hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/raw/master/Virus/MadMan[.]exe

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/raw/master/Virus/MadMan.exe

Score

8^/10

agilenet

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

Lokibot.exeLokibot.exeLokibot.exe

pid process

1484 Lokibot.exe
2756 Lokibot.exe
2480 Lokibot.exe

pid	process
1484	Lokibot.exe
2756	Lokibot.exe
2480	Lokibot.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1484-147-0x0000000003320000-0x0000000003334000-memory.dmp	agile_net

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

5 raw.githubusercontent.com
6 raw.githubusercontent.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

Lokibot.exe

description pid process target process

PID 1484 set thread context of 2756 1484 Lokibot.exe Lokibot.exe

flow	ioc
5	raw.githubusercontent.com
6	raw.githubusercontent.com

description	pid	process	target process
PID 1484 set thread context of 2756	1484	Lokibot.exe	Lokibot.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133599263520579458"	chrome.exe

Modifies registry class 1 IoCs

Processes:

taskmgr.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings taskmgr.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

chrome.exeLokibot.exetaskmgr.exechrome.exeLokibot.exe

pid	process
1192	chrome.exe
1192	chrome.exe
1484	Lokibot.exe
1192	chrome.exe
1192	chrome.exe
3632	taskmgr.exe
3632	taskmgr.exe
1484	Lokibot.exe
1484	Lokibot.exe
1484	Lokibot.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
4900	chrome.exe
4900	chrome.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
2480	Lokibot.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

1192 chrome.exe
1192 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe
3632	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

chrome.exe

pid process

1192 chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1192 wrote to memory of 2668	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2668	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2524	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2524	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2524	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2524	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2524	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2524	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2524	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2524	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2524	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2524	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2524	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2524	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2524	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2524	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2524	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2524	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2524	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2524	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2524	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2524	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2524	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2524	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2524	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2524	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2524	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2524	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2524	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2524	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2524	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2524	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2524	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 1032	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 1032	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 1028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 1028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 1028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 1028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 1028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 1028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 1028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 1028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 1028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 1028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 1028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 1028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 1028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 1028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 1028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 1028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 1028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 1028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 1028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 1028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 1028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 1028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 1028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 1028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 1028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 1028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 1028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 1028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 1028	1192	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/raw/master/Virus/MadMan.exe
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ffe6b4aab58,0x7ffe6b4aab68,0x7ffe6b4aab78
2⤵
PID:2668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1836,i,6368079564513269094,1862948493521389012,131072 /prefetch:2
2⤵
PID:2524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1836,i,6368079564513269094,1862948493521389012,131072 /prefetch:8
2⤵
PID:1032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1836,i,6368079564513269094,1862948493521389012,131072 /prefetch:8
2⤵
PID:1028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1836,i,6368079564513269094,1862948493521389012,131072 /prefetch:1
2⤵
PID:1984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1836,i,6368079564513269094,1862948493521389012,131072 /prefetch:1
2⤵
PID:1912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4500 --field-trial-handle=1836,i,6368079564513269094,1862948493521389012,131072 /prefetch:8
2⤵
PID:1320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4540 --field-trial-handle=1836,i,6368079564513269094,1862948493521389012,131072 /prefetch:8
2⤵
PID:4760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4552 --field-trial-handle=1836,i,6368079564513269094,1862948493521389012,131072 /prefetch:8
2⤵
PID:3792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 --field-trial-handle=1836,i,6368079564513269094,1862948493521389012,131072 /prefetch:8
2⤵
PID:4680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4664 --field-trial-handle=1836,i,6368079564513269094,1862948493521389012,131072 /prefetch:8
2⤵
PID:2252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3032 --field-trial-handle=1836,i,6368079564513269094,1862948493521389012,131072 /prefetch:8
2⤵
PID:2148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4704 --field-trial-handle=1836,i,6368079564513269094,1862948493521389012,131072 /prefetch:8
2⤵
PID:3264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=1836,i,6368079564513269094,1862948493521389012,131072 /prefetch:8
2⤵
PID:2748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 --field-trial-handle=1836,i,6368079564513269094,1862948493521389012,131072 /prefetch:8
2⤵
PID:4548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 --field-trial-handle=1836,i,6368079564513269094,1862948493521389012,131072 /prefetch:8
2⤵
PID:5020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5516 --field-trial-handle=1836,i,6368079564513269094,1862948493521389012,131072 /prefetch:8
2⤵
PID:2988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5056 --field-trial-handle=1836,i,6368079564513269094,1862948493521389012,131072 /prefetch:8
2⤵
PID:1228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 --field-trial-handle=1836,i,6368079564513269094,1862948493521389012,131072 /prefetch:8
2⤵
PID:2480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5660 --field-trial-handle=1836,i,6368079564513269094,1862948493521389012,131072 /prefetch:8
2⤵
PID:3380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2184 --field-trial-handle=1836,i,6368079564513269094,1862948493521389012,131072 /prefetch:8
2⤵
PID:4488

C:\Users\Admin\Downloads\Lokibot.exe
"C:\Users\Admin\Downloads\Lokibot.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1484

C:\Users\Admin\Downloads\Lokibot.exe
"C:\Users\Admin\Downloads\Lokibot.exe"
3⤵
- Executes dropped EXE
PID:2756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 --field-trial-handle=1836,i,6368079564513269094,1862948493521389012,131072 /prefetch:8
2⤵
PID:1556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5024 --field-trial-handle=1836,i,6368079564513269094,1862948493521389012,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4900

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1524

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3632

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1140

C:\Windows\System32\cwwwvr.exe
"C:\Windows\System32\cwwwvr.exe"
1⤵
PID:4748

C:\Windows\System32\cwwwvr.exe
"C:\Windows\System32\cwwwvr.exe"
1⤵
PID:1752

C:\Windows\System32\cwwwvr.exe
"C:\Windows\System32\cwwwvr.exe"
1⤵
PID:3144

C:\Users\Admin\Downloads\Lokibot.exe
"C:\Users\Admin\Downloads\Lokibot.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2480

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
b95681b67f0a6238b089ad64df0325f9

SHA1
6d7ebfc8947434e51bcbb1034e24972ecf5281e2

SHA256
15da6dd11f671869e33170554632935fa88e5efc662c64bbd132454697c52673

SHA512
430bd9f6f172be41141bd2e198af512fe4ba9fae0b15d3aca681a7646ba290924f4ed5644e43fb90d63c905b2a14bd3c767f95d102d56843e17e4c64b6f3e5e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
691B

MD5
0e76373601239e184e6dd50e36cad7ed

SHA1
a7c75bf1bee950ffebc36ffa7a7ed89f13336c3f

SHA256
5edf8d90eb4290fc09803cc53bf64dcb1943ed85986054a86d88c45ff986f9b4

SHA512
69144107c32563582fd6c2c2163ca9fa390ea621399e526de2b3ac17e2be7c2b95481d57234fdd356c389604f313abdc497841d60840d53bfe9e7d4b3f7dfa58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
691B

MD5
960bb65174849013fb1e7fe844b3d96a

SHA1
822366b605451e8f206fc0c519a4324182814612

SHA256
b92de4a6032f6352b6009480b8779488ed8ec3bc797dc1ee202231d5a5b1e00d

SHA512
f12740251fa4a7f165381f0a725a788f7885b1a4172d38e5972478b57fe3d4927f9915e5a318eba8df81058b88bec2bdd585fb7562bb612ffbc96c9a2b06fb00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
ff78062eeae18f49b2e668e72e6d822a

SHA1
fdc6ed275ca2bd08d7ee44d6ff153f8128574640

SHA256
5d13f133df523e3efaaa69edfb37f94847e3d72a09250c79bc7362d5aa986f1f

SHA512
3eeb2b54ddb7c9587203047ec5e08c3750d91793e5886728b4cee7db4d6ed6bd5eaccf15e06aead8964b5311982ef81f09d7f1954dfb35e6f7c599f3cb81a2e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
5d963cfd2448d13adbb64ac61f1f3681

SHA1
05cdb8abee5e558a96c7b2f68f209513841bc279

SHA256
2430bf362bb5ccaea2a40a5af5d4f74dbbfece83fde816f9e5464e74e3568307

SHA512
70b89ea775b861cfdf06874423eeeeda8fc865a108ee4effffa4622ac14f0d7de19ea365276c327e6081836f021f7ed12d7a2ea5d6ad1f31b4a9694e6e364563

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
0c25858fd3eab777bda51b57b2789072

SHA1
55534ba757790e21f013aa9e84f3bd9c3cfc9ccc

SHA256
348716b554149ca646543dd97b2f2746ad0c0e472ac9a3a65782e00de032a93e

SHA512
cc628024eaf19dd6d2c408437311572908aab25ec34077a2dd6b1fa012a9f139966f91c1f4c821fa2c7c580293a3388ed36fde147aa8c57a546126e2745c7801

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
5b8ca7c1949e998eedfc81e8b6653fec

SHA1
e3106cea3acaa6dd5a77971ec87cbfb2549157d8

SHA256
544594bfea79281fea89622cd6bae1fb4cd3f89a5cf560d2c4cb1d486e4e1b25

SHA512
bbde4c677d5ca0d057040d2e314a4dc5b1a4bbe0b9a43376b3abcffab547c1925962eb0b643f01273f026b3923b6946a9e96f93508602f1b4641b58ae32d0870

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
2412ebe5835824d980e18add17600127

SHA1
02221cc2a3b301782d26e98065457ca2a5186009

SHA256
899ffc01182caaded5b98e24d4633b1ed5ab8421f359c8002a419dd34045722e

SHA512
05147a051cc90ef2799ac436da2aec794558921fa6c455ba6844d5473ba3a0e791c0a2bdd41fd6b2d6432711bcf344866975b5e5ebb5c2c288375af0ef4f9764

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
de39c29b60d7f6d59efedc6d260efba3

SHA1
2893d80170a0965e434802b5cb87cd265ae8e760

SHA256
09a3f3e40365ee2fb622dcf96dc00bb6b1f8527bd6f96640ce522f808b2ffdbe

SHA512
ba1e755f1d9b761f56e4dc6f3b9aa0a32b73536156f67ecbe7398cfc2af126e7bf25f68085b9a58eb36fa39b6a0b2ebcf1c6b785e3eb3752e512b702fd4a52a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
111KB

MD5
c5885d1e3b5f2cb21729e089320d7f5a

SHA1
5da53e87c8a193e66eb446ee3d13eeed3a2227e8

SHA256
cc78a56897b2c6debff1e095edece2dd1b023a03fcfbb13658804f56418b99b7

SHA512
85a7ebab6205a2664e9657437862cffb49553e926ebbd9cd2f7a10150eaa313020baa362721582d823537fed835b79246df51153f0b6cae151d4baad386e52d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
108KB

MD5
e687bdf32294caded7d5c40f1904fdfb

SHA1
3722e83078f278e7d95296bf329294998169134c

SHA256
9a5956acedf0cc0f898b1e190b7e51df78c27ebe32de3905b42bd63b5a6b4e70

SHA512
a889c4bb7bec5e431ba1fc8a083a06c55db1a30c88daf2575569061938a5d58d4c1689f6be7590736fbd1b9ca23bad113b53bc8bc51108115923720c393afad1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57e177.TMP
Filesize
105KB

MD5
6342b956519d93f6d5eeffb4e07791de

SHA1
5eb5384ba2b9c7b8bcf3afa54b4755c5e5d8f34a

SHA256
b0fe3df28fac10e0754932a06af2b4d9a9522cb9182433154b107ab1844abf9e

SHA512
13f52092bc9e861d459c8e8e44d5a76dcbe40dbc0e35f9246e2a3e9c968af1fcab2b5fcd8b6c21e59cbac166c4296b3bdb7d09c7176e632697e38d07da3d005d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Lokibot.exe.log
Filesize
1KB

MD5
75fb5f23856004f43a51708e1df3a6ad

SHA1
80429ec64455773b650e596a10b754920f755b56

SHA256
d8dd963a32a8e97f4c71f3dfcdd8a8e6a9c5ac6124ae571aee4656a5459e5743

SHA512
3f2cec693b765d25eaa865fc20364ae6b1941b3bcd746c8f10741ffed66cffda031b7ccbfd4886092af8a1704d10764c1a1999b95d88c999f5c621c0dbf6e79f

Download Submit
C:\Users\Admin\Downloads\Lokibot.exe.crdownload
Filesize
300KB

MD5
f52fbb02ac0666cae74fc389b1844e98

SHA1
f7721d590770e2076e64f148a4ba1241404996b8

SHA256
a885b1f5377c2a1cead4e2d7261fab6199f83610ffdd35d20c653d52279d4683

SHA512
78b4bf4d048bda5e4e109d4dd9dafaa250eac1c5a3558c2faecf88ef0ee5dd4f2c82a791756e2f5aa42f7890efcc0c420156308689a27e0ad9fb90156b8dc1c0

Download Submit
C:\Users\Admin\Downloads\MadMan.exe
Filesize
2KB

MD5
a56d479405b23976f162f3a4a74e48aa

SHA1
f4f433b3f56315e1d469148bdfd835469526262f

SHA256
17d81134a5957fb758b9d69a90b033477a991c8b0f107d9864dc790ca37e6a23

SHA512
f5594cde50ca5235f7759c9350d4054d7a61b5e61a197dffc04eb8cdef368572e99d212dd406ad296484b5f0f880bdc5ec9e155781101d15083c1564738a900a

Download Submit
\??\pipe\crashpad_1192_HPNZXZZULCOTXYVW
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1484-166-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/1484-147-0x0000000003320000-0x0000000003334000-memory.dmp

Filesize
80KB

Download
memory/1484-165-0x0000000006B50000-0x0000000006B94000-memory.dmp

Filesize
272KB

Download
memory/1484-163-0x0000000006690000-0x0000000006722000-memory.dmp

Filesize
584KB

Download
memory/1484-162-0x0000000005EE0000-0x0000000005EE8000-memory.dmp

Filesize
32KB

Download
memory/1484-150-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/1484-149-0x0000000005F00000-0x00000000064A4000-memory.dmp

Filesize
5.6MB

Download
memory/1484-222-0x000000007484E000-0x000000007484F000-memory.dmp

Filesize
4KB

Download
memory/1484-146-0x0000000000EE0000-0x0000000000F32000-memory.dmp

Filesize
328KB

Download
memory/1484-208-0x0000000006900000-0x0000000006922000-memory.dmp

Filesize
136KB

Download
memory/1484-145-0x000000007484E000-0x000000007484F000-memory.dmp

Filesize
4KB

Download
memory/1484-228-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/1484-224-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/1484-164-0x00000000068C0000-0x00000000068C8000-memory.dmp

Filesize
32KB

Download
memory/1484-223-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/3632-221-0x0000017E14E70000-0x0000017E14E71000-memory.dmp

Filesize
4KB

Download
memory/3632-218-0x0000017E14E70000-0x0000017E14E71000-memory.dmp

Filesize
4KB

Download
memory/3632-217-0x0000017E14E70000-0x0000017E14E71000-memory.dmp

Filesize
4KB

Download
memory/3632-216-0x0000017E14E70000-0x0000017E14E71000-memory.dmp

Filesize
4KB

Download
memory/3632-215-0x0000017E14E70000-0x0000017E14E71000-memory.dmp

Filesize
4KB

Download
memory/3632-219-0x0000017E14E70000-0x0000017E14E71000-memory.dmp

Filesize
4KB

Download
memory/3632-220-0x0000017E14E70000-0x0000017E14E71000-memory.dmp

Filesize
4KB

Download
memory/3632-211-0x0000017E14E70000-0x0000017E14E71000-memory.dmp

Filesize
4KB

Download
memory/3632-210-0x0000017E14E70000-0x0000017E14E71000-memory.dmp

Filesize
4KB

Download
memory/3632-209-0x0000017E14E70000-0x0000017E14E71000-memory.dmp

Filesize
4KB

Download