Malware Analysis Report

2024-11-13 14:58

Sample ID: 240314-ezp49acf45
Target: d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3
SHA256: d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3
Tags: lockbit ransomware
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3

Threat Level: Known bad

The file d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3 was found to be: Known bad.

Malicious Activity Summary

lockbit ransomware

Rule to detect Lockbit 3.0 ransomware Windows payload

Lockbit family

Lockbit

Loads dropped DLL

Executes dropped EXE

Deletes itself

Drops desktop.ini file(s)

Suspicious use of NtSetInformationThreadHideFromDebugger

Sets desktop wallpaper using registry

Drops file in System32 directory

Unsigned PE

Checks processor information in registry

Modifies registry class

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: RenamesItself

Modifies Control Panel

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-14 04:22

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-14 04:22

Reported: 2024-03-14 04:26

Platform: win7-20240221-en

Max time kernel: 119s

Max time network: 130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe"

Signatures

Lockbit

ransomware lockbit

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\1C76.tmp | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\1C76.tmp | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3787592910-3720486031-2929222812-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
File opened for modification | C:\$Recycle.Bin\S-1-5-21-3787592910-3720486031-2929222812-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\5XKuA1aj2.bmp" | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\5XKuA1aj2.bmp" | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A

Modifies Control Panel

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.5XKuA1aj2 | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.5XKuA1aj2\ = "5XKuA1aj2" | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\5XKuA1aj2\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\5XKuA1aj2 | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\5XKuA1aj2\DefaultIcon\ = "C:\\ProgramData\\5XKuA1aj2.ico" | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe

"C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe"

C:\ProgramData\1C76.tmp

"C:\ProgramData\1C76.tmp"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x154

Network

N/A

Files

memory/2108-0-0x00000000022B0000-0x00000000022F0000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3787592910-3720486031-2929222812-1000\BBBBBBBBBBB

MD5 d688a63679b072e0001b43b73ba10f11
SHA1 ec162aa906fe02667d2fe875b4db5e893efc86d4
SHA256 10ce6fda71f422651fe783cb61fd3f8443d9df46e697292f73aba6b4be895136
SHA512 cd6b44fc8c98d5f314501656ab9d474e59ecc0f6a9b21757d82cd36ce3f25849be9115bb1e488ab2e3b5a86829f4f61a302bc8635c497a469574e6b178e9e1fe

C:\Users\5XKuA1aj2.README.txt

MD5 e2ff2226df731e9f35ce8a4e26de52b2
SHA1 31c91e836ca631d50368a507a072be7cfaee01d2
SHA256 1d9cebabb11049b8b0879a2603b1ee4209b64dfbdee2e1f977060fb7a11fe4fe
SHA512 ceb46b5ade75cfc249db8de89b91de98af10aea6e668413ecf88a8b232dc1885c9487e030d5d4cd257bc62f8ef94cd9fc97480b185e37e5f039ca848e10ddbf8

F:\$RECYCLE.BIN\S-1-5-21-3787592910-3720486031-2929222812-1000\DDDDDDDDDDD

MD5 c54d6632c8e1368adfe14882cfd5425b
SHA1 e3c237078837dff1adb52e4935bd9e43c2aabcfd
SHA256 cab2bc8906116ad6005427cf7711145bff2dc7942f4ae95bd6acfdeae25f2859
SHA512 45ec13a06711086b38d09dd21441319a1e20922b1b4507ee26d81325788c274e19ab30333bf074befbe0937f27babb1d5d748c59424ebdc8b5c891d5d74b8a41

\ProgramData\1C76.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/2492-301-0x0000000001FF0000-0x0000000002030000-memory.dmp

memory/2492-299-0x0000000000400000-0x0000000000407000-memory.dmp

memory/2492-302-0x000000007EF80000-0x000000007EF81000-memory.dmp

memory/2492-303-0x000000007EF20000-0x000000007EF21000-memory.dmp

memory/2492-305-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 539ba15f29d10727509ef9ae0e604857
SHA1 db85187c0b468bfa54a74915b0f291974b7ea1a4
SHA256 97a34540817367cf53849ecfa734680c4c21cde15d5d6e52a7231df170a7e45c
SHA512 1f57a7385ea6b5e23b44ca9edb1fdac81e66258e00f449775fa2fb04fbd8fbfe578e7f3ee05150b8c22a2bf8de56511485a7328b4040ad9595f6e10aaa6cdd02

memory/2492-333-0x0000000000400000-0x0000000000407000-memory.dmp

memory/2492-334-0x0000000001FF0000-0x0000000002030000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-14 04:22

Reported: 2024-03-14 04:23

Platform: win10v2004-20240226-en

Max time kernel: 52s

Max time network: 55s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe"

Signatures

Lockbit

ransomware lockbit

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\6487.tmp | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\6487.tmp | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-399997616-3400990511-967324271-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-399997616-3400990511-967324271-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | C:\Windows\splwow64.exe | N/A
File created | C:\Windows\system32\spool\PRINTERS\PP0idlia_hiscq0ba0swddv2qf.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A
File created | C:\Windows\system32\spool\PRINTERS\PPupdb7vn3n0s5pvz7myk22s6qc.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A
File created | C:\Windows\system32\spool\PRINTERS\PP06gs6o4727l7eblba70uk07f.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\5XKuA1aj2.bmp" | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\5XKuA1aj2.bmp" | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A

Modifies Control Panel

evasion
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\5XKuA1aj2\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\5XKuA1aj2 | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\5XKuA1aj2\DefaultIcon\ = "C:\\ProgramData\\5XKuA1aj2.ico" | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.5XKuA1aj2 | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.5XKuA1aj2\ = "5XKuA1aj2" | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe

"C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Windows\system32\printfilterpipelinesvc.exe -Embedding

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{23738028-18A8-4E52-A1AF-CDA83EF1C42A}.xps" 133548637839330000

C:\ProgramData\6487.tmp

"C:\ProgramData\6487.tmp"
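
The AdjustPrivilegeToken rows above show the sample enabling SeBackupPrivilege and SeSecurityPrivilege repeatedly (SeBackupPrivilege lets a process read files regardless of their ACLs, which a file encryptor benefits from before it walks the disk; SeSecurityPrivilege is the right needed to manage audit policy and clear the Security log), and the process list shows it then running C:\ProgramData\6487.tmp, a dropped file with a non-executable extension. The splwow64.exe / PrintWorkflowUserSvc / printfilterpipelinesvc.exe / ONENOTE.EXE /insertdoc chain is the Windows print path (ONENOTE.EXE /insertdoc on an .xps file is what the Send to OneNote printer produces), so it is a print job issued on the sandbox rather than the sample touching Office. The report gives no PIDs or parent links for the process list, so the correlation below is an added example and not part of the report or of any vendor tooling: it runs two rules over constructed Windows Security events, 4703 ("A user right was adjusted", which carries ProcessName and EnabledPrivilegeList) and 4688 ("A new process has been created", where ProcessId is the creator's PID), rendered as simplified key=value lines rather than the real XML. The PIDs, the wbengine.exe and ONENOTE.EXE control lines, and the user-writable path list are all assumptions made for the example.

```python
"""Detection logic for the two behaviours in this report: a process running from a
user-writable directory enabling SeBackupPrivilege / SeSecurityPrivilege (Security
event 4703, "A user right was adjusted") and that same process launching a dropped
non-.exe image from C:\\ProgramData (Security event 4688, "A new process has been
created").  SAMPLE_EVENTS is constructed for this example: real events are XML, and
only the fields used here are reproduced as key=value text."""
import re
from collections import defaultdict

SAMPLE_EVENTS = r"""
EventID=4688 NewProcessId=0x8f4 ProcessId=0x5dc NewProcessName=C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe
EventID=4703 ProcessId=0x8f4 ProcessName=C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe EnabledPrivilegeList=SeBackupPrivilege
EventID=4703 ProcessId=0x8f4 ProcessName=C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe EnabledPrivilegeList=SeSecurityPrivilege
EventID=4688 NewProcessId=0xa10 ProcessId=0x8f4 NewProcessName=C:\ProgramData\6487.tmp
EventID=4703 ProcessId=0x41c ProcessName=C:\Windows\System32\wbengine.exe EnabledPrivilegeList=SeBackupPrivilege
EventID=4688 NewProcessId=0x300 ProcessId=0x2a0 NewProcessName=C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
"""

# Paths a standard user can write to (assumed list).  A process enabling backup /
# security privileges from here has no normal reason to exist; wbengine.exe in
# System32 (Windows Backup) does the same legitimately and must not fire.
USER_WRITABLE = re.compile(r"^C:\\(Users\\[^\\]+\\AppData\\|ProgramData\\|Users\\Public\\)", re.I)
# The two privileges this sample toggles; widen the set for your own rules.
SENSITIVE_PRIVS = {"SeBackupPrivilege", "SeSecurityPrivilege"}
# key=value pairs; a value runs until the next " Key=" so paths with spaces survive.
KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")


def parse_events(text):
    """Turn the key=value lines into one dict per event."""
    return [dict(KV.findall(line)) for line in text.strip().splitlines() if line.strip()]


def find_suspects(events):
    """Return {process image: [reasons]} for processes that trip either rule."""
    # NewProcessId -> image, so a 4688 creator PID can be attributed to an image.
    image_of = {e["NewProcessId"]: e["NewProcessName"] for e in events if e["EventID"] == "4688"}
    hits = defaultdict(list)
    for e in events:
        if e["EventID"] == "4703":
            privs = SENSITIVE_PRIVS & {p.strip() for p in e.get("EnabledPrivilegeList", "").split(",")}
            if privs and USER_WRITABLE.match(e["ProcessName"]):
                hits[e["ProcessName"]].append(
                    f"enabled {', '.join(sorted(privs))} from a user-writable path (pid {e['ProcessId']})")
        elif e["EventID"] == "4688":
            image = e["NewProcessName"]
            if image.lower().startswith("c:\\programdata\\") and not image.lower().endswith(".exe"):
                # In 4688, ProcessId is the creator; charge the launch to that image.
                parent = image_of.get(e["ProcessId"], f"<unknown pid {e['ProcessId']}>")
                hits[parent].append(f"launched dropped non-.exe image {image} (pid {e['NewProcessId']})")
    return dict(hits)


if __name__ == "__main__":
    for proc, reasons in find_suspects(parse_events(SAMPLE_EVENTS)).items():
        print(proc)
        for r in reasons:
            print("  -", r)
```

Run against the constructed events, only the sample's image is reported, with three reasons in event order: the two privilege enables and the launch of 6487.tmp; wbengine.exe and ONENOTE.EXE stay quiet. Keying the result by image path rather than PID is deliberate: the report itself only gives paths, so that is the field you can match back against it.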

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
GB 92.123.128.167:443 www.bing.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 167.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp

Files

memory/2292-1-0x0000000002CE0000-0x0000000002CF0000-memory.dmp

memory/2292-0-0x0000000002CE0000-0x0000000002CF0000-memory.dmp

memory/2292-2-0x0000000002CE0000-0x0000000002CF0000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-399997616-3400990511-967324271-1000\DDDDDDDDDDD

MD5 e590007a35ed85a70c45d5b831f590fa
SHA1 1682685f7e4795c88d4f9d97b29d78190baf3853
SHA256 bc568b89da40ad530927f0418d203f9021cb1b35a21401991a2e43db9cf7763b
SHA512 31bb5bd933b35a740bf37fbe1edec5d898e369c3a812279715d26bf991e569caca8fe942c79fff631b610a117f0c542a8dcebd93684b0e9a847aefa7c09f7e63

C:\$Recycle.Bin\S-1-5-21-399997616-3400990511-967324271-1000\FFFFFFFFFFF

MD5 8ad5e7ff7f2bb928da81c8bda768d397
SHA1 c22a8cba345936279979312a39c51cd673d30f8c
SHA256 a03da6840ad8937f43354423804cc2b13b1477b16eed7a888a33fafd13d061b1
SHA512 fd64daeac28f8df65ec644bbb85cb48a3b8c8f073eac6470a0c8fd545dcc74978f193e4c857710cdc4fb8784329ca7a20627b72dfa5f6424c624767a42ecc890

C:\5XKuA1aj2.README.txt

MD5 29925258b83173f167ede9942f48e672
SHA1 985c6408bd9e1ebc10d1fb1182f48c80106aaa92
SHA256 a30efdf638e4b2fe1ffc862daefa88ebc1002032bca9be7495a18689464e3f49
SHA512 0c55e8fe514a1ffa1256d9d350b34cd50ca0313b8706b172e4698d1bf4bdff6d9968bf3e876635b7d9e1c9733a0ec7f7befb99f980d9574dc27734d8b232ff00

C:\ProgramData\6487.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/2384-313-0x00007FF82F830000-0x00007FF82FA25000-memory.dmp

memory/2384-312-0x00007FF7EF8B0000-0x00007FF7EF8C0000-memory.dmp

memory/2384-310-0x00007FF7EF8B0000-0x00007FF7EF8C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 f43e9a5bf8c59fa9ee85150978c619db
SHA1 82f3146b81e69a9af474a881a86ee6cfd0d9c8ef
SHA256 06a866d6ac3ca414b84eb039e00cc76183f66f09f9ee1b97fb946b244885a5d9
SHA512 aa4b35ef38f459c037e0816e018332429308316869659c21f2ea0942588dd1630413d931123506bdaaf0aa1aed454cf69c3d180149ab0c4aef6525b2a23a4408

memory/2384-317-0x00007FF82F830000-0x00007FF82FA25000-memory.dmp

memory/2384-316-0x00007FF7EF8B0000-0x00007FF7EF8C0000-memory.dmp

memory/2384-346-0x00007FF7EF8B0000-0x00007FF7EF8C0000-memory.dmp

memory/2384-347-0x00007FF82F830000-0x00007FF82FA25000-memory.dmp

memory/2384-348-0x00007FF7EF8B0000-0x00007FF7EF8C0000-memory.dmp

memory/2384-349-0x00007FF82F830000-0x00007FF82FA25000-memory.dmp

memory/2576-350-0x000000007FE40000-0x000000007FE41000-memory.dmp

memory/2576-351-0x00000000023A0000-0x00000000023B0000-memory.dmp

memory/2576-352-0x000000007FE20000-0x000000007FE21000-memory.dmp

memory/2576-353-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

memory/2384-355-0x00007FF82F830000-0x00007FF82FA25000-memory.dmp

memory/2384-354-0x00007FF7ED800000-0x00007FF7ED810000-memory.dmp

memory/2384-356-0x00007FF7ED800000-0x00007FF7ED810000-memory.dmp

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

MD5 92c8184bcd56a42b7ac6aa9c305f9457
SHA1 b3e1a168cd7c77ae58e5741bed116b325670de47
SHA256 64057236aba233f7e7272d726b2dedc1cddaf5960088cca00b74f6411f320db6
SHA512 192168f9f7753b5c1cbef4087ba55979c62dc77d34bfb8978bdd0d05fa5dce8df152dd3c6771fbb44e9a3b3e8b3b4c53310b888e3d15c0e56cb27e8b47a3d397

memory/2384-377-0x00007FF82F830000-0x00007FF82FA25000-memory.dmp

memory/2384-378-0x00007FF82F830000-0x00007FF82FA25000-memory.dmp

memory/2576-379-0x00000000023A0000-0x00000000023B0000-memory.dmp

memory/2576-380-0x00000000023A0000-0x00000000023B0000-memory.dmp

memory/2384-381-0x00007FF82F830000-0x00007FF82FA25000-memory.dmp
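
The Network table is reverse-DNS (in-addr.arpa) lookups sent to 8.8.8.8 plus Bing over TCP/443, which is background traffic from the sandbox VM; nothing in it resembles command and control, and the report shows no other outbound connection for the sample. The Files list mixes memory dump entries (named by process id and address range) with dropped files and their digests. The ransom note C:\5XKuA1aj2.README.txt follows LockBit 3.0's <extension>.README.txt naming, where the same string is appended to encrypted files; that last point is the family's documented behaviour and an assumption here, not something this report states. The following is an added example, not part of the report or of any vendor tool: it parses the two sections in exactly the layout used on this page (a trimmed copy of them is embedded as the input), validates digest lengths, drops resolver and PTR noise from the network rows, and derives the encrypted-file extension from the note's name.

```python
"""Pull hunt-ready indicators out of a Triage-style report: dropped files with all
four digests, the network endpoints left after sandbox noise is removed, and the
LockBit 3.0 extension implied by the ransom-note name.  REPORT_EXCERPT is a
trimmed copy of this page's Network and Files sections, used as constructed input."""
import re

REPORT_EXCERPT = r"""
Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
GB 92.123.128.167:443 www.bing.com tcp
US 8.8.8.8:53 167.128.123.92.in-addr.arpa udp

Files

memory/2292-1-0x0000000002CE0000-0x0000000002CF0000-memory.dmp

C:\5XKuA1aj2.README.txt

MD5 29925258b83173f167ede9942f48e672
SHA1 985c6408bd9e1ebc10d1fb1182f48c80106aaa92
SHA256 a30efdf638e4b2fe1ffc862daefa88ebc1002032bca9be7495a18689464e3f49
SHA512 0c55e8fe514a1ffa1256d9d350b34cd50ca0313b8706b172e4698d1bf4bdff6d9968bf3e876635b7d9e1c9733a0ec7f7befb99f980d9574dc27734d8b232ff00

C:\ProgramData\6487.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX = re.compile(r"^[0-9a-fA-F]+$")
# <drive>:\<extension>.README.txt at the volume root (LockBit 3.0 note naming, assumed).
NOTE_RE = re.compile(r"^[A-Za-z]:\\([A-Za-z0-9]+)\.README\.txt$")


def parse_report(text):
    """Return (network_rows, files).  Memory dump entries carry no hashes and are skipped;
    a digest of the wrong length or with non-hex characters is treated as a parse error."""
    net, files = [], []
    section, current = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Network", "Files"):
            section, current = line, None
            continue
        if not line or line.startswith("Country "):   # blank or the table header
            continue
        if section == "Network":
            country, dest, domain, proto = line.split()
            net.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
        elif section == "Files":
            algo, _, digest = line.partition(" ")
            if algo in HASH_LEN:
                if current is None:
                    raise ValueError(f"digest line without a preceding path: {line}")
                if len(digest) != HASH_LEN[algo] or not HEX.match(digest):
                    raise ValueError(f"malformed {algo} for {current['path']}: {digest}")
                current[algo.lower()] = digest
            elif line.startswith("memory/"):
                current = None
            else:
                current = {"path": line}
                files.append(current)
    return net, files


def external_endpoints(net):
    """Drop resolver traffic (port 53) and PTR lookups; whatever is left deserves a look."""
    return [(r["dest"], r["domain"], r["proto"]) for r in net
            if not r["dest"].endswith(":53") and not r["domain"].endswith(".in-addr.arpa")]


def ransom_note_extension(files):
    """The string before .README.txt is the extension LockBit 3.0 appends to encrypted files."""
    for f in files:
        m = NOTE_RE.match(f["path"])
        if m:
            return m.group(1)
    return None


if __name__ == "__main__":
    net, files = parse_report(REPORT_EXCERPT)
    for f in files:
        print(f["sha256"], f["path"])
    print("external:", external_endpoints(net))
    print("extension:", ransom_note_extension(files))
```

On this page's data the only endpoints that survive the noise filter are the two Bing hosts, and the derived extension is 5XKuA1aj2; a hunt for files named *.5XKuA1aj2 or *.README.txt at drive roots follows directly, and the SHA256 of 6487.tmp is the indicator for the dropped helper that the report lists as "Executes dropped EXE".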