lokibot | hxxp://196[.]251[.]92[.]64/crypt/Devil[.]exe

Analysis

max time kernel
99s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
19-02-2025 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://196.251.92.64/crypt/Devil.exe

Score

10^/10

lokibot collection discovery spyware stealer trojan

Malware Config

Extracted

Family

lokibot

https://rottot.shop/Devil/PWS/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Lokibot family
lokibot

Downloads MZ/PE file 1 IoCs

flow	pid	Process
3	4176	chrome.exe

Executes dropped EXE 4 IoCs

pid	Process
2936	Devil.exe
908	Devil.exe
2724	Devil.exe
3264	Devil.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Devil.exe
Key opened	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	Devil.exe
Key opened	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Devil.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Devil.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133844092906457827"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4616	chrome.exe
4616	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4616	chrome.exe
4616	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeDebugPrivilege	2936	Devil.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 3884	4616	chrome.exe	84
PID 4616 wrote to memory of 3884	4616	chrome.exe	84
PID 4616 wrote to memory of 2636	4616	chrome.exe	85
PID 4616 wrote to memory of 2636	4616	chrome.exe	85
PID 4616 wrote to memory of 2636	4616	chrome.exe	85
PID 4616 wrote to memory of 2636	4616	chrome.exe	85
PID 4616 wrote to memory of 2636	4616	chrome.exe	85
PID 4616 wrote to memory of 2636	4616	chrome.exe	85
PID 4616 wrote to memory of 2636	4616	chrome.exe	85
PID 4616 wrote to memory of 2636	4616	chrome.exe	85
PID 4616 wrote to memory of 2636	4616	chrome.exe	85
PID 4616 wrote to memory of 2636	4616	chrome.exe	85
PID 4616 wrote to memory of 2636	4616	chrome.exe	85
PID 4616 wrote to memory of 2636	4616	chrome.exe	85
PID 4616 wrote to memory of 2636	4616	chrome.exe	85
PID 4616 wrote to memory of 2636	4616	chrome.exe	85
PID 4616 wrote to memory of 2636	4616	chrome.exe	85
PID 4616 wrote to memory of 2636	4616	chrome.exe	85
PID 4616 wrote to memory of 2636	4616	chrome.exe	85
PID 4616 wrote to memory of 2636	4616	chrome.exe	85
PID 4616 wrote to memory of 2636	4616	chrome.exe	85
PID 4616 wrote to memory of 2636	4616	chrome.exe	85
PID 4616 wrote to memory of 2636	4616	chrome.exe	85
PID 4616 wrote to memory of 2636	4616	chrome.exe	85
PID 4616 wrote to memory of 2636	4616	chrome.exe	85
PID 4616 wrote to memory of 2636	4616	chrome.exe	85
PID 4616 wrote to memory of 2636	4616	chrome.exe	85
PID 4616 wrote to memory of 2636	4616	chrome.exe	85
PID 4616 wrote to memory of 2636	4616	chrome.exe	85
PID 4616 wrote to memory of 2636	4616	chrome.exe	85
PID 4616 wrote to memory of 2636	4616	chrome.exe	85
PID 4616 wrote to memory of 2636	4616	chrome.exe	85
PID 4616 wrote to memory of 4176	4616	chrome.exe	86
PID 4616 wrote to memory of 4176	4616	chrome.exe	86
PID 4616 wrote to memory of 4188	4616	chrome.exe	87
PID 4616 wrote to memory of 4188	4616	chrome.exe	87
PID 4616 wrote to memory of 4188	4616	chrome.exe	87
PID 4616 wrote to memory of 4188	4616	chrome.exe	87
PID 4616 wrote to memory of 4188	4616	chrome.exe	87
PID 4616 wrote to memory of 4188	4616	chrome.exe	87
PID 4616 wrote to memory of 4188	4616	chrome.exe	87
PID 4616 wrote to memory of 4188	4616	chrome.exe	87
PID 4616 wrote to memory of 4188	4616	chrome.exe	87
PID 4616 wrote to memory of 4188	4616	chrome.exe	87
PID 4616 wrote to memory of 4188	4616	chrome.exe	87
PID 4616 wrote to memory of 4188	4616	chrome.exe	87
PID 4616 wrote to memory of 4188	4616	chrome.exe	87
PID 4616 wrote to memory of 4188	4616	chrome.exe	87
PID 4616 wrote to memory of 4188	4616	chrome.exe	87
PID 4616 wrote to memory of 4188	4616	chrome.exe	87
PID 4616 wrote to memory of 4188	4616	chrome.exe	87
PID 4616 wrote to memory of 4188	4616	chrome.exe	87
PID 4616 wrote to memory of 4188	4616	chrome.exe	87
PID 4616 wrote to memory of 4188	4616	chrome.exe	87
PID 4616 wrote to memory of 4188	4616	chrome.exe	87
PID 4616 wrote to memory of 4188	4616	chrome.exe	87
PID 4616 wrote to memory of 4188	4616	chrome.exe	87
PID 4616 wrote to memory of 4188	4616	chrome.exe	87
PID 4616 wrote to memory of 4188	4616	chrome.exe	87
PID 4616 wrote to memory of 4188	4616	chrome.exe	87
PID 4616 wrote to memory of 4188	4616	chrome.exe	87
PID 4616 wrote to memory of 4188	4616	chrome.exe	87
PID 4616 wrote to memory of 4188	4616	chrome.exe	87
PID 4616 wrote to memory of 4188	4616	chrome.exe	87

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Devil.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Devil.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://196.251.92.64/crypt/Devil.exe
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff0e17cc40,0x7fff0e17cc4c,0x7fff0e17cc58
  2⤵
  PID:3884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,1551602647421719841,11485432427820209233,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:2636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2144,i,1551602647421719841,11485432427820209233,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1832 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:4176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,1551602647421719841,11485432427820209233,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2548 /prefetch:8
  2⤵
  PID:4188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3044,i,1551602647421719841,11485432427820209233,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3068 /prefetch:1
  2⤵
  PID:2748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3048,i,1551602647421719841,11485432427820209233,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:1180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4888,i,1551602647421719841,11485432427820209233,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  PID:2660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4908,i,1551602647421719841,11485432427820209233,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4928 /prefetch:8
  2⤵
  PID:4024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4496,i,1551602647421719841,11485432427820209233,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5216 /prefetch:8
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5212,i,1551602647421719841,11485432427820209233,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5248 /prefetch:8
  2⤵
  PID:3928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5512,i,1551602647421719841,11485432427820209233,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5508 /prefetch:8
  2⤵
  PID:1612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5516,i,1551602647421719841,11485432427820209233,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4920 /prefetch:8
  2⤵
  PID:860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5728,i,1551602647421719841,11485432427820209233,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4356 /prefetch:8
  2⤵
  PID:4388
- C:\Users\Admin\Downloads\Devil.exe
  "C:\Users\Admin\Downloads\Devil.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5104,i,1551602647421719841,11485432427820209233,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5840 /prefetch:8
  2⤵
  PID:516

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1316

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:232

C:\Users\Admin\Downloads\Devil.exe
"C:\Users\Admin\Downloads\Devil.exe"
1⤵
- Executes dropped EXE
PID:908

C:\Users\Admin\Downloads\Devil.exe
"C:\Users\Admin\Downloads\Devil.exe"
1⤵
- Executes dropped EXE
PID:2724

C:\Users\Admin\Downloads\Devil.exe
"C:\Users\Admin\Downloads\Devil.exe"
1⤵
- Executes dropped EXE
PID:3264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f74f4644a8759a42124e1963600bd2d5

SHA1
2f27d3e182ffdcc2a68477290c277aa3774efedc

SHA256
38ebe2e0959152014f6d122a509fac1440d7e03f0adf277af244da10dc5e31fd

SHA512
150eb8a6a328cf7445f6429042b8eccfe3e36ab2a075071c67c021d7eac2b7cdeef75d00737a0a1afb1fbc2fd210950eb2d35bd3c7f7feeb05e4bdb6a2c7b3ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
04fb45707611c17993b2b1eb8e6fdf4e

SHA1
9d02dd1c4965d08af1fba61982098bd9f700b508

SHA256
7d42ea3946a4e04ef7f6a68e600456d4ac7a555c955430e01f8eacd6a569e3e1

SHA512
5136060d856840077f0d644cc0b6edeb8ee5c0f007ffb168c9a823d74e4ad35f74ecac024ba7f2f761348007931456bf70ee12de745d608b4ab3b925620e0e5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f6964d3d4976b3d037c6b8192d5849c5

SHA1
2dbf52e9a46bf8b623beee8986d925bcb14c5483

SHA256
d951f92fee32726fc6e627d5e910ca9451da47e7442b46cbcd8dc14b861ccead

SHA512
8c6dfe00ba13117a3c99c47d65fb567c11e7926effb55cbad4eca994a668ca7925fbb5043da9d06112f7832d6b497e94f01597d29bb2825ee38273702bb0d07a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
d88c85636c93803c002bd7c6e805401a

SHA1
f2e3009d9c3931b279b818d07906a8604e27132c

SHA256
93c14672db526e420c365533cb86e394d33a02ccf055ccc3f2b74c1fd767bdf1

SHA512
f5e8ef928691e49d8873e1092ce95f8d091cd7736804d1f949633aa2787820eb2fc09be2067a13ac26e5127a16147a9f54c867fe2f4a5127bea4b00a6361d641

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
2ee9ea0e155c4344c46823baed6d3c20

SHA1
3367dacd89fd67dbfc42ba673f3b445b635c595e

SHA256
e3fcd81cd5467c9fe6f06bae038ea419c2e80b18439fed3a5628bcef82cea2ec

SHA512
366b39ec92815e3640c7bdd4e805f9fa3d0b9285ec37722bcab5763b7382a4af5eb8ffb24c32e8cb9917bb7d433832d4a4f4aa8cc6d221e8ae4b3485e4f19316

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\da0f7b48-deed-4898-b4d8-efac483d03fe.tmp

Filesize
8KB

MD5
a59c41ced54dd8e9f32d34daa9fd67a5

SHA1
23b263c089997b2ff73736784c44f500230b9d05

SHA256
65f3c5d61beda602e2596a2e6a02689c67879b4af834cf56ede3810254723c2e

SHA512
be7953ac825ba60536df55b65bf0eb89321834bba5d22195784f732469aec73397b7544d51cfb75d9927defd5ff18c689695b11cd1eefc027919d315ce0f23d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
2fcf8d1ae42f4bd19868ecfd4ef1b4ea

SHA1
dac523c74d02b583517f796742923a95d8c57d56

SHA256
99ab31aef6ddc0700ca6b3c887f2130a5409d303982eb697bcfd52b3086ec24b

SHA512
5e1450e6ddeac3c0a7cd9c8f22b5f2c06001e142170d47591afbcde30444fb202e18f59112a62e1e991974d467d13f87261001a368100b2560613256e8d46342

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
2d6adc37806405828779df3c6abe8314

SHA1
2d1a50478100f0342bc39eeb32170d4e6fa1dc5a

SHA256
3703e182af58a3a15a60a7f58ac5ea79409c283cca176f24de916bc20ab80b11

SHA512
6fcec47980d20f359d324796f74a75671b072d8c093adf5f9b339a290d526ec14c7a40d77926d2f19e19efce4e1febd15ee913cbae67cb35aff6080ca883198d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1874072718-2205492803-118941907-1000\0f5007522459c86e95ffcc62f32308f1_3cb5daff-117b-4f0b-9800-c76d6ae5f00b

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1874072718-2205492803-118941907-1000\0f5007522459c86e95ffcc62f32308f1_3cb5daff-117b-4f0b-9800-c76d6ae5f00b

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 42596.crdownload

Filesize
104KB

MD5
eb6beba0181a014ac8c0ec040cb1121a

SHA1
52805384c7cd1b73944525c480792a3d0319b116

SHA256
f87b4e7c69ce161743f4b9b0001d7376e163d615ce477c390f63cadf09ffc5d4

SHA512
0afb9a7d180fe017520afb39e954821f77c8b6e2e11bbf73402dcdade231d07f3b755f40606252c917b51a0f5f32d499b96b30e7f2f617c50e709eae4cd80ae4

Download Submit
memory/2936-100-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download