lucastealer | f37134e9d3f61052ce126082a31aea1c7e0b3fca9f2373e79c3b4a9d884aef9b

Analysis

max time kernel
150s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08-03-2023 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4bc5ade40ab56113ce9709c0da15416628e089e838864a6756ceca90b8ffaf5b.exe
Size

5.6MB
MD5

bded213b6ad8b501a9a8769498c06858
SHA1

3927ded7ffee7ab8f400d00bcb3b5479ffa3abfb
SHA256

4bc5ade40ab56113ce9709c0da15416628e089e838864a6756ceca90b8ffaf5b
SHA512

01fae25d7d0865ea0bd3b2f4d8f51d192a3ae9b7af5ab23ea55b34cadc3618ad66f53aec865776a50c98a7fb8076e71335d180ebf6e8ad02cf4a74799d780ee3
SSDEEP

98304:QxD6iw63xsDaup/EMGVxpE581oyzEY6JvRdZjYZPqXEla15YYO:QR6b6+HE25ZyzEX9jaqzv2

Score

10^/10

lucastealer persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\ProgramData\Adobe\Updater6\RESTORE-MY-FILES.txt

Ransom Note

***SOLIDBIT RANSOMWARE*** All of your files are encrypted by SOLIDBIT ransomware and you cannot decrypt it without our help. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can recover all your files safely and easily with us. Contact Download Tor Browser - https://www.torproject.org/download/ and install it Open the link below in Tor Browser and follow instructions on this page http://solidb2jco63vbhx4sfimnqmwhtdjk4jbbgq7a24cmzzkfse4rduxgid.onion Decryption ID: 5-SJNASR2934QJ6MP6XH47DZDHWLI9k8

URLs

http://solidb2jco63vbhx4sfimnqmwhtdjk4jbbgq7a24cmzzkfse4rduxgid.onion

Signatures

Luca Stealer
Info stealer written in Rust first seen in July 2022.
stealer lucastealer

Luca Stealer payload 5 IoCs

resource	yara_rule
behavioral1/files/0x000900000001314e-4813.dat	family_lucastealer
behavioral1/files/0x000900000001314e-4814.dat	family_lucastealer
behavioral1/files/0x000900000001314e-4815.dat	family_lucastealer
behavioral1/files/0x000900000001314e-4816.dat	family_lucastealer
behavioral1/files/0x000900000001314e-4818.dat	family_lucastealer

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\SyncUndo.tif.solidbit	Runtime64.exe
File opened for modification	C:\Users\Admin\Pictures\SyncUndo.tif.solidbit	Runtime64.exe
File created	C:\Users\Admin\Pictures\DebugConnect.png.solidbit	Runtime64.exe
File opened for modification	C:\Users\Admin\Pictures\DebugConnect.png.solidbit	Runtime64.exe
File created	C:\Users\Admin\Pictures\ResumeSave.png.solidbit	Runtime64.exe
File opened for modification	C:\Users\Admin\Pictures\ResumeSave.png.solidbit	Runtime64.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	Runtime64.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RESTORE-MY-FILES.txt	Runtime64.exe

Executes dropped EXE 3 IoCs

pid	Process
1552	LoL Checker x64.exe
1112	LoL Account Checker.exe
1704	Runtime64.exe

Loads dropped DLL 6 IoCs

pid	Process
1968	cmd.exe
940	cmd.exe
940	cmd.exe
1884	Process not Found
1672	cmd.exe
1672	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\UpdateTask = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Runtime64.exe"	Runtime64.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	Runtime64.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E9J3Z65S\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	Runtime64.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	Runtime64.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\A6DSJQQJ\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\BZB8KC7X\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Public\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JPTKCP3O\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VCT3UJZ1\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3FENPIEN\desktop.ini	Runtime64.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	Runtime64.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1384	4bc5ade40ab56113ce9709c0da15416628e089e838864a6756ceca90b8ffaf5b.exe
1384	4bc5ade40ab56113ce9709c0da15416628e089e838864a6756ceca90b8ffaf5b.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	4bc5ade40ab56113ce9709c0da15416628e089e838864a6756ceca90b8ffaf5b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	4bc5ade40ab56113ce9709c0da15416628e089e838864a6756ceca90b8ffaf5b.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1268	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1112	LoL Account Checker.exe
1112	LoL Account Checker.exe
1700	powershell.exe
1244	powershell.exe
1112	LoL Account Checker.exe
1112	LoL Account Checker.exe
1112	LoL Account Checker.exe
1112	LoL Account Checker.exe
692	powershell.exe
912	powershell.exe
1656	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	1244	powershell.exe
Token: SeShutdownPrivilege	1112	LoL Account Checker.exe
Token: SeDebugPrivilege	692	powershell.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 1756	1384	4bc5ade40ab56113ce9709c0da15416628e089e838864a6756ceca90b8ffaf5b.exe	28
PID 1384 wrote to memory of 1756	1384	4bc5ade40ab56113ce9709c0da15416628e089e838864a6756ceca90b8ffaf5b.exe	28
PID 1384 wrote to memory of 1756	1384	4bc5ade40ab56113ce9709c0da15416628e089e838864a6756ceca90b8ffaf5b.exe	28
PID 1384 wrote to memory of 1756	1384	4bc5ade40ab56113ce9709c0da15416628e089e838864a6756ceca90b8ffaf5b.exe	28
PID 1384 wrote to memory of 1752	1384	4bc5ade40ab56113ce9709c0da15416628e089e838864a6756ceca90b8ffaf5b.exe	29
PID 1384 wrote to memory of 1752	1384	4bc5ade40ab56113ce9709c0da15416628e089e838864a6756ceca90b8ffaf5b.exe	29
PID 1384 wrote to memory of 1752	1384	4bc5ade40ab56113ce9709c0da15416628e089e838864a6756ceca90b8ffaf5b.exe	29
PID 1384 wrote to memory of 1752	1384	4bc5ade40ab56113ce9709c0da15416628e089e838864a6756ceca90b8ffaf5b.exe	29
PID 1384 wrote to memory of 1968	1384	4bc5ade40ab56113ce9709c0da15416628e089e838864a6756ceca90b8ffaf5b.exe	32
PID 1384 wrote to memory of 1968	1384	4bc5ade40ab56113ce9709c0da15416628e089e838864a6756ceca90b8ffaf5b.exe	32
PID 1384 wrote to memory of 1968	1384	4bc5ade40ab56113ce9709c0da15416628e089e838864a6756ceca90b8ffaf5b.exe	32
PID 1384 wrote to memory of 1968	1384	4bc5ade40ab56113ce9709c0da15416628e089e838864a6756ceca90b8ffaf5b.exe	32
PID 1756 wrote to memory of 1700	1756	cmd.exe	33
PID 1756 wrote to memory of 1700	1756	cmd.exe	33
PID 1756 wrote to memory of 1700	1756	cmd.exe	33
PID 1756 wrote to memory of 1700	1756	cmd.exe	33
PID 1752 wrote to memory of 1244	1752	cmd.exe	34
PID 1752 wrote to memory of 1244	1752	cmd.exe	34
PID 1752 wrote to memory of 1244	1752	cmd.exe	34
PID 1752 wrote to memory of 1244	1752	cmd.exe	34
PID 1384 wrote to memory of 940	1384	4bc5ade40ab56113ce9709c0da15416628e089e838864a6756ceca90b8ffaf5b.exe	37
PID 1384 wrote to memory of 940	1384	4bc5ade40ab56113ce9709c0da15416628e089e838864a6756ceca90b8ffaf5b.exe	37
PID 1384 wrote to memory of 940	1384	4bc5ade40ab56113ce9709c0da15416628e089e838864a6756ceca90b8ffaf5b.exe	37
PID 1384 wrote to memory of 940	1384	4bc5ade40ab56113ce9709c0da15416628e089e838864a6756ceca90b8ffaf5b.exe	37
PID 1968 wrote to memory of 1552	1968	cmd.exe	38
PID 1968 wrote to memory of 1552	1968	cmd.exe	38
PID 1968 wrote to memory of 1552	1968	cmd.exe	38
PID 1968 wrote to memory of 1552	1968	cmd.exe	38
PID 940 wrote to memory of 1112	940	cmd.exe	40
PID 940 wrote to memory of 1112	940	cmd.exe	40
PID 940 wrote to memory of 1112	940	cmd.exe	40
PID 940 wrote to memory of 1112	940	cmd.exe	40
PID 1752 wrote to memory of 692	1752	cmd.exe	41
PID 1752 wrote to memory of 692	1752	cmd.exe	41
PID 1752 wrote to memory of 692	1752	cmd.exe	41
PID 1752 wrote to memory of 692	1752	cmd.exe	41
PID 1552 wrote to memory of 1108	1552	LoL Checker x64.exe	42
PID 1552 wrote to memory of 1108	1552	LoL Checker x64.exe	42
PID 1552 wrote to memory of 1108	1552	LoL Checker x64.exe	42
PID 1552 wrote to memory of 1108	1552	LoL Checker x64.exe	42
PID 1552 wrote to memory of 1672	1552	LoL Checker x64.exe	43
PID 1552 wrote to memory of 1672	1552	LoL Checker x64.exe	43
PID 1552 wrote to memory of 1672	1552	LoL Checker x64.exe	43
PID 1552 wrote to memory of 1672	1552	LoL Checker x64.exe	43
PID 1108 wrote to memory of 912	1108	cmd.exe	46
PID 1108 wrote to memory of 912	1108	cmd.exe	46
PID 1108 wrote to memory of 912	1108	cmd.exe	46
PID 1108 wrote to memory of 912	1108	cmd.exe	46
PID 1672 wrote to memory of 1704	1672	cmd.exe	47
PID 1672 wrote to memory of 1704	1672	cmd.exe	47
PID 1672 wrote to memory of 1704	1672	cmd.exe	47
PID 1672 wrote to memory of 1704	1672	cmd.exe	47
PID 1108 wrote to memory of 1656	1108	cmd.exe	48
PID 1108 wrote to memory of 1656	1108	cmd.exe	48
PID 1108 wrote to memory of 1656	1108	cmd.exe	48
PID 1108 wrote to memory of 1656	1108	cmd.exe	48

C:\Users\Admin\AppData\Local\Temp\4bc5ade40ab56113ce9709c0da15416628e089e838864a6756ceca90b8ffaf5b.exe
"C:\Users\Admin\AppData\Local\Temp\4bc5ade40ab56113ce9709c0da15416628e089e838864a6756ceca90b8ffaf5b.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Windows\SysWOW64\cmd.exe
  cmd /c powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Loading Rust Components. It can take up to 5 minutes, please wait.','Error','OK','Error')"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Loading Rust Components. It can take up to 5 minutes, please wait.','Error','OK','Error')"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1244
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start "" "C:\Users\Admin\AppData\Local\Temp\LoL Checker x64.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Users\Admin\AppData\Local\Temp\LoL Checker x64.exe
    "C:\Users\Admin\AppData\Local\Temp\LoL Checker x64.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1552
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1108
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c start "" "C:\Users\Admin\AppData\Local\Temp\Runtime64.exe"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1672
    - - C:\Users\Admin\AppData\Local\Temp\Runtime64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Runtime64.exe"
        5⤵
        Modifies extensions of user files
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Drops desktop.ini file(s)
        
        PID:1704
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        6⤵
        
        PID:1336
        
        C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        7⤵
        Interacts with shadow copies
        
        PID:1268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start "" "C:\Users\Admin\AppData\Local\Temp\LoL Account Checker.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Users\Admin\AppData\Local\Temp\LoL Account Checker.exe
    "C:\Users\Admin\AppData\Local\Temp\LoL Account Checker.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1112

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Updater6\RESTORE-MY-FILES.txt

Filesize
727B

MD5
0e129f3cbe4541431d9af393cf717a42

SHA1
eaf62bed06ff1bf1dc2635c9b892f2c13e6055fc

SHA256
bd3403cd9d471fb4d08da84f7c8c9a793218aee2a18ab725eb573febb63cd9ca

SHA512
293e50377f4779dccf5c45b55f57ed86357b1a48f7cf2f71bb29a56d50adee343cedc639a9644db784c34797ef4545d946a57b586ab0d5dc1ae71a95325ffbdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\LoL Account Checker.exe

Filesize
4.2MB

MD5
737d5f15ce6f25fd35748317f418228e

SHA1
ce770614c55fd78247e81073739a65a4859af95a

SHA256
05e13b81086568e323aa2a00d3c63f8df46f679a1d22a7a35062384f51342820

SHA512
4913be2a1797ffc4b6be68a95bde091897a31490aec701580bf9978f5a76b3bc3d69655e500dac97ff5776d1325c97fe0ceae66982b84179f05ffd30ff4c3c9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\LoL Account Checker.exe

Filesize
4.2MB

MD5
737d5f15ce6f25fd35748317f418228e

SHA1
ce770614c55fd78247e81073739a65a4859af95a

SHA256
05e13b81086568e323aa2a00d3c63f8df46f679a1d22a7a35062384f51342820

SHA512
4913be2a1797ffc4b6be68a95bde091897a31490aec701580bf9978f5a76b3bc3d69655e500dac97ff5776d1325c97fe0ceae66982b84179f05ffd30ff4c3c9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\LoL Checker x64.exe

Filesize
257KB

MD5
872be464e8b07144dd04ead953d26fec

SHA1
6908505f45adf61875f78e4e3e374da2d380b3b8

SHA256
42105689f3974b93b06d56c81d4a6852e0ab7759eaa63834941be7ad4290ff60

SHA512
a9b082aea81a7801f77588ba8834b71ddbd64f43169e9f381f8f43145470e3ed5442551e2483e2c88b7a596d5ccf9cfeb3f5d900ce2c4baa2a6742baa924f5a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\LoL Checker x64.exe

Filesize
257KB

MD5
872be464e8b07144dd04ead953d26fec

SHA1
6908505f45adf61875f78e4e3e374da2d380b3b8

SHA256
42105689f3974b93b06d56c81d4a6852e0ab7759eaa63834941be7ad4290ff60

SHA512
a9b082aea81a7801f77588ba8834b71ddbd64f43169e9f381f8f43145470e3ed5442551e2483e2c88b7a596d5ccf9cfeb3f5d900ce2c4baa2a6742baa924f5a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runtime64.exe

Filesize
252KB

MD5
3c9bd0d16cea39a29132136d93c0b2ec

SHA1
5ffdf5cb39cc0e51753843e9e0aa14a201472fe4

SHA256
f96e95622e7ef19947169f534f792b660cf9ba8209a3b5de0ff7a22e2d5b1e86

SHA512
314cccc5f00952d19819363342a149fae3ca73db1bff31253a267142537890ea6fab7461c25ff5d0bf530631beac477905ee93a06ef3fafd98ee398bf3aa9fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runtime64.exe

Filesize
252KB

MD5
3c9bd0d16cea39a29132136d93c0b2ec

SHA1
5ffdf5cb39cc0e51753843e9e0aa14a201472fe4

SHA256
f96e95622e7ef19947169f534f792b660cf9ba8209a3b5de0ff7a22e2d5b1e86

SHA512
314cccc5f00952d19819363342a149fae3ca73db1bff31253a267142537890ea6fab7461c25ff5d0bf530631beac477905ee93a06ef3fafd98ee398bf3aa9fd4

Download Submit
C:\Users\Admin\AppData\Local\logsxc\screen-1.png

Filesize
298KB

MD5
3c781e78c002450cca5ea397bf412566

SHA1
b40aab5dcbc7f1d4f03f8ede75061a5b12a2bb09

SHA256
658d23eb082ce190d17333f4f55bfe60eea8a4de4b92150cae51953dab861a34

SHA512
9e9ab3fafab188f311256ea7f14aa7acc2240494de9560a89e5f4e6a0d1ebdfa611cac46ea790188c6e3be365a1007a436dc71f6bdb14a617a94af38a3d7d898

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LLHB72Y16SKX6H0CH8KW.temp

Filesize
7KB

MD5
cd07ba3becab8487484c9315e7423e80

SHA1
edb9a24ff3b8d1094a500772a90b04733cf1d6c1

SHA256
b74ebf16a66ca184816d8bc0c119bd8f6a18c47aafcf04e6c2d8f24fb275a95b

SHA512
90356b36c312517f336082477a13f1004dc6b6eb42b25bdac046c97e9cea1ba3b092fe52bdf9ce5c52bc4cf7acf32c6acee41d2d3a2373ee809527208c4416da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
cd07ba3becab8487484c9315e7423e80

SHA1
edb9a24ff3b8d1094a500772a90b04733cf1d6c1

SHA256
b74ebf16a66ca184816d8bc0c119bd8f6a18c47aafcf04e6c2d8f24fb275a95b

SHA512
90356b36c312517f336082477a13f1004dc6b6eb42b25bdac046c97e9cea1ba3b092fe52bdf9ce5c52bc4cf7acf32c6acee41d2d3a2373ee809527208c4416da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
cd07ba3becab8487484c9315e7423e80

SHA1
edb9a24ff3b8d1094a500772a90b04733cf1d6c1

SHA256
b74ebf16a66ca184816d8bc0c119bd8f6a18c47aafcf04e6c2d8f24fb275a95b

SHA512
90356b36c312517f336082477a13f1004dc6b6eb42b25bdac046c97e9cea1ba3b092fe52bdf9ce5c52bc4cf7acf32c6acee41d2d3a2373ee809527208c4416da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
cd07ba3becab8487484c9315e7423e80

SHA1
edb9a24ff3b8d1094a500772a90b04733cf1d6c1

SHA256
b74ebf16a66ca184816d8bc0c119bd8f6a18c47aafcf04e6c2d8f24fb275a95b

SHA512
90356b36c312517f336082477a13f1004dc6b6eb42b25bdac046c97e9cea1ba3b092fe52bdf9ce5c52bc4cf7acf32c6acee41d2d3a2373ee809527208c4416da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
cd07ba3becab8487484c9315e7423e80

SHA1
edb9a24ff3b8d1094a500772a90b04733cf1d6c1

SHA256
b74ebf16a66ca184816d8bc0c119bd8f6a18c47aafcf04e6c2d8f24fb275a95b

SHA512
90356b36c312517f336082477a13f1004dc6b6eb42b25bdac046c97e9cea1ba3b092fe52bdf9ce5c52bc4cf7acf32c6acee41d2d3a2373ee809527208c4416da

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk

Filesize
1B

MD5
d1457b72c3fb323a2671125aef3eab5d

SHA1
5bab61eb53176449e25c2c82f172b82cb13ffb9d

SHA256
8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1

SHA512
ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

Download Submit
\Users\Admin\AppData\Local\Temp\LoL Account Checker.exe

Filesize
4.2MB

MD5
737d5f15ce6f25fd35748317f418228e

SHA1
ce770614c55fd78247e81073739a65a4859af95a

SHA256
05e13b81086568e323aa2a00d3c63f8df46f679a1d22a7a35062384f51342820

SHA512
4913be2a1797ffc4b6be68a95bde091897a31490aec701580bf9978f5a76b3bc3d69655e500dac97ff5776d1325c97fe0ceae66982b84179f05ffd30ff4c3c9e

Download Submit
\Users\Admin\AppData\Local\Temp\LoL Account Checker.exe

Filesize
4.2MB

MD5
737d5f15ce6f25fd35748317f418228e

SHA1
ce770614c55fd78247e81073739a65a4859af95a

SHA256
05e13b81086568e323aa2a00d3c63f8df46f679a1d22a7a35062384f51342820

SHA512
4913be2a1797ffc4b6be68a95bde091897a31490aec701580bf9978f5a76b3bc3d69655e500dac97ff5776d1325c97fe0ceae66982b84179f05ffd30ff4c3c9e

Download Submit
\Users\Admin\AppData\Local\Temp\LoL Account Checker.exe

Filesize
4.2MB

MD5
737d5f15ce6f25fd35748317f418228e

SHA1
ce770614c55fd78247e81073739a65a4859af95a

SHA256
05e13b81086568e323aa2a00d3c63f8df46f679a1d22a7a35062384f51342820

SHA512
4913be2a1797ffc4b6be68a95bde091897a31490aec701580bf9978f5a76b3bc3d69655e500dac97ff5776d1325c97fe0ceae66982b84179f05ffd30ff4c3c9e

Download Submit
\Users\Admin\AppData\Local\Temp\LoL Checker x64.exe

Filesize
257KB

MD5
872be464e8b07144dd04ead953d26fec

SHA1
6908505f45adf61875f78e4e3e374da2d380b3b8

SHA256
42105689f3974b93b06d56c81d4a6852e0ab7759eaa63834941be7ad4290ff60

SHA512
a9b082aea81a7801f77588ba8834b71ddbd64f43169e9f381f8f43145470e3ed5442551e2483e2c88b7a596d5ccf9cfeb3f5d900ce2c4baa2a6742baa924f5a4

Download Submit
\Users\Admin\AppData\Local\Temp\Runtime64.exe

Filesize
252KB

MD5
3c9bd0d16cea39a29132136d93c0b2ec

SHA1
5ffdf5cb39cc0e51753843e9e0aa14a201472fe4

SHA256
f96e95622e7ef19947169f534f792b660cf9ba8209a3b5de0ff7a22e2d5b1e86

SHA512
314cccc5f00952d19819363342a149fae3ca73db1bff31253a267142537890ea6fab7461c25ff5d0bf530631beac477905ee93a06ef3fafd98ee398bf3aa9fd4

Download Submit
\Users\Admin\AppData\Local\Temp\Runtime64.exe

Filesize
252KB

MD5
3c9bd0d16cea39a29132136d93c0b2ec

SHA1
5ffdf5cb39cc0e51753843e9e0aa14a201472fe4

SHA256
f96e95622e7ef19947169f534f792b660cf9ba8209a3b5de0ff7a22e2d5b1e86

SHA512
314cccc5f00952d19819363342a149fae3ca73db1bff31253a267142537890ea6fab7461c25ff5d0bf530631beac477905ee93a06ef3fafd98ee398bf3aa9fd4

Download Submit
memory/692-4837-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/912-4851-0x0000000002810000-0x0000000002850000-memory.dmp

Filesize
256KB

Download
memory/912-4850-0x0000000002810000-0x0000000002850000-memory.dmp

Filesize
256KB

Download
memory/1244-4829-0x00000000026D0000-0x0000000002710000-memory.dmp

Filesize
256KB

Download
memory/1244-4831-0x00000000026D0000-0x0000000002710000-memory.dmp

Filesize
256KB

Download
memory/1384-485-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-522-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-486-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-488-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-490-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-489-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-492-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-491-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-493-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-494-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-496-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-495-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-497-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-498-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-499-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-501-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-500-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-503-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-502-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-504-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-505-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-507-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-506-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-508-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-509-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-510-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-512-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-511-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-513-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-515-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-514-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-516-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-517-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-518-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-519-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-521-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-520-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-487-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-523-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-1592-0x0000000002130000-0x0000000002230000-memory.dmp

Filesize
1024KB

Download
memory/1384-1593-0x00000000022E0000-0x0000000002461000-memory.dmp

Filesize
1.5MB

Download
memory/1384-484-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-54-0x0000000075550000-0x0000000075597000-memory.dmp

Filesize
284KB

Download
memory/1384-4812-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-4811-0x0000000000400000-0x0000000000992000-memory.dmp

Filesize
5.6MB

Download
memory/1384-482-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-483-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-481-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-480-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-479-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-478-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-4817-0x00000000027C0000-0x0000000002861000-memory.dmp

Filesize
644KB

Download
memory/1384-477-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-475-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-460-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-476-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-462-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-474-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-473-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-472-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-471-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-470-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-469-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-467-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-468-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-464-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-461-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-466-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-463-0x0000000002590000-0x00000000026A1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-465-0x0000000000400000-0x0000000000992000-memory.dmp

Filesize
5.6MB

Download
memory/1700-4830-0x0000000002590000-0x00000000025D0000-memory.dmp

Filesize
256KB

Download
memory/1700-4828-0x0000000002590000-0x00000000025D0000-memory.dmp

Filesize
256KB

Download
memory/1704-4857-0x000000001AFC0000-0x000000001B040000-memory.dmp

Filesize
512KB

Download
memory/1704-4858-0x0000000000180000-0x0000000000198000-memory.dmp

Filesize
96KB

Download
memory/1704-4849-0x0000000000EA0000-0x0000000000EE4000-memory.dmp

Filesize
272KB

Download
memory/1704-5105-0x000000001AFC0000-0x000000001B040000-memory.dmp

Filesize
512KB

Download