943d4c645f76f0d0494cb9ceca513e83a45e738bc2db71360116716720f4bed4

Analysis

max time kernel
86s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-10-2022 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lockbit.exe
Size

146KB
MD5

fed98c2820ca40c228ef080ddf68e994
SHA1

c61dd67fa85a6e3e1cf48512263a7097d0eac80e
SHA256

943d4c645f76f0d0494cb9ceca513e83a45e738bc2db71360116716720f4bed4
SHA512

6a9705d55b322e17e1f4d5380cf895e61ea89cdeca53e1b62833b0a37bafd3b785c8ee8625b4198c132741ad024d949eeb34053ef391a955540a8b836c5c1ca3
SSDEEP

1536:LzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDuKaUTGiblZ8FvBq5dF9n4KkPqD:0qJogYkcSNm9V7DxGDcYqg6lT

Score

8^/10

ransomware spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

5957.tmp

pid process

820 5957.tmp

Modifies extensions of user files 20 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

lockbit.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\AssertConvert.png.jJS2yaJaB	lockbit.exe
File opened for modification	C:\Users\Admin\Pictures\NewBackup.tif.jJS2yaJaB	lockbit.exe
File renamed	C:\Users\Admin\Pictures\RestoreClear.raw => C:\Users\Admin\Pictures\RestoreClear.raw.jJS2yaJaB	lockbit.exe
File renamed	C:\Users\Admin\Pictures\AssertConvert.png => C:\Users\Admin\Pictures\AssertConvert.png.jJS2yaJaB	lockbit.exe
File opened for modification	C:\Users\Admin\Pictures\NewSuspend.tiff	lockbit.exe
File opened for modification	C:\Users\Admin\Pictures\UnregisterConnect.png.jJS2yaJaB	lockbit.exe
File renamed	C:\Users\Admin\Pictures\UnregisterConnect.png => C:\Users\Admin\Pictures\UnregisterConnect.png.jJS2yaJaB	lockbit.exe
File opened for modification	C:\Users\Admin\Pictures\ConfirmCompress.tiff.jJS2yaJaB	lockbit.exe
File renamed	C:\Users\Admin\Pictures\NewBackup.tif => C:\Users\Admin\Pictures\NewBackup.tif.jJS2yaJaB	lockbit.exe
File opened for modification	C:\Users\Admin\Pictures\RestoreClear.raw.jJS2yaJaB	lockbit.exe
File opened for modification	C:\Users\Admin\Pictures\RestoreFind.crw.jJS2yaJaB	lockbit.exe
File renamed	C:\Users\Admin\Pictures\TestWait.crw => C:\Users\Admin\Pictures\TestWait.crw.jJS2yaJaB	lockbit.exe
File opened for modification	C:\Users\Admin\Pictures\NewSuspend.tiff.jJS2yaJaB	lockbit.exe
File renamed	C:\Users\Admin\Pictures\RestoreFind.crw => C:\Users\Admin\Pictures\RestoreFind.crw.jJS2yaJaB	lockbit.exe
File opened for modification	C:\Users\Admin\Pictures\TestWait.crw.jJS2yaJaB	lockbit.exe
File opened for modification	C:\Users\Admin\Pictures\ConfirmCompress.tiff	lockbit.exe
File renamed	C:\Users\Admin\Pictures\ConfirmCompress.tiff => C:\Users\Admin\Pictures\ConfirmCompress.tiff.jJS2yaJaB	lockbit.exe
File renamed	C:\Users\Admin\Pictures\ConvertFromDisconnect.png => C:\Users\Admin\Pictures\ConvertFromDisconnect.png.jJS2yaJaB	lockbit.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertFromDisconnect.png.jJS2yaJaB	lockbit.exe
File renamed	C:\Users\Admin\Pictures\NewSuspend.tiff => C:\Users\Admin\Pictures\NewSuspend.tiff.jJS2yaJaB	lockbit.exe

Deletes itself 1 IoCs

Processes:

5957.tmp

pid process

820 5957.tmp
Loads dropped DLL 1 IoCs

Processes:

lockbit.exe

pid process

828 lockbit.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Drops desktop.ini file(s) 1 IoCs

Processes:

lockbit.exe

description ioc process

File opened for modification C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\desktop.ini lockbit.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\desktop.ini	lockbit.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

lockbit.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\jJS2yaJaB.bmp"	lockbit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\jJS2yaJaB.bmp"	lockbit.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

5957.tmp

pid process

820 5957.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

Processes:

lockbit.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\Desktop	lockbit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\Desktop\WallpaperStyle = "10"	lockbit.exe

Modifies registry class 5 IoCs

Processes:

lockbit.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.jJS2yaJaB	lockbit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jJS2yaJaB\ = "jJS2yaJaB"	lockbit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jJS2yaJaB\DefaultIcon	lockbit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jJS2yaJaB	lockbit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jJS2yaJaB\DefaultIcon\ = "C:\\ProgramData\\jJS2yaJaB.ico"	lockbit.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

lockbit.exe

pid	process
828	lockbit.exe
828	lockbit.exe
828	lockbit.exe
828	lockbit.exe
828	lockbit.exe
828	lockbit.exe
828	lockbit.exe
828	lockbit.exe
828	lockbit.exe
828	lockbit.exe
828	lockbit.exe
828	lockbit.exe
828	lockbit.exe
828	lockbit.exe
828	lockbit.exe
828	lockbit.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

5957.tmp

pid	process
820	5957.tmp
820	5957.tmp
820	5957.tmp
820	5957.tmp
820	5957.tmp
820	5957.tmp
820	5957.tmp
820	5957.tmp
820	5957.tmp
820	5957.tmp
820	5957.tmp
820	5957.tmp
820	5957.tmp
820	5957.tmp
820	5957.tmp
820	5957.tmp
820	5957.tmp
820	5957.tmp
820	5957.tmp
820	5957.tmp
820	5957.tmp
820	5957.tmp
820	5957.tmp
820	5957.tmp
820	5957.tmp
820	5957.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

lockbit.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	828	lockbit.exe
Token: SeBackupPrivilege	828	lockbit.exe
Token: SeDebugPrivilege	828	lockbit.exe
Token: 36	828	lockbit.exe
Token: SeImpersonatePrivilege	828	lockbit.exe
Token: SeIncBasePriorityPrivilege	828	lockbit.exe
Token: SeIncreaseQuotaPrivilege	828	lockbit.exe
Token: 33	828	lockbit.exe
Token: SeManageVolumePrivilege	828	lockbit.exe
Token: SeProfSingleProcessPrivilege	828	lockbit.exe
Token: SeRestorePrivilege	828	lockbit.exe
Token: SeSecurityPrivilege	828	lockbit.exe
Token: SeSystemProfilePrivilege	828	lockbit.exe
Token: SeTakeOwnershipPrivilege	828	lockbit.exe
Token: SeShutdownPrivilege	828	lockbit.exe
Token: SeDebugPrivilege	828	lockbit.exe
Token: SeBackupPrivilege	828	lockbit.exe
Token: SeBackupPrivilege	828	lockbit.exe
Token: SeSecurityPrivilege	828	lockbit.exe
Token: SeSecurityPrivilege	828	lockbit.exe
Token: SeBackupPrivilege	828	lockbit.exe
Token: SeBackupPrivilege	828	lockbit.exe
Token: SeSecurityPrivilege	828	lockbit.exe
Token: SeSecurityPrivilege	828	lockbit.exe
Token: SeBackupPrivilege	828	lockbit.exe
Token: SeBackupPrivilege	828	lockbit.exe
Token: SeSecurityPrivilege	828	lockbit.exe
Token: SeSecurityPrivilege	828	lockbit.exe
Token: SeBackupPrivilege	828	lockbit.exe
Token: SeBackupPrivilege	828	lockbit.exe
Token: SeSecurityPrivilege	828	lockbit.exe
Token: SeSecurityPrivilege	828	lockbit.exe
Token: SeBackupPrivilege	828	lockbit.exe
Token: SeBackupPrivilege	828	lockbit.exe
Token: SeSecurityPrivilege	828	lockbit.exe
Token: SeSecurityPrivilege	828	lockbit.exe
Token: SeBackupPrivilege	828	lockbit.exe
Token: SeBackupPrivilege	828	lockbit.exe
Token: SeSecurityPrivilege	828	lockbit.exe
Token: SeSecurityPrivilege	828	lockbit.exe
Token: SeBackupPrivilege	828	lockbit.exe
Token: SeBackupPrivilege	828	lockbit.exe
Token: SeSecurityPrivilege	828	lockbit.exe
Token: SeSecurityPrivilege	828	lockbit.exe
Token: SeBackupPrivilege	828	lockbit.exe
Token: SeBackupPrivilege	828	lockbit.exe
Token: SeSecurityPrivilege	828	lockbit.exe
Token: SeSecurityPrivilege	828	lockbit.exe
Token: SeBackupPrivilege	828	lockbit.exe
Token: SeBackupPrivilege	828	lockbit.exe
Token: SeSecurityPrivilege	828	lockbit.exe
Token: SeSecurityPrivilege	828	lockbit.exe
Token: SeBackupPrivilege	828	lockbit.exe
Token: SeBackupPrivilege	828	lockbit.exe
Token: SeSecurityPrivilege	828	lockbit.exe
Token: SeSecurityPrivilege	828	lockbit.exe
Token: SeBackupPrivilege	828	lockbit.exe
Token: SeBackupPrivilege	828	lockbit.exe
Token: SeSecurityPrivilege	828	lockbit.exe
Token: SeSecurityPrivilege	828	lockbit.exe
Token: SeBackupPrivilege	828	lockbit.exe
Token: SeBackupPrivilege	828	lockbit.exe
Token: SeSecurityPrivilege	828	lockbit.exe
Token: SeSecurityPrivilege	828	lockbit.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

lockbit.exe5957.tmp

description	pid	process	target process
PID 828 wrote to memory of 820	828	lockbit.exe	5957.tmp
PID 828 wrote to memory of 820	828	lockbit.exe	5957.tmp
PID 828 wrote to memory of 820	828	lockbit.exe	5957.tmp
PID 828 wrote to memory of 820	828	lockbit.exe	5957.tmp
PID 828 wrote to memory of 820	828	lockbit.exe	5957.tmp
PID 820 wrote to memory of 1384	820	5957.tmp	cmd.exe
PID 820 wrote to memory of 1384	820	5957.tmp	cmd.exe
PID 820 wrote to memory of 1384	820	5957.tmp	cmd.exe
PID 820 wrote to memory of 1384	820	5957.tmp	cmd.exe

C:\Users\Admin\AppData\Local\Temp\lockbit.exe
"C:\Users\Admin\AppData\Local\Temp\lockbit.exe"
1⤵
- Modifies extensions of user files
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:828

C:\ProgramData\5957.tmp
"C:\ProgramData\5957.tmp"
2⤵
- Executes dropped EXE
- Deletes itself
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\5957.tmp >> NUL
3⤵
PID:1384

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x154
1⤵
PID:1216

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\AAAAAAAAAAA
Filesize
129B

MD5
85d73daa8bf33697c864dafc4b82eba0

SHA1
c56c9ce52dd3dc0dc3a30b6a16e06e9a53df4ff5

SHA256
e395c57a185f1bb9e392261d18d5da41abaf9b0242496c3594bd7548c967df10

SHA512
db1438ce9645687e36c8c59428fd9eeb40730bd77e8216f51b630db007745a5e6b08d92f0dae94d0712a85659962ad3f65ece7a742053fb956ca885422cdc3d5

Download Submit
C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\BBBBBBBBBBB
Filesize
129B

MD5
85d73daa8bf33697c864dafc4b82eba0

SHA1
c56c9ce52dd3dc0dc3a30b6a16e06e9a53df4ff5

SHA256
e395c57a185f1bb9e392261d18d5da41abaf9b0242496c3594bd7548c967df10

SHA512
db1438ce9645687e36c8c59428fd9eeb40730bd77e8216f51b630db007745a5e6b08d92f0dae94d0712a85659962ad3f65ece7a742053fb956ca885422cdc3d5

Download Submit
C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\CCCCCCCCCCC
Filesize
129B

MD5
85d73daa8bf33697c864dafc4b82eba0

SHA1
c56c9ce52dd3dc0dc3a30b6a16e06e9a53df4ff5

SHA256
e395c57a185f1bb9e392261d18d5da41abaf9b0242496c3594bd7548c967df10

SHA512
db1438ce9645687e36c8c59428fd9eeb40730bd77e8216f51b630db007745a5e6b08d92f0dae94d0712a85659962ad3f65ece7a742053fb956ca885422cdc3d5

Download Submit
C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\DDDDDDDDDDD
Filesize
129B

MD5
85d73daa8bf33697c864dafc4b82eba0

SHA1
c56c9ce52dd3dc0dc3a30b6a16e06e9a53df4ff5

SHA256
e395c57a185f1bb9e392261d18d5da41abaf9b0242496c3594bd7548c967df10

SHA512
db1438ce9645687e36c8c59428fd9eeb40730bd77e8216f51b630db007745a5e6b08d92f0dae94d0712a85659962ad3f65ece7a742053fb956ca885422cdc3d5

Download Submit
C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\EEEEEEEEEEE
Filesize
129B

MD5
85d73daa8bf33697c864dafc4b82eba0

SHA1
c56c9ce52dd3dc0dc3a30b6a16e06e9a53df4ff5

SHA256
e395c57a185f1bb9e392261d18d5da41abaf9b0242496c3594bd7548c967df10

SHA512
db1438ce9645687e36c8c59428fd9eeb40730bd77e8216f51b630db007745a5e6b08d92f0dae94d0712a85659962ad3f65ece7a742053fb956ca885422cdc3d5

Download Submit
C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\FFFFFFFFFFF
Filesize
129B

MD5
85d73daa8bf33697c864dafc4b82eba0

SHA1
c56c9ce52dd3dc0dc3a30b6a16e06e9a53df4ff5

SHA256
e395c57a185f1bb9e392261d18d5da41abaf9b0242496c3594bd7548c967df10

SHA512
db1438ce9645687e36c8c59428fd9eeb40730bd77e8216f51b630db007745a5e6b08d92f0dae94d0712a85659962ad3f65ece7a742053fb956ca885422cdc3d5

Download Submit
C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\GGGGGGGGGGG
Filesize
129B

MD5
85d73daa8bf33697c864dafc4b82eba0

SHA1
c56c9ce52dd3dc0dc3a30b6a16e06e9a53df4ff5

SHA256
e395c57a185f1bb9e392261d18d5da41abaf9b0242496c3594bd7548c967df10

SHA512
db1438ce9645687e36c8c59428fd9eeb40730bd77e8216f51b630db007745a5e6b08d92f0dae94d0712a85659962ad3f65ece7a742053fb956ca885422cdc3d5

Download Submit
C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\HHHHHHHHHHH
Filesize
129B

MD5
85d73daa8bf33697c864dafc4b82eba0

SHA1
c56c9ce52dd3dc0dc3a30b6a16e06e9a53df4ff5

SHA256
e395c57a185f1bb9e392261d18d5da41abaf9b0242496c3594bd7548c967df10

SHA512
db1438ce9645687e36c8c59428fd9eeb40730bd77e8216f51b630db007745a5e6b08d92f0dae94d0712a85659962ad3f65ece7a742053fb956ca885422cdc3d5

Download Submit
C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\IIIIIIIIIII
Filesize
129B

MD5
85d73daa8bf33697c864dafc4b82eba0

SHA1
c56c9ce52dd3dc0dc3a30b6a16e06e9a53df4ff5

SHA256
e395c57a185f1bb9e392261d18d5da41abaf9b0242496c3594bd7548c967df10

SHA512
db1438ce9645687e36c8c59428fd9eeb40730bd77e8216f51b630db007745a5e6b08d92f0dae94d0712a85659962ad3f65ece7a742053fb956ca885422cdc3d5

Download Submit
C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\JJJJJJJJJJJ
Filesize
129B

MD5
85d73daa8bf33697c864dafc4b82eba0

SHA1
c56c9ce52dd3dc0dc3a30b6a16e06e9a53df4ff5

SHA256
e395c57a185f1bb9e392261d18d5da41abaf9b0242496c3594bd7548c967df10

SHA512
db1438ce9645687e36c8c59428fd9eeb40730bd77e8216f51b630db007745a5e6b08d92f0dae94d0712a85659962ad3f65ece7a742053fb956ca885422cdc3d5

Download Submit
C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\KKKKKKKKKKK
Filesize
129B

MD5
85d73daa8bf33697c864dafc4b82eba0

SHA1
c56c9ce52dd3dc0dc3a30b6a16e06e9a53df4ff5

SHA256
e395c57a185f1bb9e392261d18d5da41abaf9b0242496c3594bd7548c967df10

SHA512
db1438ce9645687e36c8c59428fd9eeb40730bd77e8216f51b630db007745a5e6b08d92f0dae94d0712a85659962ad3f65ece7a742053fb956ca885422cdc3d5

Download Submit
C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\LLLLLLLLLLL
Filesize
129B

MD5
85d73daa8bf33697c864dafc4b82eba0

SHA1
c56c9ce52dd3dc0dc3a30b6a16e06e9a53df4ff5

SHA256
e395c57a185f1bb9e392261d18d5da41abaf9b0242496c3594bd7548c967df10

SHA512
db1438ce9645687e36c8c59428fd9eeb40730bd77e8216f51b630db007745a5e6b08d92f0dae94d0712a85659962ad3f65ece7a742053fb956ca885422cdc3d5

Download Submit
C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\MMMMMMMMMMM
Filesize
129B

MD5
85d73daa8bf33697c864dafc4b82eba0

SHA1
c56c9ce52dd3dc0dc3a30b6a16e06e9a53df4ff5

SHA256
e395c57a185f1bb9e392261d18d5da41abaf9b0242496c3594bd7548c967df10

SHA512
db1438ce9645687e36c8c59428fd9eeb40730bd77e8216f51b630db007745a5e6b08d92f0dae94d0712a85659962ad3f65ece7a742053fb956ca885422cdc3d5

Download Submit
C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\NNNNNNNNNNN
Filesize
129B

MD5
85d73daa8bf33697c864dafc4b82eba0

SHA1
c56c9ce52dd3dc0dc3a30b6a16e06e9a53df4ff5

SHA256
e395c57a185f1bb9e392261d18d5da41abaf9b0242496c3594bd7548c967df10

SHA512
db1438ce9645687e36c8c59428fd9eeb40730bd77e8216f51b630db007745a5e6b08d92f0dae94d0712a85659962ad3f65ece7a742053fb956ca885422cdc3d5

Download Submit
C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\OOOOOOOOOOO
Filesize
129B

MD5
85d73daa8bf33697c864dafc4b82eba0

SHA1
c56c9ce52dd3dc0dc3a30b6a16e06e9a53df4ff5

SHA256
e395c57a185f1bb9e392261d18d5da41abaf9b0242496c3594bd7548c967df10

SHA512
db1438ce9645687e36c8c59428fd9eeb40730bd77e8216f51b630db007745a5e6b08d92f0dae94d0712a85659962ad3f65ece7a742053fb956ca885422cdc3d5

Download Submit
C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\PPPPPPPPPPP
Filesize
129B

MD5
85d73daa8bf33697c864dafc4b82eba0

SHA1
c56c9ce52dd3dc0dc3a30b6a16e06e9a53df4ff5

SHA256
e395c57a185f1bb9e392261d18d5da41abaf9b0242496c3594bd7548c967df10

SHA512
db1438ce9645687e36c8c59428fd9eeb40730bd77e8216f51b630db007745a5e6b08d92f0dae94d0712a85659962ad3f65ece7a742053fb956ca885422cdc3d5

Download Submit
C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\QQQQQQQQQQQ
Filesize
129B

MD5
85d73daa8bf33697c864dafc4b82eba0

SHA1
c56c9ce52dd3dc0dc3a30b6a16e06e9a53df4ff5

SHA256
e395c57a185f1bb9e392261d18d5da41abaf9b0242496c3594bd7548c967df10

SHA512
db1438ce9645687e36c8c59428fd9eeb40730bd77e8216f51b630db007745a5e6b08d92f0dae94d0712a85659962ad3f65ece7a742053fb956ca885422cdc3d5

Download Submit
C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\RRRRRRRRRRR
Filesize
129B

MD5
85d73daa8bf33697c864dafc4b82eba0

SHA1
c56c9ce52dd3dc0dc3a30b6a16e06e9a53df4ff5

SHA256
e395c57a185f1bb9e392261d18d5da41abaf9b0242496c3594bd7548c967df10

SHA512
db1438ce9645687e36c8c59428fd9eeb40730bd77e8216f51b630db007745a5e6b08d92f0dae94d0712a85659962ad3f65ece7a742053fb956ca885422cdc3d5

Download Submit
C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\SSSSSSSSSSS
Filesize
129B

MD5
85d73daa8bf33697c864dafc4b82eba0

SHA1
c56c9ce52dd3dc0dc3a30b6a16e06e9a53df4ff5

SHA256
e395c57a185f1bb9e392261d18d5da41abaf9b0242496c3594bd7548c967df10

SHA512
db1438ce9645687e36c8c59428fd9eeb40730bd77e8216f51b630db007745a5e6b08d92f0dae94d0712a85659962ad3f65ece7a742053fb956ca885422cdc3d5

Download Submit
C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\TTTTTTTTTTT
Filesize
129B

MD5
85d73daa8bf33697c864dafc4b82eba0

SHA1
c56c9ce52dd3dc0dc3a30b6a16e06e9a53df4ff5

SHA256
e395c57a185f1bb9e392261d18d5da41abaf9b0242496c3594bd7548c967df10

SHA512
db1438ce9645687e36c8c59428fd9eeb40730bd77e8216f51b630db007745a5e6b08d92f0dae94d0712a85659962ad3f65ece7a742053fb956ca885422cdc3d5

Download Submit
C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\UUUUUUUUUUU
Filesize
129B

MD5
85d73daa8bf33697c864dafc4b82eba0

SHA1
c56c9ce52dd3dc0dc3a30b6a16e06e9a53df4ff5

SHA256
e395c57a185f1bb9e392261d18d5da41abaf9b0242496c3594bd7548c967df10

SHA512
db1438ce9645687e36c8c59428fd9eeb40730bd77e8216f51b630db007745a5e6b08d92f0dae94d0712a85659962ad3f65ece7a742053fb956ca885422cdc3d5

Download Submit
C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\VVVVVVVVVVV
Filesize
129B

MD5
85d73daa8bf33697c864dafc4b82eba0

SHA1
c56c9ce52dd3dc0dc3a30b6a16e06e9a53df4ff5

SHA256
e395c57a185f1bb9e392261d18d5da41abaf9b0242496c3594bd7548c967df10

SHA512
db1438ce9645687e36c8c59428fd9eeb40730bd77e8216f51b630db007745a5e6b08d92f0dae94d0712a85659962ad3f65ece7a742053fb956ca885422cdc3d5

Download Submit
C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\WWWWWWWWWWW
Filesize
129B

MD5
85d73daa8bf33697c864dafc4b82eba0

SHA1
c56c9ce52dd3dc0dc3a30b6a16e06e9a53df4ff5

SHA256
e395c57a185f1bb9e392261d18d5da41abaf9b0242496c3594bd7548c967df10

SHA512
db1438ce9645687e36c8c59428fd9eeb40730bd77e8216f51b630db007745a5e6b08d92f0dae94d0712a85659962ad3f65ece7a742053fb956ca885422cdc3d5

Download Submit
C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\XXXXXXXXXXX
Filesize
129B

MD5
85d73daa8bf33697c864dafc4b82eba0

SHA1
c56c9ce52dd3dc0dc3a30b6a16e06e9a53df4ff5

SHA256
e395c57a185f1bb9e392261d18d5da41abaf9b0242496c3594bd7548c967df10

SHA512
db1438ce9645687e36c8c59428fd9eeb40730bd77e8216f51b630db007745a5e6b08d92f0dae94d0712a85659962ad3f65ece7a742053fb956ca885422cdc3d5

Download Submit
C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\YYYYYYYYYYY
Filesize
129B

MD5
85d73daa8bf33697c864dafc4b82eba0

SHA1
c56c9ce52dd3dc0dc3a30b6a16e06e9a53df4ff5

SHA256
e395c57a185f1bb9e392261d18d5da41abaf9b0242496c3594bd7548c967df10

SHA512
db1438ce9645687e36c8c59428fd9eeb40730bd77e8216f51b630db007745a5e6b08d92f0dae94d0712a85659962ad3f65ece7a742053fb956ca885422cdc3d5

Download Submit
C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\desktop.ini
Filesize
129B

MD5
85d73daa8bf33697c864dafc4b82eba0

SHA1
c56c9ce52dd3dc0dc3a30b6a16e06e9a53df4ff5

SHA256
e395c57a185f1bb9e392261d18d5da41abaf9b0242496c3594bd7548c967df10

SHA512
db1438ce9645687e36c8c59428fd9eeb40730bd77e8216f51b630db007745a5e6b08d92f0dae94d0712a85659962ad3f65ece7a742053fb956ca885422cdc3d5

Download Submit
C:\ProgramData\5957.tmp
Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\ProgramData\5957.tmp
Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
\ProgramData\5957.tmp
Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/820-83-0x0000000000000000-mapping.dmp

Download
memory/820-88-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/820-89-0x00000000021E5000-0x00000000021F6000-memory.dmp

Filesize
68KB

Download
memory/828-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/828-81-0x00000000020E5000-0x00000000020F6000-memory.dmp

Filesize
68KB

Download
memory/1384-87-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads