lockbit | 28664daf83a19ae6efd7caf9433600981fbb7c95025f473dc4e6099b603512a0

General

Target

test3.zip
Size

102KB
MD5

0e325d00fd30af4577f7a1df57a67b3f
SHA1

a3f86e3a702dba6582b967217e411af3b662d771
SHA256

28664daf83a19ae6efd7caf9433600981fbb7c95025f473dc4e6099b603512a0
SHA512

5802d619ffb5bba93183d2d1ccb25c516e13e6ed801b37737a8aafeeb3577c8a12bf36308eb57f6621e69e2589b82f1fd7d4c4b4b669c3df4622acae22faa1c7
SSDEEP

3072:Wwa7KxzWhIKXRzJUGdje+7Yenbw85eNwnaYeW02aa:Wwa7NhIKYG0+EeHeSa912aa

Score

10^/10

lockbit discovery ransomware

Malware Config

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\test3\a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin	family_lockbit
behavioral1/memory/2620-7-0x0000000000400000-0x000000000042C000-memory.dmp	family_lockbit
behavioral1/memory/2620-12-0x0000000000400000-0x000000000042C000-memory.dmp	family_lockbit

Executes dropped EXE 6 IoCs

Processes:

a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bina56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bina56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bina56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bina56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exea56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe

pid	process
2620	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin
2204	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin
1648	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin
1864	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin
2024	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe
1204	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe

Loads dropped DLL 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
2676	WerFault.exe
2676	WerFault.exe
2676	WerFault.exe
2676	WerFault.exe
2404	WerFault.exe
2404	WerFault.exe
2404	WerFault.exe
2404	WerFault.exe
1096	WerFault.exe
1096	WerFault.exe
1096	WerFault.exe
1096	WerFault.exe
2848	WerFault.exe
2848	WerFault.exe
2848	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2676	2620	WerFault.exe	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin
2404	2204	WerFault.exe	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin
1096	1648	WerFault.exe	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin
2848	1864	WerFault.exe	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin
1876	2024	WerFault.exe	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe
1992	1204	WerFault.exe	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bina56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exea56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exea56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bina56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bina56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin

Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings rundll32.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2408 NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	rundll32.exe

pid	process
2408	NOTEPAD.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 5 IoCs

Processes:

a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bina56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bina56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bina56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bina56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe

pid	process
2620	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin
2204	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin
1648	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin
1864	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin
1204	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7zG.exe

description	pid	process
Token: SeRestorePrivilege	2832	7zG.exe
Token: 35	2832	7zG.exe
Token: SeSecurityPrivilege	2832	7zG.exe
Token: SeSecurityPrivilege	2832	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7zG.exe

pid process

2832 7zG.exe

pid	process
2832	7zG.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

cmd.exea56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bina56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bina56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bina56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bina56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exea56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe

description	pid	process	target process
PID 1500 wrote to memory of 2620	1500	cmd.exe	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin
PID 1500 wrote to memory of 2620	1500	cmd.exe	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin
PID 1500 wrote to memory of 2620	1500	cmd.exe	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin
PID 1500 wrote to memory of 2620	1500	cmd.exe	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin
PID 2620 wrote to memory of 2676	2620	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin	WerFault.exe
PID 2620 wrote to memory of 2676	2620	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin	WerFault.exe
PID 2620 wrote to memory of 2676	2620	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin	WerFault.exe
PID 2620 wrote to memory of 2676	2620	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin	WerFault.exe
PID 1500 wrote to memory of 2204	1500	cmd.exe	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin
PID 1500 wrote to memory of 2204	1500	cmd.exe	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin
PID 1500 wrote to memory of 2204	1500	cmd.exe	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin
PID 1500 wrote to memory of 2204	1500	cmd.exe	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin
PID 2204 wrote to memory of 2404	2204	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin	WerFault.exe
PID 2204 wrote to memory of 2404	2204	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin	WerFault.exe
PID 2204 wrote to memory of 2404	2204	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin	WerFault.exe
PID 2204 wrote to memory of 2404	2204	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin	WerFault.exe
PID 1500 wrote to memory of 1648	1500	cmd.exe	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin
PID 1500 wrote to memory of 1648	1500	cmd.exe	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin
PID 1500 wrote to memory of 1648	1500	cmd.exe	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin
PID 1500 wrote to memory of 1648	1500	cmd.exe	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin
PID 1648 wrote to memory of 1096	1648	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin	WerFault.exe
PID 1648 wrote to memory of 1096	1648	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin	WerFault.exe
PID 1648 wrote to memory of 1096	1648	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin	WerFault.exe
PID 1648 wrote to memory of 1096	1648	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin	WerFault.exe
PID 1500 wrote to memory of 1864	1500	cmd.exe	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin
PID 1500 wrote to memory of 1864	1500	cmd.exe	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin
PID 1500 wrote to memory of 1864	1500	cmd.exe	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin
PID 1500 wrote to memory of 1864	1500	cmd.exe	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin
PID 1864 wrote to memory of 2848	1864	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin	WerFault.exe
PID 1864 wrote to memory of 2848	1864	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin	WerFault.exe
PID 1864 wrote to memory of 2848	1864	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin	WerFault.exe
PID 1864 wrote to memory of 2848	1864	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin	WerFault.exe
PID 2024 wrote to memory of 1876	2024	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe	WerFault.exe
PID 2024 wrote to memory of 1876	2024	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe	WerFault.exe
PID 2024 wrote to memory of 1876	2024	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe	WerFault.exe
PID 2024 wrote to memory of 1876	2024	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe	WerFault.exe
PID 1500 wrote to memory of 1204	1500	cmd.exe	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe
PID 1500 wrote to memory of 1204	1500	cmd.exe	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe
PID 1500 wrote to memory of 1204	1500	cmd.exe	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe
PID 1500 wrote to memory of 1204	1500	cmd.exe	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe
PID 1204 wrote to memory of 1992	1204	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe	WerFault.exe
PID 1204 wrote to memory of 1992	1204	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe	WerFault.exe
PID 1204 wrote to memory of 1992	1204	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe	WerFault.exe
PID 1204 wrote to memory of 1992	1204	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe	WerFault.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\test3.zip
1⤵
PID:2936

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\test3\" -spe -an -ai#7zMap21070:90:7zEvent3980
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2832

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\test3\nothing.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2408

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Users\Admin\AppData\Local\Temp\test3\a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin
  a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin -k LocalServiceNetworkRestricted -pass db66023ab2abcb9957fb01ed50cdfa6a CHECK_UI_LANGUAGE_FLAG
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 88
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2676
- C:\Users\Admin\AppData\Local\Temp\test3\a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin
  a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin -k LocalServiceNetworkRestricted -pass db66023ab2abcb9957fb01ed50cdfa6a
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 88
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2404
- C:\Users\Admin\AppData\Local\Temp\test3\a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin
  a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin -pass db66023ab2abcb9957fb01ed50cdfa6a
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 88
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1096
- C:\Users\Admin\AppData\Local\Temp\test3\a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin
  a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 88
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2848
- C:\Users\Admin\AppData\Local\Temp\test3\a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe
  a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe -k LocalServiceNetworkRestricted -pass db66023ab2abcb9957fb01ed50cdfa6a
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 88
    3⤵
    - Program crash
    PID:1992

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\test3\a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin
1⤵
- Modifies registry class
PID:2016

C:\Users\Admin\AppData\Local\Temp\test3\a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe
"C:\Users\Admin\AppData\Local\Temp\test3\a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 88
  2⤵
  - Program crash
  PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test3\a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.exe.bin

Filesize
162KB

MD5
03b14473eef5b7e38d9a5041c1af0a76

SHA1
371353e9564c58ae4722a03205ac84ab34383d8c

SHA256
a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e

SHA512
eb39446791d4cdbfcd13dfc3ee1902cbc80f946d177e53a2927ef1e53257113e904ae5b5711a5622769b45bfcb961cd9c33158ad9c1f5e1258ff91d8bc753615

Download Submit
C:\Users\Admin\AppData\Local\Temp\test3\nothing.txt

Filesize
96B

MD5
e3826f99bef4b2cb1e4b20f9293d782a

SHA1
a05ec35fb8ba27a5b34e7b0896f26c1496b53698

SHA256
980fc980881354923c7ef7c6737adf9bdf5e72d3cf8a12fa18c4d4eb38cdf7ae

SHA512
5028582211b5764fa87c3a83f9daed057149fc5dd08e327a10c62fda5bb52bc3385ec3971b37d75b6a85dcd4c6c2e1873f09ce310ad21763c5fe12f4efee168a

Download Submit
memory/2620-7-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2620-12-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads