Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

6375e7e4c7...71.exe

windows7-x64

10

6375e7e4c7...71.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    84s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/01/2025, 12:41 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6375e7e4c7cdc3f96afd991c4dfedd5cdfe4b31bf0662dccfa703c117e951f71.exe

  • Size

    1.7MB

  • MD5

    927426bafb84fe8daff84cff77258e0d

  • SHA1

    320a91f6b810e4f5dbb38f58fd2949c780d4c807

  • SHA256

    6375e7e4c7cdc3f96afd991c4dfedd5cdfe4b31bf0662dccfa703c117e951f71

  • SHA512

    1eb9eb0e65a6cb5ea43db76b476f8a0a78942664980eee67e46929685005f40d7f7d85be3e1dec98fce3ca7bfdce62ad2d6daafdc96a4844e84a72a721d55181

  • SSDEEP

    24576:/5dZufOrzvckB+Fr+waFHTcqunNW3QdWvPiVD2CWgrUE94FFs+n9rQOF8nux8igX:/5dVwPaFHTTgkAAn2IQ39y9rRF8uxG

Score
10/10
lockbitdefense_evasiondiscoveryransomwarespywarestealer

Malware Config

Extracted

Path

C:\ZQXLByuZ3.README.txt

Family

lockbit

Ransom Note
~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live >>>> You need contact us and decrypt one file for free your personal DECRYPTION ID Tox ID LockBitSupp: 4FC18FE3304323D69CF8E0A4F88765B7B6E61BC30717B4908925DE4F3584A329993344E1306C Mail: angelinedumas@skiff.com Write to a chat and wait for the answer, we will always answer you. >>>> Your personal DECRYPTION ID: 0742AF252D792D02C581877B1E24E28B >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in tox. Tox ID LockBitSupp: 4FC18FE3304323D69CF8E0A4F88765B7B6E61BC30717B4908925DE4F3584A329993344E1306C If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly
Emails

angelinedumas@skiff.com

URLs

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion

http://lockbitapt.uz

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

https://twitter.com/hashtag/lockbit?f=live

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

    ransomwarelockbit
  • Lockbit family
    lockbit
  • Renames multiple (614) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6375e7e4c7cdc3f96afd991c4dfedd5cdfe4b31bf0662dccfa703c117e951f71.exe
    "C:\Users\Admin\AppData\Local\Temp\6375e7e4c7cdc3f96afd991c4dfedd5cdfe4b31bf0662dccfa703c117e951f71.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4456
    • C:\Users\Admin\AppData\Local\Temp\6375e7e4c7cdc3f96afd991c4dfedd5cdfe4b31bf0662dccfa703c117e951f71.exe
      "C:\Users\Admin\AppData\Local\Temp\6375e7e4c7cdc3f96afd991c4dfedd5cdfe4b31bf0662dccfa703c117e951f71.exe"
      2⤵
      • Checks BIOS information in registry
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4120
      • C:\Users\Admin\AppData\Local\Temp\6375e7e4c7cdc3f96afd991c4dfedd5cdfe4b31bf0662dccfa703c117e951f71.exe
        C:\Users\Admin\AppData\Local\Temp\6375e7e4c7cdc3f96afd991c4dfedd5cdfe4b31bf0662dccfa703c117e951f71.exe
        3⤵
        • Drops desktop.ini file(s)
        • Sets desktop wallpaper using registry
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1232
        • C:\Windows\splwow64.exe
          C:\Windows\splwow64.exe 12288
          4⤵
          • Drops file in System32 directory
          PID:648
        • C:\ProgramData\F1B4.tmp
          "C:\ProgramData\F1B4.tmp"
          4⤵
          • Checks computer location settings
          • Deletes itself
          • Executes dropped EXE
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: RenamesItself
          • Suspicious use of WriteProcessMemory
          PID:4664
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\F1B4.tmp >> NUL
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1848
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:2924
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3304
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{5C2BA39F-D202-407C-BEEF-F6E076BC853C}.xps" 133809865366810000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of SetWindowsHookEx
        PID:3656

    Network

    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dnsgoogle
    • flag-us
      DNS
      196.249.167.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      196.249.167.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      4.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      4.159.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      209.205.72.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      209.205.72.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      roaming.officeapps.live.com
      ONENOTE.EXE
      Remote address:
      8.8.8.8:53
      Request
      roaming.officeapps.live.com
      IN A
      Response
      roaming.officeapps.live.com
      IN CNAME
      prod.roaming1.live.com.akadns.net
      prod.roaming1.live.com.akadns.net
      IN CNAME
      eur.roaming1.live.com.akadns.net
      eur.roaming1.live.com.akadns.net
      IN CNAME
      frc-azsc-000.roaming.officeapps.live.com
      frc-azsc-000.roaming.officeapps.live.com
      IN CNAME
      osiprod-frc-buff-azsc-000.francecentral.cloudapp.azure.com
      osiprod-frc-buff-azsc-000.francecentral.cloudapp.azure.com
      IN A
      52.109.68.129
    • flag-fr
      POST
      https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
      ONENOTE.EXE
      Remote address:
      52.109.68.129:443
      Request
      POST /rs/RoamingSoapService.svc HTTP/1.1
      Cache-Control: no-cache
      Connection: Keep-Alive
      Pragma: no-cache
      Content-Type: text/xml; charset=utf-8
      User-Agent: MS-WebServices/1.0
      SOAPAction: "http://tempuri.org/IRoamingSettingsService/GetConfig"
      Content-Length: 511
      Host: roaming.officeapps.live.com
      Response
      HTTP/1.1 200 OK
      Cache-Control: private
      Content-Type: text/xml; charset=utf-8
      Server: Microsoft-IIS/10.0
      X-OfficeFE: RoamingFE_IN_257
      X-OfficeVersion: 16.0.18505.30575
      X-OfficeCluster: frc-000.roaming.officeapps.live.com
      Content-Security-Policy-Report-Only: script-src 'nonce-yvCzzLEsrWLLuCE3xUYPSRPp+M5AxIYNdPySlGPSqHshY2t/Od9OxGP+VM9BC6f0xjrKO6Fu8lSXqNPfuhIByTT0inSHCCByBEVoE83fLm4ASU1gAgKdceZTnOmajAHZFnneEfM5PbDMFbWk23BLAoLsmN/tl5lylRuL0Zxhpzo=' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https:; base-uri 'self'; object-src 'none'; require-trusted-types-for 'script'; report-uri https://csp.microsoft.com/report/OfficeIce-OfficeRoaming-Prod; frame-ancestors 'none';
      X-Frame-Options: Deny
      X-CorrelationId: 419e3cfd-f195-40d2-bff4-477f53d4eee1
      X-Powered-By: ASP.NET
      Date: Fri, 10 Jan 2025 12:42:22 GMT
      Content-Length: 654
    • flag-us
      DNS
      240.76.109.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.76.109.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      129.68.109.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      129.68.109.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      197.87.175.4.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      197.87.175.4.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      171.39.242.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      171.39.242.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      92.12.20.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      92.12.20.2.in-addr.arpa
      IN PTR
      Response
      92.12.20.2.in-addr.arpa
      IN PTR
      a2-20-12-92deploystaticakamaitechnologiescom
    • flag-us
      DNS
      172.214.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.214.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      30.243.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      30.243.111.52.in-addr.arpa
      IN PTR
      Response
    • 52.109.68.129:443
      https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
      tls, http
      ONENOTE.EXE
      1.8kB
       8.3kB
       12
      11

      HTTP Request

      POST https://roaming.officeapps.live.com/rs/RoamingSoapService.svc

      HTTP Response

      200
    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
       90 B
       1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      196.249.167.52.in-addr.arpa
      dns
      73 B
       147 B
       1
      1

      DNS Request

      196.249.167.52.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
       128 B
       1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      4.159.190.20.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      4.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
       144 B
       1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      209.205.72.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      209.205.72.20.in-addr.arpa

    • 8.8.8.8:53
      roaming.officeapps.live.com
      dns
      ONENOTE.EXE
      73 B
       250 B
       1
      1

      DNS Request

      roaming.officeapps.live.com

      DNS Response

      52.109.68.129

    • 8.8.8.8:53
      240.76.109.52.in-addr.arpa
      dns
      72 B
       146 B
       1
      1

      DNS Request

      240.76.109.52.in-addr.arpa

    • 8.8.8.8:53
      129.68.109.52.in-addr.arpa
      dns
      72 B
       146 B
       1
      1

      DNS Request

      129.68.109.52.in-addr.arpa

    • 8.8.8.8:53
      197.87.175.4.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      197.87.175.4.in-addr.arpa

    • 8.8.8.8:53
      171.39.242.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      171.39.242.20.in-addr.arpa

    • 8.8.8.8:53
      92.12.20.2.in-addr.arpa
      dns
      69 B
       131 B
       1
      1

      DNS Request

      92.12.20.2.in-addr.arpa

    • 8.8.8.8:53
      172.214.232.199.in-addr.arpa
      dns
      74 B
       128 B
       1
      1

      DNS Request

      172.214.232.199.in-addr.arpa

    • 8.8.8.8:53
      30.243.111.52.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      30.243.111.52.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-4089630652-1596403869-279772308-1000\YYYYYYYYYYY
      Filesize

      129B

      MD5

      660a760ac007f3234f2967d5e45a50f3

      SHA1

      99c59f9264fa2d218e97879990f1cd3434ab56bf

      SHA256

      169809a62cb05c19cfb32de2d5808875c5547237022cafc6debf354e61aee878

      SHA512

      1c612620b0a4245378168cd1d014600ef17832da88d21afc47dab09382aa016ec8d6685e7a6e7a82995862000a3fe396063995cac51e45a26c240ca95baaf2ef

      Download Submit

    • C:\ProgramData\F1B4.tmp
      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
      Filesize

      1.7MB

      MD5

      b1dbf96cbac92d09620f908add74123a

      SHA1

      721311bb9f042a8d0298f294f9a9c25386a5bb5d

      SHA256

      c74cb00fc0ab4dab4011220be8ebbc98928fbd7185ea1ce20644f2918c0756a6

      SHA512

      86c930d9321d2b7d0f9d283017d19c5548c9d75935e7611dfb711d883d01f03dbc9bfd2cdb91e3ab34f526886358e7bc62ca2e0e3c1b50cbb776ecc42612e96d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\{CF7D0F2C-6029-4FC9-A3DF-2F864240ADC8}
      Filesize

      4KB

      MD5

      92313fcabf805e0c0a68a0a1cdc55496

      SHA1

      9bce924befffc639553461690094652d35888f62

      SHA256

      5316481275c4115fa3727da7ce1326d479a3a7edf006803fb0153d1b24810ef8

      SHA512

      4cdb68b6d5397c0f1db692986a4ec8e410174db8283c879a80363efbb89b9d62582b2fd2c9a7626adab6a30bc4a419a6bc03a3bcbf40733f0c1240b35611881a

      Download Submit

    • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
      Filesize

      4KB

      MD5

      5bc945a644003e24c49b83dbebd4ee70

      SHA1

      d174db67cc1092ecd56e85cc2f448c7b85b1f8e6

      SHA256

      e6d37f749ad25aba9687523acaa0dead6dde371df68a566210d3fec73172f930

      SHA512

      2e476eb4bafd59b94348d01aa46a8ba91979e3ed74a96e8cca5f9c2a4bfe4504f9cb2fd985076a59161515b55633e8e7d8f99aa14926c3f67205c9d809dc2465

      Download Submit

    • C:\ZQXLByuZ3.README.txt
      Filesize

      5KB

      MD5

      5d059a43265f2b6dee086721bf8a251a

      SHA1

      12abeec0e1c9b55caa73ae01ca33e156a1eea434

      SHA256

      81a9270f3478012eaa0ac8ae38663d477a62d3606bb1508c1ece53a9b61a1d7d

      SHA512

      e8548d7a846a869edcd2e719ad2f097af23053f26a672a06ca639417db61cfb46dbaec98a76aa76d31d81486847a9a41bc9b75a7e46c26555a16551b4d572c5e

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-4089630652-1596403869-279772308-1000\DDDDDDDDDDD
      Filesize

      129B

      MD5

      747a098b8318582aefec952f67120be3

      SHA1

      45e0a2e7712161e9c1006fd3996acdfb470f3c9a

      SHA256

      3981ea8b56bb90f02302f0467e14aa159c1bd7af67168f2c7a8dc1b5c7fc5c45

      SHA512

      d5d7dd38b5fd4afd0f90c9ed28049b0ea1c1c7dc766b53d65c0309ac6700f2f1be343e98ab7a7329d5579d2d691f59b263710fc280505fbbaf8d0c4357da83ef

      Download Submit

    • memory/1232-2888-0x0000000002330000-0x0000000002340000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1232-136-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/1232-23-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/1232-2886-0x0000000002330000-0x0000000002340000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1232-2887-0x0000000002330000-0x0000000002340000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1232-29-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/1232-2885-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/1232-27-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/1232-25-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/1232-22-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/1232-21-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/1232-18-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/1232-19-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/1232-35-0x0000000002330000-0x0000000002340000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1232-33-0x0000000002330000-0x0000000002340000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1232-34-0x0000000002330000-0x0000000002340000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1232-37-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/1232-45-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/1232-43-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/1232-2883-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/1232-2880-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/1232-20-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/1232-2881-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/1232-315-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/1232-2871-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/3656-2907-0x00007FFDEAA30000-0x00007FFDEAA40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3656-2911-0x00007FFDEAA30000-0x00007FFDEAA40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3656-2941-0x00007FFDE83A0000-0x00007FFDE83B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3656-2932-0x00007FFDE83A0000-0x00007FFDE83B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3656-2908-0x00007FFDEAA30000-0x00007FFDEAA40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3656-2906-0x00007FFDEAA30000-0x00007FFDEAA40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3656-2910-0x00007FFDEAA30000-0x00007FFDEAA40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4120-32-0x0000000010000000-0x00000000101AC000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/4120-13-0x0000000010000000-0x00000000101AC000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/4120-11-0x0000000010000000-0x00000000101AC000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/4120-14-0x0000000002310000-0x000000000246A000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4120-9-0x0000000002310000-0x000000000246A000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4120-28-0x0000000002310000-0x000000000246A000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4120-12-0x0000000010000000-0x00000000101AC000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/4120-2-0x0000000002310000-0x000000000246A000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4120-1-0x0000000010000000-0x00000000101AC000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/4456-30-0x0000000010000000-0x00000000101AC000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/4456-0-0x0000000010000000-0x00000000101AC000-memory.dmp

      Filesize

      1.7MB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.