lockbit | 71d0c896720e01be1b6b095fc8917bcac38f8bc8ed3caba8bf9c2a4fcdde1747

General

Target

tmp.exe
Size

484KB
MD5

8b062fa952cc294d7db09794e2d44ce0
SHA1

ce13e42217f7d0e950dd8ae5ee5ec8d5be6af177
SHA256

71d0c896720e01be1b6b095fc8917bcac38f8bc8ed3caba8bf9c2a4fcdde1747
SHA512

a6643699544db21955c927e9a7cdfd1c056c7078e27d9c68ff68865c240ff3dfd0f8aecd7f4926b9746eaa989b3cbef681e5ffd19c643cd02a7faba2534ed26d

Score

10^/10

lockbit evasion persistence ransomware suricata trojan

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Ransom Note

!!!All of your files are encrypted!!! To decrypt them send e-mail to this address: DecryptionCenter@gmail.com In case of no answer in 24h, send e-mail to this address: DecryptionCenter@outlook.com All your files will be lost on Wednesday, June 8, 2022 9:12:56 PM. Your SYSTEM ID : B00E6D83 !!!Deleting "Cpriv.Loki" causes permanent data loss.

Emails

DecryptionCenter@gmail.com

DecryptionCenter@outlook.com

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\info.hta

Ransom Note

All your files have been encrypted by Loki locker! All your files have been encrypted due to a security problem with your PC. If you want to restore them, please send an email DecryptionCenter@gmail.com You have to pay for decryption in Bitcoin. The price depends on how fast you contact us. After payment we will send you the decryption tool. You have to 48 hours(2 Days) To contact or paying us After that, you have to Pay Double . In case of no answer in 24 hours (1 Day) write to this email DecryptionCenter@outlook.com Your unique ID is : B00E6D83 You only have LIMITED time to get back your files! If timer runs out and you dont pay us , all of files will be DELETED and you hard disk will be seriously DAMAGED. You will lose some of your data on day 2 in the timer. You can buy more time for pay. Just email us. THIS IS NOT A JOKE! you can wait for the timer to run out ,and watch deletion of your files :) What is our decryption guarantee? Before paying you can send us up to for free decryption. The total size of files must be less than 2Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) Attention! DO NOT pay any money before decrypting the test files. DO NOT trust any intermediary. they wont help you and you may be victim of scam. just email us , we help you in any steps. DO NOT reply to other emails. ONLY this two emails can help you. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

DecryptionCenter@gmail.com

DecryptionCenter@outlook.com

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
suricata: ET MALWARE Loki Locker Ransomware CnC Activity
suricata: ET MALWARE Loki Locker Ransomware CnC Activity
suricata
suricata: ET MALWARE Loki Locker Ransomware CnC Domain in DNS Lookup
suricata: ET MALWARE Loki Locker Ransomware CnC Domain in DNS Lookup
suricata
suricata: ET MALWARE Loki Locker Ransomware User-Agent
suricata: ET MALWARE Loki Locker Ransomware User-Agent
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

4772 bcdedit.exe
3900 bcdedit.exe
Deletes System State backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

2588 wbadmin.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

4416 wbadmin.exe
Disables Task Manager via registry modification
evasion
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

tmp.exe

description ioc process

File opened for modification C:\Users\Admin\Pictures\RenameEnable.tiff tmp.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

tmp.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation tmp.exe

pid	process
4772	bcdedit.exe
3900	bcdedit.exe

pid	process
2588	wbadmin.exe

pid	process
4416	wbadmin.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\RenameEnable.tiff	tmp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	tmp.exe

Drops startup file 3 IoCs

Processes:

tmp.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe	tmp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe	tmp.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wvtymcow.bat	tmp.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Michael Gillespie = "C:\\ProgramData\\winlogon.exe"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Michael Gillespie = "C:\\Windows\\winlogon.exe"	tmp.exe

Drops desktop.ini file(s) 28 IoCs

Processes:

tmp.exe

description	ioc	process
File opened for modification	C:\Users\Public\Downloads\desktop.ini	tmp.exe
File opened for modification	C:\Users\Public\desktop.ini	tmp.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	tmp.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	tmp.exe
File opened for modification	C:\Program Files\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	tmp.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	tmp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	tmp.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	tmp.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	tmp.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	tmp.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	tmp.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	tmp.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kjfb04uq.Loki"	tmp.exe

Drops file in Program Files directory 64 IoCs

Processes:

tmp.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\docs.crx	tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-favorites_ja.jar	tmp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity-dark@4x.png	tmp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\vlc.mo	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-40.png	tmp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml	tmp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-addtotable@3x.png	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-256_altform-unplated_contrast-high.png	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MicrosoftLogo.scale-200.png	tmp.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_200_percent.pak	tmp.exe
File created	C:\Program Files\Microsoft Office\root\Client\Restore-My-Files.txt	tmp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelFluent@3x.png	tmp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\vlc.mo	tmp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\http.luac	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Star.png	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreMedTile.scale-200.png	tmp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\digsig_icons_2x.png	tmp.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\en-us\Restore-My-Files.txt	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsymxb.ttf	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\ControlStyles.xbf	tmp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ul-oob.xrm-ms	tmp.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\mr.pak.DATA	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\LargeTile.scale-125.png	tmp.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeLargeTile.scale-100.png	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailBadge.scale-400.png	tmp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugins\rhp\exportpdfupsell-app-tool-view.js	tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.emf.ecore.xmi_2.10.1.v20140901-1043.jar	tmp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ul-oob.xrm-ms	tmp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sqlpdw.xsl	tmp.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.513.0_neutral_~_8wekyb3d8bbwe\Restore-My-Files.txt	tmp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\LyncVDI_Eula.txt	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-48_altform-unplated_contrast-white.png	tmp.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-gb\Restore-My-Files.txt	tmp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\CANYON.ELM	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\ThreeWayBlendPage.xbf	tmp.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\ja-JP\MSFT_PackageManagement.schema.mfl	tmp.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ja-jp\Restore-My-Files.txt	tmp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\tipresx.dll.mui	tmp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ppd.xrm-ms	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-40.png	tmp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-tw\ui-strings.js	tmp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ja-jp\ui-strings.js	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-100_contrast-black.png	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-40_altform-unplated.png	tmp.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\dismiss.contrast-white.png	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeLargeTile.scale-150.png	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.services.nl_ja_4.4.0.v20140623020002.jar	tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\THIRDPARTYLICENSEREADME.txt	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyShare-Dark.scale-100.png	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Programmer.targetsize-16_contrast-white.png	tmp.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\ThankYou\Restore-My-Files.txt	tmp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-down.png	tmp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-ppd.xrm-ms	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\AppxManifest.xml	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\Classic\Pyramid.Wide.png	tmp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\ui-strings.js	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_altform-unplated_contrast-white.png	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarLargeTile.scale-150.png	tmp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Review_RHP.aapp	tmp.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi\Restore-My-Files.txt	tmp.exe

Drops file in Windows directory 5 IoCs

Processes:

tmp.exewbadmin.exe

description	ioc	process
File created	C:\Windows\winlogon.exe	tmp.exe
File opened for modification	C:\Windows\winlogon.exe	tmp.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5008 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4368 vssadmin.exe

pid	process
5008	schtasks.exe

pid	process
4368	vssadmin.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

tmp.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\Desktop\WallpaperStyle = "2"	tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\Desktop\TileWallpaper = "0"	tmp.exe

Modifies registry class 8 IoCs

Processes:

tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Loki\ = "Loki"	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open\command	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Loki	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open\command\ = "C:\\ProgramData\\bpevytwo.exe \"%l\" "	tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Loki	tmp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

tmp.exe

pid	process
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe
2736	tmp.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

tmp.exeWMIC.exewbengine.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2736	tmp.exe
Token: SeIncreaseQuotaPrivilege	2740	WMIC.exe
Token: SeSecurityPrivilege	2740	WMIC.exe
Token: SeTakeOwnershipPrivilege	2740	WMIC.exe
Token: SeLoadDriverPrivilege	2740	WMIC.exe
Token: SeSystemProfilePrivilege	2740	WMIC.exe
Token: SeSystemtimePrivilege	2740	WMIC.exe
Token: SeProfSingleProcessPrivilege	2740	WMIC.exe
Token: SeIncBasePriorityPrivilege	2740	WMIC.exe
Token: SeCreatePagefilePrivilege	2740	WMIC.exe
Token: SeBackupPrivilege	2740	WMIC.exe
Token: SeRestorePrivilege	2740	WMIC.exe
Token: SeShutdownPrivilege	2740	WMIC.exe
Token: SeDebugPrivilege	2740	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2740	WMIC.exe
Token: SeRemoteShutdownPrivilege	2740	WMIC.exe
Token: SeUndockPrivilege	2740	WMIC.exe
Token: SeManageVolumePrivilege	2740	WMIC.exe
Token: 33	2740	WMIC.exe
Token: 34	2740	WMIC.exe
Token: 35	2740	WMIC.exe
Token: 36	2740	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2740	WMIC.exe
Token: SeSecurityPrivilege	2740	WMIC.exe
Token: SeTakeOwnershipPrivilege	2740	WMIC.exe
Token: SeLoadDriverPrivilege	2740	WMIC.exe
Token: SeSystemProfilePrivilege	2740	WMIC.exe
Token: SeSystemtimePrivilege	2740	WMIC.exe
Token: SeProfSingleProcessPrivilege	2740	WMIC.exe
Token: SeIncBasePriorityPrivilege	2740	WMIC.exe
Token: SeCreatePagefilePrivilege	2740	WMIC.exe
Token: SeBackupPrivilege	2740	WMIC.exe
Token: SeRestorePrivilege	2740	WMIC.exe
Token: SeShutdownPrivilege	2740	WMIC.exe
Token: SeDebugPrivilege	2740	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2740	WMIC.exe
Token: SeRemoteShutdownPrivilege	2740	WMIC.exe
Token: SeUndockPrivilege	2740	WMIC.exe
Token: SeManageVolumePrivilege	2740	WMIC.exe
Token: 33	2740	WMIC.exe
Token: 34	2740	WMIC.exe
Token: 35	2740	WMIC.exe
Token: 36	2740	WMIC.exe
Token: SeBackupPrivilege	4468	wbengine.exe
Token: SeRestorePrivilege	4468	wbengine.exe
Token: SeSecurityPrivilege	4468	wbengine.exe
Token: SeBackupPrivilege	1960	vssvc.exe
Token: SeRestorePrivilege	1960	vssvc.exe
Token: SeAuditPrivilege	1960	vssvc.exe
Token: SeDebugPrivilege	2736	tmp.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

tmp.execmd.execsc.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2736 wrote to memory of 3100	2736	tmp.exe	cmd.exe
PID 2736 wrote to memory of 3100	2736	tmp.exe	cmd.exe
PID 2736 wrote to memory of 2024	2736	tmp.exe	csc.exe
PID 2736 wrote to memory of 2024	2736	tmp.exe	csc.exe
PID 3100 wrote to memory of 5008	3100	cmd.exe	schtasks.exe
PID 3100 wrote to memory of 5008	3100	cmd.exe	schtasks.exe
PID 2024 wrote to memory of 4996	2024	csc.exe	cvtres.exe
PID 2024 wrote to memory of 4996	2024	csc.exe	cvtres.exe
PID 2736 wrote to memory of 532	2736	tmp.exe	cmd.exe
PID 2736 wrote to memory of 532	2736	tmp.exe	cmd.exe
PID 2736 wrote to memory of 2812	2736	tmp.exe	cmd.exe
PID 2736 wrote to memory of 2812	2736	tmp.exe	cmd.exe
PID 2736 wrote to memory of 616	2736	tmp.exe	cmd.exe
PID 2736 wrote to memory of 616	2736	tmp.exe	cmd.exe
PID 2736 wrote to memory of 1388	2736	tmp.exe	cmd.exe
PID 2736 wrote to memory of 1388	2736	tmp.exe	cmd.exe
PID 2736 wrote to memory of 904	2736	tmp.exe	cmd.exe
PID 2736 wrote to memory of 904	2736	tmp.exe	cmd.exe
PID 2736 wrote to memory of 1180	2736	tmp.exe	cmd.exe
PID 2736 wrote to memory of 1180	2736	tmp.exe	cmd.exe
PID 2736 wrote to memory of 516	2736	tmp.exe	cmd.exe
PID 2736 wrote to memory of 516	2736	tmp.exe	cmd.exe
PID 2812 wrote to memory of 2588	2812	cmd.exe	wbadmin.exe
PID 2812 wrote to memory of 2588	2812	cmd.exe	wbadmin.exe
PID 616 wrote to memory of 2740	616	cmd.exe	WMIC.exe
PID 616 wrote to memory of 2740	616	cmd.exe	WMIC.exe
PID 2736 wrote to memory of 1816	2736	tmp.exe	cmd.exe
PID 2736 wrote to memory of 1816	2736	tmp.exe	cmd.exe
PID 532 wrote to memory of 4368	532	cmd.exe	vssadmin.exe
PID 532 wrote to memory of 4368	532	cmd.exe	vssadmin.exe
PID 1388 wrote to memory of 4416	1388	cmd.exe	wbadmin.exe
PID 1388 wrote to memory of 4416	1388	cmd.exe	wbadmin.exe
PID 904 wrote to memory of 4772	904	cmd.exe	bcdedit.exe
PID 904 wrote to memory of 4772	904	cmd.exe	bcdedit.exe
PID 1180 wrote to memory of 3900	1180	cmd.exe	bcdedit.exe
PID 1180 wrote to memory of 3900	1180	cmd.exe	bcdedit.exe
PID 1816 wrote to memory of 3276	1816	cmd.exe	netsh.exe
PID 1816 wrote to memory of 3276	1816	cmd.exe	netsh.exe
PID 516 wrote to memory of 4484	516	cmd.exe	netsh.exe
PID 516 wrote to memory of 4484	516	cmd.exe	netsh.exe
PID 2736 wrote to memory of 4688	2736	tmp.exe	mshta.exe
PID 2736 wrote to memory of 4688	2736	tmp.exe	mshta.exe
PID 2736 wrote to memory of 4688	2736	tmp.exe	mshta.exe
PID 2736 wrote to memory of 3048	2736	tmp.exe	mshta.exe
PID 2736 wrote to memory of 3048	2736	tmp.exe	mshta.exe
PID 2736 wrote to memory of 3048	2736	tmp.exe	mshta.exe
PID 2736 wrote to memory of 4920	2736	tmp.exe	mshta.exe
PID 2736 wrote to memory of 4920	2736	tmp.exe	mshta.exe
PID 2736 wrote to memory of 4920	2736	tmp.exe	mshta.exe
PID 2736 wrote to memory of 292	2736	tmp.exe	mshta.exe
PID 2736 wrote to memory of 292	2736	tmp.exe	mshta.exe
PID 2736 wrote to memory of 292	2736	tmp.exe	mshta.exe
PID 2736 wrote to memory of 4384	2736	tmp.exe	mshta.exe
PID 2736 wrote to memory of 4384	2736	tmp.exe	mshta.exe
PID 2736 wrote to memory of 4384	2736	tmp.exe	mshta.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Encrypted by Loki locker"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your files have been encrypted due to a security problem with your computer\r\nIf you want to restore them, write us to the e-mail: DecryptionCenter@gmail.com\r\nWrite this ID in the title of your message: B00E6D83\r\nIn case of no answer in 24 hours write us to this e-mail: DecryptionCenter@outlook.com"	tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Modifies extensions of user files
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2736

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:3100

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:5008

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yoikjizn\yoikjizn.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES351A.tmp" "c:\ProgramData\CSC92A2AE7CFC0E4AAB9B11A0211339996E.TMP"
3⤵
PID:4996

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:532

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:4368

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin DELETE SYSTEMSTATEBACKUP
2⤵
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP
3⤵
- Deletes System State backups
- Drops file in Windows directory
PID:2588

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
2⤵
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:4416

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:4772

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
2⤵
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:3900

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C netsh advfirewall set currentprofile state off
2⤵
- Suspicious use of WriteProcessMemory
PID:516

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
PID:4484

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C netsh firewall set opmode mode=disable
2⤵
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
3⤵
PID:3276

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:4688

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:3048

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:4920

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:292

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:4384

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4468

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1148

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:228

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

2

T1059

Scheduled Task

1

T1053

Persistence

Modify Existing Service

2

T1031

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

4

T1112

Disabling Security Tools

1

T1089

File Deletion

4

T1107

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

5

T1490

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\bpevytwo.exe
Filesize
32KB

MD5
e9188c70264736a76f06ba4eeb65450e

SHA1
41bcf82bdba8869b9f2e91342fdabe8d2fea3676

SHA256
a0e2ddc1779a6bb57d89ceddf801dce8b2da7a2f358bd930599a3d0eea56f8f1

SHA512
f797cb43c0fd600260a8c213f607adb7b007fc8fa0f6a10e8e3d2b7b47e08c94565f7fac5235de11171d5c825de4a400127c50ae6aed96fb62a87b99451aad24

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES351A.tmp
Filesize
29KB

MD5
f4e28a2f83eb9bfd345a6fc0b13fba8a

SHA1
eaf422751390e195b975f51733933c2581575835

SHA256
b6b2547ced9bb57b4161a53b13b4e76e90c51b75fea947db33954c25783e7ca4

SHA512
7e9a71c0fd64018b6523bc848a61e01ee0aae032d692437b2663a5cdaad8d13fdd8f5dffc1fe549c7abf486a0e70fe5edca465a1cc789542da0aca65d9096a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\info.hta
Filesize
3KB

MD5
9ebf1767397b1ba0ed619373e6f352a9

SHA1
49b1230c50ae1ce41ef6ca6ffde5fbd24f0adc6b

SHA256
c861dbec6608bbf7aa0c48efd05c62a2381a443711fc083d61cbdc47a9bbeba6

SHA512
63648ef000db4eddfbfa20b7238cd826e16b413315ffa26c016ed45b3272b617d0e50258b368ce2b862cd0ea19fd639883f2899c7ee6230f6ae89b7b0137ddec

Download Submit
\??\c:\ProgramData\CSC92A2AE7CFC0E4AAB9B11A0211339996E.TMP
Filesize
28KB

MD5
e2578536dd0ffd022484bf61eef378cf

SHA1
882dd4514a22ee2d74ba31d1e7e3c638be793d62

SHA256
1b2db80ff3a55017171f8a8b9940a17cf57733e22fbe0d9e0d4cdb7354e2b64a

SHA512
4d48497feaeabfc1ce59e1fdc6468af99024bda2f2dcd4fe2b16a4e3e0d5b5b3bfe7075f6b2af068d984b1015cc3d3ede4dacfcd2ab243b2950d4287c651f746

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xgne5xiv.ico
Filesize
27KB

MD5
dbc49b5f7714255217080c2e81f05a99

SHA1
4de2ef415d66d2bb8b389ba140a468b125388e19

SHA256
6d2f1f6164cbd331b9dc43b37948372e21b2ee45407aa99e199693835cded09c

SHA512
29a65eb7403bfc220fd057c2e6ea11b29bff545dfce2d3370ad462c66b03ae7f648efd480305423a49440de199a2a94c41214877b226a42dc2d1650683d149bb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yoikjizn\yoikjizn.0.cs
Filesize
1KB

MD5
18f905f0497ac3516d54dc291e8ca7b4

SHA1
195999b3b12ca396a49adcdad86e0982c929d8d2

SHA256
b76378c370475262a7acd44f5257a1e06b7b8d198c1a5810c2918a7f1f8d6477

SHA512
f91a2d053934762e852082fc51be523839f17922525f28f2bbdd5bde94d8f00621b1cca231d164216ce24b1b334ffc8fee4f0ab02d50b435ff25009f1e5f5cc9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yoikjizn\yoikjizn.cmdline
Filesize
236B

MD5
7a66a3d786ff3f14792983ec02e8ca6d

SHA1
89dfc7e6803d27970dbef55e034751644194435d

SHA256
e20c239635a317e3262579dc65351817ef70b0ed5fb1f0e4a1f00a444769ec3b

SHA512
f81851516d6ff8a4db32926ffc93c40bd42972eb6766419d4f308d5e024731bd97f30fa6b57e0a45f46ef6eccfb78482d7c042a3d6363917a86407510f9ad6c1

Download Submit
memory/292-162-0x0000000000000000-mapping.dmp

Download
memory/516-149-0x0000000000000000-mapping.dmp

Download
memory/532-143-0x0000000000000000-mapping.dmp

Download
memory/616-145-0x0000000000000000-mapping.dmp

Download
memory/904-147-0x0000000000000000-mapping.dmp

Download
memory/1180-148-0x0000000000000000-mapping.dmp

Download
memory/1388-146-0x0000000000000000-mapping.dmp

Download
memory/1816-152-0x0000000000000000-mapping.dmp

Download
memory/2024-134-0x0000000000000000-mapping.dmp

Download
memory/2588-150-0x0000000000000000-mapping.dmp

Download
memory/2736-131-0x00000000033B0000-0x0000000003426000-memory.dmp

Filesize
472KB

Download
memory/2736-130-0x0000000000840000-0x00000000008C2000-memory.dmp

Filesize
520KB

Download
memory/2736-132-0x00007FFE537D0000-0x00007FFE54291000-memory.dmp

Filesize
10.8MB

Download
memory/2740-151-0x0000000000000000-mapping.dmp

Download
memory/2812-144-0x0000000000000000-mapping.dmp

Download
memory/3048-160-0x0000000000000000-mapping.dmp

Download
memory/3100-133-0x0000000000000000-mapping.dmp

Download
memory/3276-157-0x0000000000000000-mapping.dmp

Download
memory/3900-156-0x0000000000000000-mapping.dmp

Download
memory/4368-153-0x0000000000000000-mapping.dmp

Download
memory/4384-163-0x0000000000000000-mapping.dmp

Download
memory/4416-154-0x0000000000000000-mapping.dmp

Download
memory/4484-158-0x0000000000000000-mapping.dmp

Download
memory/4688-159-0x0000000000000000-mapping.dmp

Download
memory/4772-155-0x0000000000000000-mapping.dmp

Download
memory/4920-161-0x0000000000000000-mapping.dmp

Download
memory/4996-139-0x0000000000000000-mapping.dmp

Download
memory/5008-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads