lockbit | b2f1ec9408272cc125b96a4f3b7c06c23742d69845e9b6a24f7eafad4da72faa

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
29-12-2023 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

022091772db14e763fcceeb462d150d1.exe
Size

969KB
MD5

022091772db14e763fcceeb462d150d1
SHA1

dcc81069eccf55b6b292fa0b284265c6af4c4e74
SHA256

b2f1ec9408272cc125b96a4f3b7c06c23742d69845e9b6a24f7eafad4da72faa
SHA512

67ac81a397f7e0c73167ead29a412e0d2f5e9d552f68059d431bbb8b04767d0783ea49bbedabe025331cc9067a3a959666765ccd7b88b16e28ca9ed5d53c131b
SSDEEP

24576:PbqIi4vsu1NQ9+aubOj+vCVCdN/4yMdkzkxwccmiF:DqIiW7Qoau174IkxwVD

Score

10^/10

lockbit discovery evasion persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\DVD Maker\de-DE\Restore-My-Files.txt

Ransom Note

LockBit 2.0 Ransomware Your data are stolen and encrypted The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom You can contact us and decrypt one file for free on these TOR sites http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion OR https://decoding.at Decryption ID: FCE1FD7644DB7C6D108666CEB475A4FD

URLs

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion

https://decoding.at

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2804	bcdedit.exe
1420	bcdedit.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\{B0E1BE76-DBDB-7C37-816E-81107837D142} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\022091772db14e763fcceeb462d150d1.exe\""	022091772db14e763fcceeb462d150d1.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	022091772db14e763fcceeb462d150d1.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 21 IoCs

pid	Process
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\program files (x86)\microsoft office\office14\pubwiz\bzcrd98.poc	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\java\jre7\lib\zi\antarctica\dumontdurville	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\videolan\vlc\lua\http\dialogs\offset_window.html	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windows sidebar\de-de\sidebar.exe.mui	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\bd00116_.wmf	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveprojecttoolset\splashimage.jpg	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\dvd maker\shared\dvdstyles\full\navigationright_selectionsubpicture.png	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\j0157177.wmf	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\pagesize\pglbl109.xml	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files (x86)\microsoft visual studio 8\common7\ide\vsta\itemtemplates\visualbasic\1033\text.zip	022091772db14e763fcceeb462d150d1.exe
File created	C:\program files\windows photo viewer\en-us\Restore-My-Files.txt	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files (x86)\microsoft office\document themes 14\module.thmx	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files (x86)\windows sidebar\gadgets\clock.gadget\images\system_m.png	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\jre\lib\currency.data	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\jre\lib\management\management.properties	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-heapwalker_zh_cn.jar	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\java\jre7\lib\zi\america\rankin_inlet	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\java\jre7\lib\zi\europe\vienna	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\bibliography\style\turabian.xsl	022091772db14e763fcceeb462d150d1.exe
File created	C:\program files\videolan\vlc\locale\ky\lc_messages\Restore-My-Files.txt	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windows sidebar\gadgets\picturepuzzle.gadget\ja-jp\picturepuzzle.html	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\ag00057_.gif	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\j0107446.wmf	022091772db14e763fcceeb462d150d1.exe
File created	C:\program files (x86)\microsoft office\media\office14\Restore-My-Files.txt	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files (x86)\windows sidebar\gadgets\slideshow.gadget\es-es\css\settings.css	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files (x86)\windows sidebar\gadgets\slideshow.gadget\ja-jp\gadget.xml	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\j0107516.wmf	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\j0241041.wmf	022091772db14e763fcceeb462d150d1.exe
File created	C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveprojecttoolset\projecttool\project report type\fancy\Restore-My-Files.txt	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\pubwiz\dgcal.dpv	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files (x86)\windows sidebar\gadgets\slideshow.gadget\en-us\css\settings.css	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding_1.6.200.v20140528-1422.jar	022091772db14e763fcceeb462d150d1.exe
File created	C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\Restore-My-Files.txt	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\java\jre7\lib\zi\systemv\yst9	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\syncpop.xhtml	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\videolan\vlc\locale\zu\lc_messages\vlc.mo	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\en00397_.wmf	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\dvd maker\shared\dvdstyles\whitedot.png	022091772db14e763fcceeb462d150d1.exe
File created	C:\program files\videolan\vlc\locale\pl\lc_messages\Restore-My-Files.txt	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\na01849_.wmf	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\1033\pubftscm\scheme39.css	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\msaccess.exe.manifest	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\j0101858.bmp	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\1033\grooveforms5\formsstyles\americana\tab_off.gif	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\infopathom\infopathomformservices\infopathomformservicesv12\microsoft.office.infopath.xml	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\jre\lib\zi\atlantic\madeira	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\java\jre7\lib\zi\america\chihuahua	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windows sidebar\gadgets\slideshow.gadget\images\in_sidebar\slideshow_glass_frame.png	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windows sidebar\gadgets\slideshow.gadget\images\prev_down.png	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files (x86)\windows sidebar\gadgets\clock.gadget\images\settings_box_top.png	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\dvd maker\fr-fr\omdproject.dll.mui	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\visualvm\visualvm\config\modules\com-sun-tools-visualvm-attach.xml	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\dd01152_.wmf	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\1033\grooveforms5\formsstyles\brightorange\tab_off.gif	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\1033\pubftscm\scheme41.css	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\j0309664.jpg	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\commondata\unreadiconimages.jpg	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveprojecttoolset\tabmask.bmp	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\7-zip\lang\de.txt	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\7-zip\lang\kk.txt	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.zh_cn_5.5.0.165303.jar	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-explorer.jar	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\j0090777.wmf	022091772db14e763fcceeb462d150d1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3276	2196	WerFault.exe	25

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1580	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe
2196	022091772db14e763fcceeb462d150d1.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2196	022091772db14e763fcceeb462d150d1.exe
Token: SeDebugPrivilege	2196	022091772db14e763fcceeb462d150d1.exe
Token: SeBackupPrivilege	2064	vssvc.exe
Token: SeRestorePrivilege	2064	vssvc.exe
Token: SeAuditPrivilege	2064	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2844	WMIC.exe
Token: SeSecurityPrivilege	2844	WMIC.exe
Token: SeTakeOwnershipPrivilege	2844	WMIC.exe
Token: SeLoadDriverPrivilege	2844	WMIC.exe
Token: SeSystemProfilePrivilege	2844	WMIC.exe
Token: SeSystemtimePrivilege	2844	WMIC.exe
Token: SeProfSingleProcessPrivilege	2844	WMIC.exe
Token: SeIncBasePriorityPrivilege	2844	WMIC.exe
Token: SeCreatePagefilePrivilege	2844	WMIC.exe
Token: SeBackupPrivilege	2844	WMIC.exe
Token: SeRestorePrivilege	2844	WMIC.exe
Token: SeShutdownPrivilege	2844	WMIC.exe
Token: SeDebugPrivilege	2844	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2844	WMIC.exe
Token: SeRemoteShutdownPrivilege	2844	WMIC.exe
Token: SeUndockPrivilege	2844	WMIC.exe
Token: SeManageVolumePrivilege	2844	WMIC.exe
Token: 33	2844	WMIC.exe
Token: 34	2844	WMIC.exe
Token: 35	2844	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2844	WMIC.exe
Token: SeSecurityPrivilege	2844	WMIC.exe
Token: SeTakeOwnershipPrivilege	2844	WMIC.exe
Token: SeLoadDriverPrivilege	2844	WMIC.exe
Token: SeSystemProfilePrivilege	2844	WMIC.exe
Token: SeSystemtimePrivilege	2844	WMIC.exe
Token: SeProfSingleProcessPrivilege	2844	WMIC.exe
Token: SeIncBasePriorityPrivilege	2844	WMIC.exe
Token: SeCreatePagefilePrivilege	2844	WMIC.exe
Token: SeBackupPrivilege	2844	WMIC.exe
Token: SeRestorePrivilege	2844	WMIC.exe
Token: SeShutdownPrivilege	2844	WMIC.exe
Token: SeDebugPrivilege	2844	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2844	WMIC.exe
Token: SeRemoteShutdownPrivilege	2844	WMIC.exe
Token: SeUndockPrivilege	2844	WMIC.exe
Token: SeManageVolumePrivilege	2844	WMIC.exe
Token: 33	2844	WMIC.exe
Token: 34	2844	WMIC.exe
Token: 35	2844	WMIC.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2652	2196	022091772db14e763fcceeb462d150d1.exe	28
PID 2196 wrote to memory of 2652	2196	022091772db14e763fcceeb462d150d1.exe	28
PID 2196 wrote to memory of 2652	2196	022091772db14e763fcceeb462d150d1.exe	28
PID 2196 wrote to memory of 2652	2196	022091772db14e763fcceeb462d150d1.exe	28
PID 2652 wrote to memory of 1580	2652	cmd.exe	30
PID 2652 wrote to memory of 1580	2652	cmd.exe	30
PID 2652 wrote to memory of 1580	2652	cmd.exe	30
PID 2652 wrote to memory of 2844	2652	cmd.exe	33
PID 2652 wrote to memory of 2844	2652	cmd.exe	33
PID 2652 wrote to memory of 2844	2652	cmd.exe	33
PID 2652 wrote to memory of 2804	2652	cmd.exe	35
PID 2652 wrote to memory of 2804	2652	cmd.exe	35
PID 2652 wrote to memory of 2804	2652	cmd.exe	35
PID 2652 wrote to memory of 1420	2652	cmd.exe	36
PID 2652 wrote to memory of 1420	2652	cmd.exe	36
PID 2652 wrote to memory of 1420	2652	cmd.exe	36
PID 2196 wrote to memory of 3276	2196	022091772db14e763fcceeb462d150d1.exe	38
PID 2196 wrote to memory of 3276	2196	022091772db14e763fcceeb462d150d1.exe	38
PID 2196 wrote to memory of 3276	2196	022091772db14e763fcceeb462d150d1.exe	38
PID 2196 wrote to memory of 3276	2196	022091772db14e763fcceeb462d150d1.exe	38

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\022091772db14e763fcceeb462d150d1.exe
"C:\Users\Admin\AppData\Local\Temp\022091772db14e763fcceeb462d150d1.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1580
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2804
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1420
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 2604
  2⤵
  - Program crash
  PID:3276

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\DVD Maker\de-DE\Restore-My-Files.txt

Filesize
512B

MD5
4f690f3f8acfbf99c5f5f12f34bfef10

SHA1
ba50bf0ec83267f130678272e0db4a6eef69def3

SHA256
5f98c99a5141c50b157f25c6be2aa2a8e8185195e398355d230c1778cdb4eec2

SHA512
86c3030b0e868802cc3f04bfe8307fe7bb66490e0cec9990fcf58116b51c416141e9ed6fa6f76040bf2760ac61eeebf44dbf2295f81e7b18eb87a2f9e19df461

Download Submit