Malware Analysis Report

2024-11-30 11:42

Sample ID 240216-dagk5sfb9y
Target 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.7z
SHA256 853ed24a495d866d64a922922e5d5329ed165fe102cef00007095ee92ba3746d
Tags
lockbit ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

853ed24a495d866d64a922922e5d5329ed165fe102cef00007095ee92ba3746d

Threat Level: Known bad

The file 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.7z was found to be: Known bad.

Malicious Activity Summary

lockbit ransomware

Rule to detect Lockbit 3.0 ransomware Windows payload

Lockbit

Lockbit family

Renames multiple (150) files with added filename extension

Renames multiple (187) files with added filename extension

Deletes itself

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Drops desktop.ini file(s)

Suspicious use of NtSetInformationThreadHideFromDebugger

Sets desktop wallpaper using registry

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Modifies Control Panel

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-16 02:48

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-16 02:48

Reported

2024-02-16 03:00

Platform

win7-20231215-en

Max time kernel

475s

Max time network

365s

Command Line

"C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe"

Signatures

Lockbit

ransomware lockbit

Renames multiple (187) files with added filename extension

ransomware

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\187.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\187.tmp N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-3308111660-3636268597-2291490419-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3308111660-3636268597-2291490419-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\47IsP2Rni.bmp" C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\47IsP2Rni.bmp" C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.47IsP2Rni C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.47IsP2Rni\ = "47IsP2Rni" C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\47IsP2Rni\DefaultIcon C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\47IsP2Rni C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\47IsP2Rni\DefaultIcon\ = "C:\\ProgramData\\47IsP2Rni.ico" C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe

"C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe"

C:\ProgramData\187.tmp

"C:\ProgramData\187.tmp"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x150

Network

N/A

Files

memory/2128-0-0x0000000000CC0000-0x0000000000D00000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3308111660-3636268597-2291490419-1000\desktop.ini

MD5 e29880760ae4059d333875d8eefd4e11
SHA1 f77fba677ae83215d5db574fb6ee8ea8858b89c8
SHA256 78b252dd09b048f87b781437db9fee6b526ccae06734604306669a2af362af21
SHA512 203724d08c6ab6b8e19f94a98e51e0901c3497407d920091bec3261a1bd3bac070a62ba6ccc07a3c66434b38426ba4b59815c860865255770869c6ab88055abc

C:\Users\47IsP2Rni.README.txt

MD5 5199fb0a5a4d173b1c7f827478289b7f
SHA1 b8db09c2d81df3decc4b9b9523e78c0c9454d6a9
SHA256 5c13e5624f32dd1852e73b47fa1c07d48f26263afd298877b2b02f34663ccc00
SHA512 35ebc74abf47e1e9ce690b4806cc275160c814b66536b86c9fa453250fa67f72f465325d0bc798358fb3e0952f7349e87b777c2cc90bf2cb4a4824e39e464495

F:\$RECYCLE.BIN\S-1-5-21-3308111660-3636268597-2291490419-1000\DDDDDDDDDDD

MD5 5f4041ac8315c713061444fa99e480a7
SHA1 3541ab52e840b07fa763c56b8a686c92fdb46b5d
SHA256 8a7861ee8e0d907725c334c33413fb55b3bdc506b97e9e85d17a8d7de820cb51
SHA512 7cca3a8f9458c71dbc5dcba0d95e8da051cc7f34d9f0d09454927cff578ec89f45334afe837a71349cccf10b332a2fd77d1ab09366c6bdedf591101ac5d8f4ee

\ProgramData\187.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/1280-317-0x0000000000400000-0x0000000000407000-memory.dmp

memory/1280-319-0x0000000002180000-0x00000000021C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 9731487ef53876c2eb556ea98c454b2e
SHA1 d709a3fb0b6b461f83b790de45796895d4aa1769
SHA256 661b60cfad334b36bffd880831732f71959205ee4106e13d0fea37e14c7ef53f
SHA512 dee0b9cd5e0b7ea0f0f829dc7fdef880783f9a52484bce981f1a222cccac1f19f83a892793b00928df53128f06766575870dc7923e0a20d3c5f1988c767b746b

memory/1280-320-0x000000007EF80000-0x000000007EF81000-memory.dmp

memory/1280-349-0x000000007EF20000-0x000000007EF21000-memory.dmp

memory/1280-350-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

memory/1280-351-0x0000000000400000-0x0000000000407000-memory.dmp

memory/1280-352-0x0000000002180000-0x00000000021C0000-memory.dmp

memory/1280-353-0x0000000002180000-0x00000000021C0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-16 02:48

Reported

2024-02-16 02:58

Platform

win10v2004-20231215-en

Max time kernel

438s

Max time network

443s

Command Line

"C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe"

Signatures

Lockbit

ransomware lockbit

Renames multiple (150) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation C:\ProgramData\B93E.tmp N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\B93E.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\B93E.tmp N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-996941297-2279405024-2328152752-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-996941297-2279405024-2328152752-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\47IsP2Rni.bmp" C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\47IsP2Rni.bmp" C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.47IsP2Rni C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.47IsP2Rni\ = "47IsP2Rni" C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\47IsP2Rni\DefaultIcon C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\47IsP2Rni C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\47IsP2Rni\DefaultIcon\ = "C:\\ProgramData\\47IsP2Rni.ico" C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe

"C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe"

C:\ProgramData\B93E.tmp

"C:\ProgramData\B93E.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\B93E.tmp >> NUL

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 90.65.42.20.in-addr.arpa udp

Files

memory/3360-0-0x00000000025C0000-0x00000000025D0000-memory.dmp

memory/3360-1-0x00000000025C0000-0x00000000025D0000-memory.dmp

memory/3360-2-0x00000000025C0000-0x00000000025D0000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-996941297-2279405024-2328152752-1000\NNNNNNNNNNN

MD5 0744736b0d08e257aeafc82ef3f36f93
SHA1 c06ae3686bbcf4e11b9e9f6a90543a6e7089b852
SHA256 1f418a40640613be2bea3f4d03edb80a9ef103e29901f77649f2aad383ecfde9
SHA512 b554d65a02700a018921e14fdf8a3edaf901f7cf950bf58faa7c6bd3464ccbba799ecf7482eed8f23715db6a8c7ab9b7e6dfc6f9e66fa57dad266425fee40539

C:\Users\47IsP2Rni.README.txt

MD5 bcdba1dc809fe14500cbd6fe3461d920
SHA1 66d07e6dcfca8a0ce4f59771fb784ab041666aaa
SHA256 8d9e7957f604702307849a4a9b95096d53bc6cb2056b07564e46afa4c9e0453a
SHA512 3a2482ce0bd9330bf48b645f34a743bb0b2604f78acf9f948dafb5af0518c008ac9cd9cd29fd8da91dae5a63483dffb2dcf17c26561131626dc7c06f589de6c7

F:\$RECYCLE.BIN\S-1-5-21-996941297-2279405024-2328152752-1000\DDDDDDDDDDD

MD5 92d8bedd0ffc9a205c51443a6f6c061f
SHA1 a5589cbf0f0fe912c3d4f29466b592415dcd8cde
SHA256 26c72721b05226ec0957831e0fca93469579846dfbc529a84f52e97762819676
SHA512 74f262d084d9485d48a19eb976623f8509e6f908ecf22932085c5a736badf8edd5095325ab0652b32c48ea6fbb13043e45461beee4cd7882b49b6045f3ef0a84

C:\ProgramData\B93E.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/1224-307-0x0000000000400000-0x0000000000407000-memory.dmp

memory/1224-308-0x000000007FE40000-0x000000007FE41000-memory.dmp

memory/1224-309-0x0000000000590000-0x00000000005A0000-memory.dmp

memory/1224-310-0x0000000000590000-0x00000000005A0000-memory.dmp

memory/1224-311-0x000000007FE20000-0x000000007FE21000-memory.dmp

memory/1224-312-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 7f23c476873effbfd8ef825f6048440d
SHA1 4ad7686160c1a301f09960c03bad9d6574a63471
SHA256 02d9cf5b6eaf5aadb3cc4a81a2130f52f44af1c87cc243987ddda960725fa364
SHA512 29ee39f2c16bc8ffe476331988eeb37b6640d59cb152d331d9dcf8ed3f5ef3f6748a3a2dac58f95fb455fe44c25b2b67812c5cbf69d697625c7bb4437e1d6755

memory/1224-341-0x0000000000400000-0x0000000000407000-memory.dmp

memory/1224-342-0x0000000000590000-0x00000000005A0000-memory.dmp

memory/1224-346-0x000000007FE00000-0x000000007FE01000-memory.dmp

memory/1224-345-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

memory/1224-347-0x0000000000400000-0x0000000000407000-memory.dmp