lokibot | 8023da7bf6499317b973b0b423e6610f86a7107b778c4381cc9c3f42b145be5e

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-05-2024 11:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7e564b0c4a97f8d7d6e981bc78e0140_NeikiAnalytics.exe
Size

586KB
MD5

d7e564b0c4a97f8d7d6e981bc78e0140
SHA1

4f73bbf45bb5e1f49e2a556df46dcf62f4fe744a
SHA256

8023da7bf6499317b973b0b423e6610f86a7107b778c4381cc9c3f42b145be5e
SHA512

a8f0c29a3f3625f33c2238f2077f8273c4a6384b5a2e3fb6407ed059ebee53310708797f43b013283c3a43ce1ad8822b47189749e15e07a79eaac801b376d2eb
SSDEEP

12288:yuTT2zB704xh6qVuovw322Ma3D6AiCBoh:yqT2z5t6q03CzLCBoh

Score

10^/10

lokibot collection persistence spyware stealer trojan upx

Malware Config

Extracted

Family

lokibot

http://tokimecltd.ru/can/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Drops startup file 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 64 IoCs

Processes:

1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz1.xyz

pid	process
2956	1.xyz
2308	1.xyz
2544	1.xyz
2644	1.xyz
2732	1.xyz
2632	1.xyz
2572	1.xyz
2092	1.xyz
2588	1.xyz
2600	1.xyz
2744	1.xyz
2464	1.xyz
3048	1.xyz
2484	1.xyz
2492	1.xyz
2432	1.xyz
2480	1.xyz
2516	1.xyz
2612	1.xyz
2296	1.xyz
1680	1.xyz
1436	1.xyz
2976	1.xyz
3024	1.xyz
3004	1.xyz
2772	1.xyz
2768	1.xyz
2332	1.xyz
2424	1.xyz
2616	1.xyz
3036	1.xyz
2696	1.xyz
2684	1.xyz
2692	1.xyz
2780	1.xyz
2528	1.xyz
2540	1.xyz
2816	1.xyz
2840	1.xyz
2856	1.xyz
2384	1.xyz
2060	1.xyz
1892	1.xyz
632	1.xyz
1228	1.xyz
1520	1.xyz
1332	1.xyz
1396	1.xyz
2104	1.xyz
1792	1.xyz
2084	1.xyz
2028	1.xyz
2064	1.xyz
2100	1.xyz
2236	1.xyz
2080	1.xyz
1932	1.xyz
2912	1.xyz
2420	1.xyz
1608	1.xyz
2396	1.xyz
2920	1.xyz
1252	1.xyz
776	1.xyz

Loads dropped DLL 64 IoCs

Processes:

d7e564b0c4a97f8d7d6e981bc78e0140_NeikiAnalytics.exe1.xyz

pid	process
2152	d7e564b0c4a97f8d7d6e981bc78e0140_NeikiAnalytics.exe
2152	d7e564b0c4a97f8d7d6e981bc78e0140_NeikiAnalytics.exe
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz
2956	1.xyz

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz	upx
behavioral1/memory/2152-10-0x0000000000E00000-0x0000000000EC5000-memory.dmp	upx
behavioral1/memory/2956-71-0x0000000002000000-0x00000000020C5000-memory.dmp	upx
behavioral1/memory/2956-108-0x00000000037B0000-0x0000000003875000-memory.dmp	upx

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

1.xyz

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1.xyz
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	1.xyz
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1.xyz

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d7e564b0c4a97f8d7d6e981bc78e0140_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d7e564b0c4a97f8d7d6e981bc78e0140_NeikiAnalytics.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1.xyz

description pid process target process

PID 2956 set thread context of 452 2956 1.xyz 1.xyz
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

1.xyz

pid process

2956 1.xyz
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1.xyz

description pid process

Token: SeDebugPrivilege 452 1.xyz
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

1.xyz

pid process

2956 1.xyz
2956 1.xyz

description	pid	process	target process
PID 2956 set thread context of 452	2956	1.xyz	1.xyz

description	pid	process
Token: SeDebugPrivilege	452	1.xyz

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d7e564b0c4a97f8d7d6e981bc78e0140_NeikiAnalytics.exe1.xyz

description	pid	process	target process
PID 2152 wrote to memory of 2956	2152	d7e564b0c4a97f8d7d6e981bc78e0140_NeikiAnalytics.exe	1.xyz
PID 2152 wrote to memory of 2956	2152	d7e564b0c4a97f8d7d6e981bc78e0140_NeikiAnalytics.exe	1.xyz
PID 2152 wrote to memory of 2956	2152	d7e564b0c4a97f8d7d6e981bc78e0140_NeikiAnalytics.exe	1.xyz
PID 2152 wrote to memory of 2956	2152	d7e564b0c4a97f8d7d6e981bc78e0140_NeikiAnalytics.exe	1.xyz
PID 2152 wrote to memory of 2956	2152	d7e564b0c4a97f8d7d6e981bc78e0140_NeikiAnalytics.exe	1.xyz
PID 2152 wrote to memory of 2956	2152	d7e564b0c4a97f8d7d6e981bc78e0140_NeikiAnalytics.exe	1.xyz
PID 2152 wrote to memory of 2956	2152	d7e564b0c4a97f8d7d6e981bc78e0140_NeikiAnalytics.exe	1.xyz
PID 2956 wrote to memory of 2532	2956	1.xyz	cmd.exe
PID 2956 wrote to memory of 2532	2956	1.xyz	cmd.exe
PID 2956 wrote to memory of 2532	2956	1.xyz	cmd.exe
PID 2956 wrote to memory of 2532	2956	1.xyz	cmd.exe
PID 2956 wrote to memory of 2532	2956	1.xyz	cmd.exe
PID 2956 wrote to memory of 2532	2956	1.xyz	cmd.exe
PID 2956 wrote to memory of 2532	2956	1.xyz	cmd.exe
PID 2956 wrote to memory of 2308	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2308	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2308	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2308	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2308	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2308	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2308	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2544	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2544	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2544	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2544	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2544	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2544	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2544	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2644	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2644	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2644	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2644	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2644	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2644	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2644	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2732	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2732	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2732	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2732	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2732	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2732	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2732	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2632	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2632	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2632	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2632	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2632	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2632	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2632	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2572	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2572	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2572	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2572	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2572	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2572	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2572	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2092	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2092	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2092	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2092	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2092	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2092	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2092	2956	1.xyz	1.xyz
PID 2956 wrote to memory of 2588	2956	1.xyz	1.xyz

outlook_office_path 1 IoCs

Processes:

1.xyz

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1.xyz

outlook_win_path 1 IoCs

Processes:

1.xyz

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1.xyz

C:\Users\Admin\AppData\Local\Temp\d7e564b0c4a97f8d7d6e981bc78e0140_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d7e564b0c4a97f8d7d6e981bc78e0140_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
    3⤵
    - Drops startup file
    PID:2532
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2308
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2544
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2644
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2732
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2632
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2572
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2092
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2588
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2600
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2744
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2464
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:3048
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2484
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2492
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2432
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2480
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2516
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2612
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2296
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:1680
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:1436
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2976
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:3024
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:3004
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2772
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2768
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2332
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2424
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2616
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:3036
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2696
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2684
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2692
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2780
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2540
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2528
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2816
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2840
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2384
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2856
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:1892
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2060
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:632
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:1228
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:1520
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:1332
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:1396
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:1792
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2104
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2084
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2028
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2064
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2100
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2236
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:1932
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2080
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2912
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2420
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:1608
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2396
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:1252
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:2920
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Executes dropped EXE
    PID:776
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    PID:596
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    PID:1128
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    PID:1500
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    PID:1644
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    PID:2620
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    PID:1100
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    PID:816
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    PID:1848
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    PID:1744
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    PID:1996
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    PID:900
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    PID:1536
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    PID:344
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    PID:1584
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    PID:960
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    PID:384
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    3⤵
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\CSIDL_

Filesize
148KB

MD5
9253b3d4b04d192afd66b48a739c9f65

SHA1
093050d1f6abd715df28e514972801a1df98032d

SHA256
4f8d7226fceade3c34822521b37292286ce123e49a5e1d007123990c60753840

SHA512
3912a3150b9f84089d637aac5f211f6f5d49bc35b1d75b76bd275afa6a12101086cfdd61b10ded0288f0032364362a9d3b5b645d28ae1b785ad7065a4f1241c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2297530677-1229052932-2803917579-1000\0f5007522459c86e95ffcc62f32308f1_63be8c66-23f0-4400-84bb-c1a439222555

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2297530677-1229052932-2803917579-1000\0f5007522459c86e95ffcc62f32308f1_63be8c66-23f0-4400-84bb-c1a439222555

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz

Filesize
221KB

MD5
2fd4cfe2f48873740b14fdbc6564960e

SHA1
dcb894b282d4a25c339b1527817914ecc2f79deb

SHA256
0b6f9f71ef12a98837b7b4a49972bc4017ff2d70a12943ae6b531492c5a9a637

SHA512
b1715429977d7ba2221443c5f99e8682ef703a8453ca41053dbfc64005f5ae42821010379be1fe79ae33ce27db9be35409c12317c34a1a54116a6240a2717617

Download Submit
memory/452-142-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/452-126-0x0000000000400000-0x0000000000688000-memory.dmp

Filesize
2.5MB

Download
memory/452-130-0x0000000000400000-0x0000000000688000-memory.dmp

Filesize
2.5MB

Download
memory/452-138-0x0000000000400000-0x0000000000688000-memory.dmp

Filesize
2.5MB

Download
memory/452-143-0x0000000000400000-0x0000000000688000-memory.dmp

Filesize
2.5MB

Download
memory/452-128-0x0000000000400000-0x0000000000688000-memory.dmp

Filesize
2.5MB

Download
memory/452-134-0x0000000000400000-0x0000000000688000-memory.dmp

Filesize
2.5MB

Download
memory/452-144-0x0000000000400000-0x0000000000688000-memory.dmp

Filesize
2.5MB

Download
memory/452-145-0x0000000000400000-0x0000000000688000-memory.dmp

Filesize
2.5MB

Download
memory/452-124-0x0000000000400000-0x0000000000688000-memory.dmp

Filesize
2.5MB

Download
memory/452-140-0x0000000000400000-0x0000000000688000-memory.dmp

Filesize
2.5MB

Download
memory/452-122-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/452-136-0x0000000000400000-0x0000000000688000-memory.dmp

Filesize
2.5MB

Download
memory/452-132-0x0000000000400000-0x0000000000688000-memory.dmp

Filesize
2.5MB

Download
memory/2152-11-0x0000000000E00000-0x0000000000EC5000-memory.dmp

Filesize
788KB

Download
memory/2152-10-0x0000000000E00000-0x0000000000EC5000-memory.dmp

Filesize
788KB

Download
memory/2152-53-0x0000000000E00000-0x0000000000EC5000-memory.dmp

Filesize
788KB

Download
memory/2956-89-0x00000000037B0000-0x0000000003875000-memory.dmp

Filesize
788KB

Download
memory/2956-114-0x00000000037B0000-0x0000000003875000-memory.dmp

Filesize
788KB

Download
memory/2956-103-0x00000000037B0000-0x0000000003875000-memory.dmp

Filesize
788KB

Download
memory/2956-106-0x00000000037B0000-0x0000000003875000-memory.dmp

Filesize
788KB

Download
memory/2956-105-0x00000000037B0000-0x0000000003875000-memory.dmp

Filesize
788KB

Download
memory/2956-107-0x00000000037B0000-0x0000000003875000-memory.dmp

Filesize
788KB

Download
memory/2956-102-0x00000000037B0000-0x0000000003875000-memory.dmp

Filesize
788KB

Download
memory/2956-104-0x00000000037B0000-0x0000000003875000-memory.dmp

Filesize
788KB

Download
memory/2956-101-0x00000000037B0000-0x0000000003875000-memory.dmp

Filesize
788KB

Download
memory/2956-100-0x00000000037B0000-0x0000000003875000-memory.dmp

Filesize
788KB

Download
memory/2956-108-0x00000000037B0000-0x0000000003875000-memory.dmp

Filesize
788KB

Download
memory/2956-112-0x00000000037B0000-0x0000000003875000-memory.dmp

Filesize
788KB

Download
memory/2956-121-0x00000000037B0000-0x0000000003875000-memory.dmp

Filesize
788KB

Download
memory/2956-117-0x00000000037B0000-0x0000000003875000-memory.dmp

Filesize
788KB

Download
memory/2956-116-0x00000000037B0000-0x0000000003875000-memory.dmp

Filesize
788KB

Download
memory/2956-120-0x00000000037B0000-0x0000000003875000-memory.dmp

Filesize
788KB

Download
memory/2956-119-0x00000000037B0000-0x0000000003875000-memory.dmp

Filesize
788KB

Download
memory/2956-118-0x00000000037B0000-0x0000000003875000-memory.dmp

Filesize
788KB

Download
memory/2956-115-0x00000000037B0000-0x0000000003875000-memory.dmp

Filesize
788KB

Download
memory/2956-98-0x00000000037B0000-0x0000000003875000-memory.dmp

Filesize
788KB

Download
memory/2956-113-0x00000000037B0000-0x0000000003875000-memory.dmp

Filesize
788KB

Download
memory/2956-110-0x00000000037B0000-0x0000000003875000-memory.dmp

Filesize
788KB

Download
memory/2956-111-0x00000000037B0000-0x0000000003875000-memory.dmp

Filesize
788KB

Download
memory/2956-109-0x00000000037B0000-0x0000000003875000-memory.dmp

Filesize
788KB

Download
memory/2956-99-0x00000000037B0000-0x0000000003875000-memory.dmp

Filesize
788KB

Download
memory/2956-58-0x00000000037B0000-0x0000000003875000-memory.dmp

Filesize
788KB

Download
memory/2956-59-0x00000000037B0000-0x0000000003875000-memory.dmp

Filesize
788KB

Download
memory/2956-97-0x00000000037B0000-0x0000000003875000-memory.dmp

Filesize
788KB

Download
memory/2956-94-0x00000000037B0000-0x0000000003875000-memory.dmp

Filesize
788KB

Download
memory/2956-69-0x00000000037B0000-0x0000000003875000-memory.dmp

Filesize
788KB

Download
memory/2956-70-0x00000000037B0000-0x0000000003875000-memory.dmp

Filesize
788KB

Download
memory/2956-71-0x0000000002000000-0x00000000020C5000-memory.dmp

Filesize
788KB

Download
memory/2956-72-0x00000000037B0000-0x0000000003875000-memory.dmp

Filesize
788KB

Download
memory/2956-77-0x00000000037B0000-0x0000000003875000-memory.dmp

Filesize
788KB

Download
memory/2956-78-0x00000000037B0000-0x0000000003875000-memory.dmp

Filesize
788KB

Download
memory/2956-79-0x00000000037B0000-0x0000000003875000-memory.dmp

Filesize
788KB

Download
memory/2956-82-0x00000000037B0000-0x0000000003875000-memory.dmp

Filesize
788KB

Download
memory/2956-68-0x00000000037B0000-0x0000000003875000-memory.dmp

Filesize
788KB

Download
memory/2956-22-0x00000000002A0000-0x00000000002A5000-memory.dmp

Filesize
20KB

Download
memory/2956-21-0x0000000000280000-0x0000000000282000-memory.dmp

Filesize
8KB

Download