lokibot | bd3b6502224d6aa64a38ec8854d9aa4d015c803b90bf5ccc2527f5d3021fbaf8

Analysis

max time kernel
125s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14-05-2024 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3dab021a3f3de36764faea9bdf6a58a4_JaffaCakes118.msi
Size

412KB
MD5

3dab021a3f3de36764faea9bdf6a58a4
SHA1

db94f26d20b10730445deb16a1c2b521b4f15849
SHA256

bd3b6502224d6aa64a38ec8854d9aa4d015c803b90bf5ccc2527f5d3021fbaf8
SHA512

8ef5db5de0e100f06f45b34cd28b564b3cc792fd284fcd87f647b3c35683114751925359b65f5aec829dd65ed8c3e99ec889275c7d6e6f2d179c8b7c855af998
SSDEEP

12288:yEHgAVG3oSEKyNJD4xEbMMEOn8c23H93:yEAlyVNJD8qR8c2X

Score

10^/10

lokibot zgrat agilenet collection persistence rat spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://agroinovate.online/baminews/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral1/memory/2672-14-0x0000000000520000-0x0000000000548000-memory.dmp	family_zgrat_v1

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/2672-14-0x0000000000520000-0x0000000000548000-memory.dmp	agile_net

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Local\\svchost.exe -boot"	svchost.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 772 set thread context of 1836	772	svchost.exe	40

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\f76e7c0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEBA8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f76e7c3.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIEB68.tmp	msiexec.exe
File created	C:\Windows\Installer\f76e7c0.msi	msiexec.exe
File created	C:\Windows\Installer\f76e7c3.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Executes dropped EXE 3 IoCs

pid	Process
2672	MSIEBA8.tmp
772	svchost.exe
1836	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2932	msiexec.exe
2932	msiexec.exe
2672	MSIEBA8.tmp
772	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2656	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2656	msiexec.exe
Token: SeRestorePrivilege	2932	msiexec.exe
Token: SeTakeOwnershipPrivilege	2932	msiexec.exe
Token: SeSecurityPrivilege	2932	msiexec.exe
Token: SeCreateTokenPrivilege	2656	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2656	msiexec.exe
Token: SeLockMemoryPrivilege	2656	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2656	msiexec.exe
Token: SeMachineAccountPrivilege	2656	msiexec.exe
Token: SeTcbPrivilege	2656	msiexec.exe
Token: SeSecurityPrivilege	2656	msiexec.exe
Token: SeTakeOwnershipPrivilege	2656	msiexec.exe
Token: SeLoadDriverPrivilege	2656	msiexec.exe
Token: SeSystemProfilePrivilege	2656	msiexec.exe
Token: SeSystemtimePrivilege	2656	msiexec.exe
Token: SeProfSingleProcessPrivilege	2656	msiexec.exe
Token: SeIncBasePriorityPrivilege	2656	msiexec.exe
Token: SeCreatePagefilePrivilege	2656	msiexec.exe
Token: SeCreatePermanentPrivilege	2656	msiexec.exe
Token: SeBackupPrivilege	2656	msiexec.exe
Token: SeRestorePrivilege	2656	msiexec.exe
Token: SeShutdownPrivilege	2656	msiexec.exe
Token: SeDebugPrivilege	2656	msiexec.exe
Token: SeAuditPrivilege	2656	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2656	msiexec.exe
Token: SeChangeNotifyPrivilege	2656	msiexec.exe
Token: SeRemoteShutdownPrivilege	2656	msiexec.exe
Token: SeUndockPrivilege	2656	msiexec.exe
Token: SeSyncAgentPrivilege	2656	msiexec.exe
Token: SeEnableDelegationPrivilege	2656	msiexec.exe
Token: SeManageVolumePrivilege	2656	msiexec.exe
Token: SeImpersonatePrivilege	2656	msiexec.exe
Token: SeCreateGlobalPrivilege	2656	msiexec.exe
Token: SeBackupPrivilege	2680	vssvc.exe
Token: SeRestorePrivilege	2680	vssvc.exe
Token: SeAuditPrivilege	2680	vssvc.exe
Token: SeBackupPrivilege	2932	msiexec.exe
Token: SeRestorePrivilege	2932	msiexec.exe
Token: SeRestorePrivilege	2840	DrvInst.exe
Token: SeRestorePrivilege	2840	DrvInst.exe
Token: SeRestorePrivilege	2840	DrvInst.exe
Token: SeRestorePrivilege	2840	DrvInst.exe
Token: SeRestorePrivilege	2840	DrvInst.exe
Token: SeRestorePrivilege	2840	DrvInst.exe
Token: SeRestorePrivilege	2840	DrvInst.exe
Token: SeLoadDriverPrivilege	2840	DrvInst.exe
Token: SeLoadDriverPrivilege	2840	DrvInst.exe
Token: SeLoadDriverPrivilege	2840	DrvInst.exe
Token: SeRestorePrivilege	2932	msiexec.exe
Token: SeTakeOwnershipPrivilege	2932	msiexec.exe
Token: SeRestorePrivilege	2932	msiexec.exe
Token: SeTakeOwnershipPrivilege	2932	msiexec.exe
Token: SeRestorePrivilege	2932	msiexec.exe
Token: SeTakeOwnershipPrivilege	2932	msiexec.exe
Token: SeRestorePrivilege	2932	msiexec.exe
Token: SeTakeOwnershipPrivilege	2932	msiexec.exe
Token: SeDebugPrivilege	2672	MSIEBA8.tmp
Token: SeRestorePrivilege	2932	msiexec.exe
Token: SeTakeOwnershipPrivilege	2932	msiexec.exe
Token: SeRestorePrivilege	2932	msiexec.exe
Token: SeTakeOwnershipPrivilege	2932	msiexec.exe
Token: SeDebugPrivilege	772	svchost.exe
Token: SeDebugPrivilege	1836	svchost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2656	msiexec.exe
2656	msiexec.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2672	2932	msiexec.exe	34
PID 2932 wrote to memory of 2672	2932	msiexec.exe	34
PID 2932 wrote to memory of 2672	2932	msiexec.exe	34
PID 2932 wrote to memory of 2672	2932	msiexec.exe	34
PID 2672 wrote to memory of 1644	2672	MSIEBA8.tmp	35
PID 2672 wrote to memory of 1644	2672	MSIEBA8.tmp	35
PID 2672 wrote to memory of 1644	2672	MSIEBA8.tmp	35
PID 2672 wrote to memory of 1644	2672	MSIEBA8.tmp	35
PID 2672 wrote to memory of 1272	2672	MSIEBA8.tmp	37
PID 2672 wrote to memory of 1272	2672	MSIEBA8.tmp	37
PID 2672 wrote to memory of 1272	2672	MSIEBA8.tmp	37
PID 2672 wrote to memory of 1272	2672	MSIEBA8.tmp	37
PID 1464 wrote to memory of 772	1464	explorer.exe	39
PID 1464 wrote to memory of 772	1464	explorer.exe	39
PID 1464 wrote to memory of 772	1464	explorer.exe	39
PID 1464 wrote to memory of 772	1464	explorer.exe	39
PID 772 wrote to memory of 1836	772	svchost.exe	40
PID 772 wrote to memory of 1836	772	svchost.exe	40
PID 772 wrote to memory of 1836	772	svchost.exe	40
PID 772 wrote to memory of 1836	772	svchost.exe	40
PID 772 wrote to memory of 1836	772	svchost.exe	40
PID 772 wrote to memory of 1836	772	svchost.exe	40
PID 772 wrote to memory of 1836	772	svchost.exe	40
PID 772 wrote to memory of 1836	772	svchost.exe	40
PID 772 wrote to memory of 1836	772	svchost.exe	40
PID 772 wrote to memory of 1836	772	svchost.exe	40

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	svchost.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svchost.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\3dab021a3f3de36764faea9bdf6a58a4_JaffaCakes118.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2656

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\Installer\MSIEBA8.tmp
  "C:\Windows\Installer\MSIEBA8.tmp"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy "C:\Windows\Installer\MSIEBA8.tmp" "C:\Users\Admin\AppData\Local\svchost.exe"
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Local\svchost.exe"
    3⤵
    PID:1272

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004B0" "000000000000054C"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2840

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Users\Admin\AppData\Local\svchost.exe
  "C:\Users\Admin\AppData\Local\svchost.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Users\Admin\AppData\Local\svchost.exe
    "C:\Users\Admin\AppData\Local\svchost.exe"
    3⤵
    - Accesses Microsoft Outlook profiles
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76e7c4.rbs

Filesize
663B

MD5
1324691f55327a726d1a7b54f3300675

SHA1
73aa0074092100d5b1ae06a2c502bd94055c8d21

SHA256
647edb0d398672dc7e18058c4f6ad3df333c2ddfb23e25dd74337c10546a3ef7

SHA512
83e5536da81f2be55fecd35d0818922f682c433903ec1b18b0627382433510e95a19f3b9c9e287a3c602294293eeabb0671c92eb3d787fc49d39d9283cacde83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-330940541-141609230-1670313778-1000\0f5007522459c86e95ffcc62f32308f1_4456596e-0528-4680-8940-5edc26c0ff50

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-330940541-141609230-1670313778-1000\0f5007522459c86e95ffcc62f32308f1_4456596e-0528-4680-8940-5edc26c0ff50

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Windows\Installer\MSIEBA8.tmp

Filesize
385KB

MD5
82c87b45d33e0b49c0c0bb71e8e89ffa

SHA1
19214137d254c6ae23a719cb3b20236a6cae05c3

SHA256
b1ae085c89f7fa234cd08cf94b2256deb9fcb61960b38d707798be0374a71816

SHA512
041f6cbe568ea979041da911a09488996174ceba124e371f1cc53d7a45bfb268a9df8a2cf171a07a31d3030d0092ac6cb8b42c02ea8271c468d70678b769dcba

Download Submit
memory/772-31-0x0000000000B00000-0x0000000000B74000-memory.dmp

Filesize
464KB

Download
memory/772-30-0x0000000000B70000-0x0000000000BD6000-memory.dmp

Filesize
408KB

Download
memory/1836-34-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1836-33-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1836-37-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1836-39-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1836-47-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1836-48-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1836-51-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1836-53-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2672-14-0x0000000000520000-0x0000000000548000-memory.dmp

Filesize
160KB

Download
memory/2672-13-0x00000000003E0000-0x0000000000454000-memory.dmp

Filesize
464KB

Download
memory/2672-12-0x0000000000BB0000-0x0000000000C16000-memory.dmp

Filesize
408KB

Download