Malware Analysis Report

2024-11-13 15:03

Sample ID 240314-esa2racd68
Target 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a
SHA256 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a
Tags
lockbit ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a

Threat Level: Known bad

The file 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a was found to be: Known bad.

Malicious Activity Summary

lockbit ransomware

Lockbit family

Lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Loads dropped DLL

Deletes itself

Executes dropped EXE

Drops desktop.ini file(s)

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Sets desktop wallpaper using registry

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Modifies Control Panel

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-14 04:11

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-14 04:11

Reported

2024-03-14 04:14

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe"

Signatures

Lockbit

ransomware lockbit

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\2829.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\2829.tmp N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\o3LDjrpOa.bmp" C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\o3LDjrpOa.bmp" C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.o3LDjrpOa C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.o3LDjrpOa\ = "o3LDjrpOa" C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\o3LDjrpOa\DefaultIcon C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\o3LDjrpOa C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\o3LDjrpOa\DefaultIcon\ = "C:\\ProgramData\\o3LDjrpOa.ico" C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe

"C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe"

C:\ProgramData\2829.tmp

"C:\ProgramData\2829.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\2829.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x14c

Network

N/A

Files

memory/1812-0-0x00000000003C0000-0x0000000000400000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini

MD5 0c6c4f867a08ca3dda895a8d98089ebe
SHA1 448506893a320587b2d28c6e49a16ac9e8a34307
SHA256 cde0f7bed9d74d866d52a4e89ba0ef32ba2930919ea3e90ed62227feac6e3b30
SHA512 a4b7f515c96d4b822679da757bdea91a4e54948332fa24df6436e55e9a9cef407aaee3d3bc648e756c4b6b5e5ed033fba8818cb163d72fb55fcf5ea813c035eb

F:\o3LDjrpOa.README.txt

MD5 47a1dcd21891bbe5addf535dffca0f2a
SHA1 8a81092466a3ba2d4d7e909da3b044feb4bea276
SHA256 c8e83412c62211f875cbcaa89b3ba02e40249d052faaf375aa5a23affbb4c863
SHA512 ff6440344ab0f27bd8b0b94af088c84250141e6e3febfa89901ce9afda4c798d0f8097e50f8d8ec975929373f9eb2592204559de8f0b4ecad58d38ea0affb718

F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\DDDDDDDDDDD

MD5 890c21a5f87cbc91c5415b4ed1072298
SHA1 d5121319f4dfd5615f451f44f7f6e83a7dc4630c
SHA256 3deca78e87a7792044aab9582d0c6fe5d09f60103dc3be3576eae8e1469b400e
SHA512 4a60af88f094abdd4e950cee73203364c1d155c91fcef0a755a4dad3f572deac90c498ed59c02eeaa0dab97a27168c9517d29658e6ed23b599b4a2b35536cb51

\ProgramData\2829.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/1800-285-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

memory/1800-286-0x0000000002270000-0x00000000022B0000-memory.dmp

memory/1800-290-0x000000007EF80000-0x000000007EF81000-memory.dmp

memory/1800-291-0x000000007EF20000-0x000000007EF21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 19799f4ab2dfa09a3fd5d1a02b4568d8
SHA1 4a9c7a6e9bf9d8214cda50baf2efddfa2ca41bf1
SHA256 8ae2ef9126d6e9881f115b129bebdd9ec5dfcb8cd0086ef239daff5f1e9fc7ba
SHA512 cb3b095bb12895cb7aebda95100d563ff252c626149b8aec17f2b513f04c8db2c699f58db0e08469e6e8620f956b00a5b0a4a704e90fdf8f783358891cc51ef8

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-14 04:11

Reported

2024-03-14 04:14

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe"

Signatures

Lockbit

ransomware lockbit

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\849D.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\849D.tmp N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1904519900-954640453-4250331663-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-1904519900-954640453-4250331663-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\spool\PRINTERS\00002.SPL C:\Windows\splwow64.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PP7kduq8u1ygm5z1q6vc59vzuyc.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPchitm7ys_6703c2kulibdhyxc.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPl56f607vyaqzlyiyfw6zx8b1d.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\o3LDjrpOa.bmp" C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\o3LDjrpOa.bmp" C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\o3LDjrpOa C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\o3LDjrpOa\DefaultIcon\ = "C:\\ProgramData\\o3LDjrpOa.ico" C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.o3LDjrpOa C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.o3LDjrpOa\ = "o3LDjrpOa" C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\o3LDjrpOa\DefaultIcon C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe

"C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1044 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:8

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Windows\system32\printfilterpipelinesvc.exe -Embedding

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{25B69333-0052-4D6D-BD75-F7442646BD92}.xps" 133548631655530000

C:\ProgramData\849D.tmp

"C:\ProgramData\849D.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
NL 142.250.179.138:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 138.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp

Files

memory/4544-0-0x0000000000F60000-0x0000000000F70000-memory.dmp

memory/4544-1-0x0000000000F60000-0x0000000000F70000-memory.dmp

memory/4544-2-0x0000000000F60000-0x0000000000F70000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1904519900-954640453-4250331663-1000\DDDDDDDDDDD

MD5 f78679cd2ed37d57b2f611e1b32956dd
SHA1 15c3bc410420ded0345e87cca00e7169c6de65ba
SHA256 9e96b775af09cbcab50128036f99cb0ab9f21dd8c05748b41de5e8113a9bd767
SHA512 7393dadaa2c917747b407908e876e0f0f2f6f9b6f65f52ee3879a4cfcd9589d1b7a4a2809b27cfdb65b7cde59c817ac2f4efa98746f408d7f26779562e8079ca

C:\Users\o3LDjrpOa.README.txt

MD5 f45e391f29f25500baf0ac2b649df89c
SHA1 d894747132a8b28c15e67da3cab21e0dfb5c372a
SHA256 4b7a1867b2c0a5a501361186df5104e0c4bd4e9579d0087b40ee478ca56d5a7f
SHA512 aa56adc6927b5947a5131b42e73c943bc762b590f57b7f80521f0beab8e4a0520e6b75206fd7a1ade74551dc3fc84d4b53c1e721b123efc55dcb917d3893a682

F:\$RECYCLE.BIN\S-1-5-21-1904519900-954640453-4250331663-1000\AAAAAAAAAAA

MD5 d88d1f5841336a017efc511831957f80
SHA1 f6dacddb6672afc3301144c0d77305885294cfb1
SHA256 33d94a431a8c86c0516d7c8b0ee7f50b32d15be19c5f12a3b078fb1c081303d5
SHA512 dee6d812b86874797518689da793d0491c8a0450da1f82f9ecf935746b3c1f4b550aeab4af9220d57a4e8d6ee61eb05d89c2578c1b6cd6ab67f767c4a9e3562a

memory/4544-272-0x0000000000F60000-0x0000000000F70000-memory.dmp

memory/4544-273-0x0000000000F60000-0x0000000000F70000-memory.dmp

memory/4544-274-0x0000000000F60000-0x0000000000F70000-memory.dmp

memory/5356-286-0x00007FFB4EF30000-0x00007FFB4EF40000-memory.dmp

memory/5356-287-0x00007FFB4EF30000-0x00007FFB4EF40000-memory.dmp

memory/5356-288-0x00007FFB4EF30000-0x00007FFB4EF40000-memory.dmp

memory/5356-290-0x00007FFB8EEB0000-0x00007FFB8F0A5000-memory.dmp

memory/5356-289-0x00007FFB4EF30000-0x00007FFB4EF40000-memory.dmp

memory/5356-291-0x00007FFB8EEB0000-0x00007FFB8F0A5000-memory.dmp

memory/5356-293-0x00007FFB8EEB0000-0x00007FFB8F0A5000-memory.dmp

memory/5356-295-0x00007FFB8EEB0000-0x00007FFB8F0A5000-memory.dmp

C:\ProgramData\849D.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\Users\Admin\AppData\Local\Temp\EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE

MD5 0f7ce0389709f8b08378c8a69bb1c58e
SHA1 5815a5139ee4e4894e5a7c8a79a8a3cd1141441b
SHA256 59643b2b8f8e5f5e0470ada38fe0dc2be8d63db33c302ff221a30a636a660b98
SHA512 612d9c8756543703b0ffb70e87e25accea86a3ee81bedb92cef68d97ffc46a69d334e5dc9f47f0df1b3f35813264e4ba0dcb7c155979c52890fb11c71035eb37

memory/5356-317-0x00007FFB8EEB0000-0x00007FFB8F0A5000-memory.dmp

memory/5356-330-0x00007FFB8EEB0000-0x00007FFB8F0A5000-memory.dmp

memory/5356-325-0x00007FFB4C710000-0x00007FFB4C720000-memory.dmp

memory/5356-331-0x00007FFB8EEB0000-0x00007FFB8F0A5000-memory.dmp

memory/5356-333-0x00007FFB4C710000-0x00007FFB4C720000-memory.dmp

memory/5356-332-0x00007FFB8EEB0000-0x00007FFB8F0A5000-memory.dmp

memory/5356-334-0x00007FFB8EEB0000-0x00007FFB8F0A5000-memory.dmp

memory/5356-335-0x00007FFB8EEB0000-0x00007FFB8F0A5000-memory.dmp

memory/5356-336-0x00007FFB8EEB0000-0x00007FFB8F0A5000-memory.dmp

memory/5356-337-0x00007FFB8EEB0000-0x00007FFB8F0A5000-memory.dmp

memory/5356-338-0x00007FFB8EEB0000-0x00007FFB8F0A5000-memory.dmp

memory/5356-340-0x00007FFB8EEB0000-0x00007FFB8F0A5000-memory.dmp

memory/5356-339-0x00007FFB8EEB0000-0x00007FFB8F0A5000-memory.dmp

memory/5468-342-0x0000000002520000-0x0000000002530000-memory.dmp

memory/5468-343-0x000000007FE20000-0x000000007FE21000-memory.dmp

memory/5468-341-0x0000000002520000-0x0000000002530000-memory.dmp

memory/5356-299-0x00007FFB8EEB0000-0x00007FFB8F0A5000-memory.dmp

memory/5356-292-0x00007FFB4EF30000-0x00007FFB4EF40000-memory.dmp

memory/5468-344-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

memory/5468-345-0x000000007FE40000-0x000000007FE41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{0DE2A63E-E383-4FA8-BE09-DADD0EB59ADB}

MD5 703b6dfe0545cd784bbde2964dcb3634
SHA1 fba9d74b89a547553a90f7542cee43888e2197ec
SHA256 a45b907b4058eb86256e2038288cd94e98cc9e872907f16478b8013a6a4c5c36
SHA512 728499f215778251b37ba5de13bc0d9834cf6695c101df210b1c6ddb21226af7ca648c9c87cb00d0e9a196af106d74aeabf00a57371d89a21ce64540a69847fe

memory/5356-366-0x00007FFB8EEB0000-0x00007FFB8F0A5000-memory.dmp

memory/5356-367-0x00007FFB8EEB0000-0x00007FFB8F0A5000-memory.dmp

memory/5468-368-0x0000000002520000-0x0000000002530000-memory.dmp

memory/5468-369-0x0000000002520000-0x0000000002530000-memory.dmp