Analysis
- max time kernel: 78s
- max time network: 80s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-08-2024 18:57
- Static task: static1
- URLScan task: urlscan1
General
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 18 IoCs
Processes:
pid   process
4940  BlueScreen.exe
1440  BlueScreen.exe
4672  Lokibot.exe
4280  Lokibot.exe
1324  Lokibot.exe
1844  Lokibot.exe
1360  Lokibot.exe
3216  Lokibot.exe
3396  Lokibot.exe
1648  Lokibot.exe
2584  Lokibot.exe
5032  Lokibot.exe
5068  Lokibot.exe
2968  Lokibot.exe
1256  Lokibot.exe
4788  Lokibot.exe
4372  Lokibot.exe
820   Lokibot.exe
-
Obfuscated with Agile.Net obfuscator 8 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource                                                                       yara_rule
behavioral1/memory/4672-397-0x0000000002C40000-0x0000000002C54000-memory.dmp  agile_net
behavioral1/memory/4280-400-0x0000000001890000-0x00000000018A4000-memory.dmp  agile_net
behavioral1/memory/1324-413-0x0000000002C40000-0x0000000002C54000-memory.dmp  agile_net
behavioral1/memory/3216-417-0x0000000001850000-0x0000000001864000-memory.dmp  agile_net
behavioral1/memory/3396-419-0x0000000000B80000-0x0000000000B94000-memory.dmp  agile_net
behavioral1/memory/1648-421-0x0000000001770000-0x0000000001784000-memory.dmp  agile_net
behavioral1/memory/5032-424-0x00000000010B0000-0x00000000010C4000-memory.dmp  agile_net
behavioral1/memory/5068-426-0x0000000002B70000-0x0000000002B84000-memory.dmp  agile_net
-
Processes:
resource                                                                       yara_rule
C:\Users\Admin\Downloads\c120dc10-8632-4b34-a69e-7c0633273f7c.tmp              upx
behavioral1/memory/4940-244-0x0000000000400000-0x0000000000409000-memory.dmp  upx
behavioral1/memory/4940-246-0x0000000000400000-0x0000000000409000-memory.dmp  upx
behavioral1/memory/1440-249-0x0000000000400000-0x0000000000409000-memory.dmp  upx
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description  ioc                                                         process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Lokibot.exe (16 entries)
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  BlueScreen.exe (2 entries)
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description        ioc                                                                   process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
-
Modifies registry class 1 IoCs
Processes:
description  ioc                                                                                   process
Key created  \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings  msedge.exe
-
NTFS ADS 3 IoCs
Processes:
description                   ioc                                                                 process
File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 160115.crdownload:SmartScreen  msedge.exe
File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 779982.crdownload:SmartScreen  msedge.exe
File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 445774.crdownload:SmartScreen  msedge.exe
-
Suspicious behavior: EnumeratesProcesses 42 IoCs
Processes:
pid   process              entries
4224  msedge.exe           2
636   msedge.exe           2
1728  identity_helper.exe  2
1648  msedge.exe           2
1972  msedge.exe           2
4672  Lokibot.exe          2
4280  Lokibot.exe          2
1324  Lokibot.exe          2
1844  Lokibot.exe          2
1360  Lokibot.exe          2
3216  Lokibot.exe          2
3396  Lokibot.exe          2
1648  Lokibot.exe          2
2584  Lokibot.exe          2
5032  Lokibot.exe          2
5068  Lokibot.exe          2
2968  Lokibot.exe          2
1256  Lokibot.exe          2
4788  Lokibot.exe          2
4372  Lokibot.exe          2
820   Lokibot.exe          2
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
Processes:
pid  process     entries
636  msedge.exe  10
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
Processes:
description               pid   process
Token: SeDebugPrivilege   4672  Lokibot.exe
Token: SeDebugPrivilege   4280  Lokibot.exe
Token: SeDebugPrivilege   1324  Lokibot.exe
Token: SeDebugPrivilege   1844  Lokibot.exe
Token: SeDebugPrivilege   1360  Lokibot.exe
Token: SeDebugPrivilege   3216  Lokibot.exe
Token: SeDebugPrivilege   3396  Lokibot.exe
Token: SeDebugPrivilege   1648  Lokibot.exe
Token: SeDebugPrivilege   2584  Lokibot.exe
Token: SeDebugPrivilege   5032  Lokibot.exe
Token: SeDebugPrivilege   5068  Lokibot.exe
Token: SeDebugPrivilege   2968  Lokibot.exe
Token: SeDebugPrivilege   1256  Lokibot.exe
Token: SeDebugPrivilege   4788  Lokibot.exe
Token: SeDebugPrivilege   4372  Lokibot.exe
Token: SeDebugPrivilege   820   Lokibot.exe
-
Suspicious use of FindShellTrayWindow 52 IoCs
Processes:
pid  process     entries
636  msedge.exe  52
-
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
pid  process     entries
636  msedge.exe  24
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description                      pid  process     target process  entries
PID 636 wrote to memory of 1028  636  msedge.exe  msedge.exe      2
PID 636 wrote to memory of 1868  636  msedge.exe  msedge.exe      40
PID 636 wrote to memory of 4224  636  msedge.exe  msedge.exe      2
PID 636 wrote to memory of 4492  636  msedge.exe  msedge.exe      20
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 636, level 1)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Trojan/BlueScreen.exe
  - Enumerates system info in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1028, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8841246f8,0x7ff884124708,0x7ff884124718
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1868, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,16554665802278877085,1777251452261762461,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4224, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,16554665802278877085,1777251452261762461,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4492, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,16554665802278877085,1777251452261762461,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2568 /prefetch:8
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3100, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16554665802278877085,1777251452261762461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2252, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16554665802278877085,1777251452261762461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
-
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3876, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,16554665802278877085,1777251452261762461,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
-
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 1728, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,16554665802278877085,1777251452261762461,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1172, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16554665802278877085,1777251452261762461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2752, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16554665802278877085,1777251452261762461,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4328, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16554665802278877085,1777251452261762461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3668 /prefetch:1
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2796, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16554665802278877085,1777251452261762461,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 216, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,16554665802278877085,1777251452261762461,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6072 /prefetch:8
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1408, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16554665802278877085,1777251452261762461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3840, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16554665802278877085,1777251452261762461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3716, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,16554665802278877085,1777251452261762461,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6372 /prefetch:8
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1648, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,16554665802278877085,1777251452261762461,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6256 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2536, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,16554665802278877085,1777251452261762461,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5436 /prefetch:8
-
  C:\Users\Admin\Downloads\BlueScreen.exe (PID 4940, level 2)
    "C:\Users\Admin\Downloads\BlueScreen.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
-
  C:\Users\Admin\Downloads\BlueScreen.exe (PID 1440, level 2)
    "C:\Users\Admin\Downloads\BlueScreen.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3456, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16554665802278877085,1777251452261762461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4832, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,16554665802278877085,1777251452261762461,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2756 /prefetch:8
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4268, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16554665802278877085,1777251452261762461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1972, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,16554665802278877085,1777251452261762461,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1280 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
-
  C:\Users\Admin\Downloads\Lokibot.exe (PID 4672, level 2)
    "C:\Users\Admin\Downloads\Lokibot.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
  C:\Users\Admin\Downloads\Lokibot.exe (PID 4280, level 2)
    "C:\Users\Admin\Downloads\Lokibot.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
  C:\Users\Admin\Downloads\Lokibot.exe (PID 1324, level 2)
    "C:\Users\Admin\Downloads\Lokibot.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
  C:\Users\Admin\Downloads\Lokibot.exe (PID 1844, level 2)
    "C:\Users\Admin\Downloads\Lokibot.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
  C:\Users\Admin\Downloads\Lokibot.exe (PID 1360, level 2)
    "C:\Users\Admin\Downloads\Lokibot.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
  C:\Users\Admin\Downloads\Lokibot.exe (PID 3216, level 2)
    "C:\Users\Admin\Downloads\Lokibot.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
  C:\Users\Admin\Downloads\Lokibot.exe (PID 3396, level 2)
    "C:\Users\Admin\Downloads\Lokibot.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
  C:\Users\Admin\Downloads\Lokibot.exe (PID 1648, level 2)
    "C:\Users\Admin\Downloads\Lokibot.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
  C:\Users\Admin\Downloads\Lokibot.exe (PID 2584, level 2)
    "C:\Users\Admin\Downloads\Lokibot.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
  C:\Users\Admin\Downloads\Lokibot.exe (PID 5032, level 2)
    "C:\Users\Admin\Downloads\Lokibot.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
  C:\Users\Admin\Downloads\Lokibot.exe (PID 5068, level 2)
    "C:\Users\Admin\Downloads\Lokibot.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
  C:\Users\Admin\Downloads\Lokibot.exe (PID 2968, level 2)
    "C:\Users\Admin\Downloads\Lokibot.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
  C:\Users\Admin\Downloads\Lokibot.exe (PID 1256, level 2)
    "C:\Users\Admin\Downloads\Lokibot.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
  C:\Users\Admin\Downloads\Lokibot.exe (PID 4788, level 2)
    "C:\Users\Admin\Downloads\Lokibot.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exe (PID 376, level 1)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
-
C:\Windows\System32\CompPkgSrv.exe (PID 3920, level 1)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
-
C:\Windows\System32\rundll32.exe (PID 872, level 1)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
-
C:\Users\Admin\Downloads\Lokibot.exe (PID 4372, level 1)
  "C:\Users\Admin\Downloads\Lokibot.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Lokibot.exe (PID 820, level 1)
  "C:\Users\Admin\Downloads\Lokibot.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads