Malware Analysis Report

2024-11-13 14:57

Sample ID 240314-ezapkacf36
Target c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2
SHA256 c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2
Tags
lockbit ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2

Threat Level: Known bad

The file c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2 was found to be: Known bad.

Malicious Activity Summary

lockbit ransomware

Rule to detect Lockbit 3.0 ransomware Windows payload

Lockbit family

Lockbit

Executes dropped EXE

Deletes itself

Loads dropped DLL

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Modifies Control Panel

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Analysis: static1

Detonation Overview

Reported

2024-03-14 04:22

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-14 04:22

Reported

2024-03-14 04:24

Platform

win7-20240221-en

Max time kernel

145s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe"

Signatures

Lockbit

ransomware lockbit

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\3B9A.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\3B9A.tmp N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-778096762-2241304387-192235952-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-778096762-2241304387-192235952-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\ddbPFTiN9.bmp" C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\ddbPFTiN9.bmp" C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ddbPFTiN9 C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ddbPFTiN9\DefaultIcon\ = "C:\\ProgramData\\ddbPFTiN9.ico" C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ddbPFTiN9 C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ddbPFTiN9\ = "ddbPFTiN9" C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ddbPFTiN9\DefaultIcon C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe

"C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe"

C:\ProgramData\3B9A.tmp

"C:\ProgramData\3B9A.tmp"

Network

N/A

Files

memory/1660-0-0x0000000000270000-0x00000000002B0000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-778096762-2241304387-192235952-1000\desktop.ini

MD5 5e1b1fefc2b4b375bdfedb7ba132018f
SHA1 b29c15ce021fd91bf853b07305e5c0b8231649f8
SHA256 c7c35570cdc8d08a1e069ed79f469e06f7163acdfb65e61debe54447ab8e642a
SHA512 361aaf3c243994d4ad00cffdff76638d77dda085db87b84a5b32e8b66f2b497a8401953a3e965d6834d329b141e8dede557212718f85cdf31864b8157a50d2f2

F:\$RECYCLE.BIN\S-1-5-21-778096762-2241304387-192235952-1000\DDDDDDDDDDD

MD5 5b7ed3d9ab148e0cd95aab523e29b183
SHA1 31f8107eb7df3a9efdd5e7d43a4c35752bbd7bf8
SHA256 030e2d9026c0742167f650b6ac6113ec3611a0fb4668f1883c8af30c9a3feb87
SHA512 ee13958db35783a5b4931ed8ea3d390cba219df851b063dc345a8a135f8549f3ec22a866a524219f39f72a96faa6e5fb9bd451e86b7d7573849bb3b0328734d0

C:\Users\ddbPFTiN9.README.txt

MD5 d55ed51211969c2eedd4bf00b31cd85d
SHA1 8b43a217c6f9bb41036a042c6127600228ca893b
SHA256 86ac9ba4c42e4d804f5d160a9f39d1793afc5723db5820c31b6d734b8455d131
SHA512 1a504550cf2fe491a9a9ad2f9f73fd1bf97f23133f77b6fd2619bdbc546726456edcae70944674f3458d3509654a88dcb2d2e450bd7f866be780e12b3bbc32c0

\ProgramData\3B9A.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/1276-306-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

memory/1276-308-0x0000000002250000-0x0000000002290000-memory.dmp

memory/1276-314-0x000000007EF20000-0x000000007EF21000-memory.dmp

memory/1276-313-0x000000007EF80000-0x000000007EF81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 12ff999b58fa5d83895ad1634f8a5733
SHA1 17efa79e305594f86ff755fcfee3b59462cdb57a
SHA256 5821e910674f1961ba7415a2f5c4cde9945e5d9ab52de214e7e686c86980e8ad
SHA512 8ebdc11de8dff7a4b00b161601deae841b2ae0a780051b9023864406e199536cf34e83573b0e35339c791f879526096bbb20feea5e808e1603fe45a35d59d2f3

memory/1276-339-0x0000000002250000-0x0000000002290000-memory.dmp

memory/1276-338-0x0000000002250000-0x0000000002290000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-14 04:22

Reported

2024-03-14 04:25

Platform

win10v2004-20240226-en

Max time kernel

157s

Max time network

187s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe"

Signatures

Lockbit

ransomware lockbit

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\FBB2.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\FBB2.tmp N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-3045580317-3728985860-206385570-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3045580317-3728985860-206385570-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\spool\PRINTERS\00002.SPL C:\Windows\splwow64.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PP90vwn6uc_b57a1dhrrx0igb1b.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPa3t3ow4t43jn6vc80y6mwdl6b.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPipvpvgbcc8tjsrmixjw94hrb.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\ddbPFTiN9.bmp" C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\ddbPFTiN9.bmp" C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ddbPFTiN9 C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ddbPFTiN9\ = "ddbPFTiN9" C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ddbPFTiN9\DefaultIcon C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ddbPFTiN9 C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ddbPFTiN9\DefaultIcon\ = "C:\\ProgramData\\ddbPFTiN9.ico" C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe

"C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Windows\system32\printfilterpipelinesvc.exe -Embedding

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{A3CBEE87-4F6F-4618-AC45-7B46955E8431}.xps" 133548638344150000

C:\ProgramData\FBB2.tmp

"C:\ProgramData\FBB2.tmp"

Network

Country  Destination         Domain                       Proto
US       8.8.8.8:53          0.159.190.20.in-addr.arpa    udp
US       8.8.8.8:53          209.205.72.20.in-addr.arpa   udp
US       8.8.8.8:53          194.178.17.96.in-addr.arpa   udp
US       8.8.8.8:53          9.228.82.20.in-addr.arpa     udp
US       8.8.8.8:53          g.bing.com                   udp
US       204.79.197.200:443  g.bing.com                   tcp
US       8.8.8.8:53          57.169.31.20.in-addr.arpa    udp
US       8.8.8.8:53          41.110.16.96.in-addr.arpa    udp
US       8.8.8.8:53          228.249.119.40.in-addr.arpa  udp
US       8.8.8.8:53          26.165.165.52.in-addr.arpa   udp
US       8.8.8.8:53          15.164.165.52.in-addr.arpa   udp
US       8.8.8.8:53          43.58.199.20.in-addr.arpa    udp
US       8.8.8.8:53          tse1.mm.bing.net             udp
US       204.79.197.200:443  tse1.mm.bing.net             tcp
US       204.79.197.200:443  tse1.mm.bing.net             tcp
US       204.79.197.200:443  tse1.mm.bing.net             tcp
US       204.79.197.200:443  tse1.mm.bing.net             tcp
US       204.79.197.200:443  tse1.mm.bing.net             tcp
US       8.8.8.8:53          217.135.221.88.in-addr.arpa  udp
US       8.8.8.8:53          104.219.191.52.in-addr.arpa  udp
US       8.8.8.8:53          0.205.248.87.in-addr.arpa    udp
US       8.8.8.8:53          46.28.109.52.in-addr.arpa    udp
US       8.8.8.8:53          170.117.168.52.in-addr.arpa  udp
US       8.8.8.8:53          66.112.168.52.in-addr.arpa   udp

Files

memory/452-0-0x0000000003110000-0x0000000003120000-memory.dmp

memory/452-1-0x0000000003110000-0x0000000003120000-memory.dmp

memory/452-2-0x0000000003110000-0x0000000003120000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3045580317-3728985860-206385570-1000\YYYYYYYYYYY

MD5 fa327cc5c685bf8952aad623a7c74b06
SHA1 0ddfd3a1405d26014dcf662f69772236484640c4
SHA256 bcbb9e47a01db4f82451d63b25116272d984a1e6b56b5b4365a627b0e64d7a74
SHA512 20e0f8ef153a9077117adfa267a33599c616b0c03a6eab6590f46c8d4cd16ff2648bf2ae05b37b3303068148902f34f25446cc08d9186f46e296d08b6b966d11

F:\$RECYCLE.BIN\S-1-5-21-3045580317-3728985860-206385570-1000\DDDDDDDDDDD

MD5 706b4c019d3c725a6123811cc3592d9a
SHA1 811d16b5558a36a778d6df3e374565661f075b22
SHA256 6e0a640c3ed3c115e59c036df2aaf5ce13aff639b7f83b53e538af96ab814f3d
SHA512 7967e9a4e3ed33c3f94da13d1a1eacc9b922a5ce6526d1115954115272658cbe0174663c9b367858132bb816fe5d3687ef7ac2ef3043004de751d79268339a9f

C:\Users\ddbPFTiN9.README.txt

MD5 171cc86fa907cf1d7ff502d38c97ebb9
SHA1 1b4002d6374ce5a51f5954d7f213cfa0bb5a4bb8
SHA256 0a6f8d73610814444ae8aa16e75d8239c9d77be22f97de78c851a8f25331fe30
SHA512 4d21b8f99d6a65f9964174f30848ff9cf1aced1f6d37ab9156cb3cf1b1ba7ffb9be229a5f9987c80c564a79d63596d83e6847a4c85118a395dc3083f5939a4c8

memory/452-282-0x0000000003110000-0x0000000003120000-memory.dmp

memory/452-283-0x0000000003110000-0x0000000003120000-memory.dmp

memory/452-284-0x0000000003110000-0x0000000003120000-memory.dmp

C:\ProgramData\FBB2.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/3708-300-0x00007FF9369B0000-0x00007FF9369C0000-memory.dmp

memory/3708-301-0x00007FF976930000-0x00007FF976B25000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 521f5f8bc091bf97cd97ac5b5a48a791
SHA1 daabeed028298700a1a327145ad052b0866d8862
SHA256 3f5c8d33599e0b57a1685e2ba103f12a6bf5170724404048ea3df6e46d7bc725
SHA512 08400985ad43ee61d1a8c9c4eb14e2701738813adcc7346e80ffb09ff052cd4296d21e0c9052aa5830fbd80817b2a4f441832c23eb14b2867aa4df4a01f8cb9c

memory/3708-303-0x00007FF976930000-0x00007FF976B25000-memory.dmp

memory/3708-304-0x00007FF9369B0000-0x00007FF9369C0000-memory.dmp

memory/3708-302-0x00007FF9369B0000-0x00007FF9369C0000-memory.dmp

memory/3708-333-0x00007FF976930000-0x00007FF976B25000-memory.dmp

memory/3708-334-0x00007FF976930000-0x00007FF976B25000-memory.dmp

memory/3708-335-0x00007FF9369B0000-0x00007FF9369C0000-memory.dmp

memory/3708-338-0x00007FF9369B0000-0x00007FF9369C0000-memory.dmp

memory/3132-337-0x0000000002500000-0x0000000002510000-memory.dmp

memory/3132-341-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

memory/3132-339-0x0000000002500000-0x0000000002510000-memory.dmp

memory/3708-336-0x00007FF976930000-0x00007FF976B25000-memory.dmp

memory/3132-340-0x000000007FE20000-0x000000007FE21000-memory.dmp

memory/3708-342-0x00007FF976930000-0x00007FF976B25000-memory.dmp

memory/3708-343-0x00007FF976930000-0x00007FF976B25000-memory.dmp

memory/3708-345-0x00007FF976930000-0x00007FF976B25000-memory.dmp

memory/3708-346-0x00007FF976930000-0x00007FF976B25000-memory.dmp

memory/3708-344-0x00007FF934420000-0x00007FF934430000-memory.dmp

memory/3708-347-0x00007FF976930000-0x00007FF976B25000-memory.dmp

memory/3708-349-0x00007FF976930000-0x00007FF976B25000-memory.dmp

memory/3708-350-0x00007FF976930000-0x00007FF976B25000-memory.dmp

memory/3708-348-0x00007FF934420000-0x00007FF934430000-memory.dmp

memory/3708-351-0x00007FF976930000-0x00007FF976B25000-memory.dmp

memory/3708-352-0x00007FF976930000-0x00007FF976B25000-memory.dmp

memory/3132-353-0x000000007FE40000-0x000000007FE41000-memory.dmp

memory/3708-360-0x00007FF976930000-0x00007FF976B25000-memory.dmp

memory/3132-361-0x0000000002500000-0x0000000002510000-memory.dmp

memory/3132-362-0x0000000002500000-0x0000000002510000-memory.dmp