96803a7ef46835e00bf118a5e1503f69d1192c2a0209d6657429728d2d8f4995

Analysis

max time kernel
114s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-09-2022 00:08

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

LB3.exe
Size

153KB
MD5

b0191df32cfca1acbdc891cc45ac3170
SHA1

282d92b9ead63ddf4f508eaed736e9f6fe000fe9
SHA256

96803a7ef46835e00bf118a5e1503f69d1192c2a0209d6657429728d2d8f4995
SHA512

0c6b14457fb9d2ab993cc151bff6598b4c3af344e189468fb21c4488104fa0e48dab59bf1a3698ce3ed1956721de43a177442e5b08657adfb91e44e80daabd99
SSDEEP

1536:BzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDUlAZfbSRX8jTucJyad353RsuJq:6qJogYkcSNm9V7DORsjqNadd6uJjjWT

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\x5zMder8a.README.txt

Ransom Note

~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. Links for Tor Browser: http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion Link for the normal browser http://lockbitsupp.uz If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: 598954663666452@exploit.im 365473292355268@thesecure.biz >>>> Your personal DECRYPTION ID: 57B8077257FF0110748002E704C28702 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: 598954663666452@exploit.im 365473292355268@thesecure.biz If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

Emails

598954663666452@exploit.im

365473292355268@thesecure.biz

URLs

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion

http://lockbitapt.uz

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

https://twitter.com/hashtag/lockbit?f=live

Signatures

Executes dropped EXE 1 IoCs

Processes:

474.tmp

pid process

1268 474.tmp

Modifies extensions of user files 18 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

LB3.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ConnectPublish.raw.x5zMder8a	LB3.exe
File renamed	C:\Users\Admin\Pictures\HideRestore.tif => C:\Users\Admin\Pictures\HideRestore.tif.x5zMder8a	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\MergeResolve.tiff.x5zMder8a	LB3.exe
File renamed	C:\Users\Admin\Pictures\SelectStart.raw => C:\Users\Admin\Pictures\SelectStart.raw.x5zMder8a	LB3.exe
File renamed	C:\Users\Admin\Pictures\MergeResolve.tiff => C:\Users\Admin\Pictures\MergeResolve.tiff.x5zMder8a	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\ProtectEnter.tiff	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\SelectStart.raw.x5zMder8a	LB3.exe
File renamed	C:\Users\Admin\Pictures\SendExpand.png => C:\Users\Admin\Pictures\SendExpand.png.x5zMder8a	LB3.exe
File renamed	C:\Users\Admin\Pictures\ConnectPublish.raw => C:\Users\Admin\Pictures\ConnectPublish.raw.x5zMder8a	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\MergeResolve.tiff	LB3.exe
File renamed	C:\Users\Admin\Pictures\ProtectEnter.tiff => C:\Users\Admin\Pictures\ProtectEnter.tiff.x5zMder8a	LB3.exe
File renamed	C:\Users\Admin\Pictures\SaveConvertFrom.crw => C:\Users\Admin\Pictures\SaveConvertFrom.crw.x5zMder8a	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\SaveConvertFrom.crw.x5zMder8a	LB3.exe
File renamed	C:\Users\Admin\Pictures\AssertSelect.crw => C:\Users\Admin\Pictures\AssertSelect.crw.x5zMder8a	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\AssertSelect.crw.x5zMder8a	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\HideRestore.tif.x5zMder8a	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\ProtectEnter.tiff.x5zMder8a	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\SendExpand.png.x5zMder8a	LB3.exe

Deletes itself 1 IoCs

Processes:

474.tmp

pid process

1268 474.tmp
Loads dropped DLL 1 IoCs

Processes:

LB3.exe

pid process

1576 LB3.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Drops desktop.ini file(s) 1 IoCs

Processes:

LB3.exe

description ioc process

File opened for modification C:\$Recycle.Bin\S-1-5-21-2292972927-2705560509-2768824231-1000\desktop.ini LB3.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2292972927-2705560509-2768824231-1000\desktop.ini	LB3.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

LB3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\x5zMder8a.bmp"	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\x5zMder8a.bmp"	LB3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

474.tmp

pid process

1268 474.tmp
1268 474.tmp
1268 474.tmp
1268 474.tmp
1268 474.tmp
1268 474.tmp

Modifies Control Panel 3 IoCs

evasion

Processes:

LB3.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International	LB3.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\WallpaperStyle = "10"	LB3.exe

Modifies registry class 5 IoCs

Processes:

LB3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\x5zMder8a\DefaultIcon	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\x5zMder8a	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\x5zMder8a\DefaultIcon\ = "C:\\ProgramData\\x5zMder8a.ico"	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.x5zMder8a	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.x5zMder8a\ = "x5zMder8a"	LB3.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

LB3.exe

pid	process
1576	LB3.exe
1576	LB3.exe
1576	LB3.exe
1576	LB3.exe
1576	LB3.exe
1576	LB3.exe
1576	LB3.exe
1576	LB3.exe
1576	LB3.exe
1576	LB3.exe
1576	LB3.exe
1576	LB3.exe
1576	LB3.exe
1576	LB3.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

474.tmp

pid	process
1268	474.tmp
1268	474.tmp
1268	474.tmp
1268	474.tmp
1268	474.tmp
1268	474.tmp
1268	474.tmp
1268	474.tmp
1268	474.tmp
1268	474.tmp
1268	474.tmp
1268	474.tmp
1268	474.tmp
1268	474.tmp
1268	474.tmp
1268	474.tmp
1268	474.tmp
1268	474.tmp
1268	474.tmp
1268	474.tmp
1268	474.tmp
1268	474.tmp
1268	474.tmp
1268	474.tmp
1268	474.tmp
1268	474.tmp

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

LB3.exe474.tmp

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	1576	LB3.exe
Token: SeBackupPrivilege	1576	LB3.exe
Token: SeDebugPrivilege	1576	LB3.exe
Token: 36	1576	LB3.exe
Token: SeImpersonatePrivilege	1576	LB3.exe
Token: SeIncBasePriorityPrivilege	1576	LB3.exe
Token: SeIncreaseQuotaPrivilege	1576	LB3.exe
Token: 33	1576	LB3.exe
Token: SeManageVolumePrivilege	1576	LB3.exe
Token: SeProfSingleProcessPrivilege	1576	LB3.exe
Token: SeRestorePrivilege	1576	LB3.exe
Token: SeSecurityPrivilege	1576	LB3.exe
Token: SeSystemProfilePrivilege	1576	LB3.exe
Token: SeTakeOwnershipPrivilege	1576	LB3.exe
Token: SeShutdownPrivilege	1576	LB3.exe
Token: SeDebugPrivilege	1576	LB3.exe
Token: SeBackupPrivilege	1268	474.tmp
Token: SeRestorePrivilege	1268	474.tmp
Token: SeIncBasePriorityPrivilege	1268	474.tmp
Token: 33	1268	474.tmp
Token: SeManageVolumePrivilege	1268	474.tmp
Token: SeSecurityPrivilege	1268	474.tmp
Token: SeShutdownPrivilege	1268	474.tmp
Token: SeSystemProfilePrivilege	1268	474.tmp
Token: SeTakeOwnershipPrivilege	1268	474.tmp

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

LB3.exe

description	pid	process	target process
PID 1576 wrote to memory of 1268	1576	LB3.exe	474.tmp
PID 1576 wrote to memory of 1268	1576	LB3.exe	474.tmp
PID 1576 wrote to memory of 1268	1576	LB3.exe	474.tmp
PID 1576 wrote to memory of 1268	1576	LB3.exe	474.tmp
PID 1576 wrote to memory of 1268	1576	LB3.exe	474.tmp

C:\Users\Admin\AppData\Local\Temp\LB3.exe
"C:\Users\Admin\AppData\Local\Temp\LB3.exe"
1⤵
- Modifies extensions of user files
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1576

C:\ProgramData\474.tmp
"C:\ProgramData\474.tmp"
2⤵
- Executes dropped EXE
- Deletes itself
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:1268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2292972927-2705560509-2768824231-1000\AAAAAAAAAAA
Filesize
129B

MD5
7b8237d98a77e3808312d133408b4db0

SHA1
364b25c70579a8d5940bdde0cafab6d6d83a8e22

SHA256
f14280a82ebbb06a4c6ae177008a9384f8a0ca78ba7916dad1fb7104cc59c033

SHA512
47392f13824ce852f6491973cebc613ad90366227cb9850b6d8e2de1720cd83953382b3bbd6491264d4b0692d43b20ccc17795e05154caeadba748778e1f65a8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2292972927-2705560509-2768824231-1000\BBBBBBBBBBB
Filesize
129B

MD5
7b8237d98a77e3808312d133408b4db0

SHA1
364b25c70579a8d5940bdde0cafab6d6d83a8e22

SHA256
f14280a82ebbb06a4c6ae177008a9384f8a0ca78ba7916dad1fb7104cc59c033

SHA512
47392f13824ce852f6491973cebc613ad90366227cb9850b6d8e2de1720cd83953382b3bbd6491264d4b0692d43b20ccc17795e05154caeadba748778e1f65a8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2292972927-2705560509-2768824231-1000\CCCCCCCCCCC
Filesize
129B

MD5
7b8237d98a77e3808312d133408b4db0

SHA1
364b25c70579a8d5940bdde0cafab6d6d83a8e22

SHA256
f14280a82ebbb06a4c6ae177008a9384f8a0ca78ba7916dad1fb7104cc59c033

SHA512
47392f13824ce852f6491973cebc613ad90366227cb9850b6d8e2de1720cd83953382b3bbd6491264d4b0692d43b20ccc17795e05154caeadba748778e1f65a8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2292972927-2705560509-2768824231-1000\DDDDDDDDDDD
Filesize
129B

MD5
7b8237d98a77e3808312d133408b4db0

SHA1
364b25c70579a8d5940bdde0cafab6d6d83a8e22

SHA256
f14280a82ebbb06a4c6ae177008a9384f8a0ca78ba7916dad1fb7104cc59c033

SHA512
47392f13824ce852f6491973cebc613ad90366227cb9850b6d8e2de1720cd83953382b3bbd6491264d4b0692d43b20ccc17795e05154caeadba748778e1f65a8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2292972927-2705560509-2768824231-1000\EEEEEEEEEEE
Filesize
129B

MD5
7b8237d98a77e3808312d133408b4db0

SHA1
364b25c70579a8d5940bdde0cafab6d6d83a8e22

SHA256
f14280a82ebbb06a4c6ae177008a9384f8a0ca78ba7916dad1fb7104cc59c033

SHA512
47392f13824ce852f6491973cebc613ad90366227cb9850b6d8e2de1720cd83953382b3bbd6491264d4b0692d43b20ccc17795e05154caeadba748778e1f65a8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2292972927-2705560509-2768824231-1000\FFFFFFFFFFF
Filesize
129B

MD5
7b8237d98a77e3808312d133408b4db0

SHA1
364b25c70579a8d5940bdde0cafab6d6d83a8e22

SHA256
f14280a82ebbb06a4c6ae177008a9384f8a0ca78ba7916dad1fb7104cc59c033

SHA512
47392f13824ce852f6491973cebc613ad90366227cb9850b6d8e2de1720cd83953382b3bbd6491264d4b0692d43b20ccc17795e05154caeadba748778e1f65a8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2292972927-2705560509-2768824231-1000\GGGGGGGGGGG
Filesize
129B

MD5
7b8237d98a77e3808312d133408b4db0

SHA1
364b25c70579a8d5940bdde0cafab6d6d83a8e22

SHA256
f14280a82ebbb06a4c6ae177008a9384f8a0ca78ba7916dad1fb7104cc59c033

SHA512
47392f13824ce852f6491973cebc613ad90366227cb9850b6d8e2de1720cd83953382b3bbd6491264d4b0692d43b20ccc17795e05154caeadba748778e1f65a8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2292972927-2705560509-2768824231-1000\HHHHHHHHHHH
Filesize
129B

MD5
7b8237d98a77e3808312d133408b4db0

SHA1
364b25c70579a8d5940bdde0cafab6d6d83a8e22

SHA256
f14280a82ebbb06a4c6ae177008a9384f8a0ca78ba7916dad1fb7104cc59c033

SHA512
47392f13824ce852f6491973cebc613ad90366227cb9850b6d8e2de1720cd83953382b3bbd6491264d4b0692d43b20ccc17795e05154caeadba748778e1f65a8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2292972927-2705560509-2768824231-1000\IIIIIIIIIII
Filesize
129B

MD5
7b8237d98a77e3808312d133408b4db0

SHA1
364b25c70579a8d5940bdde0cafab6d6d83a8e22

SHA256
f14280a82ebbb06a4c6ae177008a9384f8a0ca78ba7916dad1fb7104cc59c033

SHA512
47392f13824ce852f6491973cebc613ad90366227cb9850b6d8e2de1720cd83953382b3bbd6491264d4b0692d43b20ccc17795e05154caeadba748778e1f65a8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2292972927-2705560509-2768824231-1000\JJJJJJJJJJJ
Filesize
129B

MD5
7b8237d98a77e3808312d133408b4db0

SHA1
364b25c70579a8d5940bdde0cafab6d6d83a8e22

SHA256
f14280a82ebbb06a4c6ae177008a9384f8a0ca78ba7916dad1fb7104cc59c033

SHA512
47392f13824ce852f6491973cebc613ad90366227cb9850b6d8e2de1720cd83953382b3bbd6491264d4b0692d43b20ccc17795e05154caeadba748778e1f65a8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2292972927-2705560509-2768824231-1000\KKKKKKKKKKK
Filesize
129B

MD5
7b8237d98a77e3808312d133408b4db0

SHA1
364b25c70579a8d5940bdde0cafab6d6d83a8e22

SHA256
f14280a82ebbb06a4c6ae177008a9384f8a0ca78ba7916dad1fb7104cc59c033

SHA512
47392f13824ce852f6491973cebc613ad90366227cb9850b6d8e2de1720cd83953382b3bbd6491264d4b0692d43b20ccc17795e05154caeadba748778e1f65a8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2292972927-2705560509-2768824231-1000\LLLLLLLLLLL
Filesize
129B

MD5
7b8237d98a77e3808312d133408b4db0

SHA1
364b25c70579a8d5940bdde0cafab6d6d83a8e22

SHA256
f14280a82ebbb06a4c6ae177008a9384f8a0ca78ba7916dad1fb7104cc59c033

SHA512
47392f13824ce852f6491973cebc613ad90366227cb9850b6d8e2de1720cd83953382b3bbd6491264d4b0692d43b20ccc17795e05154caeadba748778e1f65a8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2292972927-2705560509-2768824231-1000\MMMMMMMMMMM
Filesize
129B

MD5
7b8237d98a77e3808312d133408b4db0

SHA1
364b25c70579a8d5940bdde0cafab6d6d83a8e22

SHA256
f14280a82ebbb06a4c6ae177008a9384f8a0ca78ba7916dad1fb7104cc59c033

SHA512
47392f13824ce852f6491973cebc613ad90366227cb9850b6d8e2de1720cd83953382b3bbd6491264d4b0692d43b20ccc17795e05154caeadba748778e1f65a8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2292972927-2705560509-2768824231-1000\NNNNNNNNNNN
Filesize
129B

MD5
7b8237d98a77e3808312d133408b4db0

SHA1
364b25c70579a8d5940bdde0cafab6d6d83a8e22

SHA256
f14280a82ebbb06a4c6ae177008a9384f8a0ca78ba7916dad1fb7104cc59c033

SHA512
47392f13824ce852f6491973cebc613ad90366227cb9850b6d8e2de1720cd83953382b3bbd6491264d4b0692d43b20ccc17795e05154caeadba748778e1f65a8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2292972927-2705560509-2768824231-1000\OOOOOOOOOOO
Filesize
129B

MD5
7b8237d98a77e3808312d133408b4db0

SHA1
364b25c70579a8d5940bdde0cafab6d6d83a8e22

SHA256
f14280a82ebbb06a4c6ae177008a9384f8a0ca78ba7916dad1fb7104cc59c033

SHA512
47392f13824ce852f6491973cebc613ad90366227cb9850b6d8e2de1720cd83953382b3bbd6491264d4b0692d43b20ccc17795e05154caeadba748778e1f65a8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2292972927-2705560509-2768824231-1000\PPPPPPPPPPP
Filesize
129B

MD5
7b8237d98a77e3808312d133408b4db0

SHA1
364b25c70579a8d5940bdde0cafab6d6d83a8e22

SHA256
f14280a82ebbb06a4c6ae177008a9384f8a0ca78ba7916dad1fb7104cc59c033

SHA512
47392f13824ce852f6491973cebc613ad90366227cb9850b6d8e2de1720cd83953382b3bbd6491264d4b0692d43b20ccc17795e05154caeadba748778e1f65a8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2292972927-2705560509-2768824231-1000\QQQQQQQQQQQ
Filesize
129B

MD5
7b8237d98a77e3808312d133408b4db0

SHA1
364b25c70579a8d5940bdde0cafab6d6d83a8e22

SHA256
f14280a82ebbb06a4c6ae177008a9384f8a0ca78ba7916dad1fb7104cc59c033

SHA512
47392f13824ce852f6491973cebc613ad90366227cb9850b6d8e2de1720cd83953382b3bbd6491264d4b0692d43b20ccc17795e05154caeadba748778e1f65a8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2292972927-2705560509-2768824231-1000\RRRRRRRRRRR
Filesize
129B

MD5
7b8237d98a77e3808312d133408b4db0

SHA1
364b25c70579a8d5940bdde0cafab6d6d83a8e22

SHA256
f14280a82ebbb06a4c6ae177008a9384f8a0ca78ba7916dad1fb7104cc59c033

SHA512
47392f13824ce852f6491973cebc613ad90366227cb9850b6d8e2de1720cd83953382b3bbd6491264d4b0692d43b20ccc17795e05154caeadba748778e1f65a8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2292972927-2705560509-2768824231-1000\SSSSSSSSSSS
Filesize
129B

MD5
7b8237d98a77e3808312d133408b4db0

SHA1
364b25c70579a8d5940bdde0cafab6d6d83a8e22

SHA256
f14280a82ebbb06a4c6ae177008a9384f8a0ca78ba7916dad1fb7104cc59c033

SHA512
47392f13824ce852f6491973cebc613ad90366227cb9850b6d8e2de1720cd83953382b3bbd6491264d4b0692d43b20ccc17795e05154caeadba748778e1f65a8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2292972927-2705560509-2768824231-1000\TTTTTTTTTTT
Filesize
129B

MD5
7b8237d98a77e3808312d133408b4db0

SHA1
364b25c70579a8d5940bdde0cafab6d6d83a8e22

SHA256
f14280a82ebbb06a4c6ae177008a9384f8a0ca78ba7916dad1fb7104cc59c033

SHA512
47392f13824ce852f6491973cebc613ad90366227cb9850b6d8e2de1720cd83953382b3bbd6491264d4b0692d43b20ccc17795e05154caeadba748778e1f65a8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2292972927-2705560509-2768824231-1000\UUUUUUUUUUU
Filesize
129B

MD5
7b8237d98a77e3808312d133408b4db0

SHA1
364b25c70579a8d5940bdde0cafab6d6d83a8e22

SHA256
f14280a82ebbb06a4c6ae177008a9384f8a0ca78ba7916dad1fb7104cc59c033

SHA512
47392f13824ce852f6491973cebc613ad90366227cb9850b6d8e2de1720cd83953382b3bbd6491264d4b0692d43b20ccc17795e05154caeadba748778e1f65a8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2292972927-2705560509-2768824231-1000\VVVVVVVVVVV
Filesize
129B

MD5
7b8237d98a77e3808312d133408b4db0

SHA1
364b25c70579a8d5940bdde0cafab6d6d83a8e22

SHA256
f14280a82ebbb06a4c6ae177008a9384f8a0ca78ba7916dad1fb7104cc59c033

SHA512
47392f13824ce852f6491973cebc613ad90366227cb9850b6d8e2de1720cd83953382b3bbd6491264d4b0692d43b20ccc17795e05154caeadba748778e1f65a8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2292972927-2705560509-2768824231-1000\WWWWWWWWWWW
Filesize
129B

MD5
7b8237d98a77e3808312d133408b4db0

SHA1
364b25c70579a8d5940bdde0cafab6d6d83a8e22

SHA256
f14280a82ebbb06a4c6ae177008a9384f8a0ca78ba7916dad1fb7104cc59c033

SHA512
47392f13824ce852f6491973cebc613ad90366227cb9850b6d8e2de1720cd83953382b3bbd6491264d4b0692d43b20ccc17795e05154caeadba748778e1f65a8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2292972927-2705560509-2768824231-1000\XXXXXXXXXXX
Filesize
129B

MD5
7b8237d98a77e3808312d133408b4db0

SHA1
364b25c70579a8d5940bdde0cafab6d6d83a8e22

SHA256
f14280a82ebbb06a4c6ae177008a9384f8a0ca78ba7916dad1fb7104cc59c033

SHA512
47392f13824ce852f6491973cebc613ad90366227cb9850b6d8e2de1720cd83953382b3bbd6491264d4b0692d43b20ccc17795e05154caeadba748778e1f65a8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2292972927-2705560509-2768824231-1000\YYYYYYYYYYY
Filesize
129B

MD5
7b8237d98a77e3808312d133408b4db0

SHA1
364b25c70579a8d5940bdde0cafab6d6d83a8e22

SHA256
f14280a82ebbb06a4c6ae177008a9384f8a0ca78ba7916dad1fb7104cc59c033

SHA512
47392f13824ce852f6491973cebc613ad90366227cb9850b6d8e2de1720cd83953382b3bbd6491264d4b0692d43b20ccc17795e05154caeadba748778e1f65a8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2292972927-2705560509-2768824231-1000\desktop.ini
Filesize
129B

MD5
7b8237d98a77e3808312d133408b4db0

SHA1
364b25c70579a8d5940bdde0cafab6d6d83a8e22

SHA256
f14280a82ebbb06a4c6ae177008a9384f8a0ca78ba7916dad1fb7104cc59c033

SHA512
47392f13824ce852f6491973cebc613ad90366227cb9850b6d8e2de1720cd83953382b3bbd6491264d4b0692d43b20ccc17795e05154caeadba748778e1f65a8

Download Submit
C:\ProgramData\474.tmp
Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\ProgramData\474.tmp
Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
\ProgramData\474.tmp
Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/1268-83-0x0000000000000000-mapping.dmp

Download
memory/1268-87-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1268-88-0x0000000002525000-0x0000000002536000-memory.dmp

Filesize
68KB

Download
memory/1268-89-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1576-54-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/1576-81-0x0000000000CE5000-0x0000000000CF6000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads