lokibot | 329c3b1c04a4b64aa1f20adf2d8df0d409a0d8e816acf3f29e497d3b1946808b

General

Target

566c2c6c5c45306f03831e2c656267ec_JaffaCakes118.rtf
Size

1.5MB
MD5

566c2c6c5c45306f03831e2c656267ec
SHA1

689b81989a8bffcc5674f9389fd233348be46f08
SHA256

329c3b1c04a4b64aa1f20adf2d8df0d409a0d8e816acf3f29e497d3b1946808b
SHA512

7e2e028c86fbd6287a1db1a63e6516047fc69d7fad65f7abe41093bc27fe674e93aad9590ba72a28b457d1d9c0393954af54d5e2264f6a6bf0b091c49c496c95
SSDEEP

24576:pd6qlMEjK59o/Uv9IXvaVojYaT5bDbZUgtUfLznefTHLtpxQrUjDuZ4O:y

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://gavrelssimonskype.su/wp/web-obtain/css/log/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1604	2076	cmd.exe	WINWORD.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2704	2076	cmd.exe	WINWORD.EXE

Executes dropped EXE 1 IoCs

Processes:

saver.scr

pid process

1488 saver.scr
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2680 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1488	saver.scr

pid	process
2680	cmd.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

saver.scr

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	saver.scr
Key opened	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	saver.scr
Key opened	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	saver.scr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2572 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2744 taskkill.exe

pid	process
2572	timeout.exe

pid	process
2744	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

NTFS ADS 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\appdata\local\temp\hondi.cmd:Zone.Identifier cmd.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2076 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

taskkill.exesaver.scr

description pid process

Token: SeDebugPrivilege 2744 taskkill.exe
Token: SeDebugPrivilege 1488 saver.scr
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

WINWORD.EXEsaver.scr

pid process

2076 WINWORD.EXE
2076 WINWORD.EXE
1488 saver.scr
1488 saver.scr
1488 saver.scr

description	ioc	process
File created	C:\Users\Admin\appdata\local\temp\hondi.cmd:Zone.Identifier	cmd.exe

pid	process
2076	WINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	2744	taskkill.exe
Token: SeDebugPrivilege	1488	saver.scr

pid	process
2076	WINWORD.EXE
2076	WINWORD.EXE
1488	saver.scr
1488	saver.scr
1488	saver.scr

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WINWORD.EXEcmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2076 wrote to memory of 1604	2076	WINWORD.EXE	cmd.exe
PID 2076 wrote to memory of 1604	2076	WINWORD.EXE	cmd.exe
PID 2076 wrote to memory of 1604	2076	WINWORD.EXE	cmd.exe
PID 2076 wrote to memory of 1604	2076	WINWORD.EXE	cmd.exe
PID 1604 wrote to memory of 2604	1604	cmd.exe	cmd.exe
PID 1604 wrote to memory of 2604	1604	cmd.exe	cmd.exe
PID 1604 wrote to memory of 2604	1604	cmd.exe	cmd.exe
PID 1604 wrote to memory of 2604	1604	cmd.exe	cmd.exe
PID 2604 wrote to memory of 2680	2604	cmd.exe	cmd.exe
PID 2604 wrote to memory of 2680	2604	cmd.exe	cmd.exe
PID 2604 wrote to memory of 2680	2604	cmd.exe	cmd.exe
PID 2604 wrote to memory of 2680	2604	cmd.exe	cmd.exe
PID 2076 wrote to memory of 2704	2076	WINWORD.EXE	cmd.exe
PID 2076 wrote to memory of 2704	2076	WINWORD.EXE	cmd.exe
PID 2076 wrote to memory of 2704	2076	WINWORD.EXE	cmd.exe
PID 2076 wrote to memory of 2704	2076	WINWORD.EXE	cmd.exe
PID 2680 wrote to memory of 2572	2680	cmd.exe	timeout.exe
PID 2680 wrote to memory of 2572	2680	cmd.exe	timeout.exe
PID 2680 wrote to memory of 2572	2680	cmd.exe	timeout.exe
PID 2680 wrote to memory of 2572	2680	cmd.exe	timeout.exe
PID 2704 wrote to memory of 2708	2704	cmd.exe	cmd.exe
PID 2704 wrote to memory of 2708	2704	cmd.exe	cmd.exe
PID 2704 wrote to memory of 2708	2704	cmd.exe	cmd.exe
PID 2704 wrote to memory of 2708	2704	cmd.exe	cmd.exe
PID 2680 wrote to memory of 2744	2680	cmd.exe	taskkill.exe
PID 2680 wrote to memory of 2744	2680	cmd.exe	taskkill.exe
PID 2680 wrote to memory of 2744	2680	cmd.exe	taskkill.exe
PID 2680 wrote to memory of 2744	2680	cmd.exe	taskkill.exe
PID 2680 wrote to memory of 2468	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 2468	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 2468	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 2468	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 2480	2680	cmd.exe	cmd.exe
PID 2680 wrote to memory of 2480	2680	cmd.exe	cmd.exe
PID 2680 wrote to memory of 2480	2680	cmd.exe	cmd.exe
PID 2680 wrote to memory of 2480	2680	cmd.exe	cmd.exe
PID 2480 wrote to memory of 2532	2480	cmd.exe	reg.exe
PID 2480 wrote to memory of 2532	2480	cmd.exe	reg.exe
PID 2480 wrote to memory of 2532	2480	cmd.exe	reg.exe
PID 2480 wrote to memory of 2532	2480	cmd.exe	reg.exe
PID 2680 wrote to memory of 1904	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 1904	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 1904	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 1904	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 2924	2680	cmd.exe	cmd.exe
PID 2680 wrote to memory of 2924	2680	cmd.exe	cmd.exe
PID 2680 wrote to memory of 2924	2680	cmd.exe	cmd.exe
PID 2680 wrote to memory of 2924	2680	cmd.exe	cmd.exe
PID 2924 wrote to memory of 2920	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 2920	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 2920	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 2920	2924	cmd.exe	reg.exe
PID 2680 wrote to memory of 2240	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 2240	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 2240	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 2240	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 2932	2680	cmd.exe	cmd.exe
PID 2680 wrote to memory of 2932	2680	cmd.exe	cmd.exe
PID 2680 wrote to memory of 2932	2680	cmd.exe	cmd.exe
PID 2680 wrote to memory of 2932	2680	cmd.exe	cmd.exe
PID 2932 wrote to memory of 2180	2932	cmd.exe	reg.exe
PID 2932 wrote to memory of 2180	2932	cmd.exe	reg.exe
PID 2932 wrote to memory of 2180	2932	cmd.exe	reg.exe
PID 2932 wrote to memory of 2180	2932	cmd.exe	reg.exe

outlook_office_path 1 IoCs

Processes:

saver.scr

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	saver.scr

outlook_win_path 1 IoCs

Processes:

saver.scr

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	saver.scr

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\566c2c6c5c45306f03831e2c656267ec_JaffaCakes118.rtf"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2076

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\Admin\AppData\Local\Temp\DqFm.cMD"
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\SysWOW64\cmd.exe
CmD
3⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\appdata\local\temp\hondi.cmD
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 1
5⤵
- Delays execution with timeout.exe
PID:2572

C:\Windows\SysWOW64\taskkill.exe
TASkKILL /F /IM winword.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\Resiliency /f
5⤵
PID:2468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
5⤵
- Suspicious use of WriteProcessMemory
PID:2480

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
6⤵
PID:2532

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\Resiliency /f
5⤵
PID:1904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
5⤵
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
6⤵
PID:2920

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\Resiliency /f
5⤵
PID:2240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\File MRU" /v "Item 1"
5⤵
- Suspicious use of WriteProcessMemory
PID:2932

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\File MRU" /v "Item 1"
6⤵
PID:2180

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\Resiliency /f
5⤵
PID:1564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
5⤵
PID:1572

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
6⤵
PID:1544

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\Resiliency /f
5⤵
PID:2620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
5⤵
PID:1484

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
6⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency /f
5⤵
PID:1856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
5⤵
PID:2140

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
6⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\saver.scr
"C:\Users\Admin\AppData\Local\Temp\saver.scr"
5⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:1488

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\Admin\AppData\Local\Temp\DqFm.cMD"
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\SysWOW64\cmd.exe
CmD
3⤵
PID:2708

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DqFm.cMD
Filesize
269B

MD5
3349aa74c60a95fb4245770fed418b19

SHA1
875ba744ecbdf720bbe7e4f19954abab32598d6e

SHA256
7228f7d55c4987a313c6e5964c46ccb971a8917d69b425e77dedc01fad72dac2

SHA512
8a7c2ef779ca97050a3e6aede13dc0a7642268297790d01c925ce23062c6c8d0eff579372e2590c7b17df0d45c00ac38b53ddba93e810849aa2505313168816e

Download Submit
C:\Users\Admin\AppData\Local\Temp\trbatehtqevyay.ScT
Filesize
600B

MD5
c6c111eecb55022728ef0c1515ee0bd6

SHA1
04789ed7a7262e8056844631ef9e699571569adb

SHA256
84d50947fe24b9147835e0e7255d801b172416c817afa6b0d7b9c455124b6b60

SHA512
70cc78fb397facae2031518a84daf6c1540c85928fc065593bb925276e5f6f8282b1965655c3ae9bb60abbd5d8b566839e8205e24ba46f077223a409d15b41d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-481678230-3773327859-3495911762-1000\0f5007522459c86e95ffcc62f32308f1_62d00eb3-39d9-4013-96e4-e92894ec756e
Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-481678230-3773327859-3495911762-1000\0f5007522459c86e95ffcc62f32308f1_62d00eb3-39d9-4013-96e4-e92894ec756e
Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\appData\loCal\TeMp\gondi.doc
Filesize
31KB

MD5
df778726a0f7ffeaa9fc16826f77a946

SHA1
3b4bac8f09cf2d9227c3143aa33ee7b6c1a2cc0c

SHA256
a52fad09e1fb5e5c5532b8a9130c4f99ddbebbfb15ba416e67069866e1b5b3da

SHA512
5d5525b61cce9fc6f806c8d666d291e74915aeac20d7fd937c6d0fab9cefc4287ccdc539dd34b017c9abc6f38c87e9244b0c85a54b3fbe83da885334b1f63215

Download Submit
C:\Users\Admin\appdata\local\temp\hondi.cmd:Zone.Identifier
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\saver.scr
Filesize
660KB

MD5
d9bb08e8aea8377d26b34270ecbbb611

SHA1
38f1d28a6b86eed59539124d73363db68e1b94c1

SHA256
e91aa8a1ca313c56a0d9cfb2de41006f82098bfd2c81507a4e7bb6417fe2cdc0

SHA512
b32457f405f836fe11f350910bad9491b6dc43446996724e0491cbbf4baf9a4fc85e2cb40fdfa1479ff262edc5de4f64c3c115a76af907f8d101bed45e003905

Download Submit
memory/1488-41-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1488-82-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2076-36-0x000000007149D000-0x00000000714A8000-memory.dmp

Filesize
44KB

Download
memory/2076-0-0x000000002FA51000-0x000000002FA52000-memory.dmp

Filesize
4KB

Download
memory/2076-2-0x000000007149D000-0x00000000714A8000-memory.dmp

Filesize
44KB

Download
memory/2076-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads