lockbit | fe9c9951dbfe19a8e8db02831e17e0ef31a8c522ffbd1e689f9545571853a70f

Resubmissions

23/12/2023, 23:48

231223-3ttr9aahgr 10

12/07/2023, 00:36

230712-ax75tsbc92 10

Analysis

max time kernel
1795s
max time network
1158s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
23/12/2023, 23:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

xhBTePmb.ps1
Size

204KB
MD5

e9b595b99ac9d2c1615073b88164dccd
SHA1

06b5c574a98e9a1fb822bde91d77505d53d36f83
SHA256

fe9c9951dbfe19a8e8db02831e17e0ef31a8c522ffbd1e689f9545571853a70f
SHA512

3b837153add08da65e1c4b1418b32565b2ba934ab4306badb5fc5dcc547b423e0e3f8c9c5387b0087119bba6a8b2b2deedb14b1318cfa14c1b0e15a6cc38a231
SSDEEP

6144:SUxev1EfxTZQR9pzvr66jflWpO6RHjZkoyLs1/fH5ND:SYewQndveKwxRDZzYsBfzD

Score

10^/10

lockbit ransomware spyware stealer

Malware Config

Extracted

Path

C:\fg1nrax2U.README.txt

Family

lockbit

Ransom Note

~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox. >>>> Your personal DECRYPTION ID: 095A437114C72F3510849B155A1904F9 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in jabber or tox. If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser

URLs

https://twitter.com/hashtag/lockbit?f=live

https://tox.chat/download.html

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs

resource	yara_rule
behavioral2/files/0x00060000000006e9-29.dat	family_lockbit

Renames multiple (595) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	24C5.tmp

Executes dropped EXE 2 IoCs

pid	Process
3464	jI52LmRAkoqc.exe
3376	24C5.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1815711207-1844170477-3539718864-1000\desktop.ini	jI52LmRAkoqc.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1815711207-1844170477-3539718864-1000\desktop.ini	jI52LmRAkoqc.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPmw69bd8gdhhsgdqe1ezesm1ib.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPfzaujo21vhtqgegj3l80wv3bd.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPlw3hqq213f2d3guiytpr32rnd.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\fg1nrax2U.bmp"	jI52LmRAkoqc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\fg1nrax2U.bmp"	jI52LmRAkoqc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3376	24C5.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\Desktop	jI52LmRAkoqc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\Desktop\WallpaperStyle = "10"	jI52LmRAkoqc.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fg1nrax2U	jI52LmRAkoqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fg1nrax2U\DefaultIcon\ = "C:\\ProgramData\\fg1nrax2U.ico"	jI52LmRAkoqc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.fg1nrax2U	jI52LmRAkoqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.fg1nrax2U\ = "fg1nrax2U"	jI52LmRAkoqc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fg1nrax2U\DefaultIcon	jI52LmRAkoqc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4680	powershell.exe
4680	powershell.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe
3464	jI52LmRAkoqc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	3464	jI52LmRAkoqc.exe
Token: SeBackupPrivilege	3464	jI52LmRAkoqc.exe
Token: SeDebugPrivilege	3464	jI52LmRAkoqc.exe
Token: 36	3464	jI52LmRAkoqc.exe
Token: SeImpersonatePrivilege	3464	jI52LmRAkoqc.exe
Token: SeIncBasePriorityPrivilege	3464	jI52LmRAkoqc.exe
Token: SeIncreaseQuotaPrivilege	3464	jI52LmRAkoqc.exe
Token: 33	3464	jI52LmRAkoqc.exe
Token: SeManageVolumePrivilege	3464	jI52LmRAkoqc.exe
Token: SeProfSingleProcessPrivilege	3464	jI52LmRAkoqc.exe
Token: SeRestorePrivilege	3464	jI52LmRAkoqc.exe
Token: SeSecurityPrivilege	3464	jI52LmRAkoqc.exe
Token: SeSystemProfilePrivilege	3464	jI52LmRAkoqc.exe
Token: SeTakeOwnershipPrivilege	3464	jI52LmRAkoqc.exe
Token: SeShutdownPrivilege	3464	jI52LmRAkoqc.exe
Token: SeDebugPrivilege	3464	jI52LmRAkoqc.exe
Token: SeBackupPrivilege	3464	jI52LmRAkoqc.exe
Token: SeBackupPrivilege	3464	jI52LmRAkoqc.exe
Token: SeSecurityPrivilege	3464	jI52LmRAkoqc.exe
Token: SeSecurityPrivilege	3464	jI52LmRAkoqc.exe
Token: SeBackupPrivilege	3464	jI52LmRAkoqc.exe
Token: SeBackupPrivilege	3464	jI52LmRAkoqc.exe
Token: SeSecurityPrivilege	3464	jI52LmRAkoqc.exe
Token: SeSecurityPrivilege	3464	jI52LmRAkoqc.exe
Token: SeBackupPrivilege	3464	jI52LmRAkoqc.exe
Token: SeBackupPrivilege	3464	jI52LmRAkoqc.exe
Token: SeSecurityPrivilege	3464	jI52LmRAkoqc.exe
Token: SeSecurityPrivilege	3464	jI52LmRAkoqc.exe
Token: SeBackupPrivilege	3464	jI52LmRAkoqc.exe
Token: SeBackupPrivilege	3464	jI52LmRAkoqc.exe
Token: SeSecurityPrivilege	3464	jI52LmRAkoqc.exe
Token: SeSecurityPrivilege	3464	jI52LmRAkoqc.exe
Token: SeBackupPrivilege	3464	jI52LmRAkoqc.exe
Token: SeBackupPrivilege	3464	jI52LmRAkoqc.exe
Token: SeSecurityPrivilege	3464	jI52LmRAkoqc.exe
Token: SeSecurityPrivilege	3464	jI52LmRAkoqc.exe
Token: SeBackupPrivilege	3464	jI52LmRAkoqc.exe
Token: SeBackupPrivilege	3464	jI52LmRAkoqc.exe
Token: SeSecurityPrivilege	3464	jI52LmRAkoqc.exe
Token: SeSecurityPrivilege	3464	jI52LmRAkoqc.exe
Token: SeBackupPrivilege	3464	jI52LmRAkoqc.exe
Token: SeBackupPrivilege	3464	jI52LmRAkoqc.exe
Token: SeSecurityPrivilege	3464	jI52LmRAkoqc.exe
Token: SeSecurityPrivilege	3464	jI52LmRAkoqc.exe
Token: SeBackupPrivilege	3464	jI52LmRAkoqc.exe
Token: SeBackupPrivilege	3464	jI52LmRAkoqc.exe
Token: SeSecurityPrivilege	3464	jI52LmRAkoqc.exe
Token: SeSecurityPrivilege	3464	jI52LmRAkoqc.exe
Token: SeBackupPrivilege	3464	jI52LmRAkoqc.exe
Token: SeBackupPrivilege	3464	jI52LmRAkoqc.exe
Token: SeSecurityPrivilege	3464	jI52LmRAkoqc.exe
Token: SeSecurityPrivilege	3464	jI52LmRAkoqc.exe
Token: SeBackupPrivilege	3464	jI52LmRAkoqc.exe
Token: SeBackupPrivilege	3464	jI52LmRAkoqc.exe
Token: SeSecurityPrivilege	3464	jI52LmRAkoqc.exe
Token: SeSecurityPrivilege	3464	jI52LmRAkoqc.exe
Token: SeBackupPrivilege	3464	jI52LmRAkoqc.exe
Token: SeBackupPrivilege	3464	jI52LmRAkoqc.exe
Token: SeSecurityPrivilege	3464	jI52LmRAkoqc.exe
Token: SeSecurityPrivilege	3464	jI52LmRAkoqc.exe
Token: SeBackupPrivilege	3464	jI52LmRAkoqc.exe
Token: SeBackupPrivilege	3464	jI52LmRAkoqc.exe
Token: SeSecurityPrivilege	3464	jI52LmRAkoqc.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 920	4680	powershell.exe	89
PID 4680 wrote to memory of 920	4680	powershell.exe	89
PID 920 wrote to memory of 1640	920	csc.exe	91
PID 920 wrote to memory of 1640	920	csc.exe	91
PID 4680 wrote to memory of 3464	4680	powershell.exe	93
PID 4680 wrote to memory of 3464	4680	powershell.exe	93
PID 4680 wrote to memory of 3464	4680	powershell.exe	93
PID 3464 wrote to memory of 1576	3464	jI52LmRAkoqc.exe	108
PID 3464 wrote to memory of 1576	3464	jI52LmRAkoqc.exe	108
PID 2400 wrote to memory of 2760	2400	printfilterpipelinesvc.exe	111
PID 2400 wrote to memory of 2760	2400	printfilterpipelinesvc.exe	111
PID 3464 wrote to memory of 3376	3464	jI52LmRAkoqc.exe	112
PID 3464 wrote to memory of 3376	3464	jI52LmRAkoqc.exe	112
PID 3464 wrote to memory of 3376	3464	jI52LmRAkoqc.exe	112
PID 3464 wrote to memory of 3376	3464	jI52LmRAkoqc.exe	112
PID 3376 wrote to memory of 4996	3376	24C5.tmp	113
PID 3376 wrote to memory of 4996	3376	24C5.tmp	113
PID 3376 wrote to memory of 4996	3376	24C5.tmp	113

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\xhBTePmb.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\apasxrxp\apasxrxp.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:920
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7251.tmp" "c:\Users\Admin\AppData\Local\Temp\apasxrxp\CSC3451AA8E7FB04C5383EDC4AE14DEABD.TMP"
    3⤵
    PID:1640
- C:\Users\Admin\AppData\Local\Temp\jI52LmRAkoqc.exe
  jI52LmRAkoqc.exe
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3464
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    - Drops file in System32 directory
    PID:1576
- - C:\ProgramData\24C5.tmp
    "C:\ProgramData\24C5.tmp"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    PID:3376
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\24C5.tmp >> NUL
      4⤵
      PID:4996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3276

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{D257FD59-66D3-4EC3-9EF6-F10725D19BDB}.xps" 133478497429970000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1815711207-1844170477-3539718864-1000\desktop.ini

Filesize
129B

MD5
62f2c50ecc4bdd8fb2500d3b900ac1b8

SHA1
acfa671c70436bc2e2247b7bd97d3c457c5b21d0

SHA256
d09ad05fdc22546ad05f98065f8865264ace7e200536e9f848f3afe262393d3c

SHA512
5e6a62ea8789bc0e03721dc0b8b83f8ea38ac3d2e9f0077f4fb57a20f3393107b6739b8b06c1739b0a7c2c0522076b4790f0738015bf8e310ec236464cf7bd64

Download Submit
C:\ProgramData\24C5.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\BBBBBBBBBBBBBBBB

Filesize
149KB

MD5
4b83b74dee22053c6367b79947366427

SHA1
ef1c95f601471d6f208df4eb4dedacbb72a1d492

SHA256
ffa46962ebd433ce02b36290f72dc3c7a6d59e16906360e2a6670ccacf71013b

SHA512
bbc2063612e7ff9ffd7c79ed2f734202e1e5ad6a737e1bad903857beef60336477512670fe554ec575e48cd03be3a026916c61dfc0501961007f04b15dac642c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7251.tmp

Filesize
1KB

MD5
2260296d8f32dc582bfd7b2d23f3b53e

SHA1
f74dcaad0b933e898cd59710df97b44b7ee49580

SHA256
74bc8ec3debab820107307360df19a19d483bf92ef9bd98bfa67d5b8521ff3da

SHA512
d1271a094d2e5f2e1af03c57fb87c7a191d80d6c79a7b000a7f79996f38107cd395bd53fa9d7e5bc68f8bda8d6be677f577e48f981015087be73cbc44fc3d8f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1p53b0wd.5du.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\apasxrxp\apasxrxp.dll

Filesize
4KB

MD5
f59ac1a8ffcda1ddbb72f72fc2265edf

SHA1
f09152dd477d14d86ca7feb077fe8c858d9ff0b7

SHA256
79733c6473277500b3f80f4124ab08cc03b04356ada05def377c0ebfde69a3b4

SHA512
a52c6102186227ce56d975d6c64b015541013f1f19378697a032834b2d2205634db25742243501d73d75b82fb747a3dcae6dc4d32f284d2f3807845b3ed1275c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jI52LmRAkoqc.exe

Filesize
149KB

MD5
734cee97a335632f53f4d325848efcd7

SHA1
941fe2aa7b799380020bda118d2f85892f52c3c7

SHA256
25f9e2bb5312f3ba8d593529546402d91460720239805502c8ce29582c922036

SHA512
01864dd4415bf56f78fd14adf157b307d5c36f888b59ec79a0174307e0d4ccb12cd5650f03e32108b83039da3875e76ded213286682ab0346be116d717bd178e

Download Submit
C:\fg1nrax2U.README.txt

Filesize
2KB

MD5
eb1b86073b2e82067172461e4374cf9a

SHA1
90f6f181790b911a883c39514b55689d48913d04

SHA256
9026447e728475d2505781b08a4833786a473c1eb384d63a2517decf6c984fb5

SHA512
0b43b63b7045dab1d21323e69acd8efaf8bf4801c32cd3d640ca491c9e7945c117d88d49f12413661210dd704af059bb728dcfe78ab0fc99b8ebe14f6e900859

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1815711207-1844170477-3539718864-1000\DDDDDDDDDDD

Filesize
129B

MD5
3cdd49860c9c34cc5310f6e4cefb0424

SHA1
13013a700aca34874609f8e08be55deabad79c47

SHA256
ff343072fd33268019d7bcb86c0781ce1c6b3b7378f0d02e72f1e0502306d79d

SHA512
693fe20869e36b935aa54ab00228b84f01fe7c608a198618c88d92749a02dada708dd98b5ee98b967ded45b24859eb69aecb9d4fef32f7024b56577ac0f3d327

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\apasxrxp\CSC3451AA8E7FB04C5383EDC4AE14DEABD.TMP

Filesize
652B

MD5
51dc2f1417e0e2f1f1c9e89c1a2a37a6

SHA1
5c99cefd6d978130a93ab813a03d3fb36ff7763c

SHA256
853b641b178569fb8700da25e2d576050fbf32c84096f12ecdcfc48bdc69b59b

SHA512
ad2b733b9a53e892431047a2b9bd057c3b681d2975ac4107007bcb2fe802ae20f6599bf3730e476aeb638eb95e28e53c6059d6d90934656789aff4668773f711

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\apasxrxp\apasxrxp.0.cs

Filesize
2KB

MD5
a484a625a1ac39f6bc6822fdaa5389ca

SHA1
5f9102a83ecdc1fe1320977e4d10fa5178a64b1a

SHA256
0070dbcfc3a0e878c896f34f6d4a929dc741bd8c51f359c3d08c76fb2d41501a

SHA512
fee8d999e864a91ddec3009ad91ebcdb3ad730de92b3b78bd9e3f0e3fd1c295123f23ae89d156aeffc185684bab5c41059c3ac033a893eb7e7500de016a0d548

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\apasxrxp\apasxrxp.cmdline

Filesize
369B

MD5
417b6981e9252b0e09289ad109d25d8d

SHA1
0c6396dfa6ecf17d7255a334d6ca58702d37a23c

SHA256
773e38b973082dbc4ef0681ce2126ed61e7bd17e9c006d9d8dd4d9237a6d2d07

SHA512
9c3f6dd1ce7cf2e4fad152bc149fd64dca698444e55dd2e1e9df8c04e27a7671be9c78cbc102df86f7e7d7f35b5cf36dba8ce490d3501a9bc822d16f662fa9c4

Download Submit
memory/3376-2821-0x000000007FE20000-0x000000007FE21000-memory.dmp

Filesize
4KB

Download
memory/3376-2801-0x0000000002490000-0x00000000024A0000-memory.dmp

Filesize
64KB

Download
memory/3376-2826-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

Filesize
4KB

Download
memory/3376-2794-0x0000000002490000-0x00000000024A0000-memory.dmp

Filesize
64KB

Download
memory/3376-2825-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

Filesize
4KB

Download
memory/3376-2793-0x000000007FE40000-0x000000007FE41000-memory.dmp

Filesize
4KB

Download
memory/3376-2827-0x000000007FE00000-0x000000007FE01000-memory.dmp

Filesize
4KB

Download
memory/3464-36-0x0000000000CD0000-0x0000000000CE0000-memory.dmp

Filesize
64KB

Download
memory/3464-2776-0x0000000000CD0000-0x0000000000CE0000-memory.dmp

Filesize
64KB

Download
memory/3464-2777-0x0000000000CD0000-0x0000000000CE0000-memory.dmp

Filesize
64KB

Download
memory/3464-2775-0x0000000000CD0000-0x0000000000CE0000-memory.dmp

Filesize
64KB

Download
memory/3464-35-0x0000000000CD0000-0x0000000000CE0000-memory.dmp

Filesize
64KB

Download
memory/3464-34-0x0000000000CD0000-0x0000000000CE0000-memory.dmp

Filesize
64KB

Download
memory/4680-33-0x00007FFED5050000-0x00007FFED5B11000-memory.dmp

Filesize
10.8MB

Download
memory/4680-26-0x000001AF2ED90000-0x000001AF2ED98000-memory.dmp

Filesize
32KB

Download
memory/4680-12-0x000001AF16530000-0x000001AF16540000-memory.dmp

Filesize
64KB

Download
memory/4680-11-0x000001AF16530000-0x000001AF16540000-memory.dmp

Filesize
64KB

Download
memory/4680-10-0x00007FFED5050000-0x00007FFED5B11000-memory.dmp

Filesize
10.8MB

Download
memory/4680-5-0x000001AF2ED40000-0x000001AF2ED62000-memory.dmp

Filesize
136KB

Download