lockbit | dd8fe3966ab4d2d6215c63b3ac7abf4673d9c19f2d9f35a6bf247922c642ec2d

Analysis

max time kernel
138s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53ec94e3325c7ea427857b0a1e911c66.exe
Size

862KB
MD5

53ec94e3325c7ea427857b0a1e911c66
SHA1

1d88d25ce890b3118bf719fe4d83583868247b86
SHA256

dd8fe3966ab4d2d6215c63b3ac7abf4673d9c19f2d9f35a6bf247922c642ec2d
SHA512

75d719b8de7e52da51ad841cb85be05e8d77457f68852f321512d5340cd3c1f3784b2f4d1d4e25f1c6d15fd264f1aee01bd0a3c16e22ef1e81df0e9be75235d5
SSDEEP

24576:DxAf2NuubB6RWspgjuwu7pl4Ha+UmxJH+QTF:dAfSrWW4g+7Ht+UmxJec

Score

10^/10

lockbit discovery evasion persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\DVD Maker\de-DE\Restore-My-Files.txt

Ransom Note

LockBit 2.0 Ransomware Your data are stolen and encrypted The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom You can contact us and decrypt one file for free on these TOR sites http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion OR https://decoding.at Decryption ID: 6691A3C6BA585EA0736819343257E453

URLs

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion

https://decoding.at

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
3004	bcdedit.exe
2412	bcdedit.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\{5A9155C6-5858-5E72-3E6-383D3BBEEDC} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\53ec94e3325c7ea427857b0a1e911c66.exe\""	53ec94e3325c7ea427857b0a1e911c66.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	53ec94e3325c7ea427857b0a1e911c66.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\6691A3.ico	53ec94e3325c7ea427857b0a1e911c66.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 22 IoCs

pid	Process
2416	53ec94e3325c7ea427857b0a1e911c66.exe
2416	53ec94e3325c7ea427857b0a1e911c66.exe
2416	53ec94e3325c7ea427857b0a1e911c66.exe
2416	53ec94e3325c7ea427857b0a1e911c66.exe
2416	53ec94e3325c7ea427857b0a1e911c66.exe
2416	53ec94e3325c7ea427857b0a1e911c66.exe
2416	53ec94e3325c7ea427857b0a1e911c66.exe
2416	53ec94e3325c7ea427857b0a1e911c66.exe
2416	53ec94e3325c7ea427857b0a1e911c66.exe
2416	53ec94e3325c7ea427857b0a1e911c66.exe
2416	53ec94e3325c7ea427857b0a1e911c66.exe
2416	53ec94e3325c7ea427857b0a1e911c66.exe
2416	53ec94e3325c7ea427857b0a1e911c66.exe
2416	53ec94e3325c7ea427857b0a1e911c66.exe
2416	53ec94e3325c7ea427857b0a1e911c66.exe
2416	53ec94e3325c7ea427857b0a1e911c66.exe
2416	53ec94e3325c7ea427857b0a1e911c66.exe
2416	53ec94e3325c7ea427857b0a1e911c66.exe
2416	53ec94e3325c7ea427857b0a1e911c66.exe
2416	53ec94e3325c7ea427857b0a1e911c66.exe
2416	53ec94e3325c7ea427857b0a1e911c66.exe
2416	53ec94e3325c7ea427857b0a1e911c66.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core.nl_zh_4.4.0.v20140623020002.jar	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup_ja.jar	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-compat.jar	53ec94e3325c7ea427857b0a1e911c66.exe
File created	C:\program files\microsoft games\purble place\fr-fr\Restore-My-Files.txt	53ec94e3325c7ea427857b0a1e911c66.exe
File created	C:\program files\windows sidebar\gadgets\currency.gadget\fr-fr\css\Restore-My-Files.txt	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\dd00437_.wmf	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\j0382966.jpg	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\music_01.mid	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\jre\lib\zi\etc\gmt-4	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files\windows sidebar\gadgets\clock.gadget\images\square_h.png	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files\windows sidebar\gadgets\currency.gadget\images\graph_down.png	53ec94e3325c7ea427857b0a1e911c66.exe
File created	C:\program files\windows sidebar\gadgets\picturepuzzle.gadget\en-us\css\Restore-My-Files.txt	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files\windows sidebar\gadgets\rssfeeds.gadget\es-es\gadget.xml	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files (x86)\adobe\reader 9.0\reader\plug_ins\vdkhome\vdk10.std	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\in00177_.wmf	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\jre\lib\zi\africa\johannesburg	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files\java\jre7\lib\zi\asia\dushanbe	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files\java\jre7\lib\zi\asia\makassar	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files\mozilla firefox\dependentlibs.list	53ec94e3325c7ea427857b0a1e911c66.exe
File created	C:\program files\videolan\vlc\lua\intf\modules\Restore-My-Files.txt	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files\windows sidebar\gadgets\clock.gadget\images\system_m.png	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\jre\lib\zi\pst8pdt	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme_0.9.300.v20140424-2042.jar	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-application.jar	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiler_zh_cn.jar	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\bd00155_.wmf	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\j0199475.wmf	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files\dvd maker\shared\dvdstyles\babyboy\babyblue.png	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\meta-inf\eclipse_.sf	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-loaders_ja.jar	53ec94e3325c7ea427857b0a1e911c66.exe
File created	C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\modules\Restore-My-Files.txt	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files\java\jre7\lib\zi\america\paramaribo	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files\java\jre7\lib\zi\europe\london	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\j0182946.wmf	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files\readuse.mhtml	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\ag00120_.gif	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\an01218_.wmf	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\j0099180.wmf	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\jre\lib\zi\america\asuncion	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\jre\lib\zi\pacific\pago_pago	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files\videolan\vlc\locale\ko\lc_messages\vlc.mo	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files\windows sidebar\gadgets\picturepuzzle.gadget\images\setting_back.png	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\visualvm\visualvm\config\modules\com-sun-tools-visualvm-application.xml	53ec94e3325c7ea427857b0a1e911c66.exe
File created	C:\program files\videolan\vlc\locale\ia\lc_messages\Restore-My-Files.txt	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files (x86)\adobe\reader 9.0\resource\font\zx______.pfb	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files (x86)\adobe\reader 9.0\resource\typesupport\unicode\mappings\mac\centeuro.txt	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files\videolan\vlc\locale\ast\lc_messages\vlc.mo	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files\windows sidebar\gadgets\calendar.gadget\images\curl.png	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files\windows sidebar\gadgets\cpu.gadget\images\dial_sml.png	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\bd05119_.wmf	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\in00233_.wmf	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\j0103058.wmf	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\j0198372.wmf	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\jre\lib\zi\asia\yekaterinburg	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper.registry_1.0.300.v20130327-1442.jar	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jmx_ja.jar	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files\java\jre7\lib\zi\america\costa_rica	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files\windows defender\fr-fr\mpevmsg.dll.mui	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\j0107494.wmf	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\j0382950.jpg	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\na00068_.wmf	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files\dvd maker\shared\dvdstyles\travel\passport.png	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\visualvm\etc\visualvm.clusters	53ec94e3325c7ea427857b0a1e911c66.exe
File opened for modification	C:\program files\java\jre7\lib\zi\antarctica\syowa	53ec94e3325c7ea427857b0a1e911c66.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2728	vssadmin.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\Registry\Machine\Software\Classes\.lockbit	53ec94e3325c7ea427857b0a1e911c66.exe
Key created	\Registry\Machine\Software\Classes\.lockbit\DefaultIcon	53ec94e3325c7ea427857b0a1e911c66.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\6691A3.ico"	53ec94e3325c7ea427857b0a1e911c66.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2416	53ec94e3325c7ea427857b0a1e911c66.exe
2416	53ec94e3325c7ea427857b0a1e911c66.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2416	53ec94e3325c7ea427857b0a1e911c66.exe
Token: SeDebugPrivilege	2416	53ec94e3325c7ea427857b0a1e911c66.exe
Token: SeBackupPrivilege	1740	vssvc.exe
Token: SeRestorePrivilege	1740	vssvc.exe
Token: SeAuditPrivilege	1740	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2184	WMIC.exe
Token: SeSecurityPrivilege	2184	WMIC.exe
Token: SeTakeOwnershipPrivilege	2184	WMIC.exe
Token: SeLoadDriverPrivilege	2184	WMIC.exe
Token: SeSystemProfilePrivilege	2184	WMIC.exe
Token: SeSystemtimePrivilege	2184	WMIC.exe
Token: SeProfSingleProcessPrivilege	2184	WMIC.exe
Token: SeIncBasePriorityPrivilege	2184	WMIC.exe
Token: SeCreatePagefilePrivilege	2184	WMIC.exe
Token: SeBackupPrivilege	2184	WMIC.exe
Token: SeRestorePrivilege	2184	WMIC.exe
Token: SeShutdownPrivilege	2184	WMIC.exe
Token: SeDebugPrivilege	2184	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2184	WMIC.exe
Token: SeRemoteShutdownPrivilege	2184	WMIC.exe
Token: SeUndockPrivilege	2184	WMIC.exe
Token: SeManageVolumePrivilege	2184	WMIC.exe
Token: 33	2184	WMIC.exe
Token: 34	2184	WMIC.exe
Token: 35	2184	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2184	WMIC.exe
Token: SeSecurityPrivilege	2184	WMIC.exe
Token: SeTakeOwnershipPrivilege	2184	WMIC.exe
Token: SeLoadDriverPrivilege	2184	WMIC.exe
Token: SeSystemProfilePrivilege	2184	WMIC.exe
Token: SeSystemtimePrivilege	2184	WMIC.exe
Token: SeProfSingleProcessPrivilege	2184	WMIC.exe
Token: SeIncBasePriorityPrivilege	2184	WMIC.exe
Token: SeCreatePagefilePrivilege	2184	WMIC.exe
Token: SeBackupPrivilege	2184	WMIC.exe
Token: SeRestorePrivilege	2184	WMIC.exe
Token: SeShutdownPrivilege	2184	WMIC.exe
Token: SeDebugPrivilege	2184	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2184	WMIC.exe
Token: SeRemoteShutdownPrivilege	2184	WMIC.exe
Token: SeUndockPrivilege	2184	WMIC.exe
Token: SeManageVolumePrivilege	2184	WMIC.exe
Token: 33	2184	WMIC.exe
Token: 34	2184	WMIC.exe
Token: 35	2184	WMIC.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 1636	2416	53ec94e3325c7ea427857b0a1e911c66.exe	31
PID 2416 wrote to memory of 1636	2416	53ec94e3325c7ea427857b0a1e911c66.exe	31
PID 2416 wrote to memory of 1636	2416	53ec94e3325c7ea427857b0a1e911c66.exe	31
PID 2416 wrote to memory of 1636	2416	53ec94e3325c7ea427857b0a1e911c66.exe	31
PID 1636 wrote to memory of 2728	1636	cmd.exe	33
PID 1636 wrote to memory of 2728	1636	cmd.exe	33
PID 1636 wrote to memory of 2728	1636	cmd.exe	33
PID 1636 wrote to memory of 2184	1636	cmd.exe	36
PID 1636 wrote to memory of 2184	1636	cmd.exe	36
PID 1636 wrote to memory of 2184	1636	cmd.exe	36
PID 1636 wrote to memory of 3004	1636	cmd.exe	38
PID 1636 wrote to memory of 3004	1636	cmd.exe	38
PID 1636 wrote to memory of 3004	1636	cmd.exe	38
PID 1636 wrote to memory of 2412	1636	cmd.exe	39
PID 1636 wrote to memory of 2412	1636	cmd.exe	39
PID 1636 wrote to memory of 2412	1636	cmd.exe	39

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\53ec94e3325c7ea427857b0a1e911c66.exe
"C:\Users\Admin\AppData\Local\Temp\53ec94e3325c7ea427857b0a1e911c66.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2728
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2184
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3004
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2412

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\DVD Maker\de-DE\Restore-My-Files.txt

Filesize
512B

MD5
fd59836e036fef549dbdbd68ce35f4d8

SHA1
8a232b7524040adb3c4658b07113edef0626e367

SHA256
03ffd5697441a6c3e3a6ed596a8fba239a2e63a477077b83656af6defa4d39ad

SHA512
71cd6c05da58976dd5f42e3ed51f32723618289d3491f4f65017d51482eb2775cb8ee2382134728528ca589f8ac059ce14346f994c85386bca2219bd24407430

Download Submit