963e33613fb526d095405f18f053e0500264d2c97f76c3022d4764570ed9d6b7a2eb2db9a1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z3clf3pj\z3clf3pj.cmdline
Filesize
236B

MD5
2065791ac23528d813061be1cd2eb55d

SHA1
15e7c5bef2c287abec9edd0c08efb7d64078fbc7

SHA256
7d2a5b7d17ae9b684b9a6c135dc9a8ccb0fcdb4a3455494123f1ac445bd9f233

SHA512
91873c61910a2c77044a27a2e5717cfd5d44ca0d92990ad127617c024b04f7179c4c4bb5944eb9db50cf4e49ee407097972b09dfbcd934d4426c1690e54d65d8

Download Submit
memory/216-155-0x0000000000000000-mapping.dmp

Download
memory/328-161-0x0000000000000000-mapping.dmp

Download
memory/328-154-0x0000000000000000-mapping.dmp

Download
memory/876-133-0x0000000000000000-mapping.dmp

Download
memory/1292-134-0x0000000000000000-mapping.dmp

Download
memory/1372-132-0x00007FFD52380000-0x00007FFD52E41000-memory.dmp

Filesize
10.8MB

Download
memory/1372-131-0x000000001CF00000-0x000000001CF76000-memory.dmp

Filesize
472KB

Download
memory/1372-130-0x0000000000900000-0x0000000000982000-memory.dmp

Filesize
520KB

Download
memory/1408-156-0x0000000000000000-mapping.dmp

Download
memory/2084-152-0x0000000000000000-mapping.dmp

Download
memory/2340-150-0x0000000000000000-mapping.dmp

Download
memory/2792-143-0x0000000000000000-mapping.dmp

Download
memory/3096-163-0x0000000000000000-mapping.dmp

Download
memory/3292-162-0x0000000000000000-mapping.dmp

Download
memory/3304-144-0x0000000000000000-mapping.dmp

Download
memory/3372-149-0x0000000000000000-mapping.dmp

Download
memory/3808-151-0x0000000000000000-mapping.dmp

Download
memory/3808-160-0x0000000000000000-mapping.dmp

Download
memory/3880-147-0x0000000000000000-mapping.dmp

Download
memory/4044-135-0x0000000000000000-mapping.dmp

Download
memory/4052-157-0x0000000000000000-mapping.dmp

Download
memory/4060-145-0x0000000000000000-mapping.dmp

Download
memory/4392-139-0x0000000000000000-mapping.dmp

Download
memory/4628-153-0x0000000000000000-mapping.dmp

Download
memory/4760-146-0x0000000000000000-mapping.dmp

Download
memory/4764-148-0x0000000000000000-mapping.dmp

Download
memory/4772-158-0x0000000000000000-mapping.dmp

Download
memory/5028-159-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads