lockbit | 71d0c896720e01be1b6b095fc8917bcac38f8bc8ed3caba8bf9c2a4fcdde1747

General

Target

tmp.exe
Size

484KB
MD5

8b062fa952cc294d7db09794e2d44ce0
SHA1

ce13e42217f7d0e950dd8ae5ee5ec8d5be6af177
SHA256

71d0c896720e01be1b6b095fc8917bcac38f8bc8ed3caba8bf9c2a4fcdde1747
SHA512

a6643699544db21955c927e9a7cdfd1c056c7078e27d9c68ff68865c240ff3dfd0f8aecd7f4926b9746eaa989b3cbef681e5ffd19c643cd02a7faba2534ed26d

Score

10^/10

lockbit evasion persistence ransomware suricata trojan

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Ransom Note

!!!All of your files are encrypted!!! To decrypt them send e-mail to this address: DecryptionCenter@gmail.com In case of no answer in 24h, send e-mail to this address: DecryptionCenter@outlook.com All your files will be lost on Saturday, June 4, 2022 6:59:47 PM. Your SYSTEM ID : 1095E964 !!!Deleting "Cpriv.Loki" causes permanent data loss.

Emails

DecryptionCenter@gmail.com

DecryptionCenter@outlook.com

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\info.hta

Ransom Note

All your files have been encrypted by Loki locker! All your files have been encrypted due to a security problem with your PC. If you want to restore them, please send an email DecryptionCenter@gmail.com You have to pay for decryption in Bitcoin. The price depends on how fast you contact us. After payment we will send you the decryption tool. You have to 48 hours(2 Days) To contact or paying us After that, you have to Pay Double . In case of no answer in 24 hours (1 Day) write to this email DecryptionCenter@outlook.com Your unique ID is : 1095E964 You only have LIMITED time to get back your files! If timer runs out and you dont pay us , all of files will be DELETED and you hard disk will be seriously DAMAGED. You will lose some of your data on day 2 in the timer. You can buy more time for pay. Just email us. THIS IS NOT A JOKE! you can wait for the timer to run out ,and watch deletion of your files :) What is our decryption guarantee? Before paying you can send us up to for free decryption. The total size of files must be less than 2Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) Attention! DO NOT pay any money before decrypting the test files. DO NOT trust any intermediary. they wont help you and you may be victim of scam. just email us , we help you in any steps. DO NOT reply to other emails. ONLY this two emails can help you. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

DecryptionCenter@gmail.com

DecryptionCenter@outlook.com

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
suricata: ET MALWARE Loki Locker Ransomware CnC Activity
suricata: ET MALWARE Loki Locker Ransomware CnC Activity
suricata
suricata: ET MALWARE Loki Locker Ransomware CnC Domain in DNS Lookup
suricata: ET MALWARE Loki Locker Ransomware CnC Domain in DNS Lookup
suricata
suricata: ET MALWARE Loki Locker Ransomware User-Agent
suricata: ET MALWARE Loki Locker Ransomware User-Agent
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

5636 bcdedit.exe
5588 bcdedit.exe
Deletes System State backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

5600 wbadmin.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

3592 wbadmin.exe
Disables Task Manager via registry modification
evasion
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

tmp.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation tmp.exe

pid	process
5636	bcdedit.exe
5588	bcdedit.exe

pid	process
5600	wbadmin.exe

pid	process
3592	wbadmin.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	tmp.exe

Drops startup file 3 IoCs

Processes:

tmp.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe	tmp.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wvtymcow.bat	tmp.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe	tmp.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Michael Gillespie = "C:\\Windows\\winlogon.exe"	tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Michael Gillespie = "C:\\ProgramData\\winlogon.exe"	tmp.exe

Drops desktop.ini file(s) 28 IoCs

Processes:

tmp.exe

description	ioc	process
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	tmp.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	tmp.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	tmp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	tmp.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	tmp.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	tmp.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	tmp.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	tmp.exe
File opened for modification	C:\Users\Public\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	tmp.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	tmp.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	tmp.exe
File opened for modification	C:\Program Files\desktop.ini	tmp.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	tmp.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	tmp.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4j311ty1.Loki"	tmp.exe

Drops file in Program Files directory 64 IoCs

Processes:

tmp.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\km-KH\View3d\3DViewerProductDescription-universal.xml	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.scale-400.png	tmp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART7.BDR	tmp.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\Restore-My-Files.txt	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fa-IR\View3d\3DViewerProductDescription-universal.xml	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\SmallTile.scale-100.png	tmp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\progress.gif	tmp.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\zh-cn\Restore-My-Files.txt	tmp.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\nl.pak	tmp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_2019.807.41.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Dark.scale-100.png	tmp.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\SmallLogo.png	tmp.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\Restore-My-Files.txt	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_altform-unplated_contrast-black.png	tmp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\es-es\ui-strings.js	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-40_altform-lightunplated.png	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x64__8wekyb3d8bbwe\logo.png	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Microsoft.Graphics.Canvas.winmd	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\Undo.png	tmp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\scan-2x.png	tmp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\checkmark-2x.png	tmp.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\high-contrast.css	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-200_contrast-high.png	tmp.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\de-de\Restore-My-Files.txt	tmp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-oob.xrm-ms	tmp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\LoanAmortization.xltx	tmp.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\Restore-My-Files.txt	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\is-IS\View3d\3DViewerProductDescription-universal.xml	tmp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\IRIS\IRIS.INF	tmp.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-100_contrast-black.png	tmp.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\Restore-My-Files.txt	tmp.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ca-es\Restore-My-Files.txt	tmp.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\nl-nl\Restore-My-Files.txt	tmp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sk-SK\tipresx.dll.mui	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\152.png	tmp.exe
File created	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\Assets\Restore-My-Files.txt	tmp.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Restore-My-Files.txt	tmp.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\en-US\wmplayer.exe.mui	tmp.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Comprehensive\Restore-My-Files.txt	tmp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\s_thumbnailview_18.svg	tmp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fi-fi\ui-strings.js	tmp.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Notifications\Restore-My-Files.txt	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-200_contrast-white.png	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\PeopleAppStoreLogo.scale-125.png	tmp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-114x114-precomposed.png	tmp.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images\Restore-My-Files.txt	tmp.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\Restore-My-Files.txt	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-32.png	tmp.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\Restore-My-Files.txt	tmp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\da-dk\AppStore_icon.svg	tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaSansDemiBold.ttf	tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerActionExceptionHandlers.exsd	tmp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\orcl7.xsl	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppUpdate.svg	tmp.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\Restore-My-Files.txt	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageStoreLogo.scale-150_contrast-black.png	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-96_altform-unplated.png	tmp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons.png	tmp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul-oob.xrm-ms	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Moustache.png	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-30_altform-unplated.png	tmp.exe

Drops file in Windows directory 2 IoCs

Processes:

tmp.exe

description ioc process

File created C:\Windows\winlogon.exe tmp.exe
File opened for modification C:\Windows\winlogon.exe tmp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\winlogon.exe	tmp.exe
File opened for modification	C:\Windows\winlogon.exe	tmp.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5940 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3688 vssadmin.exe

pid	process
5940	schtasks.exe

pid	process
3688	vssadmin.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

tmp.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\Desktop\WallpaperStyle = "2"	tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\Desktop\TileWallpaper = "0"	tmp.exe

Modifies registry class 8 IoCs

Processes:

tmp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Loki	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Loki\ = "Loki"	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open\command	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Loki	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open\command\ = "C:\\ProgramData\\kwiwnuqg.exe \"%l\" "	tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	tmp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

tmp.exe

pid	process
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe
4668	tmp.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

tmp.exeWMIC.exevssvc.exewbengine.exe

description	pid	process
Token: SeDebugPrivilege	4668	tmp.exe
Token: SeIncreaseQuotaPrivilege	2244	WMIC.exe
Token: SeSecurityPrivilege	2244	WMIC.exe
Token: SeTakeOwnershipPrivilege	2244	WMIC.exe
Token: SeLoadDriverPrivilege	2244	WMIC.exe
Token: SeSystemProfilePrivilege	2244	WMIC.exe
Token: SeSystemtimePrivilege	2244	WMIC.exe
Token: SeProfSingleProcessPrivilege	2244	WMIC.exe
Token: SeIncBasePriorityPrivilege	2244	WMIC.exe
Token: SeCreatePagefilePrivilege	2244	WMIC.exe
Token: SeBackupPrivilege	2244	WMIC.exe
Token: SeRestorePrivilege	2244	WMIC.exe
Token: SeShutdownPrivilege	2244	WMIC.exe
Token: SeDebugPrivilege	2244	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2244	WMIC.exe
Token: SeRemoteShutdownPrivilege	2244	WMIC.exe
Token: SeUndockPrivilege	2244	WMIC.exe
Token: SeManageVolumePrivilege	2244	WMIC.exe
Token: 33	2244	WMIC.exe
Token: 34	2244	WMIC.exe
Token: 35	2244	WMIC.exe
Token: 36	2244	WMIC.exe
Token: SeBackupPrivilege	5632	vssvc.exe
Token: SeRestorePrivilege	5632	vssvc.exe
Token: SeAuditPrivilege	5632	vssvc.exe
Token: SeBackupPrivilege	4656	wbengine.exe
Token: SeRestorePrivilege	4656	wbengine.exe
Token: SeSecurityPrivilege	4656	wbengine.exe
Token: SeIncreaseQuotaPrivilege	2244	WMIC.exe
Token: SeSecurityPrivilege	2244	WMIC.exe
Token: SeTakeOwnershipPrivilege	2244	WMIC.exe
Token: SeLoadDriverPrivilege	2244	WMIC.exe
Token: SeSystemProfilePrivilege	2244	WMIC.exe
Token: SeSystemtimePrivilege	2244	WMIC.exe
Token: SeProfSingleProcessPrivilege	2244	WMIC.exe
Token: SeIncBasePriorityPrivilege	2244	WMIC.exe
Token: SeCreatePagefilePrivilege	2244	WMIC.exe
Token: SeBackupPrivilege	2244	WMIC.exe
Token: SeRestorePrivilege	2244	WMIC.exe
Token: SeShutdownPrivilege	2244	WMIC.exe
Token: SeDebugPrivilege	2244	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2244	WMIC.exe
Token: SeRemoteShutdownPrivilege	2244	WMIC.exe
Token: SeUndockPrivilege	2244	WMIC.exe
Token: SeManageVolumePrivilege	2244	WMIC.exe
Token: 33	2244	WMIC.exe
Token: 34	2244	WMIC.exe
Token: 35	2244	WMIC.exe
Token: 36	2244	WMIC.exe
Token: SeDebugPrivilege	4668	tmp.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

tmp.execmd.execsc.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4668 wrote to memory of 5720	4668	tmp.exe	cmd.exe
PID 4668 wrote to memory of 5720	4668	tmp.exe	cmd.exe
PID 4668 wrote to memory of 5696	4668	tmp.exe	csc.exe
PID 4668 wrote to memory of 5696	4668	tmp.exe	csc.exe
PID 5720 wrote to memory of 5940	5720	cmd.exe	schtasks.exe
PID 5720 wrote to memory of 5940	5720	cmd.exe	schtasks.exe
PID 5696 wrote to memory of 6024	5696	csc.exe	cvtres.exe
PID 5696 wrote to memory of 6024	5696	csc.exe	cvtres.exe
PID 4668 wrote to memory of 532	4668	tmp.exe	cmd.exe
PID 4668 wrote to memory of 532	4668	tmp.exe	cmd.exe
PID 4668 wrote to memory of 1944	4668	tmp.exe	cmd.exe
PID 4668 wrote to memory of 1944	4668	tmp.exe	cmd.exe
PID 4668 wrote to memory of 5216	4668	tmp.exe	cmd.exe
PID 4668 wrote to memory of 5216	4668	tmp.exe	cmd.exe
PID 4668 wrote to memory of 6112	4668	tmp.exe	cmd.exe
PID 4668 wrote to memory of 6112	4668	tmp.exe	cmd.exe
PID 4668 wrote to memory of 5040	4668	tmp.exe	cmd.exe
PID 4668 wrote to memory of 5040	4668	tmp.exe	cmd.exe
PID 4668 wrote to memory of 3944	4668	tmp.exe	cmd.exe
PID 4668 wrote to memory of 3944	4668	tmp.exe	cmd.exe
PID 4668 wrote to memory of 5348	4668	tmp.exe	cmd.exe
PID 4668 wrote to memory of 5348	4668	tmp.exe	cmd.exe
PID 4668 wrote to memory of 2472	4668	tmp.exe	cmd.exe
PID 4668 wrote to memory of 2472	4668	tmp.exe	cmd.exe
PID 532 wrote to memory of 3688	532	cmd.exe	vssadmin.exe
PID 532 wrote to memory of 3688	532	cmd.exe	vssadmin.exe
PID 6112 wrote to memory of 3592	6112	cmd.exe	wbadmin.exe
PID 6112 wrote to memory of 3592	6112	cmd.exe	wbadmin.exe
PID 3944 wrote to memory of 5636	3944	cmd.exe	bcdedit.exe
PID 3944 wrote to memory of 5636	3944	cmd.exe	bcdedit.exe
PID 5216 wrote to memory of 2244	5216	cmd.exe	WMIC.exe
PID 5216 wrote to memory of 2244	5216	cmd.exe	WMIC.exe
PID 1944 wrote to memory of 5600	1944	cmd.exe	wbadmin.exe
PID 1944 wrote to memory of 5600	1944	cmd.exe	wbadmin.exe
PID 5348 wrote to memory of 3656	5348	cmd.exe	netsh.exe
PID 5348 wrote to memory of 3656	5348	cmd.exe	netsh.exe
PID 5040 wrote to memory of 5588	5040	cmd.exe	bcdedit.exe
PID 5040 wrote to memory of 5588	5040	cmd.exe	bcdedit.exe
PID 2472 wrote to memory of 4684	2472	cmd.exe	netsh.exe
PID 2472 wrote to memory of 4684	2472	cmd.exe	netsh.exe
PID 4668 wrote to memory of 5712	4668	tmp.exe	mshta.exe
PID 4668 wrote to memory of 5712	4668	tmp.exe	mshta.exe
PID 4668 wrote to memory of 5712	4668	tmp.exe	mshta.exe
PID 4668 wrote to memory of 6016	4668	tmp.exe	mshta.exe
PID 4668 wrote to memory of 6016	4668	tmp.exe	mshta.exe
PID 4668 wrote to memory of 6016	4668	tmp.exe	mshta.exe
PID 4668 wrote to memory of 6048	4668	tmp.exe	mshta.exe
PID 4668 wrote to memory of 6048	4668	tmp.exe	mshta.exe
PID 4668 wrote to memory of 6048	4668	tmp.exe	mshta.exe
PID 4668 wrote to memory of 5892	4668	tmp.exe	mshta.exe
PID 4668 wrote to memory of 5892	4668	tmp.exe	mshta.exe
PID 4668 wrote to memory of 5892	4668	tmp.exe	mshta.exe
PID 4668 wrote to memory of 6100	4668	tmp.exe	mshta.exe
PID 4668 wrote to memory of 6100	4668	tmp.exe	mshta.exe
PID 4668 wrote to memory of 6100	4668	tmp.exe	mshta.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Encrypted by Loki locker"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your files have been encrypted due to a security problem with your computer\r\nIf you want to restore them, write us to the e-mail: DecryptionCenter@gmail.com\r\nWrite this ID in the title of your message: 1095E964\r\nIn case of no answer in 24 hours write us to this e-mail: DecryptionCenter@outlook.com"	tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4668

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:5720

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:5940

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\duug14l2\duug14l2.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:5696

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6E79.tmp" "c:\ProgramData\CSCC35B4BAE327346C49246E3A5B5D8F9B8.TMP"
3⤵
PID:6024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:532

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:3688

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin DELETE SYSTEMSTATEBACKUP
2⤵
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP
3⤵
- Deletes System State backups
PID:5600

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
2⤵
- Suspicious use of WriteProcessMemory
PID:5216

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:6112

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:3592

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:5040

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:5588

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
2⤵
- Suspicious use of WriteProcessMemory
PID:3944

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:5636

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C netsh advfirewall set currentprofile state off
2⤵
- Suspicious use of WriteProcessMemory
PID:5348

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
PID:3656

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C netsh firewall set opmode mode=disable
2⤵
- Suspicious use of WriteProcessMemory
PID:2472

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
3⤵
PID:4684

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:5712

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:6016

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:6048

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:5892

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:6100

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5632

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4656

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1216

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:1544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

2

T1059

Scheduled Task

1

T1053

Persistence

Modify Existing Service

2

T1031

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

4

T1112

Disabling Security Tools

1

T1089

File Deletion

4

T1107

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

5

T1490

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\kwiwnuqg.exe
Filesize
32KB

MD5
8fcafe5ae7f217364afc3c12f1ebb0e1

SHA1
5046cb978406e83ec9636c36337f8c880f4faf81

SHA256
b6cc8a850d90237fd2180b17573b2bd4f51e295b97eebbafa1171347ec30e386

SHA512
64b13f092a82062a87583cdb9aca26ad376627111ea22b72a7e43525d8066f88e3b6d8c77fb48b6c3db1bff15131cab4d377fbb8761b5b332a64b3504a010fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6E79.tmp
Filesize
29KB

MD5
3d8c7682276a8037f2127218269ad6a6

SHA1
0ec2007353db9cf776065cae9281e9e82a55b6b8

SHA256
1b14a330f9f9ef6a72e7c265df268fd68aeeb4724c5d43e0a2b384ca4f0d8e1f

SHA512
08fe9d6d5d7e53eb020de248b6ee5bcf87927b06d3efbb33c76bb8ee6b8df387d575dcc2170b1e8e0e4866c6ca3a9d2a80985755b3e6854eab614280219316d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\info.hta
Filesize
3KB

MD5
cdb00d793ff4f68766d673e3af67c608

SHA1
2f2e0f76fe8c934abcd27af2c67d55ad564e10c0

SHA256
c2ab7e7d6ca328c9031d2bb893abd9c5df0156a3fe802229cc46b164cfb6bda3

SHA512
1b290173f8cecc8c516afcc53289374105b6bfd9ff85f92e76473929077cf7696c1721e8704f2a6339071b49f5a11ff93b8fe10822004635794fb7f3daa30a80

Download Submit
\??\c:\ProgramData\CSCC35B4BAE327346C49246E3A5B5D8F9B8.TMP
Filesize
28KB

MD5
42958c0a5905226d3f206f01437ba394

SHA1
ccfc155322bcbfa588f84b717b8874e965defe8f

SHA256
03cfaf6afae600e874b441eb6083bddcb9eb54a1b2b7694607c1f26287583ebb

SHA512
2b0f99c52497b52fa7f9eea639ef9497091854d3b67c257496c13d2633632179a038b3cc9bbe133cae8038ca81ee9015ced44e22e7042944404b5636a6e58d06

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\duug14l2\duug14l2.0.cs
Filesize
1KB

MD5
75a66536976086c8098b23442037b427

SHA1
fd27d3d01a981b479b880194fe50af1f85914284

SHA256
cca7fb993f399a6ce14901b64398567ad373c5e4468eb9a78aaad45881f9b59d

SHA512
0bc2e1a80763b0296d85aad64f0515fd851e56787efac87410c49850944ec2632464cfff860b4fba946e876d7ec13a17579fe8c5c09ac55d70e7c5d5b31e182e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\duug14l2\duug14l2.cmdline
Filesize
236B

MD5
8f39974be88d22024bd19b38ee685f4c

SHA1
bce3ffe28017ceb46fa86942b165ed8a4065645a

SHA256
ba5d988309b0dc50b74022f3d7b3466c25e4ab150c48d8f409064a9af372cd64

SHA512
e514517a7028b2bb79c14f1b3e74e475f860e061d6615caa90926a38c489f5180961f7d8b43d6e22fdb449856f56180e1712a833136f88786ea5d4b8b9bd1036

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dvydvcdb.ico
Filesize
27KB

MD5
dbc49b5f7714255217080c2e81f05a99

SHA1
4de2ef415d66d2bb8b389ba140a468b125388e19

SHA256
6d2f1f6164cbd331b9dc43b37948372e21b2ee45407aa99e199693835cded09c

SHA512
29a65eb7403bfc220fd057c2e6ea11b29bff545dfce2d3370ad462c66b03ae7f648efd480305423a49440de199a2a94c41214877b226a42dc2d1650683d149bb

Download Submit
memory/532-143-0x0000000000000000-mapping.dmp

Download
memory/1944-144-0x0000000000000000-mapping.dmp

Download
memory/2244-154-0x0000000000000000-mapping.dmp

Download
memory/2472-150-0x0000000000000000-mapping.dmp

Download
memory/3592-152-0x0000000000000000-mapping.dmp

Download
memory/3656-156-0x0000000000000000-mapping.dmp

Download
memory/3688-151-0x0000000000000000-mapping.dmp

Download
memory/3944-148-0x0000000000000000-mapping.dmp

Download
memory/4668-131-0x0000000003430000-0x00000000034A6000-memory.dmp

Filesize
472KB

Download
memory/4668-132-0x00007FFA0E0F0000-0x00007FFA0EBB1000-memory.dmp

Filesize
10.8MB

Download
memory/4668-130-0x00000000009A0000-0x0000000000A22000-memory.dmp

Filesize
520KB

Download
memory/4684-158-0x0000000000000000-mapping.dmp

Download
memory/5040-147-0x0000000000000000-mapping.dmp

Download
memory/5216-145-0x0000000000000000-mapping.dmp

Download
memory/5348-149-0x0000000000000000-mapping.dmp

Download
memory/5588-157-0x0000000000000000-mapping.dmp

Download
memory/5600-155-0x0000000000000000-mapping.dmp

Download
memory/5636-153-0x0000000000000000-mapping.dmp

Download
memory/5696-134-0x0000000000000000-mapping.dmp

Download
memory/5712-159-0x0000000000000000-mapping.dmp

Download
memory/5720-133-0x0000000000000000-mapping.dmp

Download
memory/5892-162-0x0000000000000000-mapping.dmp

Download
memory/5940-135-0x0000000000000000-mapping.dmp

Download
memory/6016-160-0x0000000000000000-mapping.dmp

Download
memory/6024-139-0x0000000000000000-mapping.dmp

Download
memory/6048-161-0x0000000000000000-mapping.dmp

Download
memory/6100-163-0x0000000000000000-mapping.dmp

Download
memory/6112-146-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads