Malware Analysis Report

2024-11-13 14:59

Sample ID 240314-esrz9sab5y
Target 5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816
SHA256 5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816
Tags
lockbit ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file 5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816 was found to be: Known bad.

Malicious Activity Summary

lockbit ransomware spyware stealer

Lockbit

Lockbit family

Rule to detect Lockbit 3.0 ransomware Windows payload

Renames multiple (348) files with added filename extension

Renames multiple (598) files with added filename extension

Executes dropped EXE

Reads user/profile data of web browsers

Deletes itself

Loads dropped DLL

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

Modifies Control Panel

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-14 04:12

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-14 04:12

Reported

2024-03-14 04:15

Platform

win7-20240220-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe"

Signatures

Lockbit

ransomware lockbit

Renames multiple (348) files with added filename extension

ransomware

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\2EAE.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\2EAE.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\sNLnicEVl.bmp" C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\sNLnicEVl.bmp" C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\ProgramData\2EAE.tmp N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sNLnicEVl\ = "sNLnicEVl" C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sNLnicEVl\DefaultIcon C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sNLnicEVl C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sNLnicEVl\DefaultIcon\ = "C:\\ProgramData\\sNLnicEVl.ico" C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sNLnicEVl C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe

"C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe"

C:\ProgramData\2EAE.tmp

"C:\ProgramData\2EAE.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\2EAE.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x14c

Network

N/A

Files

memory/2268-0-0x0000000000410000-0x0000000000450000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\EEEEEEEEEEE

MD5 1527e602c83cfc6570f4de16035051dd
SHA1 60d8e37aed7e6fdd1be1d5b83c863d6e7e75992d
SHA256 72ab9e6503e26f788c3beabb35f2384cbdf511ba9bec8961963c3b7d85bb122a
SHA512 43ceb96d968974f051ed39d3d8998695fbf8c6f9f8ab65ff51fef14f220f8623a89a4509fafd27aaa8dc96adbe0e3a3b90cd27f57d57f6ee5c6008aa391a6dbb

F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\DDDDDDDDDDD

MD5 82a7e38d1fa28b7660f639ea0daea8fc
SHA1 f101dedd4b8e78b3e2fb2125b7755e37de229f83
SHA256 6a7a4a27dfa45dac5c79655a20f7df11d227557de01e73716b18d2bc8bd01485
SHA512 8db9a70ac00f23da5622499d73e44b9bc16ea161b0a301bb586e8103f0c8d81543dd0ae356c21fae2d72f213d3f1033ed5952f29bd38e4446360f78b22178d38

C:\sNLnicEVl.README.txt

MD5 885e5b5a0b7100068d7359be5025b479
SHA1 413e60216fd28e306c8ac910f7d317a88f3ea9e3
SHA256 3f8a1cf73e0f9fae26c30e80ff47c409799b697685cf31688e17e9f77e8e8ade
SHA512 804a5949d5d0cde73fb4c667b34cc14266a3dee9691277201f3bfdab99bfe1f8445ff64db8f5f2410528f4f9b96a5f069f90aaede998aa97489ea364f32e9b26

\ProgramData\2EAE.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/3036-874-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

memory/3036-875-0x0000000000300000-0x0000000000340000-memory.dmp

memory/3036-879-0x0000000000300000-0x0000000000340000-memory.dmp

memory/3036-881-0x000000007EF80000-0x000000007EF81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 2d2d9cd0b622414a449c37ad22414283
SHA1 b83f2945f57908e4703719247e72700fe59870a1
SHA256 b30210759a4fe4cc438f2ba29250ff1a034f0845857fc6664ed45020da848a87
SHA512 c77efb551b64294c54fccec5a5adc8c63b38cd4da8066e35905281ec45bafef51e353c15d2c0103907da2f6e19079e5c68a092bb41c9ed71fe146ce10a619340

memory/3036-882-0x000000007EF20000-0x000000007EF21000-memory.dmp

memory/3036-908-0x000000007EF60000-0x000000007EF61000-memory.dmp

memory/3036-907-0x000000007EF40000-0x000000007EF41000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-14 04:12

Reported

2024-03-14 04:15

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe"

Signatures

Lockbit

ransomware lockbit

Renames multiple (598) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-513485977-2495024337-1260977654-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-513485977-2495024337-1260977654-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\spool\PRINTERS\00002.SPL C:\Windows\splwow64.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sNLnicEVl\ = "sNLnicEVl" C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sNLnicEVl\DefaultIcon C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sNLnicEVl C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sNLnicEVl\DefaultIcon\ = "C:\\ProgramData\\sNLnicEVl.ico" C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sNLnicEVl C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe N/A
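
The AdjustPrivilegeToken rows above are the interesting part of this behavioral run for a defender: the sample enables SeTakeOwnershipPrivilege, SeShutdownPrivilege and SeDebugPrivilege once, then toggles SeBackupPrivilege and SeSecurityPrivilege over and over. The following is an added triage example, not output of the sandbox and not code from the sample: it parses rows in exactly the format printed above, collapses the repeats into per-process counts, and applies the editor's own heuristic that this particular privilege set is what a process that intends to read and overwrite every file regardless of ACL looks like. Only the first seven rows are embedded, to keep the block short.

```python
from collections import Counter

# Constructed input: the first seven rows of the AdjustPrivilegeToken table,
# in the report's "Token: <privilege> <indicator> <process> <target>" layout.
SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe")
PRIVILEGE_ROWS = [
    f"Token: SeTakeOwnershipPrivilege N/A {SAMPLE_EXE} N/A",
    f"Token: SeShutdownPrivilege N/A {SAMPLE_EXE} N/A",
    f"Token: SeDebugPrivilege N/A {SAMPLE_EXE} N/A",
    f"Token: SeBackupPrivilege N/A {SAMPLE_EXE} N/A",
    f"Token: SeBackupPrivilege N/A {SAMPLE_EXE} N/A",
    f"Token: SeSecurityPrivilege N/A {SAMPLE_EXE} N/A",
    f"Token: SeSecurityPrivilege N/A {SAMPLE_EXE} N/A",
]

# What enabling each privilege buys the process (standard Windows semantics).
PRIVILEGE_EFFECT = {
    "SeBackupPrivilege": "read any file or key regardless of its DACL (backup semantics)",
    "SeRestorePrivilege": "write any file or key regardless of its DACL",
    "SeSecurityPrivilege": "read/write SACLs and manage the Security event log",
    "SeTakeOwnershipPrivilege": "take ownership of objects without an explicit grant",
    "SeDebugPrivilege": "open handles to processes of other users, including SYSTEM",
    "SeShutdownPrivilege": "shut down or reboot the host",
}

# Editor's heuristic (an assumption, not a sandbox rule): a process that enables
# all four of these is preparing to touch files it is not normally allowed to.
RANSOMWARE_PRIVILEGE_SET = {
    "SeBackupPrivilege", "SeSecurityPrivilege",
    "SeTakeOwnershipPrivilege", "SeDebugPrivilege",
}


def parse_privilege_rows(rows):
    """Map process path -> Counter(privilege -> number of enable events)."""
    per_process = {}
    for row in rows:
        parts = row.split()
        if len(parts) < 4 or parts[0] != "Token:":
            continue  # not a privilege row; ignore
        privilege, process = parts[1], parts[3]
        per_process.setdefault(process, Counter())[privilege] += 1
    return per_process


def matches_ransomware_profile(privileges):
    """True when every privilege in the heuristic set was enabled at least once."""
    return RANSOMWARE_PRIVILEGE_SET <= set(privileges)


def triage(rows):
    """Collapse the repetitive table into one summary record per process."""
    summary = {}
    for process, counter in parse_privilege_rows(rows).items():
        summary[process] = {
            "privileges": dict(counter),
            "ransomware_profile": matches_ransomware_profile(counter),
            "effects": {p: PRIVILEGE_EFFECT.get(p, "unknown") for p in sorted(counter)},
        }
    return summary


if __name__ == "__main__":
    for process, info in triage(PRIVILEGE_ROWS).items():
        print(process)
        print("  ransomware privilege profile:", info["ransomware_profile"])
        for privilege, n in sorted(info["privileges"].items()):
            print(f"  {privilege:26} x{n}  {info['effects'][privilege]}")
```

Run over the full table, the counts make the pattern obvious at a glance: one enable each for ownership, shutdown and debug, and a long alternating run of Backup/Security. The heuristic deliberately does not fire on SeDebugPrivilege alone, which plenty of legitimate tooling requests.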

Processes

C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe

"C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

Network

Country Destination Domain Proto
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp
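
Almost every row in the Network table is a reverse-DNS (in-addr.arpa) query to 8.8.8.8 or a fetch of tse1.mm.bing.net; in a Windows sandbox that traffic is commonly generated by the guest itself, and this report does not tie network rows to a process, so none of it can be attributed to the sample on this evidence alone. The one row worth pivoting on is the TCP connection to 20.231.121.79:80 with no domain. The block below is an added example (not sandbox output, not code from the sample) that parses rows in the table's own layout, decodes each PTR name back to the address it asks about, and reports which contacted peers had no reverse lookup and which lookups never led to a connection. Only a subset of the rows is embedded, as constructed input.

```python
import re

# Constructed subset of the Network table above, in its
# "<country> <ip>:<port> [<domain>] <proto>" layout.
NETWORK_ROWS = """
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
"""

PTR_RE = re.compile(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa")


def ptr_target(domain):
    """IPv4 address a reverse-DNS name asks about, or None for a forward name."""
    m = PTR_RE.fullmatch(domain or "")
    # in-addr.arpa labels are the octets in reverse order
    return ".".join(reversed(m.groups())) if m else None


def parse_network_rows(text):
    """Turn table rows into dicts; the domain column is optional."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # blank or header line
        country, dest, proto = parts[0], parts[1], parts[-1]
        domain = parts[2] if len(parts) == 4 else None
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def correlate(rows):
    """Separate DNS noise from real connections and cross-reference the two."""
    ptr_ips, forward_lookups, connections = {}, set(), {}
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            target = ptr_target(r["domain"])
            if target:
                ptr_ips[target] = ptr_ips.get(target, 0) + 1
            elif r["domain"]:
                forward_lookups.add(r["domain"])
            continue
        # keep the first domain seen for each (ip, port) peer
        connections.setdefault((r["ip"], r["port"]), r["domain"])
    connected_ips = {ip for ip, _ in connections}
    return {
        "connections": connections,
        "forward_lookups": sorted(forward_lookups),
        "unnamed_connections": sorted(k for k, d in connections.items() if d is None),
        "connections_without_ptr": sorted(ip for ip in connected_ips if ip not in ptr_ips),
        "ptr_without_connection": sorted(ip for ip in ptr_ips if ip not in connected_ips),
    }


if __name__ == "__main__":
    result = correlate(parse_network_rows(NETWORK_ROWS))
    for key in ("unnamed_connections", "connections_without_ptr", "ptr_without_connection"):
        print(f"{key}: {result[key]}")
```

The PTR lookup for 204.79.197.200 pairs with the TLS connections to tse1.mm.bing.net, which is the pattern of the guest resolving its own outbound peers; 20.231.121.79 was contacted on port 80 with neither a forward nor a reverse lookup in the table, so that address is the one to check against threat-intelligence sources before drawing any conclusion about it.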

Files

memory/852-0-0x0000000002800000-0x0000000002810000-memory.dmp

memory/852-1-0x0000000002800000-0x0000000002810000-memory.dmp

memory/852-2-0x0000000002800000-0x0000000002810000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-513485977-2495024337-1260977654-1000\desktop.ini

MD5 b267f4591d6432c2ea3842f36cb23890
SHA1 43c0ad7c7bb11faa849898ca9525eee4a86e6c31
SHA256 2ffb59c364a33737ce182b1983dfdc1f0987f38c88d80f1ad79264c6f5c37189
SHA512 48ec83b833451e8d6331d717ebd1e818a9b11113b61144a3c982660cf343be63344cee1e4ba6ca867ae3e03deadc53b1ebdfc626286ead8c5fbae7ce3ec351fa

F:\$RECYCLE.BIN\S-1-5-21-513485977-2495024337-1260977654-1000\DDDDDDDDDDD

MD5 91318b3e599e5e5becec27d3a103d3b5
SHA1 476dfaddc4f4dc4483de2c75572bc9818faa21be
SHA256 285e0f063e3ce8402c922a9bf059b0b08b795ad9998952e8b96ca97d7c641f6b
SHA512 d5203b90f8fec7908cb8577bfe538927c50fb744d868bf1c94bc298db2d3495e7d6f1ae60fc6548fb05d721b43926d0e619bf1f0c674773b006272fe72492981

C:\Users\sNLnicEVl.README.txt

MD5 885e5b5a0b7100068d7359be5025b479
SHA1 413e60216fd28e306c8ac910f7d317a88f3ea9e3
SHA256 3f8a1cf73e0f9fae26c30e80ff47c409799b697685cf31688e17e9f77e8e8ade
SHA512 804a5949d5d0cde73fb4c667b34cc14266a3dee9691277201f3bfdab99bfe1f8445ff64db8f5f2410528f4f9b96a5f069f90aaede998aa97489ea364f32e9b26

memory/852-2726-0x0000000002800000-0x0000000002810000-memory.dmp

memory/852-2727-0x0000000002800000-0x0000000002810000-memory.dmp
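
The Files section mixes two kinds of artifact: memory dumps the sandbox took of pid 852 (the same 64 KiB region, 0x2800000-0x2810000, dumped five times) and three dropped files with full hash sets, one of which, C:\Users\sNLnicEVl.README.txt, follows the LockBit 3.0 ransom-note naming convention of <id>.README.txt, where the same id is appended as the extension of encrypted files. The block below is an added example, not sandbox output and not the sample's code: it parses the section as printed above, checks that each hash has the length its algorithm requires, derives the expected encrypted-file extension from the note name (an inference from the LockBit 3.0 convention; the page itself lists no renamed files), and emits a SHA256 IOC list for blocklisting or retro-hunting.

```python
import re

# The Files section above, copied verbatim as constructed input.
FILES_TEXT = r"""
memory/852-0-0x0000000002800000-0x0000000002810000-memory.dmp
memory/852-1-0x0000000002800000-0x0000000002810000-memory.dmp
memory/852-2-0x0000000002800000-0x0000000002810000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-513485977-2495024337-1260977654-1000\desktop.ini
MD5 b267f4591d6432c2ea3842f36cb23890
SHA1 43c0ad7c7bb11faa849898ca9525eee4a86e6c31
SHA256 2ffb59c364a33737ce182b1983dfdc1f0987f38c88d80f1ad79264c6f5c37189
SHA512 48ec83b833451e8d6331d717ebd1e818a9b11113b61144a3c982660cf343be63344cee1e4ba6ca867ae3e03deadc53b1ebdfc626286ead8c5fbae7ce3ec351fa

F:\$RECYCLE.BIN\S-1-5-21-513485977-2495024337-1260977654-1000\DDDDDDDDDDD
MD5 91318b3e599e5e5becec27d3a103d3b5
SHA1 476dfaddc4f4dc4483de2c75572bc9818faa21be
SHA256 285e0f063e3ce8402c922a9bf059b0b08b795ad9998952e8b96ca97d7c641f6b
SHA512 d5203b90f8fec7908cb8577bfe538927c50fb744d868bf1c94bc298db2d3495e7d6f1ae60fc6548fb05d721b43926d0e619bf1f0c674773b006272fe72492981

C:\Users\sNLnicEVl.README.txt
MD5 885e5b5a0b7100068d7359be5025b479
SHA1 413e60216fd28e306c8ac910f7d317a88f3ea9e3
SHA256 3f8a1cf73e0f9fae26c30e80ff47c409799b697685cf31688e17e9f77e8e8ade
SHA512 804a5949d5d0cde73fb4c667b34cc14266a3dee9691277201f3bfdab99bfe1f8445ff64db8f5f2410528f4f9b96a5f069f90aaede998aa97489ea364f32e9b26

memory/852-2726-0x0000000002800000-0x0000000002810000-memory.dmp
memory/852-2727-0x0000000002800000-0x0000000002810000-memory.dmp
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}  # hex digits
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-(0x[0-9a-fA-F]+)-(0x[0-9a-fA-F]+)-memory\.dmp")
HASH_RE = re.compile(r"(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)")
# LockBit 3.0 convention: note is "<id>.README.txt", encrypted files get ".<id>".
# The id is inferred from the note name; the report lists no renamed files.
NOTE_RE = re.compile(r"([A-Za-z0-9]{9})\.README\.txt")


def triage_files(text):
    """Split the section into sandbox memory dumps and dropped files with hashes."""
    dumps, dropped, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP_RE.fullmatch(line)
        if m:
            pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
            dumps.append({"pid": pid, "seq": seq, "start": start, "size": end - start})
            current = None
            continue
        m = HASH_RE.fullmatch(line)
        if m:
            if current is not None:
                current["hashes"][m[1]] = m[2].lower()
            continue
        # anything else is a file path that starts a new dropped-file entry
        name = line.rsplit("\\", 1)[-1]
        note = NOTE_RE.fullmatch(name)
        current = {
            "path": line,
            "hashes": {},
            "ransom_note_id": note[1] if note else None,
            "expected_extension": "." + note[1] if note else None,
            "in_recycle_bin": "$recycle.bin" in line.lower(),
        }
        dropped.append(current)
    for entry in dropped:
        entry["hashes_valid"] = all(
            len(entry["hashes"].get(algo, "")) == n for algo, n in HASH_LEN.items()
        )
    return {"memory_dumps": dumps, "dropped": dropped}


def iocs(text):
    """path -> SHA256 for every dropped file, ready for a blocklist or hunt query."""
    return {e["path"]: e["hashes"]["SHA256"]
            for e in triage_files(text)["dropped"] if "SHA256" in e["hashes"]}


if __name__ == "__main__":
    result = triage_files(FILES_TEXT)
    for d in result["memory_dumps"]:
        print(f"dump pid={d['pid']} seq={d['seq']} start={d['start']:#x} size={d['size']:#x}")
    for e in result["dropped"]:
        flag = f" ransom note, expect extension {e['expected_extension']}" if e["ransom_note_id"] else ""
        print(f"{e['path']} hashes_valid={e['hashes_valid']}{flag}")
    print(iocs(FILES_TEXT))
```

The desktop.ini and DDDDDDDDDDD entries sit in $Recycle.Bin on two drives, which matches the "Drops desktop.ini file(s)" and "Enumerates physical storage devices" signatures; what DDDDDDDDDDD is for is not established by this report, so the script only records it and its hashes rather than guessing.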