Malware Analysis Report

2024-11-30 11:40

Sample ID 240215-jzfb9sce2z
Target 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.7z
SHA256 853ed24a495d866d64a922922e5d5329ed165fe102cef00007095ee92ba3746d
Tags
lockbit ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

853ed24a495d866d64a922922e5d5329ed165fe102cef00007095ee92ba3746d

Threat Level: Known bad

The file 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.7z was found to be: Known bad.

Malicious Activity Summary

lockbit ransomware

Lockbit family

Rule to detect Lockbit 3.0 ransomware Windows payload

Lockbit

Renames multiple (168) files with added filename extension

Renames multiple (193) files with added filename extension

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Deletes itself

Drops desktop.ini file(s)

Suspicious use of NtSetInformationThreadHideFromDebugger

Sets desktop wallpaper using registry

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: RenamesItself

Modifies registry class

Modifies Control Panel

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Opens file in notepad (likely ransom note)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-15 08:06

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-15 08:06

Reported

2024-02-15 08:16

Platform

win7-20231215-en

Max time kernel

365s

Max time network

360s

Command Line

"C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe"

Signatures

Lockbit

ransomware lockbit

Renames multiple (193) files with added filename extension

ransomware

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\34C6.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\34C6.tmp N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-3818056530-936619650-3554021955-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3818056530-936619650-3554021955-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\47IsP2Rni.bmp" C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\47IsP2Rni.bmp" C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\47IsP2Rni\DefaultIcon\ = "C:\\ProgramData\\47IsP2Rni.ico" C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.47IsP2Rni C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.47IsP2Rni\ = "47IsP2Rni" C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\47IsP2Rni\DefaultIcon C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\47IsP2Rni C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe

"C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe"

C:\ProgramData\34C6.tmp

"C:\ProgramData\34C6.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\34C6.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x150

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

Network

N/A

Files

memory/3008-0-0x00000000007A0000-0x00000000007E0000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3818056530-936619650-3554021955-1000\desktop.ini

MD5 95daa831369bbf496866dff68cfc78cd
SHA1 a6d8201e2091b064a2f160942973d5c4a2e1e686
SHA256 ddf1ff26a661f0bbacaf5a4d07460ea5627fb8917717dbb9ac3f3a94a6ddec2b
SHA512 6bea496e3ae351d2560febc42fd1a0e7d164d8412d5193907f51772aecfa177aa31ea9c3df66c005862f636758587e8c8686c675db5f7d039fcb4f745b5c3aa4

C:\Users\47IsP2Rni.README.txt

MD5 5e80834a3beac1ac107dd600729634f6
SHA1 6299398b2012289d48acc49953817a6423af3b0e
SHA256 ffd80bf4b264beb9e2caa0ddeacd8f1fd526412c1d86ad3bb4d9d88823578150
SHA512 8dbdae7eec3612e454d6c77131269e06cc2b34fd16a56f51324f1eb238ac001484245dd435f9f829490e75bb8a23cd567004b9428309242905fd6ca2fea4d99c

F:\$RECYCLE.BIN\S-1-5-21-3818056530-936619650-3554021955-1000\DDDDDDDDDDD

MD5 10b7bd29bb92168c80e261e5c9fe2315
SHA1 881341cc616951fa7500d0851989bcac1f02b58f
SHA256 a844b637f872a6aae81a9e609e2355dc75608ff9df9b211818513180fb547757
SHA512 a5dbca364702977f445b18b9906301b8a22c4ac551f40684371a56caebc34aec32dbcd03f01616a1182855d12640a118e9867a5dc2b7ba58165db33facda4a93

\ProgramData\34C6.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/1824-326-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 d9a77ba2ffbc3d2bddd302add9d43d38
SHA1 6cba15bca848732ae866daf099f4a77b17f1bab7
SHA256 ed2351ec7272cfee5be94db2430a5d3e3feb912455b4aef009e7a561ba0d5b13
SHA512 65611f3e0e5b0700dd8c45400df1146d42b79b15be552cdddf8bdffaa78409a6175199ea29a4a4ff822338a24d1010067acc89fea8703c993e15813e5b7adc83

memory/1824-328-0x0000000000380000-0x00000000003C0000-memory.dmp

memory/1824-354-0x000000007EF80000-0x000000007EF81000-memory.dmp

memory/1824-355-0x000000007EF20000-0x000000007EF21000-memory.dmp

memory/1824-357-0x0000000000380000-0x00000000003C0000-memory.dmp

memory/1824-358-0x0000000000380000-0x00000000003C0000-memory.dmp

memory/1824-360-0x000000007EF40000-0x000000007EF41000-memory.dmp

memory/1824-361-0x000000007EF40000-0x000000007EF41000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-15 08:06

Reported

2024-02-15 08:16

Platform

win10v2004-20231215-en

Max time kernel

599s

Max time network

601s

Command Line

"C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe"

Signatures

Lockbit

ransomware lockbit

Renames multiple (168) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\ProgramData\61A8.tmp N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\61A8.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\61A8.tmp N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-1497073144-2389943819-3385106915-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1497073144-2389943819-3385106915-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\47IsP2Rni.bmp" C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\47IsP2Rni.bmp" C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.47IsP2Rni C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.47IsP2Rni\ = "47IsP2Rni" C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\47IsP2Rni\DefaultIcon C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\47IsP2Rni C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\47IsP2Rni\DefaultIcon\ = "C:\\ProgramData\\47IsP2Rni.ico" C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe

"C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe"

C:\ProgramData\61A8.tmp

"C:\ProgramData\61A8.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\61A8.tmp >> NUL

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\47IsP2Rni.README.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp

Files

memory/1680-0-0x0000000002CC0000-0x0000000002CD0000-memory.dmp

memory/1680-1-0x0000000002CC0000-0x0000000002CD0000-memory.dmp

memory/1680-2-0x0000000002CC0000-0x0000000002CD0000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1497073144-2389943819-3385106915-1000\NNNNNNNNNNN

MD5 9002c5719665d9baa723a08eec072983
SHA1 ea878ae5a03e2ee6e34d92e5d15e4656710536f0
SHA256 0c2236449b14880c38c335a4b2b6f7b4a12651b1e5b023db1959cb1c07cf67d2
SHA512 6ccb83b6dac8dd04700c7631a1f0bbde83262b5c76d3ada03f75544a883b0f550048469631bf3c39a87d0bf7db3dc617952dda955210db8fa297a8728a581bb3

F:\$RECYCLE.BIN\S-1-5-21-1497073144-2389943819-3385106915-1000\DDDDDDDDDDD

MD5 110f6518e5881e2618ba493d39700f47
SHA1 5b13c457d19ca8fbddd2b1ea7ad05d2114eb0fc3
SHA256 0618f617f04688b448696eb623058695b090ce6b75c5c969fc0fb64af8151fe7
SHA512 5b1ee754acf38d845b1b8bb6e638fb6e202e008d4c66addbf0912d955e78e1b2a7a98b85b5ccbae2ce8349c7729ae682d15baf582126ec3449a6ce07c031c62e

C:\Users\47IsP2Rni.README.txt

MD5 a6c25dfa6970fcca52c2565e74a6fc5e
SHA1 b5688d9eb69cc157691d557a3d52a5f486b4d4b1
SHA256 72a75365c778e05bb1e635834c8462708e85b6abdb31df15dceb7291e22215f0
SHA512 f9116fd3454560918afa7992f499c1799aef85cb6afd82580d593c2f99af7e813c726ab51f2e172f3cfb8ea6870ba49573b10ba18f554aab7e6155ae87fa2828

C:\ProgramData\61A8.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/4344-325-0x000000007FE40000-0x000000007FE41000-memory.dmp

memory/4344-326-0x0000000002660000-0x0000000002670000-memory.dmp

memory/4344-327-0x0000000002660000-0x0000000002670000-memory.dmp

memory/4344-328-0x000000007FE20000-0x000000007FE21000-memory.dmp

memory/4344-329-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 b20e44a03d60caf25881b5d6ccbba6cb
SHA1 1f5afb4221c5b33aa98564058f4223d8ebcb95af
SHA256 94c422ae8af5888f26e273cda4ee8d3f6da63e3cbbb662477e5d286d24660923
SHA512 70733ed58b8a5b76e58642c45d1fd2ec06fadb4f073bf690c53d9527c1a2c58a859e07b695e7303d7c99b35a7ba05aad665615bde7fd0747ae507577c05c27c1

memory/4344-359-0x0000000002660000-0x0000000002670000-memory.dmp

memory/4344-360-0x0000000002660000-0x0000000002670000-memory.dmp

memory/4344-363-0x000000007FE00000-0x000000007FE01000-memory.dmp

memory/4344-362-0x000000007FDE0000-0x000000007FDE1000-memory.dmp