Analysis
-
max time kernel
282s -
max time network
284s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
28-05-2024 09:39
Errors
General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/MadMan.exe
Malware Config
Extracted
lokibot
http://blesblochem.com/two/gates1/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Drops file in Drivers directory 3 IoCs
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
-
Executes dropped EXE 12 IoCs
-
Loads dropped DLL 2 IoCs
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Program crash 2 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 15 IoCs
-
Modifies registry class 1 IoCs
-
NTFS ADS 8 IoCs
-
Suspicious behavior: EnumeratesProcesses 36 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 40 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/MadMan.exe1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe902246f8,0x7ffe90224708,0x7ffe902247182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,9315755605417246734,5584289627962795644,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2032 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,9315755605417246734,5584289627962795644,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2004,9315755605417246734,5584289627962795644,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,9315755605417246734,5584289627962795644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,9315755605417246734,5584289627962795644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,9315755605417246734,5584289627962795644,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,9315755605417246734,5584289627962795644,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,9315755605417246734,5584289627962795644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,9315755605417246734,5584289627962795644,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,9315755605417246734,5584289627962795644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,9315755605417246734,5584289627962795644,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2004,9315755605417246734,5584289627962795644,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1620 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,9315755605417246734,5584289627962795644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2004,9315755605417246734,5584289627962795644,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6136 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2004,9315755605417246734,5584289627962795644,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5952 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,9315755605417246734,5584289627962795644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2004,9315755605417246734,5584289627962795644,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6360 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2004,9315755605417246734,5584289627962795644,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6232 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,9315755605417246734,5584289627962795644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2004,9315755605417246734,5584289627962795644,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5968 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,9315755605417246734,5584289627962795644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2004,9315755605417246734,5584289627962795644,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6324 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2004,9315755605417246734,5584289627962795644,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2004,9315755605417246734,5584289627962795644,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2656 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,9315755605417246734,5584289627962795644,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6212 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,9315755605417246734,5584289627962795644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1620 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2004,9315755605417246734,5584289627962795644,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3376 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2004,9315755605417246734,5584289627962795644,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3428 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,9315755605417246734,5584289627962795644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2004,9315755605417246734,5584289627962795644,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5624 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,9315755605417246734,5584289627962795644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2004,9315755605417246734,5584289627962795644,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,9315755605417246734,5584289627962795644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2004,9315755605417246734,5584289627962795644,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2324 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2004,9315755605417246734,5584289627962795644,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3340 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\Lokibot.exe"C:\Users\Admin\Downloads\Lokibot.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Lokibot.exe"C:\Users\Admin\Downloads\Lokibot.exe"2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
-
C:\Users\Admin\Downloads\Gnil.exe"C:\Users\Admin\Downloads\Gnil.exe"1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\drivers\spoclsv.exeC:\Windows\system32\drivers\spoclsv.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\Mabezat.exe"C:\Users\Admin\Downloads\Mabezat.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\Floxif.exe"C:\Users\Admin\Downloads\Floxif.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 4322⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4568 -ip 45681⤵
-
C:\Users\Admin\Downloads\Floxif.exe"C:\Users\Admin\Downloads\Floxif.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 4002⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2280 -ip 22801⤵
-
C:\Users\Admin\Downloads\Bezilom.exe"C:\Users\Admin\Downloads\Bezilom.exe"1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\Bezilom.exe"C:\Users\Admin\Downloads\Bezilom.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\$uckyLocker.exe"C:\Users\Admin\Downloads\$uckyLocker.exe"1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
-
C:\Users\Admin\Downloads\PowerPoint.exe"C:\Users\Admin\Downloads\PowerPoint.exe"1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- NTFS ADS
-
C:\Users\Admin\AppData\Local\Temp\sys3.exeC:\Users\Admin\AppData\Local\Temp\\sys3.exe2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa38d1855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
72KB
MD5ccf7e487353602c57e2e743d047aca36
SHA199f66919152d67a882685a41b7130af5f7703888
SHA256eaf76e5f1a438478ecf7b678744da34e9d9e5038b128f0c595672ee1dbbfd914
SHA512dde0366658082b142faa6487245bfc8b8942605f0ede65d12f8c368ff3673ca18e416a4bf132c4bee5be43e94aef0531be2008746c24f1e6b2f294a63ab1486c
-
Filesize
12KB
MD5e61bac5462c901e5eea10c895dc2f20a
SHA11af9da537c4e39f2b2d327801b31a97cbbe26d96
SHA256fd7a6aa83f8fcc0df9ce543292d499792b5e254b5476c06ade18ca7487931562
SHA512c315d700a930fef29d09569d73152f78f000657ce34ef3c366ad8ab32bb3423111107a33fc758e2a200077f7a1febb3b0cb6d0bd194c307bc1463abcff5ad355
-
Filesize
152B
MD5ce4c898f8fc7601e2fbc252fdadb5115
SHA101bf06badc5da353e539c7c07527d30dccc55a91
SHA256bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa
SHA51280fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c
-
Filesize
152B
MD54158365912175436289496136e7912c2
SHA1813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59
SHA256354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1
SHA51274b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b
-
Filesize
1KB
MD5e9952d369ad83418e5e7e1f8682f00f4
SHA18809335eded1848ec6e666e4d961c52fff57760f
SHA256ffb3bd2a2a3df73df36e02736841bab819faead62d7fb6bd10f65400447f5f94
SHA51291033a1662eb8d2d1bf8c663fdac67347a1135e6bf375f53b0bc92e74151473729dec427e2ce406014bfcf7a4371050350125f68726fdd6944098557d755f558
-
Filesize
579B
MD51457054144647bd31a843784e45d3630
SHA165fc54de6e9328271f256ac14436c077d10c5988
SHA256bcee631eb8ad5b3fe71a27e90c143a90e4b50fae3cc9d6fe4851fdc111931ebd
SHA512aff4036f00922184fb2ed1b6bb89b4a5fda40f97b99be4720ee4f3c84e0ec2d8e0ebee2b54c0c5a295995db5292f2111be6ca20d7d63d1f535e7fc1e3833ab1b
-
Filesize
5KB
MD51f1dead3de4ba7185018ede451c0ff11
SHA1e1b34e016cb4b553eb16284ea424a52802657eb5
SHA2561c63123e0f892bf6ffb811dd2b5e0575024eafa58c0f3dcdd8cc66aac358c6bb
SHA512a9c4be9b7507b9416844ed03e243a41a3717ab3b7c8a6c9f5c2f71f0d7c920d9e551e0db2c7575db3e7d70a50901644601efe91540c8844e99f14ea4f0b7d0e4
-
Filesize
6KB
MD5692c133c4828f49b15cbfe07003fda98
SHA162287994f8dd79986058085a724caebf8286fcf4
SHA256acfdb598c3a66867e7a0095ac26da0578413ca293fdd6dffa6407784f8d90540
SHA512ec87b9f4c4fbe1dcfed4fe994ce561ae299b6e6e2f65d7525e33e7b87a81cf5bf4f78668007bf67819bb37d55da31dfd88274897721465b54b8fb121f022fc80
-
Filesize
6KB
MD5a61156a4bda6e914e70faf2695078a71
SHA12f9f2578c1e9b8a275a1ff3ec08a1bb46c09418a
SHA2568b216ddd2e20075b12175f8b46ed9803cddd6ad2a297fcfe2ca85839f3205e49
SHA51293db49e77d0838ecbb0453b933e30c5fb510985a8f46909435303ffd349245c7490af2524ec2d234c719ba45cad48f75ac840ad501ba1bca89f01a492bc23d33
-
Filesize
6KB
MD5e761af9e3ec5db845679befcba20b2dd
SHA1beb586f34ac3a2417237f579f6cfd551cc9d879d
SHA2560631c156f41379dfd593f2455ba0cfa526c26da2d8856a7e59964504bf9a68b5
SHA51254cb9e9b37e485252c032f1b2cc2e48b7e9b73d0cb34f346d07f2cef98de94882533b185b712d32cd0d600ff99a331d16fb88e274da4b1818dd7b3aa733108d5
-
Filesize
1KB
MD50aad6389ace2e54e45d210ed5fcd95c4
SHA130de9566e33565487e5997b92363fdfaf4848457
SHA25698e3a2f3e0c8722fa3b5241232a28ad92483e3a40384f0a12f510ece95707261
SHA5126742aee02af84c5d4dafb9e88f45b0b9091323dc5c93a98fb8188d0f436d6a1dfd9aafe94a3643b231fc140111358a1b559416b35e7792ff44bf20cafea2a939
-
Filesize
1KB
MD53c419921f12531e93cc544a5bb8fa183
SHA179e3578b75f50d8ce3c39eaeca34aa1b42b211f4
SHA256a58a783688cf67cc1382765f9eafe884ca3e3228e24b63eca8d02cd916952243
SHA51246c0195ec04f93e5954c3764e2bea4c31ced58b4664077c3e0e8593f3d96f4d05e6789dcb510c00eb10e2396b284aa7f583a16c378230f0814e122c224bc39c9
-
Filesize
1KB
MD59eb123032100223d9796f5f453ac66c7
SHA14f1d41d7116730d85d940176b6d0fc86755cf077
SHA256367eb9142b87a2ab739268a70072f12c12bdde515a5d283b957fca1055611602
SHA51281a136a4a2d87db39ce1fd4b4985b5faf08739e5f7149ba0232774ef958cde46b7aa3dc86b444370e3ccd018bf4867410852b96795c521f259e0932fee8bc242
-
Filesize
874B
MD588a4e203e75686485897f1e1d04b07d6
SHA1a962d6aa1d844f326f5ba497b3b30fc23b7fe9ec
SHA256376ff1cb739501029a65de5972c4bee12a8aec90d0b5c5149838080e51fe38ae
SHA512b58d1e2363014d251daf078323b99bafd7b0a6ac6b62207b9ca910553a96b7dd032995af93965cdf1bb35cf2819ba6abd50f49af6811f8a78dd87a8260c39ec4
-
Filesize
1KB
MD55e7e158f259b0f43767fa256182a0c88
SHA1ba4b07d7d764f80a57299d57f6e52dc01860a3b5
SHA25675422f6b10ed430c57eb51fac9c62a55cd1e4cb63ca9989307d98f7f9745f524
SHA51272705ab37b993793c817f0aa05429972e2b8bd937e161e8d5a018db2922a2ae75c279d6bb6bf65eb0ccd00c5dc39949ed71acef11e37e6d037eab71740e2a29d
-
Filesize
1KB
MD5217c990b0f4a52ed2c45480b31b276d6
SHA1bcf86a624585a423c084acb6d2a478adc67a065a
SHA256604a294c7faf68ffbb604c64eb34c4d0c799bc95e46690cbdbc61f4bbdd49340
SHA5122355917fcddb03b0ec041f1eac941556522a6efa7f5b5d7df6058efd24f5e31444259922e8817854c9b34cd7489d0730b8451075381b47001fb40739627671b6
-
Filesize
874B
MD557eb90fd2658e7ea314e246d028a2d6e
SHA12151ca0314fcaf869a18e2a31f629c0e5002fae4
SHA256bfeab7eeff2ce15a52d5c6df829e6b31d62753c2ae7961381ed4d3e0df00e2d1
SHA512e359ee1a1bf52b4cd10b4f259656c915bdbd44c9a60d8ab74d7d542e00a3f01ac227d8b679a225a2286d2a334f23e02e8cc9b47a497e7e74b2a78e5ddc4a5090
-
Filesize
1KB
MD547a7c724cdba7ac2a614051aa5a581d1
SHA15992313ee29bac663ac5ec3a284ad31f6a48eecb
SHA256955f09c0c4218be0e450d4655b2407bcb223b3cadeb3b298028a663907e1e1f1
SHA5120654c114880fecfc5bea8955d73fc016a017794bd20555e0e2a874af07d148cb01cb036af2234cd0547e0eba82b35b44d0d4028e2d8d6f570f6968a5eef58665
-
Filesize
1KB
MD5300921ad3337a89c53b6b7c1f021eb65
SHA13351feaba607563963c1b3117de7ae3f8cbf4dba
SHA256d60171577d473233613f082cc8b6551c035fac49308bd88e4b768caed590b980
SHA51213f256ea877a88b1ade0c8e6a9d8fdc032627bf129ec8aab9da87cbc4f045d01e2904f3b8da5b4209f116eb506f5c558e8cdd04f982f2c77dd09c53033a763aa
-
Filesize
1KB
MD5922b0a5f15f1314bca632e7e8d751303
SHA124711ec7e214e46b6bba9172ff04470b7a3d16f5
SHA256db3dbcca370c3b2e44eddee015c07f2d21ad3d3cc2af46d04482f9ef4c755a21
SHA51213e526120492d226e15c1a65b7f62a5284a1519e0b42705e497b4da723f50ac01436ccf82f9466284d0354301b0fa1a9cdbaabd266f9dfa81a18794feb3770c1
-
Filesize
1KB
MD5a6a35c1d0d6bbb67fb35f0bc7cda38b1
SHA199df5f3cb3e18a50f9fc710cd60daefd87c7caac
SHA256e6f3cabed37796501da8a9e3946c3b62e0f190fedbac8547c3fb9c3e937fb869
SHA512a7e58a1eba03724df93fdd2e1acb6e92e3baa57ed34b496fa782df9ada70f99d2454e7e12ee2e6cb0b9864a5cd5451e5b720a6cc47bc9ade6ed512da33374db3
-
Filesize
874B
MD500013c59d9a5fa881dd992f9f86f279c
SHA1b674b43ae62822ccac34ace50dbc67b3c0c11b6a
SHA2568fcd6ccbd0fa3a4e7f277da194bfb25fbf06ff71dd787c9a3e3b2757da32f39c
SHA512c52a317692ad26de560aa775b5a014e08ccd9bbd178f5e5d8f2d4dd9316993de97611fcea94e8ef74437db0feb40632c1d5403c26c04755b090b22d33d1ef656
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD52de1ded1efb7cd8a8e263c68efb60394
SHA1a0ddf571f3a3b0cfa46b558e700c991da8be35f9
SHA2565c12bfd9536470f5f931941a696dd14e6d6d550cfe71887b65b838f540e52697
SHA512c556e65f572991b0f3bfd48f912eb528b015b79320defe42b1c9cdfce823800f9bbacabdad6e94600c98ea2040c6a3a60ed42450c49cb1fdef515978fd152ef9
-
Filesize
12KB
MD5925f94de0ea116f27e64d5b203c79f15
SHA1013037d60d8464367b1a287950c1d73019295b50
SHA256752621a4ca7ab1f8ca88795607595fae64ffdbc9ae98f7046a07f14f78c504b4
SHA5123ea3a8638da35bf13cc8114ba79c7ea0b6c06ca24707240c4038e88215558469feae39b3ca0252d9279f7fd73ad80a9601120801268bcae8bd359c1666b95033
-
Filesize
11KB
MD5b026c05d394a881800cff06d14d0e1c8
SHA1ce7718be696af80e1745518a8d9c99b90e6270ad
SHA256fbb4f762e6f44ef0b02ecc515defec88bcb96eba50836f499d4529076f20e79f
SHA5120e438a33e3818a8b2c4802ee3c61f6de566091e43412da1005ee1de37e041732229309fb6b53f0935e1f105e5a5fc9e2a586e351643e2ee6e9ac450d8c21c8c7
-
Filesize
12KB
MD5fa49d1157d50c51ca25892199ef4acd2
SHA1deb9f6c06b8af6c6fddc087078634e0121d4d451
SHA2562e12f54a268fb31cb313ad5289c48b065af4a3a91f36d48c0f3fa7ac8336a555
SHA5124680511abb45226d2f620c2bdb6fddc2be42f2870d242fc2057597cbe5990208baff6d8da20f69e64f35edc35fbffc202a1ebd66eebb823fe37a1223c6a68c73
-
Filesize
12KB
MD57decfaec152a1f3445487d355d4f3751
SHA10fcba019b358e808397fa620387dfce677451916
SHA2564084cc5b27cd9c1c9183037222fcef47b58154bc1b3f3713eea50ec3436b731b
SHA51251a27bccd58ca0aabec49242f32fdb3d7de98211abf65561aa88a978f65bf17cce38b7bd7172c0043ef422a6a7c1e795d7140fe2c3acbcad5ed248bae6122831
-
Filesize
12KB
MD5b0b1b96b1787c3595ae3ef6e33533e3c
SHA15285ef4b4949039562bdebf6aaa3b4ed57da5734
SHA25673d6840dc190ab8b338f58ca46c1eefc180eee75bf7bd3365920eefc2cc3df3a
SHA51247d3a8381757f644b0461789eb8bcf010a369a76a7926d1bc1e335b99606ad004736335dfa293f23b9c6e46e23ad242d77858be36a8146c382b6d8a8d3d10a3f
-
Filesize
39B
MD55bab23550d87f5289492508850e965b8
SHA1753ba866033acefce32ce0b9221f087310bcc5ad
SHA256092680746cc546b40d62a2c718599c2031fc590fff2f72e08b8a357970619474
SHA5122518bce1ed90225be957bb038549e086fb541e32a377d912571da0b29b59effbabd75dba82ce37f74ee237920a6c8614c62865a013004f18477844857db7a399
-
Filesize
46B
MD5c07225d4e7d01d31042965f048728a0a
SHA169d70b340fd9f44c89adb9a2278df84faa9906b7
SHA2568c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA51223d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b
-
Filesize
46B
MD5d898504a722bff1524134c6ab6a5eaa5
SHA1e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA51226a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61
-
Filesize
532KB
MD500add4a97311b2b8b6264674335caab6
SHA13688de985909cc9f9fa6e0a4f2e43d986fe6d0ec
SHA256812af0ec9e1dfd8f48b47fd148bafe6eecb42d0a304bc0e4539750dd23820a7f
SHA512aaf5dae929e6b5809b77b6a79ab833e548b66fb628afeb20b554d678947494a6804cb3d59bf6bbcb2b14cede1a0609aa41f8e7fe8a7999d578e8b7af7144cb70
-
Filesize
414KB
MD5c850f942ccf6e45230169cc4bd9eb5c8
SHA151c647e2b150e781bd1910cac4061a2cee1daf89
SHA25686e0eac8c5ce70c4b839ef18af5231b5f92e292b81e440193cdbdc7ed108049f
SHA5122b3890241b8c8690aab0aed347daa778aba20f29f76e8b79b02953b6252324317520b91ea60d3ef73e42ad403f7a6e0e3f2a057799f21ed447dae7096b2f47d9
-
Filesize
136KB
MD570108103a53123201ceb2e921fcfe83c
SHA1c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3
SHA2569c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d
SHA512996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b
-
Filesize
73KB
MD537e887b7a048ddb9013c8d2a26d5b740
SHA1713b4678c05a76dbd22e6f8d738c9ef655e70226
SHA25624c0638ff7571c7f4df5bcddd50bc478195823e934481fa3ee96eb1d1c4b4a1b
SHA51299f74eb00c6f6d1cbecb4d88e1056222e236cb85cf2a421243b63cd481939d3c4693e08edde743722d3320c27573fbcc99bf749ff72b857831e4b6667374b8af
-
Filesize
300KB
MD5f52fbb02ac0666cae74fc389b1844e98
SHA1f7721d590770e2076e64f148a4ba1241404996b8
SHA256a885b1f5377c2a1cead4e2d7261fab6199f83610ffdd35d20c653d52279d4683
SHA51278b4bf4d048bda5e4e109d4dd9dafaa250eac1c5a3558c2faecf88ef0ee5dd4f2c82a791756e2f5aa42f7890efcc0c420156308689a27e0ad9fb90156b8dc1c0
-
Filesize
28KB
MD58e9d7feb3b955e6def8365fd83007080
SHA1df7522e270506b1a2c874700a9beeb9d3d233e23
SHA25694d2b1da2c4ce7db94ee9603bc2f81386032687e7c664aff6460ba0f5dac0022
SHA5124157a5628dc7f47489be2c30dbf2b14458a813eb66e942bba881615c101df25001c09afb9a54f88831fa4c1858f42d897f8f55fbf6b4c1a82d2509bd52ba1536
-
Filesize
141KB
MD5de8d08a3018dfe8fd04ed525d30bb612
SHA1a65d97c20e777d04fb4f3c465b82e8c456edba24
SHA2562ae0c4a5f1fedf964e2f8a486bf0ee5d1816aac30c889458a9ac113d13b50ceb
SHA512cc4bbf71024732addda3a30a511ce33ce41cbed2d507dfc7391e8367ddf9a5c4906a57bf8310e3f6535646f6d365835c7e49b95584d1114faf2738dcb1eb451a
-
Filesize
7B
MD54047530ecbc0170039e76fe1657bdb01
SHA132db7d5e662ebccdd1d71de285f907e3a1c68ac5
SHA25682254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750
SHA5128f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e
-
Filesize
144KB
-
Filesize
192KB
-
Filesize
468KB
-
Filesize
192KB
-
Filesize
152KB
-
Filesize
192KB
-
Filesize
468KB
-
Filesize
192KB
-
Filesize
440KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
5.6MB
-
Filesize
136KB
-
Filesize
272KB
-
Filesize
328KB
-
Filesize
32KB
-
Filesize
584KB
-
Filesize
80KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
272KB
-
Filesize
272KB
-
Filesize
272KB