Analysis
- max time kernel: 143s
- max time network: 129s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-05-2024 11:53
- Static task: static1
- Behavioral task: behavioral1
  - Sample: d7e564b0c4a97f8d7d6e981bc78e0140_NeikiAnalytics.exe
  - Resource: win7-20240221-en
- Behavioral task: behavioral2
  - Sample: d7e564b0c4a97f8d7d6e981bc78e0140_NeikiAnalytics.exe
  - Resource: win10v2004-20240508-en
General
- Target: d7e564b0c4a97f8d7d6e981bc78e0140_NeikiAnalytics.exe
- Size: 586KB
- MD5: d7e564b0c4a97f8d7d6e981bc78e0140
- SHA1: 4f73bbf45bb5e1f49e2a556df46dcf62f4fe744a
- SHA256: 8023da7bf6499317b973b0b423e6610f86a7107b778c4381cc9c3f42b145be5e
- SHA512: a8f0c29a3f3625f33c2238f2077f8273c4a6384b5a2e3fb6407ed059ebee53310708797f43b013283c3a43ce1ad8822b47189749e15e07a79eaac801b376d2eb
- SSDEEP: 12288:yuTT2zB704xh6qVuovw322Ma3D6AiCBoh:yqT2z5t6q03CzLCBoh
Malware Config
- Extracted family: lokibot
- URLs:
  - http://tokimecltd.ru/can/five/fre.php
  - http://kbfvzoboss.bid/alien/fre.php
  - http://alphastand.trade/alien/fre.php
  - http://alphastand.win/alien/fre.php
  - http://alphastand.top/alien/fre.php
Signatures

Drops startup file (1 IoC)
Processes:
- description: File created; ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs; process: cmd.exe
Executes dropped EXE (64 IoCs)
Processes: 1.xyz
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Processes (resource / yara_rule):
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz: upx
- behavioral2/memory/2972-7-0x0000000002000000-0x00000000020C5000-memory.dmp: upx
- behavioral2/memory/2972-35-0x0000000002000000-0x00000000020C5000-memory.dmp: upx
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes:
- description: Key opened; ioc: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook; process: 1.xyz
- description: Key opened; ioc: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook; process: 1.xyz
- description: Key opened; ioc: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook; process: 1.xyz
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""; process: d7e564b0c4a97f8d7d6e981bc78e0140_NeikiAnalytics.exe
Suspicious use of SetThreadContext (1 IoC)
Processes:
- description: PID 2972 set thread context of 3644; pid: 2972; process: 1.xyz; target process: 1.xyz
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid / process):
- 2972 1.xyz
- 2972 1.xyz
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- description: Token: SeDebugPrivilege; pid: 3644; process: 1.xyz
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes (pid / process):
- 2972 1.xyz
- 2972 1.xyz
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: d7e564b0c4a97f8d7d6e981bc78e0140_NeikiAnalytics.exe, 1.xyz
outlook_office_path (1 IoC)
Processes:
- description: Key opened; ioc: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook; process: 1.xyz
outlook_win_path (1 IoC)
Processes:
- description: Key opened; ioc: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook; process: 1.xyz
Processes
- C:\Users\Admin\AppData\Local\Temp\d7e564b0c4a97f8d7d6e981bc78e0140_NeikiAnalytics.exe (PID 628)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d7e564b0c4a97f8d7d6e981bc78e0140_NeikiAnalytics.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 2972)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2448)
      Command line: C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
      - Drops startup file
    Child processes of PID 2972, each started with command line C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (identical to its image path):
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 1744): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 1764): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 4616): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 3824): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 3484): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 4824): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 636): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 4960): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 3320): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 4620): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 5112): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 1756): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 5044): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 1280): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 692): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 4532): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 2088): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 5084): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 4828): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 864): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 4056): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 3236): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 428): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 3328): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 4976): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 452): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 2648): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 2420): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 4500): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 2676): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 2768): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 648): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 2280): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 1884): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 1616): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 2976): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 3352): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 2636): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 612): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 3460): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 2208): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 2640): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 4080): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 3524): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 1328): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 3176): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 4952): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 4852): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 960): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 4388): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 2128): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 4276): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 2948): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 4252): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 1036): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 3820): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 1116): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 5064): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 3056): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 1640): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 2460): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 4808): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 1480): Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 5000): no signatures
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 1104): no signatures
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 1628): no signatures
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 2324): no signatures
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 3900): no signatures
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 4780): no signatures
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 3196): no signatures
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 4428): no signatures
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 3684): no signatures
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 3768): no signatures
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 1196): no signatures
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 4120): no signatures
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 4288): no signatures
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 3464): no signatures
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 3752): no signatures
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 544): no signatures
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 3644)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Downloads
- File (no path listed)
  - Filesize: 148KB
  - MD5: 9253b3d4b04d192afd66b48a739c9f65
  - SHA1: 093050d1f6abd715df28e514972801a1df98032d
  - SHA256: 4f8d7226fceade3c34822521b37292286ce123e49a5e1d007123990c60753840
  - SHA512: 3912a3150b9f84089d637aac5f211f6f5d49bc35b1d75b76bd275afa6a12101086cfdd61b10ded0288f0032364362a9d3b5b645d28ae1b785ad7065a4f1241c7
- File (no path listed)
  - Filesize: 221KB
  - MD5: 2fd4cfe2f48873740b14fdbc6564960e
  - SHA1: dcb894b282d4a25c339b1527817914ecc2f79deb
  - SHA256: 0b6f9f71ef12a98837b7b4a49972bc4017ff2d70a12943ae6b531492c5a9a637
  - SHA512: b1715429977d7ba2221443c5f99e8682ef703a8453ca41053dbfc64005f5ae42821010379be1fe79ae33ce27db9be35409c12317c34a1a54116a6240a2717617
- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1337824034-2731376981-3755436523-1000\0f5007522459c86e95ffcc62f32308f1_6833eb7b-8d4b-4cdd-9502-9bbf7fc1cf9f
  - Filesize: 46B
  - MD5: d898504a722bff1524134c6ab6a5eaa5
  - SHA1: e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
  - SHA256: 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
  - SHA512: 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61
- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1337824034-2731376981-3755436523-1000\0f5007522459c86e95ffcc62f32308f1_6833eb7b-8d4b-4cdd-9502-9bbf7fc1cf9f
  - Filesize: 46B
  - MD5: c07225d4e7d01d31042965f048728a0a
  - SHA1: 69d70b340fd9f44c89adb9a2278df84faa9906b7
  - SHA256: 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
  - SHA512: 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b