Malware Analysis Report

2024-11-13 15:03

Sample ID 240314-eqp3wscd36
Target 2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9
SHA256 2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9
Tags
lockbit ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9

Threat Level: Known bad

The file 2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9 was found to be: Known bad.

Malicious Activity Summary

lockbit ransomware

Rule to detect Lockbit 3.0 ransomware Windows payload

Lockbit family

Lockbit

Deletes itself

Loads dropped DLL

Executes dropped EXE

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

Modifies Control Panel

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-14 04:08

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-14 04:08

Reported

2024-03-14 04:11

Platform

win7-20240221-en

Max time kernel

119s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe"

Signatures

Lockbit

ransomware lockbit

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\366C.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\366C.tmp N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\sdBuuG2px.bmp" C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\sdBuuG2px.bmp" C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sdBuuG2px C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sdBuuG2px\ = "sdBuuG2px" C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sdBuuG2px\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sdBuuG2px C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sdBuuG2px\DefaultIcon\ = "C:\\ProgramData\\sdBuuG2px.ico" C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
(identical row repeated 14 times)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
(the four rows above, SeBackupPrivilege twice then SeSecurityPrivilege twice, repeat 12 times in this order: 48 rows in total)

Processes

C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe

"C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe"

C:\ProgramData\366C.tmp

"C:\ProgramData\366C.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\366C.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x14c

Network

N/A

Files

memory/2872-0-0x00000000020F0000-0x0000000002130000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini

MD5 fa555f3227f58aacf167dfa866125eef
SHA1 12682ee9b2f8f73bacc882b46476622595a6b9ff
SHA256 0f2eb0339afc87aeda971c74b28021605bb56d3ddc8e8141de3c09d083da5fef
SHA512 486fbc31ee0ef96d2d9fc258cfeb0dfee45307ddc455a605286191259ab543b15cdd6057cd2e79009f33b45748272cf9455b82d43bb1e98e9a2fb90b3ff30099

F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\DDDDDDDDDDD

MD5 65ec569edb20eced64d370533d15c5ee
SHA1 6457f7804f71157fca14d7994b2db1ee29479ab4
SHA256 edf050b36c2ebfadf03a3d99fff6726867c989d2556f3808ce88271989456d9d
SHA512 3e89a5fc9582847798bd6f6fd7cad714740ef73c731c18e47e4c85250105c68870067da3f09701247fc1d64edde3d510d1e88e836a0ed692c2847c4f9730f7bf

C:\Users\sdBuuG2px.README.txt

MD5 d4cfa0c2eba7e16cd40a9626b97f943a
SHA1 653cf80e99cee5a6540dd6009ea72917be80541a
SHA256 a495bf2b826491546e2db1a86cb8e06f632efcc330fbc12610d647638dc8357a
SHA512 082d45dafabfef829414356bfc57715a840dec860d60f6c021dcdb367c177124a3e63e87c3b6169a813773cbe86e6fa4f0a416114c97ef91fc688611cab6885a

\ProgramData\366C.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/2364-298-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

memory/2364-299-0x0000000002060000-0x00000000020A0000-memory.dmp

memory/2364-301-0x000000007EF80000-0x000000007EF81000-memory.dmp

memory/2364-302-0x000000007EF20000-0x000000007EF21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 117ca621e50e4d3a61be5e2f93d853b9
SHA1 0c31007fd0ed09a03a7dbcee58bfe10449249deb
SHA256 e52400257215aebb924d1d0da2f6cda181bdaabc0e15b05a1f76d41717e5b555
SHA512 2d5b49e5b29aa10143183844b3f5e3efa7b3caddf61cab380d84550a28f7a965b06abf62beb15bbe2d0e800751500297c2cbec25b5aa2d027d9cd40e2b149ec2

memory/2364-332-0x000000007EF40000-0x000000007EF41000-memory.dmp

memory/2364-333-0x000000007EF60000-0x000000007EF61000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-14 04:08

Reported

2024-03-14 04:11

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe"

Signatures

Lockbit

ransomware lockbit

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-1904519900-954640453-4250331663-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1904519900-954640453-4250331663-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\spool\PRINTERS\PPapk3p1ey4yy07n77a80tsok0d.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPs_es50ixnbpa6phjd_z3yn9xc.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPjf0t6ghxs8fdktvp9t3sc_00.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\00002.SPL C:\Windows\splwow64.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sdBuuG2px\DefaultIcon\ = "C:\\ProgramData\\sdBuuG2px.ico" C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sdBuuG2px C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sdBuuG2px\ = "sdBuuG2px" C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sdBuuG2px\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sdBuuG2px C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
(identical row repeated 32 times)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe N/A
(the four rows above, SeBackupPrivilege twice then SeSecurityPrivilege twice, repeat 12 times in this order: 48 rows in total)

Processes

C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe

"C:\Users\Admin\AppData\Local\Temp\2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2280,i,8281149332300504990,9122875031903898779,262144 --variations-seed-version /prefetch:8

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Windows\system32\printfilterpipelinesvc.exe -Embedding

Network

Country  Destination          Domain                              Proto
NL       52.142.223.178:80    N/A                                 tcp
US       8.8.8.8:53           241.154.82.20.in-addr.arpa          udp
US       8.8.8.8:53           68.159.190.20.in-addr.arpa          udp
US       8.8.8.8:53           180.178.17.96.in-addr.arpa          udp
US       8.8.8.8:53           41.110.16.96.in-addr.arpa           udp
US       8.8.8.8:53           28.118.140.52.in-addr.arpa          udp
US       8.8.8.8:53           30.243.111.52.in-addr.arpa          udp
US       13.107.246.64:443    N/A                                 tcp
US       8.8.8.8:53           9.228.82.20.in-addr.arpa            udp
US       8.8.8.8:53           103.169.127.40.in-addr.arpa         udp
US       8.8.8.8:53           206.23.85.13.in-addr.arpa           udp
US       8.8.8.8:53           18.134.221.88.in-addr.arpa          udp
US       8.8.8.8:53           228.249.119.40.in-addr.arpa         udp
US       8.8.8.8:53           194.178.17.96.in-addr.arpa          udp
US       8.8.8.8:53           240.221.184.93.in-addr.arpa         udp

Files

memory/3764-0-0x0000000002C20000-0x0000000002C30000-memory.dmp

memory/3764-1-0x0000000002C20000-0x0000000002C30000-memory.dmp

memory/3764-2-0x0000000002C20000-0x0000000002C30000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1904519900-954640453-4250331663-1000\UUUUUUUUUUU

MD5 8a2d9da2d36ebcc33f5c37811bdfd53c
SHA1 8760220a2397edc6dac291453a8420b187eee058
SHA256 54e8cf903df6e00681872db38a631edf8c87f8326ca46ed08e22e707f1eed797
SHA512 7999b5dfc0eba28ce8a84da28873b257c6e6a8dfdf88ffe713c2db169fa141e2ee19d9c431de2534bf34bd26d117d88463b19b418519176b260344a69858d12a

C:\Users\sdBuuG2px.README.txt

MD5 5991641ad00ab27343a77f8adbf722dc
SHA1 2ffab821889ce5d1c05b4c6335015b14662e7fc4
SHA256 201960e9fbfb8ed5dde5128736bb27a4b83645529d5776e55c15118c13263886
SHA512 ecbf39fb35e2032b1633ba3980befcacf6ff6041817ceaf3c1bfd62ee32c7683fcfcf4acafb49532c6aaeca84cde5cfc98c70d9b9e556dca3624769e8a6ae482

F:\$RECYCLE.BIN\S-1-5-21-1904519900-954640453-4250331663-1000\DDDDDDDDDDD

MD5 d60c0d778ce0a11b6a0f2a2454a1f3d1
SHA1 decc4259b2383065c7aa675ffe98e7216d69f42d
SHA256 402d44fd4414ae5d9cfddb375bbcd7db6dd18a9cb724f55edab0a0e750ce346f
SHA512 91372b3e4e7caecd7b0b01d57ce6dd858588c70eca5a8f16c1871e556c3265eafdc9279ae6af226d98c6f8520f2a7a3c26053b110471fa181ec4b2c6940aeff1

memory/3764-304-0x0000000002C20000-0x0000000002C30000-memory.dmp

memory/3764-305-0x0000000002C20000-0x0000000002C30000-memory.dmp

memory/3764-306-0x0000000002C20000-0x0000000002C30000-memory.dmp