Malware Analysis Report

2024-11-13 14:58

Sample ID 240314-ezz98acf48
Target deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1
SHA256 deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1
Tags: lockbit ransomware
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview


Threat Level: Known bad

The file deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1 was found to be: Known bad.

Malicious Activity Summary

Tags: lockbit ransomware

Lockbit
Lockbit family (Rule to detect Lockbit 3.0 ransomware Windows payload)
Loads dropped DLL
Deletes itself
Executes dropped EXE
Drops desktop.ini file(s)
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Sets desktop wallpaper using registry
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Suspicious behavior: RenamesItself
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Modifies Control Panel

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-14 04:23

Signatures

Lockbit family
Tags: lockbit
Rule to detect Lockbit 3.0 ransomware Windows payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-14 04:23
Reported: 2024-03-14 04:26
Platform: win7-20240221-en
Max time kernel: 119s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe"

Signatures

Lockbit
Tags: ransomware lockbit

Deletes itself
Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\3D9C.tmp | N/A

Executes dropped EXE
Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\3D9C.tmp | N/A

Drops desktop.ini file(s)
Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A

Sets desktop wallpaper using registry
Tags: ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\dB6AsqMxo.bmp" | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\dB6AsqMxo.bmp" | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A

Modifies Control Panel
Tags: evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A

Modifies registry class
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\dB6AsqMxo\DefaultIcon\ = "C:\\ProgramData\\dB6AsqMxo.ico" | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.dB6AsqMxo | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.dB6AsqMxo\ = "dB6AsqMxo" | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\dB6AsqMxo\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\dB6AsqMxo | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A

Suspicious behavior: EnumeratesProcesses
Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A (this row appears 14 times)
Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
The remaining 48 rows repeat the sequence SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege twelve times, each from the same process with Indicator and Target N/A.

Processes

C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe

"C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe"

C:\ProgramData\3D9C.tmp

"C:\ProgramData\3D9C.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\3D9C.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x14c

Network

N/A

Files

memory/2088-0-0x0000000000D30000-0x0000000000D70000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini

MD5 83896bd348deaebb57eede99572e37ca
SHA1 a2c0dd64413598b8af9b63e01cbef8db0ce35aa6
SHA256 4149870f074ab77462959cac864de0af18931df116f872b26d4c701e870f38c7
SHA512 a3776c3da22ce0629c89126e1474ea5aef81265f0b169d432d10d681016d057c5b5e102e57e8f7c9e6436163e0e2a975bdc052c32a055f77370e6194cad73f09

C:\dB6AsqMxo.README.txt

MD5 802d4c92988b7591fe4600669a7770db
SHA1 a5710433d05398316048272b84264ab4669bcf24
SHA256 667485a1ecb2c2ca7bc462af1b28ef45b350181da5e88183a1fc193dd3bc1fc2
SHA512 ec430902d4cb0fb663b26a6c33f18fb43df81d7753ff1a0cce2184270eec6242ad9f97f46401c6a4a1225d1c24440822787fdaebda52126c2a722470c0b18798

F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\DDDDDDDDDDD

MD5 4526adf0de51a31ca32a887e2d3493d6
SHA1 2ef272cebec48c73ef8f8cdd92513603149ae515
SHA256 31ad50487a142f04365676c655fe030b2fe2a7730a54dcfe9f85172f7493e942
SHA512 5791807f0dbc0d5972ebb3b9c2f0ee13a0e75163dd134f58cacb4e1d6271d8e0159d528acbc819b73a05da4ef7da55dba44c81590f3d64b066006c52c1e713f8

\ProgramData\3D9C.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/1768-313-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

memory/1768-314-0x0000000002270000-0x00000000022B0000-memory.dmp

memory/1768-317-0x000000007EF80000-0x000000007EF81000-memory.dmp

memory/1768-321-0x000000007EF20000-0x000000007EF21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 b235abdc286af5fbdfe36740d6498512
SHA1 d6c519736e6f323eafe4d350d8a63dcde11fdac0
SHA256 57e463cb13c66dc054a50ded5387c067e49691614130ed36e949ea6cd961f651
SHA512 cc7e93ac435f8faa11d2bedd43656e70704517dc3681cb357c3932528c3edd7574586294287cc010e7cb0c6631c97b91d423341756827115795f77bd138113a6

memory/1768-347-0x000000007EF40000-0x000000007EF41000-memory.dmp

memory/1768-348-0x000000007EF60000-0x000000007EF61000-memory.dmp

memory/1768-349-0x000000007EF60000-0x000000007EF61000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-14 04:23
Reported: 2024-03-14 04:26
Platform: win10v2004-20240226-en
Max time kernel: 148s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe"

Signatures

Lockbit
Tags: ransomware lockbit

Deletes itself
Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\8EBF.tmp | N/A

Executes dropped EXE
Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\8EBF.tmp | N/A

Drops desktop.ini file(s)
Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-513485977-2495024337-1260977654-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-513485977-2495024337-1260977654-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A

Drops file in System32 directory
Description | Indicator | Process | Target
File created | C:\Windows\system32\spool\PRINTERS\PP444ebjx41l_93vkmboaa9wtxb.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A
File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | C:\Windows\splwow64.exe | N/A
File created | C:\Windows\system32\spool\PRINTERS\PP50ddpk06l2fu50mgoli392fde.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A
File created | C:\Windows\system32\spool\PRINTERS\PPnkn9rxa_tv9983s5pzw43uclb.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A

Sets desktop wallpaper using registry
Tags: ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\dB6AsqMxo.bmp" | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\dB6AsqMxo.bmp" | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A

Checks processor information in registry
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A

Enumerates system info in registry
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A

Modifies Control Panel
Tags: evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A

Modifies registry class
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\dB6AsqMxo\DefaultIcon\ = "C:\\ProgramData\\dB6AsqMxo.ico" | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.dB6AsqMxo | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.dB6AsqMxo\ = "dB6AsqMxo" | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\dB6AsqMxo\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\dB6AsqMxo | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A

Suspicious behavior: EnumeratesProcesses
Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A (this row appears 14 times)
N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A (this row appears 2 times)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe | N/A
The remaining 48 rows repeat the sequence SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege twelve times, each from the same process with Indicator and Target N/A.

Processes

C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe

"C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Windows\system32\printfilterpipelinesvc.exe -Embedding

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{2B24E8E7-94B3-436F-964F-255EDE9522C7}.xps" 133548638718620000

C:\ProgramData\8EBF.tmp

"C:\ProgramData\8EBF.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp
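The Processes, Network and Files sections of this report are flattened tables, and pulling IOCs out of them by hand is error-prone. The following added example (editor's code, not part of the sandbox's own tooling) parses those three sections into structured records and then applies the triage an analyst would do on them: keep only TCP peers that are not reverse-DNS or port-53 noise, match dropped files against the process list to find what was actually executed, and pick out the ransom note by its README.txt suffix. The embedded SAMPLE is a verbatim excerpt of rows from this report; section names, column order and the hash-line format are assumed to be exactly as they appear on this page.

```python
"""Parse the flattened Processes / Network / Files sections of this sandbox
report into IOC records and run a first-pass triage over them.
Added example; not the sandbox's own code.  Assumes the layout seen on this
page: section name on its own line, Processes rows alternating image path and
command line, Network rows as 'CC ip:port [domain] proto', Files entries as a
path followed by MD5/SHA1/SHA256/SHA512 lines, memory dumps as 'memory/...'."""
import re

# Excerpt of rows copied from the report above so the example runs offline.
SAMPLE = r"""Processes

C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe

"C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe"

C:\ProgramData\8EBF.tmp

"C:\ProgramData\8EBF.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/4264-1-0x0000000002F70000-0x0000000002F80000-memory.dmp

C:\Users\dB6AsqMxo.README.txt

MD5 316bef2d0f08378eeeef596836beac49
SHA1 23c4489a2ccf7e8edf98a226b18a222c0dc52d86
SHA256 d5ba85621e3d712d6cfcd827ea5d86f46b18471ea2fa9eba903d5f57a0764821
SHA512 be1f9181325a7bb89f11142cd06da7ea6286d9f4ad64b64851bbd56ad26544f5bcf607a213628e94ed812604b67bf3b06507410d25f1a7277398adea34e79b21

C:\ProgramData\8EBF.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
"""

SECTIONS = {"Processes", "Network", "Files"}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
# Domain column is optional: a bare 'US 20.231.121.79:80 tcp' row has none.
NET_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+)(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)


def parse_report(text):
    """Return {'processes': [...], 'network': [...], 'files': [...]}."""
    report = {"processes": [], "network": [], "files": []}
    section = None
    pending_image = None   # Processes rows come in (image, cmdline) pairs
    current_file = None    # Files entry that following hash lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section, pending_image, current_file = line.lower(), None, None
            continue
        if section == "processes":
            if pending_image is None:
                pending_image = line
            else:
                report["processes"].append({"image": pending_image, "cmdline": line})
                pending_image = None
        elif section == "network":
            m = NET_RE.match(line)          # header row does not match; skipped
            if m:
                row = m.groupdict()
                row["port"] = int(row["port"])
                row["reverse_lookup"] = bool(row["domain"]) and row["domain"].endswith(".in-addr.arpa")
                report["network"].append(row)
        elif section == "files":
            m = HASH_RE.match(line)
            if m and current_file is not None:
                current_file[m.group(1).lower()] = m.group(2)
            elif line.startswith("memory/"):
                current_file = None         # memory dumps carry no hashes here
            else:
                current_file = {"path": line}
                report["files"].append(current_file)
    return report


def triage(report):
    """Pick out what is worth pivoting on: TCP peers other than DNS/PTR noise
    (deduplicated), dropped files that also appear as executed processes, and
    ransom-note files by their README.txt suffix."""
    peers = {}
    for n in report["network"]:
        if n["proto"] == "tcp" and n["port"] != 53 and not n["reverse_lookup"]:
            peers.setdefault((n["ip"], n["port"]), n)
    executed = {p["image"] for p in report["processes"]}
    dropped_and_run = [f for f in report["files"] if f["path"] in executed]
    notes = [f for f in report["files"] if f["path"].lower().endswith("readme.txt")]
    return {"connections": list(peers.values()),
            "dropped_and_run": dropped_and_run, "notes": notes}


if __name__ == "__main__":
    result = triage(parse_report(SAMPLE))
    for c in result["connections"]:
        print("peer", c["ip"], c["port"], c["domain"] or "-")
    for f in result["dropped_and_run"]:
        print("dropped and executed", f["path"], f["sha256"])
    for f in result["notes"]:
        print("ransom note", f["path"], f["sha256"])
```

Run against the full report text rather than the excerpt, the same two functions give the complete hash set for C:\ProgramData\8EBF.tmp (the dropped file that the Processes section shows being executed) and the README note, and reduce the Network table to the handful of TCP destinations an analyst still has to judge by hand; the parser only separates reverse-DNS and port-53 rows from the rest, it does not decide which peers are sandbox background traffic.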

Files

memory/4264-1-0x0000000002F70000-0x0000000002F80000-memory.dmp

memory/4264-0-0x0000000002F70000-0x0000000002F80000-memory.dmp

memory/4264-2-0x0000000002F70000-0x0000000002F80000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-513485977-2495024337-1260977654-1000\BBBBBBBBBBB

MD5 5a832a3d8ed988f34c5c8cac5885cc06
SHA1 387e9cb1572cb10f2415e3d6b1614208e6de1213
SHA256 7937e7194a8c13105c96e266012dc2741bdf772590bb6492a1249c4f42e3902d
SHA512 57e976c772d5ff91a5901562541f0299cfb9f0a531f93a1c29015f9c8bb66a84f400f6ef717330124708d405714f4049ddec8fda2ad194f503d7f3cf09b32005

F:\$RECYCLE.BIN\S-1-5-21-513485977-2495024337-1260977654-1000\DDDDDDDDDDD

MD5 0055347be81388e6e77024dc1d641a8b
SHA1 bfb6a0777cdb5f568fc808bf0709bc996a3e6771
SHA256 d986a0aa1e3abd091817490a37a608de4e37c1145a0e759d6f72676c81a1f1f5
SHA512 b25812698e0e7df180fd44fdbca000baf43a209312da0d2d3e7cf2663fb55526930d8dbdb6e74e5b025bb881e420371f5699aa82a49c46c4bed9e685e6053d20

C:\Users\dB6AsqMxo.README.txt

MD5 316bef2d0f08378eeeef596836beac49
SHA1 23c4489a2ccf7e8edf98a226b18a222c0dc52d86
SHA256 d5ba85621e3d712d6cfcd827ea5d86f46b18471ea2fa9eba903d5f57a0764821
SHA512 be1f9181325a7bb89f11142cd06da7ea6286d9f4ad64b64851bbd56ad26544f5bcf607a213628e94ed812604b67bf3b06507410d25f1a7277398adea34e79b21

memory/4264-290-0x0000000002F70000-0x0000000002F80000-memory.dmp

memory/4264-291-0x0000000002F70000-0x0000000002F80000-memory.dmp

memory/4264-292-0x0000000002F70000-0x0000000002F80000-memory.dmp

C:\ProgramData\8EBF.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/3984-308-0x00007FFC59A30000-0x00007FFC59A40000-memory.dmp

memory/3984-310-0x00007FFC59A30000-0x00007FFC59A40000-memory.dmp

memory/3984-339-0x00007FFC999B0000-0x00007FFC99BA5000-memory.dmp

memory/3984-340-0x00007FFC999B0000-0x00007FFC99BA5000-memory.dmp

memory/3984-342-0x00007FFC999B0000-0x00007FFC99BA5000-memory.dmp

memory/3984-341-0x00007FFC59A30000-0x00007FFC59A40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 46e29394ea643917d80787e341db47fd
SHA1 9e921fd45948d588203cee46b78cf944984785d8
SHA256 2cc834701fba67daeb94b43f3398b76f8a1531a880483d454eef941631626018
SHA512 6941f013f963d7105cfad0e09f0123feeb87f24248a24067222e90c76ade61b4761f28df79d9786f644cf06d358bbec969df52e23cbcf2af7ee6340f7bdd79ca

memory/3984-309-0x00007FFC59A30000-0x00007FFC59A40000-memory.dmp

memory/4064-344-0x000000007FE40000-0x000000007FE41000-memory.dmp

memory/4064-345-0x0000000002840000-0x0000000002850000-memory.dmp

memory/4064-346-0x000000007FE20000-0x000000007FE21000-memory.dmp

memory/4064-347-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

memory/3984-348-0x00007FFC999B0000-0x00007FFC99BA5000-memory.dmp

memory/3984-349-0x00007FFC999B0000-0x00007FFC99BA5000-memory.dmp

memory/3984-350-0x00007FFC999B0000-0x00007FFC99BA5000-memory.dmp

memory/3984-352-0x00007FFC999B0000-0x00007FFC99BA5000-memory.dmp

memory/3984-353-0x00007FFC999B0000-0x00007FFC99BA5000-memory.dmp

memory/3984-354-0x00007FFC999B0000-0x00007FFC99BA5000-memory.dmp

memory/3984-356-0x00007FFC999B0000-0x00007FFC99BA5000-memory.dmp

memory/3984-355-0x00007FFC579D0000-0x00007FFC579E0000-memory.dmp

memory/3984-351-0x00007FFC579D0000-0x00007FFC579E0000-memory.dmp

memory/3984-343-0x00007FFC59A30000-0x00007FFC59A40000-memory.dmp

memory/3984-357-0x00007FFC999B0000-0x00007FFC99BA5000-memory.dmp

memory/3984-358-0x00007FFC999B0000-0x00007FFC99BA5000-memory.dmp

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

MD5 b4b43b7229dbba72ad845b8834ec28c1
SHA1 981eae4c6288500416076bd41ef915ff2a67f2bb
SHA256 ad7f2109cfb0099a85358cdac900c7593c1add3bdc52190f888faaadca3f42a6
SHA512 be1436f2cd973b31e28faea434fa7e4b1c11903b11ffe8367f5923535c323cdd863b5380bb9dd1e1efbd0a9ef084cce3187bb17501aed6e9473df92204de8a68

memory/3984-379-0x00007FFC999B0000-0x00007FFC99BA5000-memory.dmp