Analysis
-
max time kernel
438s -
max time network
443s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
16-02-2024 02:48
Behavioral task
behavioral1
Sample
87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe
Resource
win10v2004-20231215-en
General
-
Target
87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe
-
Size
159KB
-
MD5
5e54923e6dc9508ae25fb6148d5b2e55
-
SHA1
97bef2aed306a8f6bde427fd22e0f20095f14af7
-
SHA256
87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9
-
SHA512
a8195321328c3beeae525ecedb672c520f15f2053eb39aa94efb123506741b807b666d8e15bf2c2c30fbafe9b6df8fc76a10897b3dff889683506d836b42a621
-
SSDEEP
3072:auJ9OlKolUa1U197bzhVsmftsXTUgbQ8aXqgP:aufj0zi1dNVsmftYT+5qE
Malware Config
Extracted
C:\Users\47IsP2Rni.README.txt
lockbit
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion.ly
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion.ly
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion.ly
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
http://lockbitsupdwon76nzykzblcplixwts4n4zoecugz2bxabtapqvmzqqd.onion
http://lockbitsupo7vv5vcl3jxpsdviopwvasljqcstym6efhh6oze7c6xjad.onion
http://lockbitsupq3g62dni2f36snrdb4n5qzqvovbtkt5xffw3draxk6gwqd.onion
http://lockbitsupqfyacidr6upt6nhhyipujvaablubuevxj6xy3frthvr3yd.onion
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
http://lockbitsupxcjntihbmat4rrh7ktowips2qzywh6zer5r3xafhviyhqd.onion
https://gdpr.eu/what-is-gdpr/
https://gdpr-info.eu/
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Renames multiple (150) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
B93E.tmpdescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation B93E.tmp -
Deletes itself 1 IoCs
Processes:
B93E.tmppid Process 1224 B93E.tmp -
Executes dropped EXE 1 IoCs
Processes:
B93E.tmppid Process 1224 B93E.tmp -
Drops desktop.ini file(s) 2 IoCs
Processes:
87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exedescription ioc Process File opened for modification C:\$Recycle.Bin\S-1-5-21-996941297-2279405024-2328152752-1000\desktop.ini 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-996941297-2279405024-2328152752-1000\desktop.ini 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\47IsP2Rni.bmp" 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Set value (str) \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\47IsP2Rni.bmp" 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
Processes:
87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exeB93E.tmppid Process 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 1224 B93E.tmp 1224 B93E.tmp 1224 B93E.tmp 1224 B93E.tmp 1224 B93E.tmp 1224 B93E.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Control Panel 2 IoCs
Processes:
87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\Desktop 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Set value (str) \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\Desktop\WallpaperStyle = "10" 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe -
Modifies registry class 5 IoCs
Processes:
87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.47IsP2Rni 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.47IsP2Rni\ = "47IsP2Rni" 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\47IsP2Rni\DefaultIcon 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\47IsP2Rni 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\47IsP2Rni\DefaultIcon\ = "C:\\ProgramData\\47IsP2Rni.ico" 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exepid Process 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe -
Suspicious behavior: RenamesItself 26 IoCs
Processes:
B93E.tmppid Process 1224 B93E.tmp 1224 B93E.tmp 1224 B93E.tmp 1224 B93E.tmp 1224 B93E.tmp 1224 B93E.tmp 1224 B93E.tmp 1224 B93E.tmp 1224 B93E.tmp 1224 B93E.tmp 1224 B93E.tmp 1224 B93E.tmp 1224 B93E.tmp 1224 B93E.tmp 1224 B93E.tmp 1224 B93E.tmp 1224 B93E.tmp 1224 B93E.tmp 1224 B93E.tmp 1224 B93E.tmp 1224 B93E.tmp 1224 B93E.tmp 1224 B93E.tmp 1224 B93E.tmp 1224 B93E.tmp 1224 B93E.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exedescription pid Process Token: SeAssignPrimaryTokenPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeDebugPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: 36 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeImpersonatePrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeIncBasePriorityPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeIncreaseQuotaPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: 33 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeManageVolumePrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeProfSingleProcessPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeRestorePrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSystemProfilePrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeTakeOwnershipPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeShutdownPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeDebugPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exeB93E.tmpdescription pid Process procid_target PID 3360 wrote to memory of 1224 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 90 PID 3360 wrote to memory of 1224 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 90 PID 3360 wrote to memory of 1224 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 90 PID 3360 wrote to memory of 1224 3360 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 90 PID 1224 wrote to memory of 3108 1224 B93E.tmp 94 PID 1224 wrote to memory of 3108 1224 B93E.tmp 94 PID 1224 wrote to memory of 3108 1224 B93E.tmp 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe"C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe"1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3360 -
C:\ProgramData\B93E.tmp"C:\ProgramData\B93E.tmp"2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1224 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\B93E.tmp >> NUL3⤵PID:3108
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD50744736b0d08e257aeafc82ef3f36f93
SHA1c06ae3686bbcf4e11b9e9f6a90543a6e7089b852
SHA2561f418a40640613be2bea3f4d03edb80a9ef103e29901f77649f2aad383ecfde9
SHA512b554d65a02700a018921e14fdf8a3edaf901f7cf950bf58faa7c6bd3464ccbba799ecf7482eed8f23715db6a8c7ab9b7e6dfc6f9e66fa57dad266425fee40539
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
Filesize
10KB
MD5bcdba1dc809fe14500cbd6fe3461d920
SHA166d07e6dcfca8a0ce4f59771fb784ab041666aaa
SHA2568d9e7957f604702307849a4a9b95096d53bc6cb2056b07564e46afa4c9e0453a
SHA5123a2482ce0bd9330bf48b645f34a743bb0b2604f78acf9f948dafb5af0518c008ac9cd9cd29fd8da91dae5a63483dffb2dcf17c26561131626dc7c06f589de6c7
-
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Filesize159KB
MD57f23c476873effbfd8ef825f6048440d
SHA14ad7686160c1a301f09960c03bad9d6574a63471
SHA25602d9cf5b6eaf5aadb3cc4a81a2130f52f44af1c87cc243987ddda960725fa364
SHA51229ee39f2c16bc8ffe476331988eeb37b6640d59cb152d331d9dcf8ed3f5ef3f6748a3a2dac58f95fb455fe44c25b2b67812c5cbf69d697625c7bb4437e1d6755
-
Filesize
129B
MD592d8bedd0ffc9a205c51443a6f6c061f
SHA1a5589cbf0f0fe912c3d4f29466b592415dcd8cde
SHA25626c72721b05226ec0957831e0fca93469579846dfbc529a84f52e97762819676
SHA51274f262d084d9485d48a19eb976623f8509e6f908ecf22932085c5a736badf8edd5095325ab0652b32c48ea6fbb13043e45461beee4cd7882b49b6045f3ef0a84