Analysis Overview
SHA256
e0abe2b7858a2b2f90293426e35841de996c6cb1f8c00e20f8dfc13f53f9f2f8
Threat Level: Known bad
The file Sig.exe was found to be: Known bad.
Malicious Activity Summary
Lockbit
SmokeLoader
Rule to detect Lockbit 3.0 ransomware Windows payload
Renames multiple (598) files with added filename extension
Reads user/profile data of web browsers
Executes dropped EXE
Drops desktop.ini file(s)
Suspicious use of SetThreadContext
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-27 11:17
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-27 11:17
Reported
2024-02-27 11:19
Platform
win10v2004-20240226-en
Max time kernel
71s
Max time network
68s
Command Line
Signatures
Lockbit
Rule to detect Lockbit 3.0 ransomware Windows payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Renames multiple (598) files with added filename extension
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\220A.exe | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-609813121-2907144057-1731107329-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\220A.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-609813121-2907144057-1731107329-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\220A.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1760 set thread context of 4212 | N/A | C:\Users\Admin\AppData\Local\Temp\Sig.exe | C:\Windows\SysWOW64\cmd.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\System32\Taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\Taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\Taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668} | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616193" | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Sort = 0000000000000000000000000000000002000000f4eec83032a8e241ab32e3c3ca28fd29030000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Mode = "6" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\IconSize = "48" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByDirection = "1" | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:PID = "2" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Rev = "0" | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\LogicalViewMode = "2" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616209" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupView = "4294967295" | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1" | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f80cb859f6720028040b29b5540cc05aab60000 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:FMTID = "{30C8EEF4-A832-41E2-AB32-E3C3CA28FD29}" | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\Taskmgr.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\System32\Taskmgr.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\220A.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\220A.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\220A.exe | N/A |
| Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\220A.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\220A.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\220A.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\220A.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\220A.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\220A.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\220A.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\220A.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\220A.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\220A.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\220A.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\220A.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1760 wrote to memory of 4212 | N/A | C:\Users\Admin\AppData\Local\Temp\Sig.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3384 wrote to memory of 380 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\220A.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Sig.exe
"C:\Users\Admin\AppData\Local\Temp\Sig.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWow64\cmd.exe"
C:\Windows\System32\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\220A.exe
C:\Users\Admin\AppData\Local\Temp\220A.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kkudndkwatnfevcaqeefytqnh.top | udp |
| NL | 193.222.96.164:80 | kkudndkwatnfevcaqeefytqnh.top | tcp |
| US | 8.8.8.8:53 | 164.96.222.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 189.178.17.96.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\220A.exe
| MD5 | 9b7027b10ee698c1588def9cbcdb03d8 |
| SHA1 | 0804a8a4a2dcb427df8923a5e6647c49ff786f41 |
| SHA256 | e4e6567b1861ca066a60c3257baaa5ef495694ca66b87647b36008500c935bcd |
| SHA512 | bf27f03d5cefcc2d6ec4dbc60ffd28255324e08b78dd0b3da5a31a3d578fa718768d826d7e656b2ff626fef8651dbed9b61b4f5b48df5aa81921763552226041 |
C:\$Recycle.Bin\S-1-5-21-609813121-2907144057-1731107329-1000\BBBBBBBBBBB
| MD5 | 0ef45a96e30b818fe4dc27bfbb5678af |
| SHA1 | e39ebd80d0d8870115cf58253e6b8729b0073170 |
| SHA256 | 44eef9e474884694d6c7ab31dfc20799af949eb36cc34f99709c4bb58143d433 |
| SHA512 | 94575e094185a808b7c9014cb1979f044035c50234348f18c87c4a9d243bbf31e287868ca3730d4081a9099ff2dc0272f3d4c9dd8184e8227ed13b0eae98e398 |
F:\$RECYCLE.BIN\S-1-5-21-609813121-2907144057-1731107329-1000\EEEEEEEEEEE
| MD5 | 7360248779a08968ee9e401ae0891607 |
| SHA1 | ad5387c54f7c68e22de4299ed889dde61132e196 |
| SHA256 | 7216d75912f2b52fc132ebc4ede2c571cbdeeb8852c2f66a58036f6abdd04050 |
| SHA512 | 6bc7389ef37c04cd82a8d86bbb1519e0d381be534ae2147e707204a455d42b3e80ee18d49f88838fda62ef4d399c5cc0610aab6c7cf809af788089435b3bff06 |
C:\iBUgUvnWk.README.txt
| MD5 | 7c3d34a06bb11ab8383e8afa4c60434d |
| SHA1 | f87e16c6e6d36e70f436228aa3244dfb76f7fc2c |
| SHA256 | 2639d017985bafc4a1b213f5b9cf9409a16bc4b01ece1952bc4360a03bf3066a |
| SHA512 | 7969f6b2b9b5586fedbda52b895704fe2ba31bf7914a04dea790d2787326c66cfb644baf4c913adad22929d4a1e1f3e5d17fc369672f411d857aa456c3ab57bb |
C:\Users\Admin\AppData\Local\D3DSCache\ecbf0d5a3a180bb\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
| MD5 | c6e441fd7ca5fec251e7f0d06538ced1 |
| SHA1 | 47aa742761dafd0b85e0658d6199ae5176e900f4 |
| SHA256 | 305ec29e7fb5d619b11aef85888948d47d4d7e138eda6924ea7d395aa46fb70b |
| SHA512 | 62083d36653b545906d336ba741cc2ea8dc6947412c3f1c3632c9fe9d18f9cdedff92753fd821fcf206ae140fa767f20d73bdb02b10ee4402c3a7a339b3ed1d9 |