Malware Analysis Report

2024-11-15 07:22

Sample ID: 240311-g2ywaaeb5v
Target: 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9
SHA256: 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9
Tags: lockbit, ransomware
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9

Threat Level: Known bad

The file 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9 was found to be: Known bad.

Malicious Activity Summary

lockbit ransomware

Lockbit family

Rule to detect Lockbit 3.0 ransomware Windows payload

Lockbit

Renames multiple (166) files with added filename extension

Renames multiple (200) files with added filename extension

Deletes itself

Loads dropped DLL

Executes dropped EXE

Drops desktop.ini file(s)

Suspicious use of NtSetInformationThreadHideFromDebugger

Sets desktop wallpaper using registry

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Modifies Control Panel

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-11 06:18

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-11 06:18
Reported: 2024-03-11 06:23
Platform: win7-20240221-en
Max time kernel: 122s
Max time network: 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe"

Signatures

Lockbit

ransomware lockbit

Renames multiple (200) files with added filename extension

ransomware

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\99DF.tmp | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\99DF.tmp | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-778096762-2241304387-192235952-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-778096762-2241304387-192235952-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\47IsP2Rni.bmp" | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\47IsP2Rni.bmp" | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A

Modifies Control Panel

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.47IsP2Rni | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.47IsP2Rni\ = "47IsP2Rni" | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\47IsP2Rni\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\47IsP2Rni | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\47IsP2Rni\DefaultIcon\ = "C:\\ProgramData\\47IsP2Rni.ico" | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe

"C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe"

C:\ProgramData\99DF.tmp

"C:\ProgramData\99DF.tmp"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x150

Network

N/A

Files

memory/2216-0-0x00000000000F0000-0x0000000000130000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-778096762-2241304387-192235952-1000\desktop.ini

MD5 d0f12773a3398a61730e2efcc020ab5f
SHA1 7bcfb6c6a733d848d07f208e5f5afa8834b1e466
SHA256 d048a5715e9527166b39cfff8f3920b566ac4e1a749110e2782f9fcc5ee168dd
SHA512 16005eb4bf49846c91cc016f5a78c19ccb3b4fb2ca656a1580803916351d94fe6f7c76af66de83c15683ea139f5497135ea4207c224e415fb708ddba35b4e008

F:\$RECYCLE.BIN\S-1-5-21-778096762-2241304387-192235952-1000\CCCCCCCCCCC

MD5 47b278a38829bfc17d2d334890f66aea
SHA1 4f93f0c432939a038da4e388b60d4e72d9b8dd5a
SHA256 72c6e11191bcd684c48e025615ed74913eff1e336c0381d8d5316ed953893da8
SHA512 513683dbabc229f0cd151b7e510ce53cb83864a1e113475986f0c28ec2e4f058525e8792e5b7f8dd4522fa84f5dfed374f80df8181facaaf90aef4349aeb40a1

C:\47IsP2Rni.README.txt

MD5 1424d548d20733e35198de62787b4fe2
SHA1 611292e3a830310755e090bde24bc270dd595db7
SHA256 215cd6e86fa052eaaf2412cb3eee33a88e403c907abfe37862c868a1811f4276
SHA512 ed5ede8c64fe8a1a1df835d93b8b9fb922059f0252ed038fc658940e0d7689ee49de9243d3c26fd8a5d2eb04cc424f81c966656a10cc4c3b3925a52e04315dec

\ProgramData\99DF.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/2524-331-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

memory/2524-332-0x0000000000A00000-0x0000000000A40000-memory.dmp

memory/2524-334-0x0000000000A00000-0x0000000000A40000-memory.dmp

memory/2524-335-0x000000007EF80000-0x000000007EF81000-memory.dmp

memory/2524-338-0x000000007EF20000-0x000000007EF21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 3919150c23b8ccf3f2aef50bf210db0a
SHA1 2e53f444f2d1bd0f2b416fe5f3e8cd7e77ca5aaa
SHA256 ec80c96894266022c12464246d8a951aaffb956b9f710f3ac0955ce3a51ba06b
SHA512 b738553fb0077776426334b44813bd5d442db5c673b51653930f99c165801b064743e24d62af7d1050e43e41544d430705815b2992616123318de5bad56d478f

memory/2524-364-0x0000000000A00000-0x0000000000A40000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-11 06:18
Reported: 2024-03-11 06:22
Platform: win10v2004-20240226-en
Max time kernel: 131s
Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe"

Signatures

Lockbit

ransomware lockbit

Renames multiple (166) files with added filename extension

ransomware

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\D716.tmp | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\D716.tmp | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-1904519900-954640453-4250331663-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1904519900-954640453-4250331663-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\47IsP2Rni.bmp" | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\47IsP2Rni.bmp" | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A

Modifies Control Panel

evasion
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.47IsP2Rni | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.47IsP2Rni\ = "47IsP2Rni" | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\47IsP2Rni\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\47IsP2Rni | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\47IsP2Rni\DefaultIcon\ = "C:\\ProgramData\\47IsP2Rni.ico" | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe

"C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe"

C:\ProgramData\D716.tmp

"C:\ProgramData\D716.tmp"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=2256,i,18272763564106695635,11201593968620719822,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 13.107.246.64:443 | | tcp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp

Files

memory/3828-0-0x00000000034B0000-0x00000000034C0000-memory.dmp

memory/3828-1-0x00000000034B0000-0x00000000034C0000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1904519900-954640453-4250331663-1000\SSSSSSSSSSS

MD5 d7047ca8260e28e52053831888df88f4
SHA1 4fd0d6f76cf6b7e3b6bf381be850aa65ad1c1990
SHA256 79dfe75bf98d70056e1aa0eece6ab57b26d106ca9fbdd67ec58cc24526fd7f5b
SHA512 6c94f83e2661f01fa24d15aa077e92d155f3f2736d2e0cf96b70521336ddba7b558e8ea169c355cc7706a6a79c5c44ded2167244a8e605de8f95d766efc399cc

F:\$RECYCLE.BIN\S-1-5-21-1904519900-954640453-4250331663-1000\DDDDDDDDDDD

MD5 071ff65e458987030e1a138d8a9df734
SHA1 ec8ccb3242b8be9bec1258e9da7e41eced8ac057
SHA256 42a986ea366904cfbfbb4b0f2ba1ee9951a115e93ffd717863f18ed2193f79b0
SHA512 5c2798e26f9e22f582605ca6d14295864b553ade65ce2cad1a2d04e7eb78d64b33966138574bd799c856c027f76952e8d38c7cfe7fd18ff6676f22478022ecbd

C:\Users\47IsP2Rni.README.txt

MD5 dce8c32081c017b6fd91adcc143524e2
SHA1 f37c83923da63f633c639f95b8c4d756e37fd04b
SHA256 4b6ade91b594a04938d44c1fa9f373eb76fc9f957ac7f7df749d21d0a2e4b427
SHA512 531178ae8dc86c150f4ddc882c7b0071873539977c866c588e405f6131f5cd4bcd1ce8ae811c01154fe6142f5359e1436406ee885b7cacdf1a324714e2dfa3f3

memory/3828-317-0x00000000034B0000-0x00000000034C0000-memory.dmp

memory/3828-318-0x00000000034B0000-0x00000000034C0000-memory.dmp

memory/3828-319-0x00000000034B0000-0x00000000034C0000-memory.dmp

C:\ProgramData\D716.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/4740-325-0x000000007FE40000-0x000000007FE41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

MD5 baffbd74985b5819920f4abcd8e6dba1
SHA1 1625f21c4b6baae3c33619c9de906287533749d9
SHA256 adb6059b3b4d59885443c29d2459f307e2957e428c876c72cbf26cf6891d4238
SHA512 82a915af4e63e7dfa94ada8d68fede0bf9a133990817dde1c9f4e81e6c5f4fa190d7ba36e08f2bf1694d797835367dea18eb5764d52384f1a2d6616c9813740d

memory/4740-333-0x0000000002380000-0x0000000002390000-memory.dmp

memory/4740-326-0x0000000002380000-0x0000000002390000-memory.dmp

memory/4740-356-0x000000007FE20000-0x000000007FE21000-memory.dmp

memory/4740-357-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

memory/4740-359-0x0000000002380000-0x0000000002390000-memory.dmp

memory/4740-358-0x0000000002380000-0x0000000002390000-memory.dmp