Malware Analysis Report

2025-01-02 02:03

Sample ID 220708-b7plxaccdq
Target 42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550
SHA256 42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550
Tags
adwind lokibot xtremerat collection persistence rat spyware stealer trojan upx suricata
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550

Threat Level: Known bad

The file 42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550 was found to be: Known bad.

Malicious Activity Summary

adwind lokibot xtremerat collection persistence rat spyware stealer trojan upx suricata

Lokibot

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

suricata: ET MALWARE LokiBot Checkin

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Detect XtremeRAT payload

AdWind

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

XtremeRAT

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

UPX packed file

Modifies Installed Components in the registry

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Modifies registry class

outlook_office_path

outlook_win_path

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-07-08 01:47

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-08 01:47

Reported

2022-07-08 03:41

Platform

win7-20220414-en

Max time kernel

147s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550.exe"

Signatures

AdWind

trojan adwind

Detect XtremeRAT payload

Description | Indicator | Process | Target
(11 matches; every field reported as N/A)

Lokibot

trojan spyware stealer lokibot

XtremeRAT

persistence spyware rat xtremerat

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{78452I85-U572-837I-073T-W3NL7LW117V7} | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78452I85-U572-837I-073T-W3NL7LW117V7}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{78452I85-U572-837I-073T-W3NL7LW117V7} | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78452I85-U572-837I-073T-W3NL7LW117V7}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | C:\Windows\SysWOW64\svchost.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
(8 matches; every field reported as N/A)

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\116azili.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\116azili.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\116azili.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\116azili.exe = "C:\\Users\\Admin\\AppData\\Roaming/Microsoft/Skype.exe" | C:\Users\Admin\AppData\Local\Temp\116azili.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550.exe = "C:\\Users\\Admin\\AppData\\Roaming/Microsoft/Skype.exe" | C:\Users\Admin\AppData\Local\Temp\42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\116azili.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\System32\test.txt | C:\Program Files\Java\jre7\bin\javaw.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\InstallDir\Server.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
File created | C:\Windows\InstallDir\Server.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
File opened for modification | C:\Windows\InstallDir\ | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | N/A

Suspicious use of WriteProcessMemory

Description | Events | Indicator | Process | Target
PID 1356 wrote to memory of 1932 | 6 | N/A | C:\Users\Admin\AppData\Local\Temp\42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550.exe | C:\Users\Admin\AppData\Local\Temp\42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550.exe
PID 1932 wrote to memory of 1248 | 4 | N/A | C:\Users\Admin\AppData\Local\Temp\42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550.exe | C:\Users\Admin\AppData\Local\Temp\server.exe
PID 1932 wrote to memory of 2044 | 4 | N/A | C:\Users\Admin\AppData\Local\Temp\42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550.exe | C:\Program Files\Java\jre7\bin\javaw.exe
PID 1248 wrote to memory of 1984 | 5 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\SysWOW64\svchost.exe
PID 1248 wrote to memory of 1960 | 4 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1248 wrote to memory of 1400 | 5 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\SysWOW64\explorer.exe
PID 2044 wrote to memory of 908 | 3 | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Program Files\Java\jre7\bin\java.exe
PID 1248 wrote to memory of 1636 | 4 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Users\Admin\AppData\Local\Temp\116azili.exe
PID 2044 wrote to memory of 920 | 3 | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Windows\system32\cmd.exe
PID 920 wrote to memory of 1616 | 3 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cscript.exe
PID 2044 wrote to memory of 936 | 3 | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Windows\system32\cmd.exe
PID 936 wrote to memory of 1324 | 3 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cscript.exe
PID 2044 wrote to memory of 1052 | 3 | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Windows\system32\xcopy.exe
PID 1636 wrote to memory of 1540 | 6 | N/A | C:\Users\Admin\AppData\Local\Temp\116azili.exe | C:\Users\Admin\AppData\Local\Temp\116azili.exe
PID 2044 wrote to memory of 1700 | 3 | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Windows\system32\cmd.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\116azili.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\116azili.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550.exe

"C:\Users\Admin\AppData\Local\Temp\42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550.exe"

C:\Users\Admin\AppData\Local\Temp\42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550.exe

"C:\Users\Admin\AppData\Local\Temp\42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Program Files\Java\jre7\bin\javaw.exe

"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\uxmi.jar"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Java\jre7\bin\java.exe

"C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.51850798729124058940410804171072915.class

C:\Users\Admin\AppData\Local\Temp\116azili.exe

"C:\Users\Admin\AppData\Local\Temp\116azili.exe"

C:\Windows\system32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1883545230757125046.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1883545230757125046.vbs

C:\Windows\system32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1928585804898164862.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1928585804898164862.vbs

C:\Windows\system32\xcopy.exe

xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e

C:\Users\Admin\AppData\Local\Temp\116azili.exe

"C:\Users\Admin\AppData\Local\Temp\116azili.exe"

C:\Windows\system32\cmd.exe

cmd.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | nkilishinkili.hopto.org | udp

Files

memory/1356-54-0x0000000075361000-0x0000000075363000-memory.dmp

memory/1932-55-0x0000000000400000-0x0000000000506000-memory.dmp

memory/1932-58-0x00000000004013C1-mapping.dmp

memory/1932-57-0x0000000000400000-0x0000000000506000-memory.dmp

\Users\Admin\AppData\Local\Temp\server.exe (4 identical entries)

MD5 559bc352357254d75b6086f0d452340c
SHA1 01c5a2b92d124e0e4da5e77b6e3c9921393c1b9c
SHA256 6d5de5a65be7beb73921ac55c71ff76bc2246e370d4d98ac887040f1f937a3b9
SHA512 1734d73c209629b86e7d4923e3cd21b76fdbeb77c23155758a67d65cffeff300af7c50a93b922e8b4f33978e5f09ce052cb5be71831980ced24d22d915bc3ecd

memory/1248-65-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\server.exe

MD5 559bc352357254d75b6086f0d452340c
SHA1 01c5a2b92d124e0e4da5e77b6e3c9921393c1b9c
SHA256 6d5de5a65be7beb73921ac55c71ff76bc2246e370d4d98ac887040f1f937a3b9
SHA512 1734d73c209629b86e7d4923e3cd21b76fdbeb77c23155758a67d65cffeff300af7c50a93b922e8b4f33978e5f09ce052cb5be71831980ced24d22d915bc3ecd

memory/2044-68-0x0000000000000000-mapping.dmp

memory/1932-70-0x0000000000400000-0x0000000000505A70-memory.dmp

memory/2044-69-0x000007FEFB9A1000-0x000007FEFB9A3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uxmi.jar

MD5 4990001bbec12f043e4e92545d8b6a7e
SHA1 198ab311ffb25b93b798b2b70476bf17004fc2b8
SHA256 81be62be1456b63d98ed94fc4f48ff20a9fa6edb38289c460806a77572cb51c8
SHA512 ab9f1399ecebad646054e3f0d1b6a701f3e5f10b01a2c8ecf9455bd18138b6a0a4aeb0375ab98c3b5117dcf9bab4cdcce47f77f75827cc39efded5135006c0f1

C:\Users\Admin\AppData\Local\Temp\server.exe

MD5 559bc352357254d75b6086f0d452340c
SHA1 01c5a2b92d124e0e4da5e77b6e3c9921393c1b9c
SHA256 6d5de5a65be7beb73921ac55c71ff76bc2246e370d4d98ac887040f1f937a3b9
SHA512 1734d73c209629b86e7d4923e3cd21b76fdbeb77c23155758a67d65cffeff300af7c50a93b922e8b4f33978e5f09ce052cb5be71831980ced24d22d915bc3ecd

memory/1984-77-0x0000000000C80000-0x0000000000D08000-memory.dmp

C:\Windows\InstallDir\Server.exe

MD5 559bc352357254d75b6086f0d452340c
SHA1 01c5a2b92d124e0e4da5e77b6e3c9921393c1b9c
SHA256 6d5de5a65be7beb73921ac55c71ff76bc2246e370d4d98ac887040f1f937a3b9
SHA512 1734d73c209629b86e7d4923e3cd21b76fdbeb77c23155758a67d65cffeff300af7c50a93b922e8b4f33978e5f09ce052cb5be71831980ced24d22d915bc3ecd

memory/1984-79-0x0000000000000000-mapping.dmp

memory/2044-90-0x00000000021C0000-0x00000000051C0000-memory.dmp

memory/1400-88-0x0000000000000000-mapping.dmp

memory/1984-93-0x0000000000C80000-0x0000000000D08000-memory.dmp

memory/1400-92-0x0000000073D31000-0x0000000073D33000-memory.dmp

memory/908-94-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\_0.51850798729124058940410804171072915.class

MD5 781fb531354d6f291f1ccab48da6d39f
SHA1 9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68
SHA256 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
SHA512 3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

memory/1400-103-0x0000000000C80000-0x0000000000D08000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\116azili.exe

MD5 550b95d85c6d3fdb343a161b379d75c5
SHA1 86b36eb1bbd9ff428bfe5d266449a6f63ddc5070
SHA256 e93c8786119587a0e626057104cb04d4dc8f2308ca570ad1638d7a266971441e
SHA512 a5f8a2b0aa525730aa75c9c8bfa3ba7ada33bf94953194614666eef63a43117b7f5bbdee6cb054283537dfb14a96cc0d2829f1300ef8f5eb2587a85a713db7f8

memory/1636-109-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\116azili.exe (2 identical entries)

MD5 550b95d85c6d3fdb343a161b379d75c5
SHA1 86b36eb1bbd9ff428bfe5d266449a6f63ddc5070
SHA256 e93c8786119587a0e626057104cb04d4dc8f2308ca570ad1638d7a266971441e
SHA512 a5f8a2b0aa525730aa75c9c8bfa3ba7ada33bf94953194614666eef63a43117b7f5bbdee6cb054283537dfb14a96cc0d2829f1300ef8f5eb2587a85a713db7f8

memory/920-115-0x0000000000000000-mapping.dmp

memory/1616-116-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Retrive1883545230757125046.vbs

MD5 3bdfd33017806b85949b6faa7d4b98e4
SHA1 f92844fee69ef98db6e68931adfaa9a0a0f8ce66
SHA256 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
SHA512 ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

memory/936-118-0x0000000000000000-mapping.dmp

memory/1324-119-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Retrive1928585804898164862.vbs

MD5 a32c109297ed1ca155598cd295c26611
SHA1 dc4a1fdbaad15ddd6fe22d3907c6b03727b71510
SHA256 45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7
SHA512 70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

memory/1052-121-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\116azili.exe

MD5 550b95d85c6d3fdb343a161b379d75c5
SHA1 86b36eb1bbd9ff428bfe5d266449a6f63ddc5070
SHA256 e93c8786119587a0e626057104cb04d4dc8f2308ca570ad1638d7a266971441e
SHA512 a5f8a2b0aa525730aa75c9c8bfa3ba7ada33bf94953194614666eef63a43117b7f5bbdee6cb054283537dfb14a96cc0d2829f1300ef8f5eb2587a85a713db7f8

\Users\Admin\AppData\Local\Temp\116azili.exe

MD5 550b95d85c6d3fdb343a161b379d75c5
SHA1 86b36eb1bbd9ff428bfe5d266449a6f63ddc5070
SHA256 e93c8786119587a0e626057104cb04d4dc8f2308ca570ad1638d7a266971441e
SHA512 a5f8a2b0aa525730aa75c9c8bfa3ba7ada33bf94953194614666eef63a43117b7f5bbdee6cb054283537dfb14a96cc0d2829f1300ef8f5eb2587a85a713db7f8

memory/1540-124-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/1540-126-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/1540-127-0x00000000004139DE-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Skype.exe

MD5 550b95d85c6d3fdb343a161b379d75c5
SHA1 86b36eb1bbd9ff428bfe5d266449a6f63ddc5070
SHA256 e93c8786119587a0e626057104cb04d4dc8f2308ca570ad1638d7a266971441e
SHA512 a5f8a2b0aa525730aa75c9c8bfa3ba7ada33bf94953194614666eef63a43117b7f5bbdee6cb054283537dfb14a96cc0d2829f1300ef8f5eb2587a85a713db7f8

C:\Users\Admin\AppData\Local\Temp\116azili.exe

MD5 550b95d85c6d3fdb343a161b379d75c5
SHA1 86b36eb1bbd9ff428bfe5d266449a6f63ddc5070
SHA256 e93c8786119587a0e626057104cb04d4dc8f2308ca570ad1638d7a266971441e
SHA512 a5f8a2b0aa525730aa75c9c8bfa3ba7ada33bf94953194614666eef63a43117b7f5bbdee6cb054283537dfb14a96cc0d2829f1300ef8f5eb2587a85a713db7f8

memory/1636-132-0x0000000000400000-0x0000000000513000-memory.dmp

memory/1540-131-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/1700-134-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-08 01:47

Reported

2022-07-08 03:41

Platform

win10v2004-20220414-en

Max time kernel

117s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550.exe"

Signatures

Detect XtremeRAT payload

Description | Indicator | Process | Target
(11 matches; every field reported as N/A)

Lokibot

trojan spyware stealer lokibot

XtremeRAT

persistence spyware rat xtremerat

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

suricata

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

suricata

suricata: ET MALWARE LokiBot Checkin

suricata

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

suricata

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

suricata

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

suricata

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78452I85-U572-837I-073T-W3NL7LW117V7}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{78452I85-U572-837I-073T-W3NL7LW117V7} | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78452I85-U572-837I-073T-W3NL7LW117V7}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{78452I85-U572-837I-073T-W3NL7LW117V7} | C:\Windows\SysWOW64\svchost.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
(6 matches; every field reported as N/A)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\116azili.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\116azili.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\116azili.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550.exe = "C:\\Users\\Admin\\AppData\\Roaming/Microsoft/Skype.exe" | C:\Users\Admin\AppData\Local\Temp\42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\116azili.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\116azili.exe = "C:\\Users\\Admin\\AppData\\Roaming/Microsoft/Skype.exe" | C:\Users\Admin\AppData\Local\Temp\116azili.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\InstallDir\Server.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
File created | C:\Windows\InstallDir\Server.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
File opened for modification | C:\Windows\InstallDir\ | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\116azili.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe N/A
N/A N/A C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4896 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550.exe C:\Users\Admin\AppData\Local\Temp\42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550.exe
PID 4896 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550.exe C:\Users\Admin\AppData\Local\Temp\42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550.exe
PID 4896 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550.exe C:\Users\Admin\AppData\Local\Temp\42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550.exe
PID 4896 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550.exe C:\Users\Admin\AppData\Local\Temp\42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550.exe
PID 4896 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550.exe C:\Users\Admin\AppData\Local\Temp\42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550.exe
PID 4944 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 4944 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 4944 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 4944 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550.exe C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
PID 4944 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550.exe C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
PID 3812 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\svchost.exe
PID 3812 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\svchost.exe
PID 3812 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\svchost.exe
PID 3812 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\svchost.exe
PID 3812 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3812 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3812 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\explorer.exe
PID 3812 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\explorer.exe
PID 3812 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\explorer.exe
PID 3812 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\explorer.exe
PID 3812 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3812 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3812 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\explorer.exe
PID 3812 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\explorer.exe
PID 3812 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\explorer.exe
PID 3812 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3812 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3812 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\explorer.exe
PID 3812 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\explorer.exe
PID 3812 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\explorer.exe
PID 3812 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3812 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3812 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\explorer.exe
PID 3812 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\explorer.exe
PID 3812 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\explorer.exe
PID 3812 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\explorer.exe
PID 3812 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Users\Admin\AppData\Local\Temp\116azili.exe
PID 3812 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Users\Admin\AppData\Local\Temp\116azili.exe
PID 3812 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Users\Admin\AppData\Local\Temp\116azili.exe
PID 3968 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\116azili.exe C:\Users\Admin\AppData\Local\Temp\116azili.exe
PID 3968 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\116azili.exe C:\Users\Admin\AppData\Local\Temp\116azili.exe
PID 3968 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\116azili.exe C:\Users\Admin\AppData\Local\Temp\116azili.exe
PID 3968 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\116azili.exe C:\Users\Admin\AppData\Local\Temp\116azili.exe
PID 3968 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\116azili.exe C:\Users\Admin\AppData\Local\Temp\116azili.exe
PID 4352 wrote to memory of 2428 N/A C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe C:\Program Files\Java\jre1.8.0_66\bin\java.exe
PID 4352 wrote to memory of 2428 N/A C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe C:\Program Files\Java\jre1.8.0_66\bin\java.exe
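The rows above are easier to reason about as a graph: the sample writes into a second copy of itself (the SetThreadContext/hollowing pattern), that copy seeds server.exe and javaw.exe, and server.exe then writes into svchost.exe, explorer.exe and msedge.exe before spawning 116azili.exe, which hollows itself in turn. The Python below is an added example, not part of the report, that parses rows in the table's own format, deduplicates repeated writes into a count, classifies each edge, and walks every root-to-leaf chain. The TRUSTED_ROOTS allowlist and the edge labels are assumptions; the rows are copied from the table with most duplicates trimmed.

```python
import re
from collections import defaultdict

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550.exe"
SERVER_EXE = r"C:\Users\Admin\AppData\Local\Temp\server.exe"
STEALER_EXE = r"C:\Users\Admin\AppData\Local\Temp\116azili.exe"
JAVAW = r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe"
JAVA = r"C:\Program Files\Java\jre1.8.0_66\bin\java.exe"

# Rows copied from this report's "Suspicious use of WriteProcessMemory" table; the report
# repeats identical rows per pair, one duplicate is kept here to show the counting.
SAMPLE_ROWS = [
    f"PID 4896 wrote to memory of 4944 N/A {SAMPLE_EXE} {SAMPLE_EXE}",
    f"PID 4896 wrote to memory of 4944 N/A {SAMPLE_EXE} {SAMPLE_EXE}",
    f"PID 4944 wrote to memory of 3812 N/A {SAMPLE_EXE} {SERVER_EXE}",
    f"PID 4944 wrote to memory of 4352 N/A {SAMPLE_EXE} {JAVAW}",
    rf"PID 3812 wrote to memory of 4356 N/A {SERVER_EXE} C:\Windows\SysWOW64\svchost.exe",
    rf"PID 3812 wrote to memory of 3516 N/A {SERVER_EXE} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
    rf"PID 3812 wrote to memory of 4596 N/A {SERVER_EXE} C:\Windows\SysWOW64\explorer.exe",
    f"PID 3812 wrote to memory of 3968 N/A {SERVER_EXE} {STEALER_EXE}",
    f"PID 3968 wrote to memory of 2936 N/A {STEALER_EXE} {STEALER_EXE}",
    f"PID 4352 wrote to memory of 2428 N/A {JAVAW} {JAVA}",
]

# Both image paths start with a drive letter, so a lazy match up to " C:\" splits them
# even though "Program Files" contains spaces.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_img>C:\\.*?) (?P<dst_img>C:\\.*)$"
)

# Assumed allowlist of roots whose binaries are treated as trusted injection targets.
TRUSTED_ROOTS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
)


def in_trusted_root(path):
    return path.lower().startswith(TRUSTED_ROOTS)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def build_graph(rows):
    """Return (pid -> image path, (src_pid, dst_pid) -> number of write events)."""
    image, writes = {}, defaultdict(int)
    for row in rows:
        m = ROW_RE.match(row)
        if m is None:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        image[src], image[dst] = m["src_img"], m["dst_img"]
        writes[(src, dst)] += 1
    return image, dict(writes)


def classify_edge(image, src, dst):
    s, d = image[src], image[dst]
    if basename(s) == basename(d):
        return "self-injection (hollowing candidate)"
    if not in_trusted_root(s) and in_trusted_root(d):
        return "untrusted binary writing into trusted process"
    if not in_trusted_root(s):
        return "untrusted binary writing into dropped/child process"
    return "parent/child write between trusted binaries"


def root_pids(image, writes):
    targets = {dst for _, dst in writes}
    return sorted(pid for pid in image if pid not in targets)


def chains(image, writes):
    """Enumerate every root-to-leaf write path (who wrote into whom, in order)."""
    children = defaultdict(list)
    for src, dst in writes:
        children[src].append(dst)
    paths = []

    def walk(pid, path):
        if pid in path:  # defensive: never loop on a cyclic write graph
            return
        path = path + [pid]
        if not children.get(pid):
            paths.append(path)
            return
        for child in sorted(children[pid]):
            walk(child, path)

    for root in root_pids(image, writes):
        walk(root, [])
    return paths


def report(rows):
    image, writes = build_graph(rows)
    findings = {edge: classify_edge(image, *edge) for edge in writes}
    return image, writes, findings, chains(image, writes)


if __name__ == "__main__":
    image, writes, findings, paths = report(SAMPLE_ROWS)
    for (src, dst), label in findings.items():
        print(f"{src} -> {dst} x{writes[(src, dst)]}: {basename(image[src])} -> {basename(image[dst])}  [{label}]")
    for p in paths:
        print(" -> ".join(f"{pid}:{basename(image[pid])}" for pid in p))
```

The javaw.exe to java.exe edge is the one benign-looking write in the set (a launcher writing into the child it just created), and the classifier keeps it distinct from the server.exe edges into svchost.exe, explorer.exe and msedge.exe; filtering on "untrusted source, trusted target" plus "same image on both ends" is enough to surface the whole XtremeRAT and LokiBot lineage here without touching the Java edge.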

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\116azili.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\116azili.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550.exe

"C:\Users\Admin\AppData\Local\Temp\42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550.exe"

C:\Users\Admin\AppData\Local\Temp\42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550.exe

"C:\Users\Admin\AppData\Local\Temp\42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe

"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\uxmi.jar"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\116azili.exe

"C:\Users\Admin\AppData\Local\Temp\116azili.exe"

C:\Users\Admin\AppData\Local\Temp\116azili.exe

"C:\Users\Admin\AppData\Local\Temp\116azili.exe"

C:\Program Files\Java\jre1.8.0_66\bin\java.exe

"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.6824658843038574009752154300359433.class

Network

Country Destination Domain Proto
FR 2.22.147.90:80 tcp
NL 104.110.191.133:80 tcp
US 20.189.173.2:443 tcp
NL 104.110.191.133:80 tcp
NL 104.110.191.133:80 tcp
NL 104.110.191.133:80 tcp
US 8.8.8.8:53 nkilishinkili.hopto.org udp
US 8.8.8.8:53 nkilishinkili.hopto.org udp
US 8.8.8.8:53 nkilishinkili.hopto.org udp
US 8.8.8.8:53 nkilishinkili.hopto.org udp
US 8.8.8.8:53 nkilishinkili.hopto.org udp
US 8.8.8.8:53 saftygroup.com udp
US 172.81.56.198:80 saftygroup.com tcp
US 172.81.56.198:80 saftygroup.com tcp
US 172.81.56.198:80 saftygroup.com tcp
US 8.8.8.8:53 nkilishinkili.hopto.org udp
US 8.8.8.8:53 nkilishinkili.hopto.org udp
US 8.8.8.8:53 nkilishinkili.hopto.org udp
US 8.8.8.8:53 nkilishinkili.hopto.org udp
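Two things in the network table are worth pulling out programmatically: nkilishinkili.hopto.org sits under a dynamic-DNS zone and is queried repeatedly without any follow-on TCP flow being recorded, while saftygroup.com resolves once and is then contacted three times on port 80. The Python below is an added example, not part of the report, that parses rows in the table's own "Country Destination Domain Proto" format and joins DNS lookups to the flows that follow them. The DYNDNS_ZONES list is an assumption to extend from your own intelligence, and the rows are a subset copied from the table. Treat "lookups with no connection" as a lead rather than a verdict: in a sandbox it can mean NXDOMAIN, a sinkhole, or simply that the run ended before the RAT retried.

```python
from collections import Counter, defaultdict

# Rows copied from this report's Network table (subset).
NETWORK_ROWS = [
    "FR 2.22.147.90:80 tcp",
    "NL 104.110.191.133:80 tcp",
    "US 20.189.173.2:443 tcp",
    "NL 104.110.191.133:80 tcp",
    "US 8.8.8.8:53 nkilishinkili.hopto.org udp",
    "US 8.8.8.8:53 nkilishinkili.hopto.org udp",
    "US 8.8.8.8:53 nkilishinkili.hopto.org udp",
    "US 8.8.8.8:53 saftygroup.com udp",
    "US 172.81.56.198:80 saftygroup.com tcp",
    "US 172.81.56.198:80 saftygroup.com tcp",
    "US 8.8.8.8:53 nkilishinkili.hopto.org udp",
]

# Assumed set of parent zones offered by dynamic-DNS providers; extend from your own intel.
DYNDNS_ZONES = {"hopto.org", "no-ip.org", "ddns.net", "zapto.org", "myftp.org", "duckdns.org"}


def parse_row(row):
    """Rows carry a domain column only when the sandbox could attribute the flow."""
    parts = row.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        return None
    ip, _, port = dest.rpartition(":")
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def parent_zone(domain):
    labels = domain.lower().split(".")
    return ".".join(labels[-2:])


def summarize(rows):
    """Per queried domain: lookup count, follow-on (ip, port) connections, and reasons to look closer."""
    events = [e for e in map(parse_row, rows) if e]
    lookups = Counter(
        e["domain"] for e in events if e["port"] == 53 and e["proto"] == "udp" and e["domain"]
    )
    flows = defaultdict(set)
    for e in events:
        if e["port"] != 53 and e["domain"]:
            flows[e["domain"]].add((e["ip"], e["port"]))
    findings = {}
    for domain, n in lookups.items():
        reasons = []
        if parent_zone(domain) in DYNDNS_ZONES:
            reasons.append("dynamic DNS zone")
        if not flows.get(domain):
            reasons.append(f"{n} lookups with no follow-on connection (unresolved, sinkholed or not yet retried)")
        findings[domain] = {
            "lookups": n,
            "connections": sorted(flows.get(domain, ())),
            "reasons": reasons,
        }
    return findings


def unattributed_flows(rows):
    """Flows with no domain column; these need PCAP (TLS SNI, HTTP Host) before attribution."""
    events = [e for e in map(parse_row, rows) if e]
    return sorted({(e["ip"], e["port"]) for e in events if e["port"] != 53 and not e["domain"]})


if __name__ == "__main__":
    for domain, info in summarize(NETWORK_ROWS).items():
        print(domain, info)
    print("unattributed:", unattributed_flows(NETWORK_ROWS))
```

The three unattributed flows (ports 80 and 443 to infrastructure that the sandbox could not tie to a name) should be resolved from the capture before they are added to a blocklist; background Windows and CDN traffic routinely shows up in this column, and the Suricata LokiBot hits in the summary are already tied to the saftygroup.com flows.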

Files

memory/4944-130-0x0000000000000000-mapping.dmp

memory/4944-131-0x0000000000400000-0x0000000000506000-memory.dmp

memory/4944-133-0x0000000000400000-0x0000000000505A70-memory.dmp

memory/3812-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\server.exe

MD5 559bc352357254d75b6086f0d452340c
SHA1 01c5a2b92d124e0e4da5e77b6e3c9921393c1b9c
SHA256 6d5de5a65be7beb73921ac55c71ff76bc2246e370d4d98ac887040f1f937a3b9
SHA512 1734d73c209629b86e7d4923e3cd21b76fdbeb77c23155758a67d65cffeff300af7c50a93b922e8b4f33978e5f09ce052cb5be71831980ced24d22d915bc3ecd

C:\Users\Admin\AppData\Local\Temp\server.exe

MD5 559bc352357254d75b6086f0d452340c
SHA1 01c5a2b92d124e0e4da5e77b6e3c9921393c1b9c
SHA256 6d5de5a65be7beb73921ac55c71ff76bc2246e370d4d98ac887040f1f937a3b9
SHA512 1734d73c209629b86e7d4923e3cd21b76fdbeb77c23155758a67d65cffeff300af7c50a93b922e8b4f33978e5f09ce052cb5be71831980ced24d22d915bc3ecd

memory/4356-137-0x0000000000000000-mapping.dmp

C:\Windows\InstallDir\Server.exe

MD5 559bc352357254d75b6086f0d452340c
SHA1 01c5a2b92d124e0e4da5e77b6e3c9921393c1b9c
SHA256 6d5de5a65be7beb73921ac55c71ff76bc2246e370d4d98ac887040f1f937a3b9
SHA512 1734d73c209629b86e7d4923e3cd21b76fdbeb77c23155758a67d65cffeff300af7c50a93b922e8b4f33978e5f09ce052cb5be71831980ced24d22d915bc3ecd

memory/4352-139-0x0000000000000000-mapping.dmp

memory/4944-140-0x0000000000400000-0x0000000000505A70-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uxmi.jar

MD5 4990001bbec12f043e4e92545d8b6a7e
SHA1 198ab311ffb25b93b798b2b70476bf17004fc2b8
SHA256 81be62be1456b63d98ed94fc4f48ff20a9fa6edb38289c460806a77572cb51c8
SHA512 ab9f1399ecebad646054e3f0d1b6a701f3e5f10b01a2c8ecf9455bd18138b6a0a4aeb0375ab98c3b5117dcf9bab4cdcce47f77f75827cc39efded5135006c0f1

memory/4356-142-0x0000000000C80000-0x0000000000D08000-memory.dmp

memory/4596-143-0x0000000000000000-mapping.dmp

memory/4776-144-0x0000000000000000-mapping.dmp

memory/4776-145-0x0000000000C80000-0x0000000000D08000-memory.dmp

memory/4596-146-0x0000000000C80000-0x0000000000D08000-memory.dmp

memory/3968-148-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\116azili.exe

MD5 550b95d85c6d3fdb343a161b379d75c5
SHA1 86b36eb1bbd9ff428bfe5d266449a6f63ddc5070
SHA256 e93c8786119587a0e626057104cb04d4dc8f2308ca570ad1638d7a266971441e
SHA512 a5f8a2b0aa525730aa75c9c8bfa3ba7ada33bf94953194614666eef63a43117b7f5bbdee6cb054283537dfb14a96cc0d2829f1300ef8f5eb2587a85a713db7f8

C:\Users\Admin\AppData\Local\Temp\116azili.exe

MD5 550b95d85c6d3fdb343a161b379d75c5
SHA1 86b36eb1bbd9ff428bfe5d266449a6f63ddc5070
SHA256 e93c8786119587a0e626057104cb04d4dc8f2308ca570ad1638d7a266971441e
SHA512 a5f8a2b0aa525730aa75c9c8bfa3ba7ada33bf94953194614666eef63a43117b7f5bbdee6cb054283537dfb14a96cc0d2829f1300ef8f5eb2587a85a713db7f8

memory/3968-152-0x0000000000400000-0x0000000000513000-memory.dmp

memory/4352-153-0x0000000003190000-0x0000000004190000-memory.dmp

memory/4596-161-0x0000000000C80000-0x0000000000D08000-memory.dmp

memory/4352-162-0x0000000003190000-0x0000000004190000-memory.dmp

memory/2936-163-0x0000000000000000-mapping.dmp

memory/2936-164-0x0000000000400000-0x00000000004A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\116azili.exe

MD5 550b95d85c6d3fdb343a161b379d75c5
SHA1 86b36eb1bbd9ff428bfe5d266449a6f63ddc5070
SHA256 e93c8786119587a0e626057104cb04d4dc8f2308ca570ad1638d7a266971441e
SHA512 a5f8a2b0aa525730aa75c9c8bfa3ba7ada33bf94953194614666eef63a43117b7f5bbdee6cb054283537dfb14a96cc0d2829f1300ef8f5eb2587a85a713db7f8

C:\Users\Admin\AppData\Roaming\Microsoft\Skype.exe

MD5 550b95d85c6d3fdb343a161b379d75c5
SHA1 86b36eb1bbd9ff428bfe5d266449a6f63ddc5070
SHA256 e93c8786119587a0e626057104cb04d4dc8f2308ca570ad1638d7a266971441e
SHA512 a5f8a2b0aa525730aa75c9c8bfa3ba7ada33bf94953194614666eef63a43117b7f5bbdee6cb054283537dfb14a96cc0d2829f1300ef8f5eb2587a85a713db7f8

memory/2936-168-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/3968-169-0x0000000000400000-0x0000000000513000-memory.dmp

memory/2936-170-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/2428-171-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\_0.6824658843038574009752154300359433.class

MD5 781fb531354d6f291f1ccab48da6d39f
SHA1 9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68
SHA256 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
SHA512 3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

memory/2428-178-0x0000000003290000-0x0000000004290000-memory.dmp

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5 15aed1010627393bffef097610905b36
SHA1 4d590bcbb91d19986396f0005b07d1d23480c06f
SHA256 ea9f5f78673dac7656caa1c5ec8d6472a741d909d3f9fdef7b5034604772cb13
SHA512 96e88f425206ae4ff74697105de83649b0d5d0eae3ede83e6d0b55111dfb9b85b6108cfd0f3e1714624e56563a9081e0902d1c1a03960d55fcffd6c290ad0df8

memory/2936-184-0x0000000000400000-0x00000000004A2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1081944012-3634099177-1681222835-1000\83aa4cc77f591dfc2374580bbd95f6ba_20e30e2f-4677-4eb9-89e6-7dd1fd044635

MD5 c8366ae350e7019aefc9d1e6e6a498c6
SHA1 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
SHA256 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
SHA512 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

memory/4352-189-0x0000000003190000-0x0000000004190000-memory.dmp

memory/2428-190-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2428-191-0x0000000003290000-0x0000000004290000-memory.dmp

memory/4352-194-0x0000000003190000-0x0000000004190000-memory.dmp

memory/2428-197-0x0000000003290000-0x0000000004290000-memory.dmp

memory/4352-198-0x0000000003190000-0x0000000004190000-memory.dmp

memory/4352-199-0x0000000003190000-0x0000000004190000-memory.dmp