Analysis
-
max time kernel
133s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
14-03-2024 04:06
Static task
static1
Behavioral task
behavioral1
Sample
19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe
Resource
win10v2004-20240226-en
General
-
Target
19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe
-
Size
959KB
-
MD5
fec0ba68b3118f490dbee9dc5cc382d4
-
SHA1
c5a76c237314d970fb5acfc118c1f1109d012704
-
SHA256
19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0
-
SHA512
4c202c11503607baa0fccc23223933eaf1ffe052607f46f3d596520ced90359d1bcf1369ce335d4b63de9c221cf137d6354ce88fead6e3164c54903c8e20f81c
-
SSDEEP
24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdMF:Ujrc2So1Ff+B3k796W
Malware Config
Extracted
C:\Program Files\dotnet\Restore-My-Files.txt
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
https://decoding.at
Extracted
C:\Users\Admin\Desktop\LockBit_Ransomware.hta
https://decoding.at/
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion/or
https://decoding.at
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
OfficeC2RClient.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE is not expected to spawn this process 432 4864 OfficeC2RClient.exe ONENOTE.EXE -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
bcdedit.exebcdedit.exepid process 2512 bcdedit.exe 916 bcdedit.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{7866A3C0-E0E0-3A21-40E3-40AA4E080B68} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe\"" 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\Users\\Admin\\Desktop\\LockBit_Ransomware.hta" 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exedescription ioc process File opened (read-only) \??\F: 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe -
Drops file in System32 directory 6 IoCs
Processes:
printfilterpipelinesvc.exe19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exedescription ioc process File created C:\Windows\system32\spool\PRINTERS\PPoq214vj4288jyez8urqbplsc.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\PPs946rha2zkvhiggxvrqmu4jw.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\PPbehx0mw8h8crom4w0oerub9zd.TMP printfilterpipelinesvc.exe File created C:\windows\SysWOW64\AE664D.ico 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File created C:\Windows\system32\spool\PRINTERS\00002.SPL 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File created C:\Windows\system32\spool\PRINTERS\00003.SPL 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1383.tmp.bmp" 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 18 IoCs
Processes:
19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exepid process 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe -
Drops file in Program Files directory 64 IoCs
Processes:
19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exedescription ioc process File opened for modification C:\program files\java\jre-1.8\lib\currency.data 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\microsoft office\root\licenses16\outlookr_grace-ppd.xrm-ms 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File created C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\fss\js\nls\it-it\Restore-My-Files.txt 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\java\jdk-1.8\legal\jdk\bcel.md 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\java\jre-1.8\legal\javafx\webkit.md 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\videolan\vlc\lua\intf\modules\httprequests.luac 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\adobe\acrobat reader dc\reader\idtemplates\enu\defaultid.pdf 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\exportpdfupsell-app\js\nls\nl-nl\ui-strings.js 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\on-boarding\images\themeless\download_on_the_app_store_badge_sv_135x40.svg 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\java\jdk-1.8\include\win32\bridge\accessbridgepackages.h 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\microsoft office\root\office16\proof\mshy7en.lex 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\images\themes\dark\organize.svg 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\scan-files\images\themeless\playstore\tr_get.svg 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File created C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\unified-share\css\Restore-My-Files.txt 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\adobe\acrobat reader dc\resource\typesupport\unicode\mappings\mac\greek.txt 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\java\jdk-1.8\jre\lib\management\jmxremote.access 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File created C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\app-center\js\nls\da-dk\Restore-My-Files.txt 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File created C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\add-account\js\nls\pt-br\Restore-My-Files.txt 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\java\jre-1.8\legal\jdk\jpeg.md 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\microsoft office\root\office16\logoimages\powerpntlogosmall.scale-100.png 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\microsoft office\root\licenses16\projectpro2019r_trial-ppd.xrm-ms 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\videolan\vlc\lua\http\js\common.js 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\fss\js\nls\fi-fi\ui-strings.js 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File created C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\search-summary\js\nls\root\Restore-My-Files.txt 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\microsoft office\root\templates\1033\apothecaryresume.dotx 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File created C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\add-account\images\Restore-My-Files.txt 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File created C:\program files\videolan\vlc\locale\hy\lc_messages\Restore-My-Files.txt 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File created C:\program files\videolan\vlc\locale\vi\lc_messages\Restore-My-Files.txt 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File created C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-computer\js\nls\ru-ru\Restore-My-Files.txt 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File created C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\signatures\js\nls\zh-cn\Restore-My-Files.txt 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File created C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\tool\Restore-My-Files.txt 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\microsoft office\root\document themes 16\theme effects\subtle solids.eftx 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\microsoft office\root\licenses16\powerpoint2019r_oem_perp-ppd.xrm-ms 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\combinepdf\js\plugins\rhp\combinepdf-selector.js 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\on-boarding\images\themeless\localized_images\es-es\appstore_icon.svg 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\microsoft office\root\licenses16\homestudentvnextr_grace-ul-oob.xrm-ms 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\microsoft office\root\licenses16\skypeforbusiness2019r_retail-ul-oob.xrm-ms 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File created C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-computer\js\nls\fr-fr\Restore-My-Files.txt 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\send-for-sign\images\themes\dark\cloud_secured_lg.png 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\signatures\js\nls\eu-es\ui-strings.js 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\videolan\vlc\locale\ps\lc_messages\vlc.mo 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File created C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\core\dev\nls\cs-cz\Restore-My-Files.txt 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\editpdf\js\nls\ko-kr\ui-strings.js 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\microsoft office\root\licenses16\access2019r_trial-pl.xrm-ms 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\microsoft office\root\office16\1033\excel_col.hxt 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File created C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-recent-files\js\nls\uk-ua\Restore-My-Files.txt 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File created C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\search-summary\js\nls\he-il\Restore-My-Files.txt 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File created C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\app\dev\nls\zh-cn\Restore-My-Files.txt 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\signatures\images\themes\dark\cstm_brand_preview2x.png 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\microsoft office\root\vfs\common appdata\microsoft help\ms.excel.16.1033.hxn 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\app\dev\nls\hu-hu\ui-strings.js 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\microsoft office\root\licenses16\mondovl_kms_client-ppd.xrm-ms 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\microsoft office\root\licenses16\o365educloudedur_subscription-ppd.xrm-ms 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\scan-files\images\themeless\appstore\download_on_the_app_store_badge_cs_135x40.svg 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\send-for-sign\images\caution.svg 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\walk-through\images\cross.png 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\java\jdk-1.8\jre\legal\javafx\mesa3d.md 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\microsoft office\root\document themes 16\theme colors\green.xml 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\videolan\vlc\authors.txt 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\createpdfupsell-app\js\nls\da-dk\ui-strings.js 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\java\jre-1.8\legal\jdk\pkcs11cryptotoken.md 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File created C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\send-for-sign\js\nls\ca-es\Restore-My-Files.txt 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\videolan\vlc\locale\nl\lc_messages\vlc.mo 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\digsig\js\nls\ko-kr\ui-strings.js 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4732 752 WerFault.exe mshta.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 3464 vssadmin.exe -
Modifies Control Panel 2 IoCs
Processes:
19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\Desktop\WallpaperStyle = "2" 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\Desktop\TileWallpaper = "0" 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe -
Modifies registry class 15 IoCs
Processes:
19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exedescription ioc process Key created \Registry\Machine\Software\Classes\Lockbit\DefaultIcon 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe Key created \Registry\Machine\Software\Classes\htafile\DefaultIcon 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe Key created \Registry\Machine\Software\Classes\.lockbit 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe Key created \Registry\Machine\Software\Classes\.lockbit\DefaultIcon 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\ = "LockBit" 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe Key created \Registry\Machine\Software\Classes\Lockbit 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe Key created \Registry\Machine\Software\Classes\Lockbit\shell\Open 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\AE664D.ico" 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe Key created \Registry\Machine\Software\Classes\Lockbit\shell 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\AE664D.ico" 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe Key created \Registry\Machine\Software\Classes\Lockbit\shell\Open\Command 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Lockbit\ = "LockBit Class" 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Lockbit\shell\Open\Command\ = "\"C:\\Windows\\system32\\mshta.exe\" \"C:\\Users\\Admin\\Desktop\\LockBit_Ransomware.hta\"" 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htafile\DefaultIcon\ = "C:\\windows\\SysWow64\\AE664D.ico" 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 56 IoCs
Processes:
19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exepid process 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe -
Suspicious use of AdjustPrivilegeToken 47 IoCs
Processes:
19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exevssvc.exeWMIC.exedescription pid process Token: SeTakeOwnershipPrivilege 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe Token: SeDebugPrivilege 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe Token: SeBackupPrivilege 2188 vssvc.exe Token: SeRestorePrivilege 2188 vssvc.exe Token: SeAuditPrivilege 2188 vssvc.exe Token: SeIncreaseQuotaPrivilege 2816 WMIC.exe Token: SeSecurityPrivilege 2816 WMIC.exe Token: SeTakeOwnershipPrivilege 2816 WMIC.exe Token: SeLoadDriverPrivilege 2816 WMIC.exe Token: SeSystemProfilePrivilege 2816 WMIC.exe Token: SeSystemtimePrivilege 2816 WMIC.exe Token: SeProfSingleProcessPrivilege 2816 WMIC.exe Token: SeIncBasePriorityPrivilege 2816 WMIC.exe Token: SeCreatePagefilePrivilege 2816 WMIC.exe Token: SeBackupPrivilege 2816 WMIC.exe Token: SeRestorePrivilege 2816 WMIC.exe Token: SeShutdownPrivilege 2816 WMIC.exe Token: SeDebugPrivilege 2816 WMIC.exe Token: SeSystemEnvironmentPrivilege 2816 WMIC.exe Token: SeRemoteShutdownPrivilege 2816 WMIC.exe Token: SeUndockPrivilege 2816 WMIC.exe Token: SeManageVolumePrivilege 2816 WMIC.exe Token: 33 2816 WMIC.exe Token: 34 2816 WMIC.exe Token: 35 2816 WMIC.exe Token: 36 2816 WMIC.exe Token: SeIncreaseQuotaPrivilege 2816 WMIC.exe Token: SeSecurityPrivilege 2816 WMIC.exe Token: SeTakeOwnershipPrivilege 2816 WMIC.exe Token: SeLoadDriverPrivilege 2816 WMIC.exe Token: SeSystemProfilePrivilege 2816 WMIC.exe Token: SeSystemtimePrivilege 2816 WMIC.exe Token: SeProfSingleProcessPrivilege 2816 WMIC.exe Token: SeIncBasePriorityPrivilege 2816 WMIC.exe Token: SeCreatePagefilePrivilege 2816 WMIC.exe Token: SeBackupPrivilege 2816 WMIC.exe Token: SeRestorePrivilege 2816 WMIC.exe Token: SeShutdownPrivilege 2816 WMIC.exe Token: SeDebugPrivilege 2816 WMIC.exe Token: SeSystemEnvironmentPrivilege 2816 WMIC.exe Token: SeRemoteShutdownPrivilege 2816 WMIC.exe Token: SeUndockPrivilege 2816 WMIC.exe Token: SeManageVolumePrivilege 2816 WMIC.exe Token: 33 2816 WMIC.exe Token: 34 2816 WMIC.exe Token: 35 2816 WMIC.exe Token: 36 2816 WMIC.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
OfficeC2RClient.exepid process 432 OfficeC2RClient.exe -
Suspicious use of WriteProcessMemory 26 IoCs
Processes:
19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.execmd.exeprintfilterpipelinesvc.exeONENOTE.EXEcmd.exedescription pid process target process PID 3216 wrote to memory of 3564 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe cmd.exe PID 3216 wrote to memory of 3564 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe cmd.exe PID 3564 wrote to memory of 3464 3564 cmd.exe vssadmin.exe PID 3564 wrote to memory of 3464 3564 cmd.exe vssadmin.exe PID 3564 wrote to memory of 2816 3564 cmd.exe WMIC.exe PID 3564 wrote to memory of 2816 3564 cmd.exe WMIC.exe PID 3564 wrote to memory of 2512 3564 cmd.exe bcdedit.exe PID 3564 wrote to memory of 2512 3564 cmd.exe bcdedit.exe PID 3564 wrote to memory of 916 3564 cmd.exe bcdedit.exe PID 3564 wrote to memory of 916 3564 cmd.exe bcdedit.exe PID 5104 wrote to memory of 4864 5104 printfilterpipelinesvc.exe ONENOTE.EXE PID 5104 wrote to memory of 4864 5104 printfilterpipelinesvc.exe ONENOTE.EXE PID 4864 wrote to memory of 432 4864 ONENOTE.EXE OfficeC2RClient.exe PID 4864 wrote to memory of 432 4864 ONENOTE.EXE OfficeC2RClient.exe PID 3216 wrote to memory of 752 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe mshta.exe PID 3216 wrote to memory of 752 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe mshta.exe PID 3216 wrote to memory of 752 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe mshta.exe PID 3216 wrote to memory of 4368 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe cmd.exe PID 3216 wrote to memory of 4368 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe cmd.exe PID 3216 wrote to memory of 4368 3216 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe cmd.exe PID 4368 wrote to memory of 2896 4368 cmd.exe PING.EXE PID 4368 wrote to memory of 2896 4368 cmd.exe PING.EXE PID 4368 wrote to memory of 2896 4368 cmd.exe PING.EXE PID 4368 wrote to memory of 3248 4368 cmd.exe fsutil.exe PID 4368 wrote to memory of 3248 4368 cmd.exe fsutil.exe PID 4368 wrote to memory of 3248 4368 cmd.exe fsutil.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe"C:\Users\Admin\AppData\Local\Temp\19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3216 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no2⤵
- Suspicious use of WriteProcessMemory
PID:3564 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:3464 -
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2816 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
PID:2512 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
PID:916 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\LockBit_Ransomware.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵PID:752
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 17843⤵
- Program crash
PID:4732 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4368 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.7 -n 33⤵
- Runs ping.exe
PID:2896 -
C:\Windows\SysWOW64\fsutil.exefsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe"3⤵PID:3248
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2188
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:1220
-
C:\Windows\system32\printfilterpipelinesvc.exeC:\Windows\system32\printfilterpipelinesvc.exe -Embedding1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{C60ED9B7-F84E-41AA-9B05-4C255E0CC875}.xps" 1335486285685000002⤵
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exeOfficeC2RClient.exe /error PID=4864 ProcessName="Microsoft OneNote" UIType=3 ErrorSource=0x8b10082a ErrorCode=0x80004005 ShowUI=13⤵
- Process spawned unexpected child process
- Suspicious use of SetWindowsHookEx
PID:432
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 752 -ip 7521⤵PID:2784
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512B
MD5972e591faffedaf607188dd460d2f06f
SHA1e1f1882cbb32a3e2127197bd9641294a5b2e0598
SHA25684793132adb3e50c7d9c0f502b1558c5d2eaecedee15813d25e5c68d5f6f3ceb
SHA51231a58f2a20d5699d366da2464218d793a7e30f3a2e258f36e240218ecd5aa99fb51ab4eb1af14e2dd9c7612302649017f74c50c23d56f5e9db9e733bb8604c38
-
Filesize
46KB
MD5c15c6adc8c923ad87981f289025c37b2
SHA1bfe6533f4afe3255046f7178f289a4c75ad89e76
SHA25690f3a33919fdd766e90fd96f8f20a92c2d1376b7cfdc8b738c2f8e7e6c7498b1
SHA51231dd03b208e00ac012fbe4189d5af1306cc8e3640d40efefab4aa1cabab3c4735eef0cb65e7750c3c77021934e145398e5e26389975cf36b193c8f622a5fde83