Malware Analysis Report

2024-11-15 07:21

Sample ID 240313-vd1xmaab6s
Target a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.zip
SHA256 ccd5fb7c75c123189cf804e5bec2b5850896ef88c526ad34737da42686056b0a
Tags
lockbit ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ccd5fb7c75c123189cf804e5bec2b5850896ef88c526ad34737da42686056b0a

Threat Level: Known bad

The file a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.zip was found to be: Known bad.

Malicious Activity Summary

lockbit ransomware

Lockbit

Renames multiple (129) files with added filename extension

Renames multiple (157) files with added filename extension

Renames multiple (166) files with added filename extension

Checks computer location settings

Deletes itself

Executes dropped EXE

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Program crash

Modifies Control Panel

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-13 16:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-13 16:53

Reported

2024-03-13 16:56

Platform

win10-20240221-en

Max time kernel

133s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe"

Signatures

Lockbit

ransomware lockbit

Renames multiple (166) files with added filename extension

ransomware

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\9385.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\9385.tmp N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-682446400-748730298-2471801445-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-682446400-748730298-2471801445-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\2uaphKeDl.bmp" C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\2uaphKeDl.bmp" C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\2uaphKeDl\DefaultIcon C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\2uaphKeDl C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\2uaphKeDl\DefaultIcon\ = "C:\\ProgramData\\2uaphKeDl.ico" C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.2uaphKeDl C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.2uaphKeDl\ = "2uaphKeDl" C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
(identical rows collapsed: SeDebugPrivilege appears once more, and SeBackupPrivilege and SeSecurityPrivilege 24 further times each, all with Process C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe and Target N/A)

Processes

C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe

"C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe"

C:\ProgramData\9385.tmp

"C:\ProgramData\9385.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\9385.tmp >> NUL

Network

Country Destination Domain Proto
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp

Files

C:\$Recycle.Bin\S-1-5-21-682446400-748730298-2471801445-1000\desktop.ini

MD5 5e7e3938758a2c4a2e010a37c042b534
SHA1 bd83106680df42bae8e717b6ca96c0d8f6ad3811
SHA256 df42c527450e8b96529c6a084f71d2691f410940cfacc7de2611052aa7898a6e
SHA512 596ecd0b7c316de84b505492d771ccca982bc9e95c2545baa3212315f88d957f484d75b4be784d2f00aa3fa5e9abfc9107e831979b2c589e9a4606596270e4b8

C:\Users\2uaphKeDl.README.txt

MD5 9b980c4959cea202ff69d6e1ee760e47
SHA1 601b939357a61063b53f933e25440c9193907b28
SHA256 56288be5a306c3fa67f43216b0669aa260294cb6b776a3d1e79b89120f86c910
SHA512 09ae9dc1c16acfc5a269ddb1c567137e98ec275b9796758caeb2d977c9f416924138f0369dcddfefde28692357b9489d5900883845d4282d1ea273f18399a967

F:\$RECYCLE.BIN\S-1-5-21-682446400-748730298-2471801445-1000\DDDDDDDDDDD

MD5 175a6efc0168bcd3159f7a621fcc8cce
SHA1 89b896c39a29d4c6f67c892bd9615a04f48aa7ae
SHA256 122c4e02787275bfb7c46c7ecfd20d1601031529992cda49eed62587cb162210
SHA512 d3789a4df5ca6ed1963d4e2a7adc68e786d1660c44b830aa282cb5ad56ebb8bcaa3b004ba768440927248c2789c54ba5f08a0aa0f4c3fb5db55db5fcabbcb703

C:\ProgramData\9385.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 7769ec9322e5570d71e1189be90625c9
SHA1 e1ad556097d03805aa3b44296a4d07a3e660a85f
SHA256 1629827cf0f69597f90e6c661482a52f429fe6369d27037e3a4acf94b9561248
SHA512 f422bc4981b499ba37c4113f2147eb063a3f15eda3f351429d9f7f7d795171f70b568465e0fca901f9cfc6d77a054a4fe2a935d5fcc6f3601a96c20cd91fe7be

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-13 16:53

Reported

2024-03-13 16:56

Platform

win10v2004-20240226-en

Max time kernel

160s

Max time network

162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe"

Signatures

Lockbit

ransomware lockbit

Renames multiple (157) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\ProgramData\55A2.tmp N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\55A2.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\55A2.tmp N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-275798769-4264537674-1142822080-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-275798769-4264537674-1142822080-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\2uaphKeDl.bmp" C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\2uaphKeDl.bmp" C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\2uaphKeDl\DefaultIcon\ = "C:\\ProgramData\\2uaphKeDl.ico" C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.2uaphKeDl C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.2uaphKeDl\ = "2uaphKeDl" C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\2uaphKeDl\DefaultIcon C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\2uaphKeDl C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
(identical rows collapsed: SeDebugPrivilege appears once more, and SeBackupPrivilege and SeSecurityPrivilege 24 further times each, all with Process C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe and Target N/A)

Processes

C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe

"C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe"

C:\ProgramData\55A2.tmp

"C:\ProgramData\55A2.tmp"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3464 -ip 3464

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 1340

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\55A2.tmp >> NUL

Network

Files

C:\$Recycle.Bin\S-1-5-21-275798769-4264537674-1142822080-1000\DDDDDDDDDDD

MD5 ce0eebbb0517e32f5050d0478c2093b5
SHA1 c12751cc5f0a6d6fc869ec69c7a45be641356c52
SHA256 0ecc62a8ef7e0c897d3ffb71feb8e97c6e12640a4f9942ecde6330352c6f7c9d
SHA512 5e73a7fec1f95f3643152a95d4ca2b58d98dceb93a42aba284f35bdd480481f3ec609219619604a3b7dcf4c77b9038f57e8cf5ecc5ee191e3caaba9352dfb124

F:\$RECYCLE.BIN\S-1-5-21-275798769-4264537674-1142822080-1000\DDDDDDDDDDD

MD5 203bd933c6b2aac15f3b526ee76c5a78
SHA1 fc1f1e8dcdeed84fb682925779bee3de36dce0f8
SHA256 60762136adf6c7b5a65ac61eb7ecfd14d3434d135e929ae312ca768ee5a7951f
SHA512 dbbf215884139bebbce61b6a1bcc30583232a37bff05b2196b30698c57b90ba0dd8bf385f4a8dd43fda242d16b21d5dd96c4f8461dc583a8d9a993d911d85dd3

C:\Users\2uaphKeDl.README.txt

MD5 348599c9d0099444664dd16ea333f96e
SHA1 2e9405515ad5a5ee19e87e0cb13e3f7418dbc017
SHA256 f25e0282e195cd55fcbd04a803895d001d44923363783bcd6971dd3046a7f54a
SHA512 df88b860b833b2f3c8cb7df4d9592213016b735a1c63e3af88fa3953ccd04e943cc0d374f790a2217033b2551acbe56aba01642a7538a4bdbda13726aa31d107

C:\ProgramData\55A2.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/3244-317-0x0000000000400000-0x0000000000407000-memory.dmp

memory/3244-318-0x00000000025C0000-0x00000000025D0000-memory.dmp

memory/3244-319-0x00000000025C0000-0x00000000025D0000-memory.dmp

memory/3244-321-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

memory/3244-320-0x000000007FE20000-0x000000007FE21000-memory.dmp

memory/3244-322-0x000000007FE40000-0x000000007FE41000-memory.dmp

memory/3464-323-0x0000000000400000-0x0000000002444000-memory.dmp

memory/3464-324-0x00000000041B0000-0x00000000041D9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 f60ccc2fb0bfd15b30bfe0bba098636f
SHA1 464cb20d5d5b0911bd93520f3eb7277d7959b828
SHA256 33b31dbd98fbf14167d876df3520fe4250047c64520b1db2d46a72b610b25d03
SHA512 9800b16f8479e79931d952ae7db4e32e73bb9dbd0bb1070c3507477a28aead3e2cfc357e93fede956e15cc2a6950de42b32651105bdaac92e3e11163277c1eb1

memory/3244-353-0x0000000000400000-0x0000000000407000-memory.dmp

memory/3244-354-0x00000000025C0000-0x00000000025D0000-memory.dmp

memory/3244-355-0x00000000025C0000-0x00000000025D0000-memory.dmp

memory/3244-358-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

memory/3244-359-0x000000007FE00000-0x000000007FE01000-memory.dmp

memory/3244-360-0x0000000000400000-0x0000000000407000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-13 16:53

Reported

2024-03-13 16:56

Platform

win11-20240221-en

Max time kernel

154s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe"

Signatures

Lockbit

ransomware lockbit

Renames multiple (129) files with added filename extension

ransomware

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\67F1.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\67F1.tmp N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-2930051783-2551506282-3430162621-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2930051783-2551506282-3430162621-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\2uaphKeDl.bmp" C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\2uaphKeDl.bmp" C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\2uaphKeDl C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\2uaphKeDl\DefaultIcon\ = "C:\\ProgramData\\2uaphKeDl.ico" C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.2uaphKeDl C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.2uaphKeDl\ = "2uaphKeDl" C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\2uaphKeDl\DefaultIcon C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe

"C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe"

C:\ProgramData\67F1.tmp

"C:\ProgramData\67F1.tmp"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1012 -ip 1012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 1176

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\67F1.tmp >> NUL

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

memory/1012-0-0x0000000004290000-0x00000000042AC000-memory.dmp

memory/1012-1-0x00000000042B0000-0x00000000042D9000-memory.dmp

memory/1012-2-0x0000000000400000-0x0000000002444000-memory.dmp

memory/1012-3-0x00000000043D0000-0x00000000043E0000-memory.dmp

memory/1012-4-0x00000000043D0000-0x00000000043E0000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2930051783-2551506282-3430162621-1000\BBBBBBBBBBB

MD5 5f1e6c660e063c9037f81f8ae01b7570
SHA1 bb140448955d2e550705c1afe0863712834eed91
SHA256 656d69b223ee714e230b4fc188d91fa6cc1a6332079068f953f427eb04a39203
SHA512 ca100a4080c2b54cbf3a10dfb6f5715712864b4659c7f2a22a0d56d4ea17e08edeeab1c120c4cabc1ea5f7e58d905246953036f925be6ad964c71ce01f329083

C:\2uaphKeDl.README.txt

MD5 ba95f3178cf34e43e47bf6f1db607ea9
SHA1 6e465899a852449003e0b40439cd52011b542728
SHA256 c33955f3e57eb3b0adeb6b08df0e0c9de2ef111eb8e9ea8cb2daf7f83fda6f50
SHA512 075f1773ee259fd16176d8913e877b04f244a3f6d41aab17764f125194c3101c5f2d120e1e7e84c4f26ce80112543fae65ebfee80706c51fbd3413885f5a8d65

F:\$RECYCLE.BIN\S-1-5-21-2930051783-2551506282-3430162621-1000\DDDDDDDDDDD

MD5 063a67a9f33fd6dcf7e0e9f4082c1d97
SHA1 290906e4fdf7fe1ad1f1836b5e9453c2553c1c7d
SHA256 089f747b44edce95a588135b3a2b3449f2df9cbc19c43d5727e7085b6cfc35a6
SHA512 591c17e00beed226e68b1e8c25eee6de5b2c46f08f62e43158e0931d95f6696973bfe3b824fc4065b784269cfd872a0ffb9b451fe633a9f124f11db3b97a6cbb

C:\ProgramData\67F1.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/3592-286-0x00000000025D0000-0x00000000025E0000-memory.dmp

memory/3592-285-0x0000000000400000-0x0000000000407000-memory.dmp

memory/3592-287-0x00000000025D0000-0x00000000025E0000-memory.dmp

memory/3592-289-0x000000007FDF0000-0x000000007FDF1000-memory.dmp

memory/3592-288-0x000000007FE50000-0x000000007FE51000-memory.dmp

memory/3592-290-0x000000007FE70000-0x000000007FE71000-memory.dmp

memory/1012-291-0x0000000000400000-0x0000000002444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 ed5bbf6fb7d5247568bd1bfd0098d501
SHA1 0828d8e684353c67782a8f2ff5b494b002c5aec1
SHA256 cac9025a6aa4b2f18c270b085e82e96432625af29e1fb39fb775b03565824195
SHA512 a973e6ee0bf6b6f7b33ecb4d453e280bde70ee05d5a4727757ca725d91d4f1ae3331ec381f18e1af8ba7703310b63a9b91f73eb08212efccb4b004f53cf5392d

memory/3592-320-0x0000000000400000-0x0000000000407000-memory.dmp

memory/3592-321-0x00000000025D0000-0x00000000025E0000-memory.dmp

memory/3592-322-0x00000000025D0000-0x00000000025E0000-memory.dmp

memory/3592-326-0x000000007FE30000-0x000000007FE31000-memory.dmp

memory/3592-325-0x000000007FE10000-0x000000007FE11000-memory.dmp

memory/3592-327-0x0000000000400000-0x0000000000407000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5 eebfb84605e05222e3ad98f4b9f62db2
SHA1 36ddd440df5b2776281ad245a6a57e7a183c09a0
SHA256 4a9b70f7113d5c252937ad9bbfa110031124ffe3643648db3f944111b61bd559
SHA512 90e6f46d36c30783af4032f72beb58eb157849a8197e39945542da8a0c1313cb87e91f18a732f5718ec6a676fcd790458419bcc22c608824416fa6df14bf5ba6

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5 405fc71d90ddaa1a11a46a82f45ec8a3
SHA1 145d5254a4838d1a93869d23586b9d13362d0895
SHA256 0ea7613fb69bc81d4d2f515d22ac9b132e0a82c227785d225bb2eee0f147fc9d
SHA512 39803466888e1a00257a17dd9651c3c3b8035dda76f3c86d59a83045be87a210f88538c815d2a0076444eaac6140f9e5d5bd133a6a1150abee9907320e78e8fa