Malware Analysis Report

2024-11-15 07:21

Sample ID 240314-etmf6sab7w
Target 6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630
SHA256 6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630
Tags
lockbit ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630

Threat Level: Known bad

The file 6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630 was found to be: Known bad.

Malicious Activity Summary

lockbit ransomware spyware stealer

Lockbit family

Lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Renames multiple (577) files with added filename extension

Renames multiple (318) files with added filename extension

Executes dropped EXE

Reads user/profile data of web browsers

Deletes itself

Loads dropped DLL

Drops desktop.ini file(s)

Drops file in System32 directory

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: RenamesItself

Suspicious behavior: EnumeratesProcesses

Modifies Control Panel

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-14 04:14

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-14 04:14

Reported

2024-03-14 04:16

Platform

win7-20240221-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe"

Signatures

Lockbit

ransomware lockbit

Renames multiple (318) files with added filename extension

ransomware

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\37C3.tmp | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\37C3.tmp | N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe | N/A
File opened for modification | C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe | N/A

Sets desktop wallpaper using registry

ransomware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\hi3mgYt1D.bmp" | C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\hi3mgYt1D.bmp" | C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe | N/A

Modifies Control Panel

evasion

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\hi3mgYt1D | C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\hi3mgYt1D\DefaultIcon\ = "C:\\ProgramData\\hi3mgYt1D.ico" | C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.hi3mgYt1D | C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.hi3mgYt1D\ = "hi3mgYt1D" | C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\hi3mgYt1D\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe

"C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe"

C:\ProgramData\37C3.tmp

"C:\ProgramData\37C3.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\37C3.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x14c

Network

N/A

Files

memory/1984-0-0x00000000021E0000-0x0000000002220000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini

MD5 ec6c6de479a04be858e6319edeb6e5c7
SHA1 5e520170da8ff45214ba3a0f93ff58fdc16f25c2
SHA256 dbd7837095a36ef1c400da111955c71c070a0679fe9592d04dabe05ca3d2aa95
SHA512 18848cfcbea50c3e19354570150eb91e23ad72fb75f912c1837cb32be1d66dc6e837e579aecf2f7c4e36293cf2a2af607f24cfa8b0398ee1a516ee9fbc06aa61

F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\GGGGGGGGGGG

MD5 06ee046b7aac24113477cc82848d3367
SHA1 ef65c70e63fd0643edd1663d9617beafaf61947d
SHA256 6fb94df7edb026be1b6ab5c21d59b4a078d92489dbb2de94f830b18587b371cd
SHA512 1928cca43259391d489d79dcf9cba2a0f46b62ff8d5243115a981d004eab67905b61457046d44581bca0a5b73f57388c4129c78fe84d56041b7d2590fc9d1cd5

C:\hi3mgYt1D.README.txt

MD5 170a331a9e66fd2a5c3de1277d081c7f
SHA1 149596b669db6c1ffe070bb0604bb14a36b7044b
SHA256 5c03309a0b042fa3145e72e67a214affaab86ad21b369e16f35b4103b7912dc5
SHA512 01e8dad53711840540abcaf819cef042e525cdcb8544df97f030470c54caa69ba488a8dad6f2ec38d85b638720376c38ed56df90508a22cd916e3eaf9a5b7e4f

\ProgramData\37C3.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/1256-844-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

memory/1256-845-0x0000000000480000-0x00000000004C0000-memory.dmp

memory/1256-848-0x000000007EF80000-0x000000007EF81000-memory.dmp

memory/1256-849-0x000000007EF20000-0x000000007EF21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 9155c07a80befbf51aae144a4c402082
SHA1 0d6819bb81d696b979bf1005e33b8e6bee9c0e40
SHA256 b9c9a5eed9a501c850f4b87013bc896b150577dade6454f5d0ea5dc2c72246bb
SHA512 735f934be446dced14e2854422a503bf9d694d01cbec37c0c75be78ed5948957fe16eab28def96b38f90878a93c10c890485d14461b655600b922bdcc9a467ba

memory/1256-876-0x000000007EF40000-0x000000007EF41000-memory.dmp

memory/1256-877-0x000000007EF60000-0x000000007EF61000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-14 04:14

Reported

2024-03-14 04:16

Platform

win10v2004-20240226-en

Max time kernel

14s

Max time network

27s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe"

Signatures

Lockbit

ransomware lockbit

Renames multiple (577) files with added filename extension

ransomware

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\6E6A.tmp | N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-3270530367-132075249-2153716227-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3270530367-132075249-2153716227-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\spool\PRINTERS\PPl6x6n0nlgs3b0ur0slhu7ac_.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A
File created | C:\Windows\system32\spool\PRINTERS\PP6duftjsdl0m5e0mp8qyotnosb.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A
File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | C:\Windows\splwow64.exe | N/A
File created | C:\Windows\system32\spool\PRINTERS\PP1grf9exhdq1pv7r9okxrt659d.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A

Sets desktop wallpaper using registry

ransomware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\hi3mgYt1D.bmp" | C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\hi3mgYt1D.bmp" | C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe | N/A

Modifies Control Panel

evasion

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.hi3mgYt1D | C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.hi3mgYt1D\ = "hi3mgYt1D" | C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\hi3mgYt1D\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\hi3mgYt1D | C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\hi3mgYt1D\DefaultIcon\ = "C:\\ProgramData\\hi3mgYt1D.ico" | C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
(The two rows above repeat in alternating pairs for the rest of the table: 24 AdjustPrivilegeToken events for SeBackupPrivilege and 24 for SeSecurityPrivilege, all from the same process; the 46 further identical rows are collapsed here. Re-enabling the backup and security privileges in lockstep is what a process does when it keeps opening files with backup semantics so that NTFS ACLs do not stop it.)
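The table above is easier to reason about as counts than as rows, and it contains one privilege the sandbox only recorded by number ("Token: 33"). The script below is an added example, not part of the sandbox output or of the report tooling: it parses rows of this exact "Token: <privilege> N/A <process> N/A" shape, resolves numeric LUIDs through the winnt.h SE_*_PRIVILEGE table, counts events per privilege, and flags the subset (SeBackup, SeRestore, SeTakeOwnership, SeSecurity, SeDebug, SeManageVolume) that lets a process bypass file ACLs, which is the set a file-encrypting payload wants. The flagged set is an analyst heuristic chosen here, not a rule from the report, and the embedded sample rows are a subset copied from the table above.

```python
"""Summarise AdjustPrivilegeToken rows from a Triage-style report (added example)."""
from __future__ import annotations

import re
from collections import Counter

# Privilege LUIDs as defined by the SE_*_PRIVILEGE constants in winnt.h.
PRIVILEGE_LUIDS = {
    2: "SeCreateTokenPrivilege", 3: "SeAssignPrimaryTokenPrivilege",
    4: "SeLockMemoryPrivilege", 5: "SeIncreaseQuotaPrivilege",
    6: "SeMachineAccountPrivilege", 7: "SeTcbPrivilege", 8: "SeSecurityPrivilege",
    9: "SeTakeOwnershipPrivilege", 10: "SeLoadDriverPrivilege",
    11: "SeSystemProfilePrivilege", 12: "SeSystemtimePrivilege",
    13: "SeProfileSingleProcessPrivilege", 14: "SeIncreaseBasePriorityPrivilege",
    15: "SeCreatePagefilePrivilege", 16: "SeCreatePermanentPrivilege",
    17: "SeBackupPrivilege", 18: "SeRestorePrivilege", 19: "SeShutdownPrivilege",
    20: "SeDebugPrivilege", 21: "SeAuditPrivilege", 22: "SeSystemEnvironmentPrivilege",
    23: "SeChangeNotifyPrivilege", 24: "SeRemoteShutdownPrivilege",
    25: "SeUndockPrivilege", 26: "SeSyncAgentPrivilege",
    27: "SeEnableDelegationPrivilege", 28: "SeManageVolumePrivilege",
    29: "SeImpersonatePrivilege", 30: "SeCreateGlobalPrivilege",
    31: "SeTrustedCredManAccessPrivilege", 32: "SeRelabelPrivilege",
    33: "SeIncreaseWorkingSetPrivilege", 34: "SeTimeZonePrivilege",
    35: "SeCreateSymbolicLinkPrivilege", 36: "SeDelegateSessionUserImpersonatePrivilege",
}

# Analyst heuristic (an assumption of this example, not a rule from the report):
# privileges that together let one process read, write or take ownership of any
# file, open any process, or touch the raw volume. Seeing all of them enabled by
# an unsigned binary is a red flag, not proof on its own.
ACL_BYPASS_PRIVILEGES = {
    "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
    "SeSecurityPrivilege", "SeDebugPrivilege", "SeManageVolumePrivilege",
}

# Columns: Description ("Token: X"), Indicator, Process, Target.
ROW_RE = re.compile(r"^Token:\s+(\S+)\s+(\S+)\s+(.+?)\s+(\S+)\s*$")


def resolve_privilege(token: str) -> str:
    """Map a LUID the sandbox failed to name back to its Se* privilege name."""
    if token.isdigit():
        return PRIVILEGE_LUIDS.get(int(token), f"UnknownLuid{token}")
    return token


def parse_privilege_rows(text: str) -> list[tuple[str, str]]:
    """Return (privilege, process) pairs for every 'Token:' row in the text."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((resolve_privilege(m.group(1)), m.group(3)))
    return rows


def summarize(rows: list[tuple[str, str]]) -> Counter:
    """Count AdjustPrivilegeToken events per privilege across all processes."""
    return Counter(priv for priv, _ in rows)


def acl_bypass_privileges(counts: Counter) -> set[str]:
    """Subset of the ACL-bypass heuristic that was actually enabled."""
    return ACL_BYPASS_PRIVILEGES & set(counts)


# Subset of rows copied from the report table above (same process for all).
SAMPLE_ROWS = r"""
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe N/A
"""

if __name__ == "__main__":
    counts = summarize(parse_privilege_rows(SAMPLE_ROWS))
    for priv, n in counts.most_common():
        print(f"{n:3d}  {priv}")
    print("ACL-bypass privileges enabled:", sorted(acl_bypass_privileges(counts)))
```

Feed the whole table (or a full report export) to parse_privilege_rows instead of SAMPLE_ROWS to get real counts; the process column is kept in each pair so the same counts can be split per image when more than one process appears.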

Processes

Image: C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6b4502d8ba3cff1a3139f72cdad863d53551b65b8c38d7b838d64212822e4630.exe"

Image: C:\Windows\splwow64.exe
Command line: C:\Windows\splwow64.exe 12288

Image: C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

Image: C:\Windows\system32\printfilterpipelinesvc.exe
Command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding

Image: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
Command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{758F371A-98ED-4353-8C21-15B267A5A493}.xps" 133548632536560000

Image: C:\ProgramData\6E6A.tmp
Command line: "C:\ProgramData\6E6A.tmp"

Reading the list: splwow64.exe, the PrintWorkflowUserSvc service host, printfilterpipelinesvc.exe and ONENOTE.EXE /insertdoc of an .xps file are the Windows print pipeline delivering a spooled job to the OneNote printer. None of them is malware; the chain is consistent with LockBit 3.0 printing its ransom note to every available printer, which on this analysis VM is OneNote. C:\ProgramData\6E6A.tmp is the dropped EXE behind the "Executes dropped EXE" and "Deletes itself" signatures (its hashes are under Files); a short-lived helper launched from ProgramData that removes the original binary is LockBit 3.0's usual self-deletion step. The original sample path and this .tmp path are the two process images worth hunting for.

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
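Every row in the Network table is a reverse (PTR) lookup sent to 8.8.8.8: the "Domain" column holds the DNS query name, and a name of the form d.c.b.a.in-addr.arpa is the address a.b.c.d with its octets reversed. Nothing in the table records a connection to the resolved hosts, only that their names were looked up, so these entries should not be read as contacted domains. The script below is an added example, not report tooling: it parses rows of this table's shape, classifies each query as PTR or forward, and recovers the pivotable address, for IPv6 nibble names (ip6.arpa) as well as the IPv4 case shown here. The embedded sample rows are copied from the table above.

```python
"""Recover addresses from PTR query names in a Triage-style Network table (added example)."""
from __future__ import annotations

import ipaddress
import re

# Columns: Country, Destination (ip:port), Domain (query name), Proto.
ROW_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+(\S+)\s+(\S+)$")


def arpa_to_ip(name: str) -> str | None:
    """Reverse an in-addr.arpa / ip6.arpa name into its IP; None if it is not one."""
    n = name.rstrip(".").lower()
    try:
        if n.endswith(".in-addr.arpa"):
            octets = n[: -len(".in-addr.arpa")].split(".")
            if len(octets) != 4:
                return None  # partial (classless) reverse zones are not an address
            return str(ipaddress.IPv4Address(".".join(reversed(octets))))
        if n.endswith(".ip6.arpa"):
            nibbles = n[: -len(".ip6.arpa")].split(".")
            if len(nibbles) != 32 or any(len(x) != 1 for x in nibbles):
                return None
            hexstr = "".join(reversed(nibbles))
            groups = (hexstr[i:i + 4] for i in range(0, 32, 4))
            return str(ipaddress.IPv6Address(":".join(groups)))
    except ValueError:  # out-of-range octet or non-hex nibble
        return None
    return None


def parse_network_rows(text: str) -> list[dict]:
    """Parse table rows; the header line does not match and is skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        country, resolver, port, name, proto = m.groups()
        ip = arpa_to_ip(name)
        rows.append({
            "country": country, "resolver": resolver, "port": int(port),
            "query": name, "proto": proto,
            "kind": "PTR" if ip else "forward", "pivot_ip": ip,
        })
    return rows


def pivot_addresses(rows: list[dict]) -> list[str]:
    """Unique addresses recovered from PTR queries, in numeric order."""
    ips = {r["pivot_ip"] for r in rows if r["pivot_ip"]}
    return sorted(ips, key=lambda s: (ipaddress.ip_address(s).version, ipaddress.ip_address(s)))


# Rows copied from the Network table above.
SAMPLE_NETWORK = """
Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
"""

if __name__ == "__main__":
    parsed = parse_network_rows(SAMPLE_NETWORK)
    for r in parsed:
        print(f"{r['kind']:8s} {r['query']:35s} -> {r['pivot_ip']}")
    print("addresses to pivot on:", pivot_addresses(parsed))
```

The recovered addresses are what to check against threat intelligence or the organisation's own address ranges; the query names themselves are not indicators.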

Files

memory/1760-0-0x0000000003120000-0x0000000003130000-memory.dmp

memory/1760-1-0x0000000003120000-0x0000000003130000-memory.dmp

memory/1760-2-0x0000000003120000-0x0000000003130000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3270530367-132075249-2153716227-1000\desktop.ini

MD5 df9eb6c4ea9447532d2a11a9f855dae8
SHA1 7b8306629ce8fd6a81062fbd1d69d418057b8c79
SHA256 b765817b30336638bfd64a1868685d509cc500ba026f8b87ba79980ca580e2cf
SHA512 0f42ec8f03d7a2b3d3aee8f55f724d909ccc22f67d8f510306aa8a32a55088596f10222d635c63acd908afdbd91214db53d815b796da94ba3f637d5e4cb3a0de

F:\$RECYCLE.BIN\S-1-5-21-3270530367-132075249-2153716227-1000\DDDDDDDDDDD

MD5 969c41c4c325e2d6805eae163d6b6081
SHA1 a70c6cb20460be906a264ad237f60c37da75881c
SHA256 b29ed94e7a41146cd5bfacc411dec415cf08814d838f6d620401c2bc7645eb30
SHA512 3fcc779d4fa57c7b7712a605e62a215ef4d49ab4b825f0359b94365251c69c82f166b55f2472ca76a3bd57e032661ca0d362fad5cc5556cdd2bf08298d8a3205

C:\hi3mgYt1D.README.txt

MD5 444365121dee5baeaa1326e8fcdc087e
SHA1 758f11d7d406d5f07f3ed645d380640608d60f8e
SHA256 fa7abba59c84417df94dd927be28d5c36505997957313e5d5c78410cf77d281d
SHA512 2c43bdd338a8883dbd34663bcde1899c3c19f2efd0dde75735a6b8fcabca3e6d5fa67f5854525ce89f73dedc911d3fa85e29ab91ee7794d1b80a22c71daa02d7

C:\ProgramData\6E6A.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
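The ransom-note name C:\hi3mgYt1D.README.txt carries more than its hash: LockBit 3.0 names the note after the extension it appends to encrypted files, so .hi3mgYt1D is the extension behind the "Renames multiple files with added filename extension" signature, and the same note is dropped into every directory it touches. The script below is an added triage example, not report tooling: it derives the extension from any <ext>.README.txt name it finds, walks a directory for notes and files carrying that extension, and checks SHA-256 values against the dropped files recorded above. The sample tree it builds is constructed here with made-up contents, so its file names follow the report but its hashes do not; pass a real directory and the report hashes to use it for real.

```python
"""Triage a directory tree for LockBit 3.0 artifacts listed under Files (added example)."""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path

NOTE_SUFFIX = ".README.txt"

# SHA-256 values copied from the Files table above.
REPORT_HASHES = {
    "917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2":
        "C:\\ProgramData\\6E6A.tmp (dropped EXE)",
    "fa7abba59c84417df94dd927be28d5c36505997957313e5d5c78410cf77d281d":
        "C:\\hi3mgYt1D.README.txt (ransom note)",
    "b765817b30336638bfd64a1868685d509cc500ba026f8b87ba79980ca580e2cf":
        "C:\\$Recycle.Bin\\S-1-5-21-3270530367-132075249-2153716227-1000\\desktop.ini",
    "b29ed94e7a41146cd5bfacc411dec415cf08814d838f6d620401c2bc7645eb30":
        "F:\\$RECYCLE.BIN\\S-1-5-21-3270530367-132075249-2153716227-1000\\DDDDDDDDDDD",
}


def extension_from_note(note_name: str) -> str | None:
    """'hi3mgYt1D.README.txt' -> '.hi3mgYt1D'; None for any other name."""
    if not note_name.endswith(NOTE_SUFFIX):
        return None
    ext = note_name[: -len(NOTE_SUFFIX)]
    return "." + ext if ext else None


def sha256_of(path) -> str:
    """Streamed SHA-256 so large encrypted files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, known_hashes: dict = REPORT_HASHES) -> dict:
    """Find ransom notes, files carrying the note-derived extension, and
    files whose SHA-256 matches a recorded dropped file."""
    root = Path(root)
    files = [p for p in root.rglob("*") if p.is_file()]
    notes = [p for p in files if extension_from_note(p.name)]
    extensions = {extension_from_note(p.name) for p in notes}
    encrypted = [p for p in files
                 if p not in notes and any(p.name.endswith(e) for e in extensions)]
    matched = []
    for p in files:
        digest = sha256_of(p)
        if digest in known_hashes:
            matched.append((p.relative_to(root).as_posix(), known_hashes[digest]))
    return {
        "extensions": sorted(extensions),
        "notes": sorted(p.relative_to(root).as_posix() for p in notes),
        "encrypted": sorted(p.relative_to(root).as_posix() for p in encrypted),
        "hash_matches": sorted(matched),
    }


def build_sample_tree() -> str:
    """Construct a throwaway directory that mimics the post-encryption layout.
    Contents are made up; only the names follow the report."""
    root = Path(tempfile.mkdtemp(prefix="lockbit-triage-"))
    docs = root / "Users" / "Admin" / "Documents"
    docs.mkdir(parents=True)
    (root / "ProgramData").mkdir()
    (root / "hi3mgYt1D.README.txt").write_text("constructed note body\n")
    (docs / "hi3mgYt1D.README.txt").write_text("constructed note body\n")
    (docs / "budget.xlsx.hi3mgYt1D").write_bytes(os.urandom(64))
    (docs / "untouched.md").write_text("not encrypted\n")
    (root / "ProgramData" / "6E6A.tmp").write_bytes(b"MZ constructed stand-in, not the real helper\n")
    return str(root)


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for key, value in scan_tree(sample_root).items():
        print(f"{key}: {value}")
```

On a live host, run scan_tree against the volume roots (the report shows notes and recycle-bin artifacts on both C: and F:) and treat any hash match as confirmation of this exact build; encrypted-file and note hits identify the affected scope even when the binary has already removed itself.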